Configuring an Apache reverse proxy server with LetsEncrypt SSL certificates

From Mana zināšanu grāmata

Basic Proxying

Whether or not you have experience configuring Apache virtual hosts, setting up a basic reverse proxy is straightforward. First enable the modules on your server:

a2enmod proxy proxy_http proxy_ajp rewrite deflate headers proxy_balancer proxy_connect proxy_html

Only proxy, proxy_http and headers are strictly needed for what follows (the Let's Encrypt client enables ssl later). proxy_ajp, proxy_balancer and proxy_html are only useful if you have AJP backends, a backend pool, or need to rewrite links inside HTML bodies, and proxy_html requires the separate libapache2-mod-proxy-html package. proxy_connect exists for forward CONNECT tunnelling and is not used by a reverse proxy at all; whatever you enable, leave ProxyRequests at its default of Off so the server never becomes an open forward proxy.

Disable the default site

a2dissite 000-default

Now you have a choice: either create a virtual host for each service you proxy, or put them all in a single Apache site file. I prefer one file per internal service, so I will create a new site configuration:

vim /etc/apache2/sites-available/webservice-eden-localdomain.conf

Inside this site configuration, create a new virtual host listening on port 80. For more information on configuring a virtual host, see the Apache docs; there are many more options than the handful used here.

<VirtualHost *:80>

Give this virtual host a ServerName matching the public domain name your users will type (no quotes are needed):

ServerName webservice.acabey.xyz

Now the actual proxying (if you do not run internal DNS, use the static IP of the backend instead of its hostname). ProxyPreserveHost On forwards the client's Host header unchanged, so the backend sees webservice.acabey.xyz rather than its internal name and must be configured to answer for it. Keep the trailing slash identical on ProxyPass and ProxyPassReverse; if they differ, Location headers coming back from the backend are rewritten with a doubled slash.

ProxyPreserveHost On
ProxyPass / http://webservice.eden.localdomain/
ProxyPassReverse / http://webservice.eden.localdomain/

Your basic, still unencrypted virtual host should look something like this:

<VirtualHost *:80>
ServerName webservice.acabey.xyz
ProxyPreserveHost On
ProxyPass / http://webservice.eden.localdomain/
ProxyPassReverse / http://webservice.eden.localdomain/
</VirtualHost>


Internal SSL (Optional)

Of course, you will notice that there is no SSL/TLS anywhere in this setup, which is not acceptable for anything reachable from the internet. Solid security in a reverse proxy system looks like this:

Internet ←→ Reverse Proxy (LetsEncrypt SSL) ←→ Internal Service (self-signed SSL)

Ideally, you should set up a private internal CA (its root certificate is the self-signed part), install that root in the trust store of every machine on your internal network, and use a certificate issued by this CA on your internal web server. On the proxy, changing the ProxyPass and ProxyPassReverse targets from http to https is not quite all you need: mod_proxy refuses https:// backends unless SSLProxyEngine On is set in the virtual host, and the default SSLProxyVerify none encrypts the hop but accepts any certificate at all. Point SSLProxyCACertificateFile at your CA root and set SSLProxyVerify require so the proxy actually authenticates the backend.

Configuring LetsEncrypt

To really step up your security, we will use Let's Encrypt to establish TLS with our users on the internet.

There are countless guides on how to use Let's Encrypt, but to keep it brief (assuming a Debian/Ubuntu system):

sudo apt install python-letsencrypt-apache
sudo letsencrypt --apache -d webservice.acabey.xyz

The package and the command have since been renamed: on current Debian and Ubuntu releases install python3-certbot-apache and run certbot --apache -d webservice.acabey.xyz instead; the prompts and the resulting configuration are the same.

In the interactive prompt, choose to allow both HTTP and HTTPS connections; we will add the redirect ourselves in a moment. Go back into your Apache site config and notice that you now have a second virtual host listening on port 443, with SSLCertificateFile and SSLCertificateKeyFile pointing into /etc/letsencrypt/live/webservice.acabey.xyz/.


Before we continue with that, you should first redirect HTTP to HTTPS. Go to the virtual host listening on port 80 and move (cut, not copy) your proxying directives into the new 443 virtual host. In their place, add a permanent redirect to the HTTPS site:

Redirect permanent / https://webservice.acabey.xyz/

Remove the Alias directive as well. It matters that no ProxyPass remains in the port 80 virtual host; otherwise the service stays reachable over plain HTTP for any client that simply ignores the redirect.

Proxying SSL

Although you are very close, there is one more detail when proxying TLS traffic: the backend only ever sees plain HTTP arriving from the proxy, so it has to be told that the original request came in over HTTPS, or it will generate http:// links and redirects of its own. In the 443 virtual host, add a global Location section, which we will use to set the headers that carry this information:

<Location "/">
RequestHeader set X-Forwarded-Proto https
RequestHeader set X-Forwarded-Ssl on
RequestHeader set X-Url-Scheme https
</Location>

Because RequestHeader set replaces any header of the same name the client sent, an internet client cannot inject a false value here. mod_proxy already adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server on its own; whichever of these the backend consumes, it should trust them only on requests that arrive from the proxy's address.

Make sure that your original proxy settings are now in the 443 virtual host. By the end, your Apache site configuration should look something like this:

[Image: Reverse-proxy-config-orig.png, the finished site configuration file]
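The finished site file written out, reconstructed from the steps above as an added example (it is not the page's own file and not a transcript of the screenshot). It assumes the names used throughout, the certificate paths the Let's Encrypt client creates under /etc/letsencrypt/live/webservice.acabey.xyz/, and, for the optional internal TLS hop from the Internal SSL section, an internal CA root at /etc/ssl/certs/eden-internal-ca.pem (a hypothetical path):

```apache
# /etc/apache2/sites-available/webservice-eden-localdomain.conf
# Added example, not the original page's file. Assumed: the public name
# webservice.acabey.xyz, the backend webservice.eden.localdomain, and an
# internal CA root at /etc/ssl/certs/eden-internal-ca.pem (hypothetical).

# Port 80 serves nothing itself; every request is sent to HTTPS.
# Keep ProxyPass out of this block, or the service stays reachable in clear.
<VirtualHost *:80>
    ServerName webservice.acabey.xyz
    Redirect permanent / https://webservice.acabey.xyz/
</VirtualHost>

<VirtualHost *:443>
    ServerName webservice.acabey.xyz

    SSLEngine on
    # Paths created by the Let's Encrypt client; renewals update them in place.
    SSLCertificateFile    /etc/letsencrypt/live/webservice.acabey.xyz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/webservice.acabey.xyz/privkey.pem
    # Keep the protocol/cipher settings the installer added.
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Reverse proxy only. ProxyRequests On would make this an open forward proxy.
    ProxyRequests Off
    # Backend sees the public host name; it must be configured to answer for it.
    ProxyPreserveHost On

    # Tell the backend the client really used HTTPS. "set" overwrites any
    # value the client supplied, so these cannot be spoofed from the internet.
    <Location "/">
        RequestHeader set X-Forwarded-Proto https
        RequestHeader set X-Forwarded-Ssl on
        RequestHeader set X-Url-Scheme https
    </Location>

    # Optional internal TLS hop (Internal SSL section). Without SSLProxyEngine
    # On, mod_proxy refuses https:// backends; without the CA file and
    # SSLProxyVerify require the hop is encrypted but not authenticated.
    SSLProxyEngine On
    SSLProxyCACertificateFile /etc/ssl/certs/eden-internal-ca.pem
    SSLProxyVerify require
    # With ProxyPreserveHost On the name Apache checks (and sends as SNI) is
    # the public one, so issue the internal certificate with SANs for both
    # webservice.eden.localdomain and webservice.acabey.xyz.
    SSLProxyCheckPeerName on

    # Identical trailing slash on both directives, otherwise Location headers
    # from the backend are rewritten to //path.
    ProxyPass        / https://webservice.eden.localdomain/
    ProxyPassReverse / https://webservice.eden.localdomain/
</VirtualHost>
```

If you skip the internal TLS hop, drop the four SSLProxy* lines and change the two proxy targets back to http://. After saving, run apache2ctl configtest and reload Apache; curl -I http://webservice.acabey.xyz/ should answer with a 301 to the https:// URL, and curl -I https://webservice.acabey.xyz/ should return the backend's response.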