{{tag>[security centos6.5]}}
=====Apache reverse proxy=====
Install an Apache reverse proxy with SSL termination on CentOS 6.5.
====Install====
  * Install the EPEL repo
  * Install Apache and mod_proxy_html:
<code bash>
yum install httpd mod_proxy_html
</code>
  * Install the SSL certificate and key:
    * /etc/pki/tls/certs (CA bundle and cert)
    * /etc/pki/tls/private (private key)
====Configure====
===Edit Apache config===
Enable name-based virtual hosts on port 443:
<code bash>
vi /etc/httpd/conf/httpd.conf
</code>
<code apache>
NameVirtualHost *:443
</code>
Then point the default SSL host at your own certificate files:
<code bash>
vi /etc/httpd/conf.d/ssl.conf
</code>
<code apache>
ServerName reverse.
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
</code>
===Open port 443 with iptables===
Check the existing rule order first (on the default CentOS ruleset an appended rule lands after the final REJECT rule and never matches, so it may have to be inserted with -I instead), or edit /etc/sysconfig/iptables directly.
<code bash>
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
service iptables save
</code>
===Start Apache and test SSL===
<code bash>
service httpd restart
</code>
If the private key is encrypted, httpd asks for the pass phrase on every start (and so cannot come up unattended after a reboot):
<code>
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server reverse.:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
</code>
====Config reverse proxy====
Create a wildcard A record for your domain, for example *.reverse.
Edit /etc/httpd/conf.d/proxy_html.conf. ProxyRequests Off is the important security setting: with it On, the host would also act as an open forward proxy for anyone who can reach port 443. The access and authentication directives go in a <Proxy *> container:
<code bash>
vi /etc/httpd/conf.d/proxy_html.conf
</code>
<code apache>
ProxyRequests Off
<Proxy *>
    # AllowOverride is only valid in <Directory> context; httpd refuses to start with it here
    #AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Password Required"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile
    Require user
</Proxy>
</code>
Edit /etc/httpd/conf.d/ssl.conf and create a virtual host for every app you want to reverse proxy. For example, for a Synology RackStation:
<code apache>
<VirtualHost *:443>
ServerName rackstation.reverse.
ErrorLog logs/rackstation_ssl_error_log
TransferLog logs/rackstation_ssl_access_log
LogLevel warn
SSLEngine on
# "all -SSLv2" still leaves SSLv3 enabled; add -SSLv3 as well
SSLProtocol all -SSLv2
# CentOS 6 default cipher string; note that it still allows RC4 and LOW-strength ciphers
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/
SSLCertificateKeyFile /etc/pki/tls/private/
SSLCertificateChainFile /etc/pki/tls/certs/
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ProxyPass / http://rackstation.:5000/
ProxyPassReverse / http://rackstation.:5000/
# rewrite links in the returned HTML back to the proxy's URL space
ProxyHTMLURLMap http://rackstation.:5000 /
ProxyHTMLEnable On
# the one-argument ProxyPassReverse form is only valid inside <Location>; the line above already covers it
#ProxyPassReverse http://rackstation.:5000/
SetOutputFilter proxy-html
</VirtualHost>
</code>
Allow Apache to open outbound network connections to the back end (SELinux):
<code bash>
setsebool -P httpd_can_network_connect 1
</code>
Restart Apache:
<code bash>
service httpd restart
</code>
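As an added check, not part of this page or of the Apache setup it describes, the Python below parses a virtual host fragment and flags the three settings discussed above: ProxyRequests not Off, SSLv3 left enabled by "all -SSLv2", and LOW, EXPORT or RC4 suites still reachable through the cipher string. The two sample configs and the example.com hostnames are constructed for the demonstration.

```python
# Constructed samples (not from the page): the page's vhost with placeholders
# filled in and ProxyRequests at its unsafe value, and a hardened variant.
VHOST_AS_WRITTEN = """\
ProxyRequests On
<VirtualHost *:443>
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    ProxyPass / http://rackstation.example.com:5000/
</VirtualHost>
"""
VHOST_HARDENED = """\
ProxyRequests Off
<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!LOW:!EXPORT
    ProxyPass / http://rackstation.example.com:5000/
</VirtualHost>
"""


def parse_directives(conf):
    """Map lower-cased directive name -> list of values; skips comments and container tags."""
    values = {}
    for line in conf.splitlines():
        s = line.strip()
        if not s or s[0] in "#<":
            continue
        name, *rest = s.split(None, 1)
        values.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return values


def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    v = parse_directives(conf)
    findings = []
    # ProxyRequests On turns the host into an open forward proxy (Apache's default is Off).
    if any(x.lower() != "off" for x in v.get("proxyrequests", ["off"])):
        findings.append("ProxyRequests is not Off")
    # "all -SSLv2" keeps SSLv3 enabled unless it is removed explicitly.
    for x in v.get("sslprotocol", []):
        t = x.lower().split()
        if "all" in t and "-sslv3" not in t:
            findings.append("SSLProtocol leaves SSLv3 enabled")
    # A suite family is reachable if it is named (or covered by ALL) and never negated with "!".
    for x in v.get("sslciphersuite", []):
        tokens = x.split(":")
        excluded = {t[1:].upper() for t in tokens if t.startswith("!")}
        enabled = {p.upper() for t in tokens if not t.startswith("!") for p in t.lstrip("+").split("+")}
        for weak in ("LOW", "EXPORT", "RC4"):
            if weak not in excluded and (weak in enabled or "ALL" in enabled):
                findings.append(f"SSLCipherSuite allows {weak} ciphers")
    return findings
```

Running audit() over a real ssl.conf works the same way; the checks only look at directive names and values, so container tags are ignored.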
====Tips====
===Basic auth through reverse proxy===
If the back end itself requires HTTP Basic authentication, the proxy can add the header to every forwarded request:
<code apache>
RequestHeader set Authorization "Basic XXXXX"
</code>
XXXXX is the base64 encoding of login:password and can be calculated with a simple shell command:
<code bash>
echo -n "back-end_login:back-end_password" | base64
</code>
===Enable compression===
Solves the Firefox error: //"The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression."// (it appears when mod_proxy_html rewrites a gzip-compressed back-end response as if it were plain text).
Edit /etc/httpd/conf/httpd.conf:
<code bash>
vi /etc/httpd/conf/httpd.conf
</code>
<code apache>
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz
DeflateCompressionLevel 9
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript
# Setup custom deflate log
DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio
LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
#CustomLog logs/deflate.log deflate
# Insert filter
SetOutputFilter DEFLATE
# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# Don't compress images
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar|7z)$ no-gzip dont-vary
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</code>
Edit your virtual host and change SetOutputFilter so the back-end response is inflated before mod_proxy_html rewrites it and compressed again afterwards:
<code bash>
vi /etc/httpd/conf.d/ssl.conf
</code>
<code apache>
#SetOutputFilter proxy-html
SetOutputFilter INFLATE;proxy-html;DEFLATE
</code>
===Install mod_xml2enc, to fix character encoding===
<code bash>
yum install httpd-devel libxml2-devel
yum groupinstall "Development tools"
cd /root
wget http://apache.webthing.com/mod_proxy_html/mod_proxy_html.zip
mkdir /root/mod_xml2enc
cd /root/mod_xml2enc
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.c
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.h
cd ..
unzip mod_proxy_html.zip
apxs -aic -I/usr/include/libxml2 /root/mod_xml2enc/mod_xml2enc.c
apxs -aic -I/usr/include/libxml2 -I/root/mod_xml2enc /root/mod_proxy_html/mod_proxy_html.c
</code>
Edit /etc/httpd/conf/httpd.conf and add the LoadFile line for libxml2.so before the LoadModule lines that apxs added, so the library is loaded before the modules that need it:
<code bash>
vi /etc/httpd/conf/httpd.conf
</code>
<code apache>
LoadFile /usr/lib64/libxml2.so
LoadModule xml2enc_module /usr/lib64/httpd/modules/mod_xml2enc.so
LoadModule proxy_html_module /usr/lib64/httpd/modules/mod_proxy_html.so
</code>
Configure the virtual host:
<code apache>
ProxyHTMLCharsetOut *
</code>