apache_reverse_proxy_on_centos_6.5
Apache reverse proxy
Install an Apache reverse proxy with SSL
Install
- Install the EPEL repo (mod_proxy_html for CentOS 6 comes from EPEL, not from the base repos)
Install Apache, mod_ssl and mod_proxy_html
mod_ssl is a separate package on CentOS 6; it provides /etc/httpd/conf.d/ssl.conf, which is edited below.
yum install httpd mod_ssl mod_proxy_html
Install SSL keys
Copy the certificate and CA bundle to /etc/pki/tls/certs and the private key to /etc/pki/tls/private. Keep the key readable by root only (chmod 600); httpd reads it as root before dropping privileges.
Configure
Edit the Apache config
Tell httpd that port 443 carries name-based virtual hosts, and set the default SSL host:
vi /etc/httpd/conf/httpd.conf
NameVirtualHost *:443

vi /etc/httpd/conf.d/ssl.conf
ServerName reverse.<yourdomain>
SSLCertificateFile <your cert>
SSLCertificateKeyFile <your key>
SSLCertificateChainFile <your CA cert chain>
Name-based hosts on 443 only work when the client sends SNI (httpd 2.2.15 on CentOS 6 supports it), and every <VirtualHost> added later must use the same *:443 address to belong to that set.
Open port 443 with iptables
Check the line numbers first (iptables -L INPUT -n --line-numbers), or edit /etc/sysconfig/iptables. The stock CentOS 6 INPUT chain ends with a "REJECT all" rule, so a rule appended with -A lands behind it and never matches; insert the rule with -I at the line number of that REJECT rule instead.
iptables -I INPUT <line of the REJECT rule> -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
service iptables save
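The "check line numbers first" step, done programmatically, as an added example that is not part of the original page: the script finds the first REJECT rule in the INPUT chain and inserts the port-443 ACCEPT rule in front of it, and it carries two constructed listings (what the chain looks like after the page's -A command, and after a correct -I) to show why the appended rule is dead. The `--apply` flag, the function names and the sample listings are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: open port 443 by inserting the
# ACCEPT rule in front of the INPUT chain's first REJECT rule. On a stock
# CentOS 6 ruleset "iptables -A INPUT ..." lands after the trailing
# "REJECT all" rule and is never reached. The listings below are constructed
# samples of "iptables -L INPUT -n --line-numbers" output.

# Print the line number of the first REJECT rule read from stdin.
# Prints nothing and returns 1 when the chain has no REJECT rule.
first_reject_line() {
    awk '$2 == "REJECT" { print $1; found = 1; exit }
         END { exit !found }'
}

# Return 0 if an "ACCEPT tcp ... dpt:443" rule appears before the first
# REJECT rule, i.e. the rule can actually match a new HTTPS connection.
https_rule_reachable() {
    awk '$2 == "REJECT" { exit }
         $2 == "ACCEPT" && $3 == "tcp" && /dpt:443( |$)/ { ok = 1; exit }
         END { exit !ok }'
}

# Insert the rule at the REJECT rule's position (REJECT shifts down by one)
# and persist it to /etc/sysconfig/iptables. Needs root.
open_https_port() {
    pos=$(iptables -L INPUT -n --line-numbers | first_reject_line) || {
        echo "INPUT has no REJECT rule; a plain -A INPUT is fine here" >&2
        return 1
    }
    iptables -I INPUT "$pos" -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    service iptables save
}

# Constructed listing: the page's "-A" command run against a stock CentOS 6 chain.
SAMPLE_APPENDED='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443'

# Constructed listing: the same chain after "iptables -I INPUT 5 ...".
SAMPLE_INSERTED='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

if [ "${1:-}" = "--apply" ]; then
    open_https_port
else
    for sample in "$SAMPLE_APPENDED" "$SAMPLE_INSERTED"; do
        if printf '%s\n' "$sample" | https_rule_reachable; then
            echo "rule for dpt:443 is reachable"
        else
            echo "rule for dpt:443 sits after REJECT (line $(printf '%s\n' "$sample" | first_reject_line)) and is dead"
        fi
    done
fi
```

Run without arguments it only evaluates the two sample listings; `sh open443.sh --apply` as root performs the insert. After applying, `iptables -L INPUT -n --line-numbers | https_rule_reachable` is the check that the rule really precedes the REJECT.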
Start Apache and test SSL
service httpd restart

Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server reverse.<your local domain>:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

The prompt appears because the private key is encrypted: every restart, and every reboot, then needs someone at the console to type the pass phrase, so httpd will not come back up unattended.
Config reverse proxy
Create a wildcard A record for your domain pointing at the proxy, for example *.reverse.<yourdomain>, so that each app gets its own host name under reverse.<yourdomain>.
Edit /etc/httpd/conf.d/proxy_html.conf
vi /etc/httpd/conf.d/proxy_html.conf

# Off: httpd only forwards what ProxyPass defines. On would turn the box into an
# open forward proxy that anyone on the internet could relay through.
ProxyRequests Off

# Applies to every proxied request, so all apps sit behind HTTP basic auth
<Proxy *>
    Order allow,deny
    Allow from all
    AuthName "Password Required"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile <your htpasswd file>
    Require user <your required user>
</Proxy>

Require user takes user names; for a group use Require group with an AuthGroupFile, or Require valid-user to admit anyone in the htpasswd file. The AllowOverride line from the original only governs .htaccess lookups in <Directory> sections and does nothing inside <Proxy>, so it is left out. Basic auth sends the password base64-encoded on every request, which is only acceptable because the virtual hosts below are HTTPS-only.
Edit /etc/httpd/conf.d/ssl.conf
Create a virtual host for every app you want to reverse proxy. For example, for a Synology Rackstation:
<VirtualHost *:443>
    ServerName rackstation.reverse.<yourdomain>
    ErrorLog logs/rackstation_ssl_error_log
    TransferLog logs/rackstation_ssl_access_log
    LogLevel warn

    SSLEngine on
    # "all -SSLv2" alone still allows SSLv3, and the stock CentOS 6 cipher string
    # (ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW) admits RC4 and 56/64-bit
    # LOW ciphers; disable both and let the server pick the cipher.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLCertificateFile /etc/pki/tls/certs/<your cert>
    SSLCertificateKeyFile /etc/pki/tls/private/<your key>
    SSLCertificateChainFile /etc/pki/tls/certs/<your ca chain>
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    ProxyPass / http://rackstation.<your local domain>:5000/
    ProxyPassReverse / http://rackstation.<your local domain>:5000/
    ProxyHTMLURLMap http://rackstation.<your local domain>:5000 /
    <Location />
        ProxyHTMLEnable On
        ProxyPassReverse http://rackstation.<your local domain>:5000/
        SetOutputFilter proxy-html
    </Location>
</VirtualHost>

The address is *:443, not the _default_:443 of the original: a _default_ vhost does not match the NameVirtualHost *:443 line and is not part of the name-based set, so with several of them only the first would ever be served. The hop to the backend is plain HTTP on port 5000, so the backend must stay on the LAN; the <Proxy *> block in proxy_html.conf gates every request before it is forwarded.
Allow Apache to make outbound network connections (SELinux)
setsebool -P httpd_can_network_connect 1
This boolean lets httpd connect to any host and port. The narrower httpd_can_network_relay only allows connections to ports labelled for proxying (http_port_t and friends); to use it, label the backend port first, e.g. semanage port -a -t http_port_t -p tcp 5000 (use -m instead of -a if the port already has a type), then setsebool -P httpd_can_network_relay 1.
Restart Apache
service httpd restart
Tips
Basic auth through the reverse proxy
If a backend itself wants HTTP basic auth, let the proxy add the header in that app's virtual host (needs mod_headers, which the stock httpd.conf loads):
RequestHeader set Authorization "Basic XXXXX"
XXXXX is login:password base64-encoded, calculated with a simple shell command:
echo -n "back-end_login:back-end_password" | base64
The backend credential now sits in clear text in ssl.conf, and anyone who passes the proxy's own basic auth reaches the backend as that user: keep the file root-readable and use a low-privilege backend account.
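The per-app virtual host from the ssl.conf section and this backend basic-auth tip, combined into one generator, as an added example that is not part of the original page: it renders a hardened *:443 virtual host for a given app name, backend host and port, optionally with the Authorization header computed the way shown above. The reverse.example.com domain, the certificate paths and the demo backend rackstation.lan:5000 are assumptions of this example and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original page: render one hardened HTTPS
# virtual host per proxied app so that only the host name and backend differ
# between apps. The global <Proxy *> basic-auth block from proxy_html.conf
# still applies to everything rendered here. Assumptions (override via the
# environment): the reverse.<yourdomain> naming scheme and the cert paths.
REVERSE_DOMAIN=${REVERSE_DOMAIN:-reverse.example.com}
SSL_CERT=${SSL_CERT:-/etc/pki/tls/certs/reverse.crt}
SSL_KEY=${SSL_KEY:-/etc/pki/tls/private/reverse.key}
SSL_CHAIN=${SSL_CHAIN:-/etc/pki/tls/certs/ca-chain.crt}

# App and backend names are pasted into the config verbatim, so accept only
# host-name characters; a space or newline could smuggle in extra directives.
valid_label() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Authorization header value for a backend that wants its own basic auth
# (the page's "echo -n login:password | base64"; tr strips base64's line wrap).
basic_auth_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# render_vhost <app> <backend-host> <backend-port> [backend-user backend-password]
# Prints the <VirtualHost> block; returns 1 without output on bad input.
render_vhost() {
    app=$1; backend=$2; port=$3
    valid_label "$app" && valid_label "$backend" && valid_port "$port" || return 1
    origin="http://$backend:$port"
    auth_line="    # no backend credential"
    if [ $# -ge 5 ]; then
        auth_line="    RequestHeader set Authorization \"$(basic_auth_header "$4" "$5")\""
    fi
    cat <<EOF
<VirtualHost *:443>
    ServerName $app.$REVERSE_DOMAIN
    ErrorLog logs/${app}_ssl_error_log
    TransferLog logs/${app}_ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLCertificateFile $SSL_CERT
    SSLCertificateKeyFile $SSL_KEY
    SSLCertificateChainFile $SSL_CHAIN

    # Reverse proxy only; never a forward proxy
    ProxyRequests Off
$auth_line
    ProxyPass / $origin/
    ProxyPassReverse / $origin/
    ProxyHTMLURLMap $origin /
    <Location />
        ProxyHTMLEnable On
        ProxyPassReverse $origin/
        # Decompress before rewriting links, recompress afterwards
        SetOutputFilter INFLATE;proxy-html;DEFLATE
    </Location>
</VirtualHost>
EOF
}

# Usage: sh gen-vhost.sh rackstation rackstation.lan 5000 [user password] > /etc/httpd/conf.d/rackstation.conf
if [ $# -ge 3 ]; then
    render_vhost "$@"
else
    render_vhost rackstation rackstation.lan 5000   # constructed demo backend
fi
```

Each rendered host goes into its own file under /etc/httpd/conf.d (or is appended to ssl.conf, as on this page); run `service httpd configtest` before restarting. Rejecting anything but host-name characters in the arguments is what keeps a script like this safe to call from a provisioning tool.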
Enable compression
Solves the Firefox error "The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression." It appears when the backend already gzips its responses: the proxy-html filter then rewrites the compressed bytes as if they were HTML and corrupts the body. The fix is to inflate before proxy-html runs and re-deflate afterwards. (The alternative is RequestHeader unset Accept-Encoding in the virtual host, so the backend never compresses in the first place.)
Edit /etc/httpd/conf/httpd.conf
The <Directory /> part below only affects files served from disk; for proxied responses it is the filter chain in the virtual host's <Location> that matters.
vi /etc/httpd/conf/httpd.conf

<IfModule mod_deflate.c>
    AddEncoding x-compress Z
    AddEncoding x-gzip gz tgz
    DeflateCompressionLevel 9
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript

    # Setup custom deflate log
    DeflateFilterNote Input instream
    DeflateFilterNote Output outstream
    DeflateFilterNote Ratio ratio
    LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%)' deflate
    #CustomLog logs/deflate.log deflate

    <Directory />
        # Insert filter
        SetOutputFilter DEFLATE

        # Netscape 4.x has some problems...
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        # Netscape 4.06-4.08 have some more problems
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        # MSIE masquerades as Netscape, but it is fine
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        # Don't compress images or already-compressed files
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
        SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar|7z)$ no-gzip dont-vary

        # Make sure proxies don't deliver the wrong content (needs mod_headers)
        Header append Vary User-Agent env=!dont-vary
    </Directory>
</IfModule>
Edit your virtual host and change SetOutputFilter inside the <Location /> block, so that the response is decompressed before proxy-html rewrites it and compressed again afterwards:
vi /etc/httpd/conf.d/ssl.conf
#SetOutputFilter proxy-html
SetOutputFilter INFLATE;proxy-html;DEFLATE
Install mod_xml2enc, to fix character encoding
mod_xml2enc is not packaged for CentOS 6, so it is built from source with apxs, together with a matching mod_proxy_html that replaces the EPEL module. The sources are fetched over plain HTTP without a signature, so get them from a trusted network and look at what you are compiling into the web server. (httpd 2.4 ships both modules, so none of this is needed there.)
yum install httpd-devel libxml2-devel
yum groupinstall "Development tools"
cd /root
wget http://apache.webthing.com/mod_proxy_html/mod_proxy_html.zip
mkdir /root/mod_xml2enc
cd /root/mod_xml2enc
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.c
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.h
cd ..
unzip mod_proxy_html.zip
apxs -aic -I/usr/include/libxml2 /root/mod_xml2enc/mod_xml2enc.c
apxs -aic -I/usr/include/libxml2 -I/root/mod_xml2enc /root/mod_proxy_html/mod_proxy_html.c

vi /etc/httpd/conf/httpd.conf
# apxs -a appended the two LoadModule lines; add the LoadFile for libxml2 (the
# unversioned .so comes from libxml2-devel) above them in /etc/httpd/conf/httpd.conf
LoadFile /usr/lib64/libxml2.so
LoadModule xml2enc_module /usr/lib64/httpd/modules/mod_xml2enc.so
LoadModule proxy_html_module /usr/lib64/httpd/modules/mod_proxy_html.so
Configure the virtual host
Add this to each <VirtualHost>; * means the output keeps the backend's own charset instead of being converted:
ProxyHTMLCharsetOut *
apache_reverse_proxy_on_centos_6.5.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1