Difference between revisions of "Apache Reverse Proxy"


(drop some info about the current owncloud reverse proxy setup)
 
 

Latest revision as of 17:20, 31 January 2016

This page describes how to set up a reverse proxy in Apache in order to provide a website to the outside world that is normally hidden in a private network...

Currently this setup is used by owncloud.tolabaki.gr.

Configuration of the actual host of the web page

The actual host needs no special configuration. It should serve the page as if it was being requested directly.

Configuration of the proxy host

Inside the VirtualHost we add these directives:

 
        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / https://172.16.115.2/
        ProxyPassReverse / https://172.16.115.2/
        SSLProxyEngine on
        SSLProxyVerify require
        SSLProxyCACertificateFile /etc/ssl/certs/cacert-chain.crt
        SSLProxyVerifyDepth 2
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyProtocol -SSLv3 +TLSv1 +TLSv1.1

  • ProxyRequests off tells Apache NOT to function as a forward proxy. A forward proxy is something completely different (squid, for example, is a forward proxy server).
  • ProxyPass enables the reverse proxy and tells Apache to forward requests for anything under / to the remote host https://172.16.115.2/
  • ProxyPassReverse lets Apache rewrite the URLs in the response headers (such as Location on a redirect), so that they point at the proxy rather than at the actual host.
  • SSLProxyEngine enables Apache to use SSL/TLS when connecting to the actual host. This is essential when using https in the ProxyPass{,Reverse} directives.
  • SSLProxyVerify require makes Apache verify the certificate of the actual host. The default is not to verify it.
  • SSLProxyCACertificateFile tells Apache which CA has signed the certificate that the actual host presents for this website. This is used to verify the certificate.
  • SSLProxyVerifyDepth 2 is necessary to use a CA that belongs to another CA (therefore you have 2 certificates in that file). In our case, CAcert Class 3 is the CA of tolabaki, but CAcert Class 3 is itself signed by CAcert Class 1 and the .crt file contains both certificates.
  • SSLProxyCheckPeerCN and SSLProxyCheckPeerName turn off verification of the hostname against the certificate. With both off, Apache accepts any certificate that chains to the CA in SSLProxyCACertificateFile, whatever name it carries.
  • SSLProxyProtocol disables the insecure SSLv3 and enables TLS. For some reason, if TLSv1 is not enabled, the connection doesn't work.

Of course none of the SSL* options are necessary if ProxyPass specifies an http host.

In addition to the above, the following Apache modules should be enabled:

  • mod_proxy
  • mod_proxy_http
  • mod_proxy_html
  • mod_proxy_connect
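
To check what the SSLProxy* directives described above actually enforce towards the backend, here is an added example (not part of the original wiki page) that audits a directive block and reports the weak points. The function names and finding labels are hypothetical; the directive defaults used (SSLProxyVerify none, SSLProxyCheckPeerName on, SSLProxyProtocol all -SSLv3) and the +/- protocol parsing are assumptions based on Apache 2.4 behaviour.

```python
# Constructed sample input: the TLS-relevant directives shown on this page.
PAGE_CONFIG = """\
ProxyPass / https://172.16.115.2/
SSLProxyVerify require
SSLProxyCACertificateFile /etc/ssl/certs/cacert-chain.crt
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyProtocol -SSLv3 +TLSv1 +TLSv1.1
"""
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996

def parse_directives(text):
    """Map lowercased directive name -> lowercased arguments (last one wins)."""
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and not parts[0].startswith("<"):
            found[parts[0].lower()] = [a.lower() for a in parts[1:]]
    return found

def enabled_protocols(tokens):
    """Assumed semantics: start empty; +X adds, -X removes, bare X replaces."""
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        names = ALL if name == "all" else {name}
        enabled = {"+": enabled | names, "-": enabled - names, "=": set(names)}[sign]
    return enabled

def audit_proxy_tls(text):
    """Return findings about how the proxy authenticates its TLS backend."""
    d = parse_directives(text)
    first = lambda name, default: (d.get(name) or [default])[0]
    args = d.get("proxypass", [])
    if len(args) < 2 or not args[1].startswith("https://"):
        return ["backend-not-tls"]
    findings = []
    if first("sslproxyverify", "none") != "require":
        findings.append("backend-cert-not-verified")
    elif not {"sslproxycacertificatefile", "sslproxycacertificatepath"} & d.keys():
        findings.append("no-ca-configured")
    if first("sslproxycheckpeername", "on") == "off":
        cn_off = first("sslproxycheckpeercn", "on") == "off"
        findings.append("hostname-check-disabled" if cn_off else "cn-only-check")
    weak = sorted(enabled_protocols(d.get("sslproxyprotocol", ["all", "-sslv3"])) & LEGACY)
    if weak:
        findings.append("legacy-protocols:" + ",".join(weak))
    return findings
```

For the block on this page, `audit_proxy_tls(PAGE_CONFIG)` reports the disabled hostname check and the TLS 1.0/1.1-only protocol list; the chain verification against the CA file passes the audit.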