I am trying to restrict access to apache on one port (for example, 80) so that only the localhost can send requests (for example, for accessing APIs).
I have edited the /etc/apache2/ports.conf as
Listen 127.0.0.1:100
But when I call the API from localhost bash at one of the domains configured in apache, for example via
curl "https://www.example.com:100"
it returns
curl: (7) Failed to connect to www.example.com port 100: Connection refused
Why is it refusing even if the call is from localhost?
Related
I Have configured Both Apache and Wildfly to use AJP in order to achieve the Proxy so i can produce Access-logs
Acccess Logs are Enabled from management profile of Wildfly
Port is listening on 8009
Apache has a Virtual Host listening on port 80
configured with the ProxyPass command.
Access Pattern is configured
and the result is receiving logs that have been proxied but not the original client ip is diplayed but only the loopback of 127.0.0.1
So am asking about a way to reveal the client Ip that requests the Apache Server.
syntax is okay and %a does display the 127.0.0.1
Thanks!
I have tried multiple access patterns (%a,%h,{i,xxx}...
I have tried both X-Forward-For ,X-Forwarded-For on Apache PreserveHost On etc..
I have tried tcpdump the port 8009 receiving 0 packets on the monitoring
I have the following setup:
one public IP
2 different domain names pointing to the same IP above: domain1.com and domain2.com
2 different ssl certificates: one for domain1.com and one for domain2.com
2 physical machines on the same LAN (192.168.1.10 and 192.168.1.20) running Apache2 and debian 8.5
I tested both servers indipendently forwarding the 443 port traffic to either of the machines. They work nicely.
Now, I am forwarding all port 443 requests arriving to the public IP to the first server at 192.168.1.10 and I would like this server to act as a https server for https://domain1.com and redirect the requests for https://domain2.com to address 192.168.1.20
I have tried to configure a reverse proxy in the first machine. It does redirect the requests for domain2 to the machine at 192.168.1.20 BUT it serves the certificate for domain1.
How can I configure reverse proxy as to present the right certificate for each one of my servers?
thank you in advance.
julia
Easiest "solution" (well, workaround) would be to use a single certificate that contains both hostnames. If you cannot do that, then you need to configure Apache SNI, like so: SSL with Virtual Hosts Using SNI
As some suggested I tried to use the Apache2 reverse proxy.
This somehow works but you have to install all the certificates on the machine running Apache2. Thus the trafic on the lan is no longer https which does not satisfy my requirement.
The solution is to use haproxy. This package can be set up as a pass through for https. There are many examples of such applications on the internet. It does exactly what I am asking for: I can host many https servers on a lan behind a nat router with one single public IP. The trafic is sent by haproxy as https to the indicated server on the LAN. If anyone is interested, I will be glad to share my config file solving precisely the problem I set out in my question.
To Robert M:
here is my configuration to be added at the end of the default haproxy.cfg file:
frontend ft_https
mode tcp
option tcplog
bind *:443
tcp-request inspect-delay 5s
tcp-request content accept if { req.ssl_hello_type 1 }
acl domain1_com req.ssl_sni -m end domain1.com # all url ending with domain1.com
acl domain2_com req.ssl_sni -i www.domain2.com # exactly www.domain2.com
use_backend b_domain1_com if domain1_com
use_backend b_domain2_com if domain2_com
default_backend b_default
backend b_default
mode tcp
option tcplog
server srv_default 127.0.0.1:1443
backend b_domain1_com
mode tcp
option tcplog
server srv_domain1 192.168.1.10:1443
backend b_domain2_com
mode tcp
option tcplog
server srv_domain2 192.168.1.20:443
I had to change the https port for apache on the first server to 1443 because both haproxy and apache cannot bind to the same 443 port as they reside on the same machine, but it is transparent to the user.
I was using virtual box and have had httpd installed on it, the network was configured as 'nat' and I forward port 8080 of Host Machine to port 80 of Virtual Machine.
Then I tried to access the Website hosted on the virtual machine via curl localhost:8080 -vv, but I got Empty reply from server, instead if I use curl 127.0.0.1:8080 -vv then everything is ok, why would it be like this ?
It seems that it is possible to get Apache server to Proxy and Manage SSL handshake on https requests and service them as 'http' thru another server behind it.
I have configured an apache server for ProxyPass using following configuration
SSLProxyEngine On
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/
I am able to get all all traffic to the apache server that is listening to port 8080 direct and serve by the localhost:8081 server so
http://localhost:8080/hi is being correctly served by http://localhost:8081/hi
However the following does not work :
http**s**://localhost:8080/hi to be served by http://localhost:8081/hi
Apache is trying to pass the https:// traffic to the 8081 server, without managing the SSL handshake.
Your Apache listener on port 8080 is an http listener, not an https listener. You can't handle both types of traffic on the same port. If you want to handle SSL traffic, you'll need to set up a new context on another port with SSLEngine On and all the other normal SSL configuration (certificate, key, etc).
This question has one version of this configuration.
Also this post.
I am running a NodeJS app on apache and using mod_proxy to forward requests on 443 to the nodeJS app.
This works fine on port 80, but when I try to set it up for port 443, I get the following error in apache:
[error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
It appears that this error is caused because I am trying to listen on port 443 in apache but not providing an ssl certificate... but I dont need to as my NodeJS app is performing the SSL.
How can I tell apache to ignore this error?
What you are trying cannot work. A client connecting to port 443 will speak HTTPS/SSL - so the application that handles the connection needs to use SSL for connections on that port.