{{tag>[security centos6.5]}}

=====Apache reverse proxy=====

Install Apache as a reverse proxy with SSL.

====Install====

  * Install the EPEL repo.
  * Install Apache and mod_proxy_html:

<code bash>
yum install httpd mod_proxy_html
</code>

  * Install the SSL keys:
    * /etc/pki/tls/certs (CA bundle and cert)
    * /etc/pki/tls/private (private key)

====Configure====

===Edit Apache config===

<code bash>
vi /etc/httpd/conf/httpd.conf
</code>
<code apache>
NameVirtualHost *:443
</code>

<code bash>
vi /etc/httpd/conf.d/ssl.conf
</code>
<code apache>
ServerName reverse.
SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile
</code>

===Open port 443 with iptables===

Check the rule position first (the ACCEPT rule must come before the final REJECT rule in the INPUT chain, so check the line numbers), or edit /etc/sysconfig/iptables directly.

<code bash>
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
service iptables save
</code>

===Start Apache and test SSL===

<code bash>
service httpd restart
</code>

Output:

<code>
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server reverse.:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
</code>

====Config reverse proxy====

Create a wildcard A record for your domain, for example *.reverse.

Edit /etc/httpd/conf.d/proxy_html.conf:

<code bash>
vi /etc/httpd/conf.d/proxy_html.conf
</code>
<code apache>
# This is an important security setting: with ProxyRequests On the server
# would also act as an open forward proxy for anyone who can reach it.
ProxyRequests Off

AllowOverride None
Order allow,deny
Allow from all
AuthName "Password Required"
AuthType Basic
AuthBasicProvider file
AuthUserFile
Require user
</code>

The access-control and auth directives above belong inside a container section (the enclosing block is not shown on this page); note that AllowOverride is only accepted inside a <Directory> section.

Edit /etc/httpd/conf.d/ssl.conf and create a virtual host for every app you want to reverse proxy. For example, for a Synology RackStation:

<code apache>
# <VirtualHost *:443> is assumed here to match the NameVirtualHost *:443 line added to httpd.conf
<VirtualHost *:443>
    ServerName rackstation.reverse.
    ErrorLog logs/rackstation_ssl_error_log
    TransferLog logs/rackstation_ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/
    SSLCertificateKeyFile /etc/pki/tls/private/
    SSLCertificateChainFile /etc/pki/tls/certs/
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    ProxyPass / http://rackstation.:5000/
    ProxyPassReverse / http://rackstation.:5000/
    ProxyHTMLURLMap http://rackstation.:5000 /
    ProxyHTMLEnable On
    SetOutputFilter proxy-html
</VirtualHost>
</code>

The SSLProtocol and SSLCipherSuite lines are the CentOS 6 defaults: they still allow SSLv3, RC4 and LOW-grade ciphers, so tighten them (for example add -SSLv3 and exclude RC4 and LOW) unless a legacy client really needs them.

Allow Apache to open outbound network connections (SELinux), then restart it:

<code bash>
setsebool -P httpd_can_network_connect 1
service httpd restart
</code>

====Tips====

===Basic auth through reverse proxy===

<code apache>
RequestHeader set Authorization "Basic XXXXX"
</code>

XXXXX can be calculated with a simple shell command:

<code bash>
echo -n "back-end_login:back-end_password" | base64
</code>

Base64 is an encoding, not encryption: the back-end credentials are then readable by anyone who can read the config file, and every client that passes the proxy's own auth gets access to the back-end under that account, so keep the file readable by root only.

===Enable compression===

Solves the Firefox error: //"The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression."//

Edit /etc/httpd/conf/httpd.conf:

<code bash>
vi /etc/httpd/conf/httpd.conf
</code>
<code apache>
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

DeflateCompressionLevel 9
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript

# Setup custom deflate log
DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio
LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
#CustomLog logs/deflate.log deflate

# Insert filter
SetOutputFilter DEFLATE

# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# Don't compress images
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar|7z)$ no-gzip dont-vary

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</code>

Edit your virtual host and change SetOutputFilter: a response the back-end already compressed must be inflated before proxy-html can rewrite it, and is re-compressed afterwards.

<code bash>
vi /etc/httpd/conf.d/ssl.conf
</code>
<code apache>
#SetOutputFilter proxy-html
SetOutputFilter INFLATE;proxy-html;DEFLATE
</code>

===Install mod_xml2enc, to fix character encoding===

<code bash>
yum install httpd-devel libxml2-devel
yum groupinstall "Development tools"

wget http://apache.webthing.com/mod_proxy_html/mod_proxy_html.zip
mkdir /root/mod_xml2enc
cd /root/mod_xml2enc
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.c
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.h
cd ..
unzip mod_proxy_html.zip
apxs -aic -I/usr/include/libxml2 /root/mod_xml2enc/mod_xml2enc.c
apxs -aic -I/usr/include/libxml2 -I/root/mod_xml2enc /root/mod_proxy_html/mod_proxy_html.c
</code>

Add the LoadFile line for libxml2.so before the LoadModule lines that apxs added to /etc/httpd/conf/httpd.conf:

<code bash>
vi /etc/httpd/conf/httpd.conf
</code>
<code apache>
LoadFile /usr/lib64/libxml2.so
LoadModule xml2enc_module /usr/lib64/httpd/modules/mod_xml2enc.so
LoadModule proxy_html_module /usr/lib64/httpd/modules/mod_proxy_html.so
</code>

Configure the virtual host:

<code apache>
ProxyHTMLCharsetOut *
</code>
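As an added example (not code from this wiki page, nor from Apache or mod_proxy_html), the following POSIX shell script performs the static checks a reviewer would run over a vhost file written as in the Config reverse proxy section and the basic-auth tip: ProxyRequests is Off, SSLv2 and SSLv3 cannot be negotiated, the EXPORT, LOW and RC4 cipher grades are explicitly excluded, and a note is printed when a fixed Authorization header embeds back-end credentials in the file. The script name audit_proxy_conf.sh, the helper names and the sample config (with example.com hostnames) are all constructed here.

```shell
#!/bin/sh
# audit_proxy_conf.sh: static checks over an Apache reverse-proxy config file.
# Added example; not part of the original wiki page, Apache or mod_proxy_html.

# Constructed sample that mirrors the page's vhost; hostnames are placeholders.
SAMPLE_CONF='ProxyRequests Off
<VirtualHost *:443>
    ServerName rackstation.reverse.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    ProxyPass / http://rackstation.example.com:5000/
    ProxyPassReverse / http://rackstation.example.com:5000/
    RequestHeader set Authorization "Basic dXNlcjpwYXNz"
</VirtualHost>'

# directive_value FILE DIRECTIVE: print the arguments of the first matching
# directive (case-insensitive, leading whitespace ignored); empty if unset.
directive_value() {
    _d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v d="$_d" 'tolower($1) == d { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }' "$1"
}

# check_proxy_requests FILE: 0 if ProxyRequests is Off or unset (Off is Apache's default).
check_proxy_requests() {
    _v=$(directive_value "$1" ProxyRequests | tr 'A-Z' 'a-z')
    [ -z "$_v" ] || [ "$_v" = "off" ]
}

# check_ssl_protocol FILE: 0 only if neither SSLv2 nor SSLv3 can be negotiated.
# mod_ssl 2.2 defaults to "all", so an unset directive fails the check.
check_ssl_protocol() {
    _v=$(directive_value "$1" SSLProtocol | tr 'A-Z' 'a-z')
    [ -n "$_v" ] || return 1
    case " $_v " in
        *" all "*)
            case " $_v " in *" -sslv2 "*) ;; *) return 1 ;; esac
            case " $_v " in *" -sslv3 "*) ;; *) return 1 ;; esac ;;
        *" sslv2 "*|*" +sslv2 "*|*" sslv3 "*|*" +sslv3 "*)
            return 1 ;;
    esac
    return 0
}

# check_cipher_suite FILE: 0 only if each weak grade is excluded with "!grade".
# "+LOW" or "RC4+RSA" only reorder the list; the ciphers stay enabled.
check_cipher_suite() {
    _v=$(directive_value "$1" SSLCipherSuite)
    [ -n "$_v" ] || return 1
    _rc=0
    for _weak in EXPORT LOW RC4; do
        case ":$_v:" in
            *":!$_weak:"*) ;;
            *) echo "SSLCipherSuite does not exclude $_weak"; _rc=1 ;;
        esac
    done
    return $_rc
}

# has_static_backend_auth FILE: 0 if a fixed Authorization header is injected,
# i.e. back-end credentials are stored (base64, not encrypted) in this file.
has_static_backend_auth() {
    grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+Authorization[[:space:]]' "$1"
}

# audit FILE: print one line per check; the return value is the number of failed checks.
audit() {
    _fails=0
    for _c in check_proxy_requests check_ssl_protocol check_cipher_suite; do
        if "$_c" "$1"; then
            echo "PASS $_c"
        else
            echo "FAIL $_c"
            _fails=$((_fails + 1))
        fi
    done
    if has_static_backend_auth "$1"; then
        echo "NOTE back-end credentials are embedded in $1 (RequestHeader set Authorization): keep it readable by root only"
    fi
    return $_fails
}

# Usage: sh audit_proxy_conf.sh /etc/httpd/conf.d/ssl.conf
# Without an argument the constructed sample is audited (2 FAIL lines, exit status 2).
case "${0##*/}" in
    audit_proxy_conf.sh)
        if [ -n "${1:-}" ]; then
            audit "$1"
        else
            _tmp=$(mktemp)
            printf '%s\n' "$SAMPLE_CONF" > "$_tmp"
            audit "$_tmp"
            _rc=$?
            rm -f "$_tmp"
            exit $_rc
        fi
        ;;
esac
```

The script reads only the first occurrence of each directive, so run it once per vhost file rather than on a merged config; for the settings Apache actually loaded, compare against the output of apachectl -S. Against the page's own SSL lines it reports the SSLv3 and RC4/LOW findings mentioned above, and a hardened pair such as SSLProtocol all -SSLv2 -SSLv3 with SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!LOW:!EXPORT passes all three checks.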