
Apache Reverse Proxy

Revision as of 04:00, 31 January 2016 by Gkiagia (Talk | contribs)


This page describes how to set up a reverse proxy in Apache so that a website normally hidden inside a private network can be served to the outside world.

Currently this setup is used by owncloud.tolabaki.gr.

Configuration of the actual host of the web page

The actual host needs no special configuration. It should serve the page exactly as if it were being requested directly.

Configuration of the proxy host

Inside the VirtualHost we add these directives:

        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / https://172.16.115.2/
        ProxyPassReverse / https://172.16.115.2/
        SSLProxyEngine on
        SSLProxyVerify require
        SSLProxyCACertificateFile /etc/ssl/certs/cacert-chain.crt
        SSLProxyVerifyDepth 2
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyProtocol -SSLv3 +TLSv1 +TLSv1.1

  • ProxyRequests off tells apache NOT to function as a forward proxy. A forward proxy is something completely different (squid, for example, is a forward proxy server).
  • ProxyPass enables the reverse proxy and tells apache to forward every request under / to the remote host https://172.16.115.2/ (the client never sees the internal address).
  • ProxyPassReverse lets apache rewrite the URLs in response headers (such as Location) so that they point at the proxy instead of the internal host.
  • SSLProxyEngine enables apache to use SSL/TLS when connecting to the actual host. This is essential when using https in the ProxyPass{,Reverse} directives.
  • SSLProxyVerify require makes apache verify the certificate of the actual host. The default is not to verify it.
  • SSLProxyCACertificateFile lets apache know which CA has signed the certificate that the actual host presents for this website. This file is used to verify the certificate.
  • SSLProxyVerifyDepth 2 is necessary when the signing CA is itself signed by another CA (so you have 2 certificates in that file). In our case, CACert Class 3 is the CA of tolabaki, but CACert Class 3 is itself signed by CACert Class 1, and the .crt file contains both certificates.
  • SSLProxyCheckPeerCN and SSLProxyCheckPeerName turn off verification of the hostname against the certificate. With both off, apache accepts any certificate that chains to the CA in SSLProxyCACertificateFile, whatever name it was issued for, so the chain check is the only thing authenticating the backend.
  • SSLProxyProtocol disables the insecure SSLv3 and enables TLS. For some reason, if TLSv1 is not enabled, the connection doesn't work.

Of course none of the SSL* options are necessary if ProxyPass specifies an http host.
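A small audit script for the directives above, added here as an example and not part of the original page: it parses a proxy block (the page's own snippet is embedded as constructed input) and reports the settings a reviewer would question, such as the disabled peer-name check or a missing SSLProxyVerify. The directive names and their defaults are Apache's; the finding texts are my own.

```python
# Constructed sample input: the proxy VirtualHost directives shown on this page.
PAGE_CONF = """
ProxyPreserveHost On
ProxyRequests off
ProxyPass / https://172.16.115.2/
ProxyPassReverse / https://172.16.115.2/
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCACertificateFile /etc/ssl/certs/cacert-chain.crt
SSLProxyVerifyDepth 2
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyProtocol -SSLv3 +TLSv1 +TLSv1.1
"""


def parse_directives(conf):
    """Map each directive (lower-cased) to its argument list; the last occurrence wins."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def audit_proxy_conf(conf):
    """Return findings (strings) for weak or missing settings in a reverse-proxy block."""
    d = parse_directives(conf)
    arg = lambda name, default: (d.get(name) or [default])[0].lower()
    findings = []
    if arg("proxyrequests", "off") != "off":
        findings.append("ProxyRequests is on: Apache would also act as a forward proxy")
    # The SSLProxy* checks only matter when ProxyPass points at an https backend.
    if any(a.lower().startswith("https://") for a in d.get("proxypass", [])):
        if arg("sslproxyengine", "off") != "on":
            findings.append("SSLProxyEngine is off but the backend is https")
        if arg("sslproxyverify", "none") != "require":
            findings.append("SSLProxyVerify is not 'require': backend certificate not validated")
        if "sslproxycacertificatefile" not in d and "sslproxycacertificatepath" not in d:
            findings.append("no SSLProxyCACertificateFile/Path to validate the backend against")
        if arg("sslproxycheckpeername", "on") == "off" or arg("sslproxycheckpeercn", "on") == "off":
            findings.append("peer name check is off: any cert chaining to the trusted CA is accepted")
        protos = [p.lower() for p in d.get("sslproxyprotocol", ["all"])]
        if "+sslv3" in protos or ("all" in protos and "-sslv3" not in protos):
            findings.append("SSLProxyProtocol still allows SSLv3")
        if "+tlsv1.2" not in protos and "all" not in protos:
            findings.append("SSLProxyProtocol does not enable TLSv1.2")
    return findings
```

Run against the page's snippet it reports two findings: the disabled peer-name check and the protocol list without TLSv1.2.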

In addition to the above, the following apache mods should be enabled:

  • mod_proxy
  • mod_proxy_http
  • mod_proxy_html
  • mod_proxy_connect