httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From A M <amm.pr...@gmail.com>
Subject Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends [SOLVED]
Date Mon, 09 Mar 2015 18:45:56 GMT
Thanks to the hints provided by Igor Cicimov, I was able to set up the
desired configuration.
Just in case someone might find it useful, am citing here the full recipe.

Cheers - Andy.



Given:
----------
1. Three public names, "apachefrontend.example.com", "appserver1.example.com
"
and "appserver2.example.com" are all pointing to the same IP defined with
three
identical "A" records inside DNS; an institutional firewall forwards ports
80
and 443 to a web server "www.backend" sitting on a private network behind
the firewall;

2. Two distinct hosts, "appserver1.backend" and "appserver2.backend" run
unmodifiable vendor-provided HTTP-only-based services of different kind;
they
are also situated on the "backend" private network and cannot be reached;

Goal:
-----------
Set up the "www.backend" as a reverse proxy for the two internal servers in
such a way that the outside connection passes via HTTPS while internal still
goes over a plain HTTP.

Receipe:
------------

The "www.backend" is a Centos 6.X host with a default httpd rpm installed.
One more RPM was added, mod_proxy_html:

# rpm -q httpd mod_proxy_html
httpd-2.2.15-39.el6.centos.x86_64
mod_proxy_html-3.1.2-6.el6.x86_64


Our first action was to generate the wildchar SSL cert and key for
"*.example.com" on the proxy host "www.backend" with the following command:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048  \
-keyout /etc/pki/tls/private/localhost.key -out
/etc/pki/tls/certs/localhost.crt

Then, to have a one-page view of the configuration we rename the default
"ssl.conf"
file from "/etc/httpd/conf.d/ssl.conf" into
"/etc/httpd/conf.d/ssl.conf.disab"
and copy a couple of relevant lines from there directly into the main config
file "/etc/httpd/conf/httpd.conf". The relevant part of the final file
"httpd.conf"
may be seen below. It includes the forced redirection of port 80 requests
to the
port 443 of the *right* backend server done with the help of "RewriteEngine"
followed by the  <VirtualHost *:443> sections (one per backend server) that
contain the corresponding SSL, Proxy, ProxyReverse and ProxyPreserveHost
directives).

....
# Proxy-related load pack
LoadModule headers_module    modules/mod_headers.so
LoadFile   /usr/lib64/libxml2.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so

# General SSL options transferred from ssl.conf for better viewing
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost *:80
NameVirtualHost *:443

# Decide which virtual host to address and enforce usage of port 443 on the
right proxy host
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>


# Our "Mother host", apachefrontend.example.com, is still available for
hosting of some web site
<VirtualHost *:443>
ServerName apachefrontend.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# Appserver 1
<VirtualHost *:443>
ServerName appserver1.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

ProxyRequests Off
ProxyPass / http://appserver1.backend/
ProxyPassReverse / http://appserver1.backend/
ProxyPreserveHost On

</VirtualHost>


# Appserver 2
<VirtualHost *:443>
ServerName appserver2.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

ProxyRequests Off
ProxyPass / http://appserver2.backend/
ProxyPassReverse / http://appserver2.backend/
ProxyPreserveHost On

</VirtualHost>

Mime
View raw message