Ben Stienstra

Linux, Unix, network, radio and more...


Apache reverse proxy

Install Apache reverse proxy with SSL

Install

  • Install the EPEL repo (mod_proxy_html for Apache 2.2 is packaged there, not in the base CentOS repos)

Install Apache and mod_proxy_html

yum install httpd mod_proxy_html

Install the certificate, CA bundle and private key

/etc/pki/tls/certs (CA bundle and cert)
/etc/pki/tls/private (private key: owned by root, mode 0600. httpd reads it at startup while it is still root, so no other user needs access)

Configure

Edit Apache config

vi /etc/httpd/conf/httpd.conf

NameVirtualHost *:443

vi /etc/httpd/conf.d/ssl.conf

ServerName reverse.<yourdomain>
SSLCertificateFile <your cert>
SSLCertificateKeyFile <your key>
SSLCertificateChainFile <your CA cert chain>

Open port 443 with iptables

Check the rule numbers first: iptables -A appends to the end of the INPUT chain, and on a stock CentOS 6 firewall that chain ends with a catch-all REJECT, so an appended ACCEPT is never reached. Either insert the rule above the REJECT with -I and the right position, or add it to /etc/sysconfig/iptables by hand and restart iptables.

iptables -I INPUT <number of the REJECT rule> -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
service iptables save
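As an added example (not part of the original page), the shell below works out where the ACCEPT has to go instead of guessing at a rule number. It parses an `iptables -L INPUT -n --line-numbers` listing, finds the first REJECT or DROP rule and prints the `-I` command that puts the new rule in front of it. The chain listing embedded in the script is constructed to look like a stock CentOS 6 box, not captured from a real machine; on a live system you pipe the real listing in, run the printed command as root and then `service iptables save`.

```sh
#!/bin/sh
# Added example, not from the original page: find the position for the
# port-443 ACCEPT. "iptables -A INPUT" appends after the chain's final
# REJECT on a stock CentOS 6 firewall, so the rule never matches; it has
# to be inserted (-I) above that REJECT.

# Constructed sample of `iptables -L INPUT -n --line-numbers`
# (made up to resemble a default CentOS 6 box, not real captured output).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Read a chain listing on stdin and print the number of the first
# REJECT or DROP rule; print nothing when there is none (then -A is fine).
first_reject_rule() {
    awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }'
}

# Read a chain listing on stdin and print the iptables command that opens
# TCP port $1, inserting it just above the catch-all rule when one exists.
open_port_command() {
    port=$1
    pos=$(first_reject_rule)
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' "$pos" "$port"
    else
        printf 'iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' "$port"
    fi
}

# Against the sample chain this prints the -I form with position 5.
# On a real box:  iptables -L INPUT -n --line-numbers | open_port_command 443 | sh
printf '%s\n' "$SAMPLE_INPUT_CHAIN" | open_port_command 443
```

The same trick applies to any port you open later for another back-end: the position is recomputed from the live listing each time, so it stays correct after other rules have been added.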

Start Apache and test SSL

If the private key is encrypted, httpd asks for the pass phrase on every start, including at boot, so an unattended reboot leaves the proxy down until somebody types it in. Either store the key unencrypted with the tight permissions above, or point SSLPassPhraseDialog at a script that supplies it.

service httpd restart
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server reverse.<your local domain>:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Config reverse proxy

Create a wildcard A record for your domain, for example *.reverse.<yourdomain>, so every app gets its own hostname under the one wildcard certificate.

Edit /etc/httpd/conf.d/proxy_html.conf

vi /etc/httpd/conf.d/proxy_html.conf

ProxyRequests Off  <-- this is an important security setting: it disables forward proxying. With it On, anyone who can reach port 443 (and get past the <Proxy> auth below) could use the server as an open proxy to arbitrary hosts, including ones on the LAN. ProxyPass does not need it, and it is Off by default, but set it explicitly so a later edit cannot turn it on unnoticed.

<Proxy *>
	AllowOverride None
	Order allow,deny
	Allow from all
	AuthName "Password Required"
	AuthType Basic
	AuthBasicProvider file
	AuthUserFile <your htpasswd file>
	# "Require user" takes user names only; for a group use "Require group <name>"
	# together with AuthGroupFile, or "Require valid-user" for anyone in the file
	Require user <your required user>
</Proxy>

Edit /etc/httpd/conf.d/ssl.conf

Create a virtual host for every app you want to reverse proxy. Use <VirtualHost *:443> so the block is matched by the NameVirtualHost *:443 added above; the stock ssl.conf block is <VirtualHost _default_:443>, and with several copies of that only the first one is ever reached. Name-based virtual hosts on port 443 rely on SNI, which Apache 2.2.15 on CentOS 6 supports; clients without SNI land in the first virtual host.

For example for Synology Rackstation

<VirtualHost *:443>
ServerName rackstation.reverse.<yourdomain>
ErrorLog logs/rackstation_ssl_error_log
TransferLog logs/rackstation_ssl_access_log
LogLevel warn

SSLEngine on
# SSLv3 is broken as well as SSLv2; do not offer RC4, LOW or EXPORT suites,
# and let the server's cipher order win instead of the client's
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW
SSLHonorCipherOrder on
SSLCertificateFile /etc/pki/tls/certs/<your cert>
SSLCertificateKeyFile /etc/pki/tls/private/<your key>
SSLCertificateChainFile /etc/pki/tls/certs/<your ca chain>

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ProxyPass        / http://rackstation.<your local domain>:5000/
ProxyPassReverse / http://rackstation.<your local domain>:5000/
ProxyHTMLURLMap  http://rackstation.<your local domain>:5000 /

<Location />
  ProxyHTMLEnable On
  ProxyPassReverse http://rackstation.<your local domain>:5000/
  SetOutputFilter proxy-html
</Location>

</VirtualHost>
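Added example, not from the original page: a small POSIX shell audit that reads the TLS lines of a virtual host and flags the weak settings the stock CentOS 6 ssl.conf template carries (SSLv3 still enabled, RC4 and LOW suites switched on, anonymous suites not excluded, no SSLHonorCipherOrder), with the hardened replacement beside it. Both configs are embedded as constructed samples, and every directive in the hardened set is accepted by mod_ssl 2.2.15. Against a live server run `audit_ssl_conf < /etc/httpd/conf.d/ssl.conf`; an empty result means the file passes.

```sh
#!/bin/sh
# Added example, not from the original page: audit the TLS directives of an
# Apache 2.2 virtual host for the weak settings a stock CentOS 6 ssl.conf
# template ships with, and show the hardened equivalent side by side.

# Constructed sample with the stock CentOS 6 template values: SSLv3 allowed,
# RC4 and LOW suites enabled, client chooses the cipher.
WEAK_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW'

# Hardened replacement accepted by mod_ssl 2.2.15.
HARDENED_CONF='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!EXPORT:!LOW
SSLHonorCipherOrder on'

# Read a config on stdin and print one finding per line; nothing = pass.
audit_ssl_conf() {
    conf=$(grep -v '^[[:space:]]*#' || true)
    proto=$(printf '%s\n' "$conf" | awk '$1 == "SSLProtocol" { $1 = ""; print; exit }')
    [ -n "$proto" ] || proto=" all"   # mod_ssl default when the directive is absent
    ciphers=$(printf '%s\n' "$conf" | awk '$1 == "SSLCipherSuite" { print $2; exit }')
    honor=$(printf '%s\n' "$conf" | awk '$1 == "SSLHonorCipherOrder" { print tolower($2); exit }')

    # 1. SSLv3 must be switched off explicitly when "all" or "SSLv3" is enabled.
    case " $proto " in
        *" all "*|*" +all "*|*" SSLv3 "*|*" +SSLv3 "*)
            case " $proto " in
                *" -SSLv3 "*) ;;
                *) echo "SSLv3 still enabled: SSLProtocol$proto" ;;
            esac ;;
    esac

    # 2. No positive token may switch on RC4, LOW or EXPORT suites.
    printf '%s\n' "$ciphers" | tr ':' '\n' | while read -r tok; do
        case $tok in
            '!'*|'-'*) ;;    # negated tokens are the ones we want to see
            *RC4*|*LOW*|*EXPORT*) echo "weak ciphers enabled by token: $tok" ;;
        esac
    done

    # 3. Anonymous DH suites give no server authentication at all.
    case ":$ciphers:" in
        *":!aNULL:"*|*":!ADH:"*) ;;
        *) echo "anonymous suites not excluded: SSLCipherSuite $ciphers" ;;
    esac

    # 4. Without SSLHonorCipherOrder the client's preference wins.
    [ "$honor" = "on" ] || echo "SSLHonorCipherOrder is not on"
}

# Number of findings for the config on stdin (0 = pass).
audit_count() {
    audit_ssl_conf | awk 'END { print NR }'
}

echo "== stock template =="
printf '%s\n' "$WEAK_CONF" | audit_ssl_conf
echo "== hardened =="
printf '%s\n' "$HARDENED_CONF" | audit_ssl_conf
```

The checks are deliberately string-based so they run on the proxy host without OpenSSL tooling; the authoritative test of what the server really negotiates is still an external scan of port 443 after the restart.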

Allow Apache to open outbound connections (SELinux)

Without this boolean SELinux blocks the proxy's connection to the back-end and every request fails with a 503. httpd_can_network_connect allows httpd to connect to any port on any host; the narrower httpd_can_network_relay only allows connections to ports SELinux labels as HTTP ports, so it would need the back-end port (5000 here) labelled first.

setsebool -P httpd_can_network_connect 1

Restart Apache

service httpd restart

Tips

Basic auth through reverse proxy

If the back-end itself asks for HTTP Basic credentials, let the proxy add them (mod_headers) inside that app's virtual host:

RequestHeader set Authorization "Basic XXXXX"

This replaces whatever Authorization header the client sent, so the htpasswd credentials used to pass the <Proxy *> block are not forwarded to the back-end. The back-end password now sits in clear text in the config file, so keep that file readable by root only. XXXXX is the base64 of login:password without a trailing newline, which is why the -n matters (printf avoids the problem on shells whose echo ignores -n):

echo -n "back-end_login:back-end_password" | base64
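Added example, not part of the original page: the encoding as a shell function that can go into a deployment script, next to the wrong variant that includes a trailing newline (what an echo without -n, or a /bin/sh whose echo prints -n literally, produces) and a decoder for checking a header value that is already in a config file. The credentials user/pass and admin/p:ss word are made up; the second pair shows that a colon inside the password is fine, because Basic auth splits at the first colon only.

```sh
#!/bin/sh
# Added example, not from the original page: build and check the value for
#   RequestHeader set Authorization "Basic ..."

# Print "Basic <base64(login:password)>". printf never appends a newline
# and behaves the same in every /bin/sh, unlike echo -n; tr strips the
# line wrapping base64 adds for long credentials.
basic_auth_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# The trailing-newline mistake: the back-end decodes "login:password\n"
# and the password no longer matches.
basic_auth_header_wrong() {
    printf 'Basic %s' "$(printf '%s:%s\n' "$1" "$2" | base64 | tr -d '\n')"
}

# Decode a header value back to login:password to verify a config line.
basic_auth_decode() {
    printf '%s' "${1#Basic }" | base64 -d
}

# Made-up credentials for the demonstration.
printf '%s\n' "$(basic_auth_header user pass)"          # Basic dXNlcjpwYXNz
printf '%s\n' "$(basic_auth_header_wrong user pass)"    # Basic dXNlcjpwYXNzCg==
printf '%s\n' "$(basic_auth_header admin 'p:ss word')"  # Basic YWRtaW46cDpzcyB3b3Jk
printf '%s\n' "$(basic_auth_decode 'Basic dXNlcjpwYXNz')"   # user:pass
```

Remember that base64 is an encoding, not encryption: anyone who can read the virtual host file can run the decoder above, which is the reason for the file permissions mentioned before.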

Enable compression

Solve the Firefox error: “The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.” It shows up when proxy-html ends up processing a gzip-compressed body (either the back-end compressed it, or DEFLATE ran ahead of proxy-html): the client receives Content-Encoding: gzip with a body that is no longer valid gzip. The filter chain below inflates the response before proxy-html rewrites it and recompresses it afterwards; the alternative is to unset Accept-Encoding on the proxied request so the back-end never compresses. Compressing responses that reflect user input over TLS is what makes BREACH possible, so do not enable DEFLATE for pages that echo secrets.

Edit /etc/httpd/conf/httpd.conf

vi /etc/httpd/conf/httpd.conf

<IfModule mod_deflate.c>
 AddEncoding x-compress Z
 AddEncoding x-gzip gz tgz
 DeflateCompressionLevel 9
 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript

 # Setup custom deflate log
 DeflateFilterNote Input instream
 DeflateFilterNote Output outstream
 DeflateFilterNote Ratio ratio
 LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
 #CustomLog logs/deflate.log deflate

 <Directory />
  # Insert filter
  SetOutputFilter DEFLATE
  # Netscape 4.x has some problems...
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  # Netscape 4.06-4.08 have some more problems
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  # MSIE masquerades as Netscape, but it is fine
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  # Don't compress images
  SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
  SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
  SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar|7z)$ no-gzip dont-vary
  # Make sure proxies don't deliver the wrong content
  Header append Vary User-Agent env=!dont-vary  
  </Directory>
</IfModule>

Edit your virtual host and change SetOutputFilter

vi /etc/httpd/conf.d/ssl.conf

  #SetOutputFilter proxy-html
  SetOutputFilter INFLATE;proxy-html;DEFLATE

Install mod_xml2enc to fix character encoding

mod_xml2enc is built from source here, together with a matching mod_proxy_html. Both downloads come over plain HTTP with no signature and end up loaded into httpd, so look at what you fetched before building it. The apxs run for mod_proxy_html also overwrites the EPEL-packaged module; a later yum update of mod_proxy_html puts the packaged one back.

yum install httpd-devel libxml2-devel
yum groupinstall "Development tools"

cd /root
wget http://apache.webthing.com/mod_proxy_html/mod_proxy_html.zip

mkdir /root/mod_xml2enc
cd /root/mod_xml2enc

wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.c
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.h

cd ..
unzip mod_proxy_html.zip

apxs -aic -I/usr/include/libxml2 /root/mod_xml2enc/mod_xml2enc.c
apxs -aic -I/usr/include/libxml2 -I/root/mod_xml2enc /root/mod_proxy_html/mod_proxy_html.c
vi /etc/httpd/conf/httpd.conf

# apxs -a appended the two LoadModule lines to /etc/httpd/conf/httpd.conf;
# add the LoadFile line above them so libxml2 is mapped before the modules load
LoadFile /usr/lib64/libxml2.so
LoadModule xml2enc_module     /usr/lib64/httpd/modules/mod_xml2enc.so
LoadModule proxy_html_module  /usr/lib64/httpd/modules/mod_proxy_html.so


Configure virtual host

Add this to each proxy virtual host next to ProxyHTMLEnable; * means the rewritten page is sent in the same charset the back-end used.

ProxyHTMLCharsetOut *

apache_reverse_proxy_on_centos_6.5.txt · Last modified: 2014/06/10 13:56 by admin