
This page describes how to set up a reverse proxy in Apache in order to offer a website to the outside world that normally lives hidden inside a private network.

Currently this setup is used by owncloud.tolabaki.gr.

Configuration of the actual host of the web page

The actual host needs no special configuration. It should serve the page exactly as if it were being requested directly.

Configuration of the proxy host

Inside the VirtualHost we add these directives:

        ProxyPreserveHost On
        ProxyRequests off
        ProxyPass / https://172.16.115.2/
        ProxyPassReverse / https://172.16.115.2/
        SSLProxyEngine on
        SSLProxyVerify require
        SSLProxyCACertificateFile /etc/ssl/certs/cacert-chain.crt
        SSLProxyVerifyDepth 2
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyProtocol -SSLv3 +TLSv1 +TLSv1.1

  • ProxyRequests off tells Apache NOT to function as a forward proxy. A forward proxy is something completely different (Squid, for example, is a forward proxy server). Leaving it on without access restrictions would turn the machine into an open proxy for anyone who can reach it.
  • ProxyPass enables the reverse proxy and tells Apache to forward every request under / to the remote host https://172.16.115.2/
  • ProxyPassReverse lets Apache rewrite the URLs in the Location, Content-Location and URI headers of the backend's responses, so that redirects issued by the backend point at the proxy rather than at the private address.
  • SSLProxyEngine enables Apache to use SSL/TLS when connecting to the actual host. This is essential when the ProxyPass and ProxyPassReverse directives use https.
  • SSLProxyVerify enables Apache to verify the certificate of the actual host. The default is not to verify it, in which case the connection is encrypted but the backend is not authenticated.
  • SSLProxyCACertificateFile tells Apache which CA signed the certificate that the actual host presents for this website. This file is used to verify that certificate.
  • SSLProxyVerifyDepth 2 is necessary when the signing CA is itself signed by another CA (therefore you have 2 certificates in that file). In our case, CACert Class 3 is the CA of tolabaki, but CACert Class 3 is itself signed by CACert Class 1 and the .crt file contains both certificates.
  • SSLProxyCheckPeerCN and SSLProxyCheckPeerName turn off verification of the hostname against the certificate. With both off, any certificate issued by the configured CA chain is accepted, not only the one issued for this host, so the CA file should contain nothing beyond the CAs you actually trust for this backend.
  • SSLProxyProtocol disables the insecure SSLv3 and enables TLS. Note that without a leading all, only the protocols listed with + are enabled, so this line permits TLSv1 and TLSv1.1 but not TLSv1.2. For some reason, if TLSv1 is not enabled, the connection doesn't work.

Of course, none of the SSLProxy* options are necessary if ProxyPass points at a plain http:// host (but then the traffic to the backend crosses the private network unencrypted).
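As an added example (not part of the original page or of the tolabaki setup), a small Python checker that evaluates SSLProxyProtocol with mod_ssl's own list semantics and compares SSLProxyVerifyDepth against the number of certificates in the CA chain file. The sample configuration and the placeholder chain are constructed, and the chain file is assumed to hold only CA certificates (no leaf).

```python
import re

# mod_ssl protocol tokens (assumption: Apache 2.4 on a TLS 1.3-capable OpenSSL).
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def parse_ssl_protocol(spec):
    """Evaluate an SSLProtocol/SSLProxyProtocol list as mod_ssl does: the set starts empty,
    '+tok' adds, '-tok' removes, 'all' is every protocol, a bare token replaces the set."""
    enabled = set()
    for tok in spec.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        members = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = set(members)
    return enabled

def lint_proxy_tls(conf, ca_chain_pem):
    """Findings for the SSLProxy* directives of a flat VirtualHost body. The CA chain file
    is assumed to hold only CA certificates, so its count is the VerifyDepth required."""
    d, findings = {}, []
    for line in conf.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            d[parts[0]] = parts[1].strip()  # last occurrence wins
    protos = parse_ssl_protocol(d.get("SSLProxyProtocol", "all -SSLv3"))  # 2.4 default
    if "TLSv1.2" not in protos:
        findings.append("TLSv1.2 not enabled towards the backend (only %s)" % ", ".join(sorted(protos)))
    if d.get("SSLProxyVerify", "none").lower() != "require":
        findings.append("backend certificate is not verified (SSLProxyVerify is not 'require')")
    elif not any(k in d for k in ("SSLProxyCACertificateFile", "SSLProxyCACertificatePath")):
        findings.append("SSLProxyVerify require without a CA file/path: every backend handshake fails")
    if any(d.get(k, "on").lower() == "off" for k in ("SSLProxyCheckPeerCN", "SSLProxyCheckPeerName")):
        findings.append("hostname checks off: any certificate issued by the configured CA is accepted")
    needed = len(re.findall(r"^-----BEGIN CERTIFICATE-----$", ca_chain_pem, re.M))
    if int(d.get("SSLProxyVerifyDepth", "1")) < needed:
        findings.append("SSLProxyVerifyDepth too small for a %d-certificate CA chain" % needed)
    return findings

# Constructed sample: the SSLProxy* lines from this page plus a placeholder two-certificate chain.
SAMPLE_CONF = """SSLProxyVerify require
SSLProxyCACertificateFile /etc/ssl/certs/cacert-chain.crt
SSLProxyVerifyDepth 2
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyProtocol -SSLv3 +TLSv1 +TLSv1.1"""
SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n" * 2
```

Running lint_proxy_tls(SAMPLE_CONF, SAMPLE_CHAIN) on the page's own settings reports the missing TLSv1.2 and the disabled hostname checks, and says nothing about the verify depth because the two-certificate chain matches SSLProxyVerifyDepth 2.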

In addition to the above, the following Apache modules should be enabled:

  • mod_proxy (the core proxy module)
  • mod_proxy_http (the HTTP/HTTPS backend connector used by ProxyPass)
  • mod_proxy_html (rewrites links inside HTML bodies; it only acts once ProxyHTMLEnable is switched on)
  • mod_proxy_connect (provides the CONNECT method used by forward proxies)