Does ASP.NET Core Kestrel need to run on HTTPS in production? - apache

I am potentially planning to run ASP.NET Core on Linux behind an Apache reverse proxy.
When running ASP.NET Core, does it need to be running on HTTPS?
I can set the Apache HTTPS directives as follows, and when I access this from the browser it works fine.
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ServerName app.domain.com
ServerAlias *.app.domain.com
ErrorLog ${APACHE_LOG_DIR}/helloapp-error.log
CustomLog ${APACHE_LOG_DIR}/helloapp-access.log common
Are there any issues with this?

In my opinion, if you have enabled HTTPS on Apache and just use HTTP redirection between Apache and the Kestrel server, you can use HTTP. Like this:
Browser ---> https ---> Apache --> http ---> kestrel.
This will not cause a security issue. HTTPS helps prevent intruders from tampering with the communications between your websites and your users' browsers. If someone hacks your server to capture the HTTP request, he could also get all of your server's information.

Related

Are there security issues configuring Apache as an HTTPS reverse proxy to an ASP.NET Core non-SSL application?

I am not certain this is ready to be brought into a production environment.
Essentially, I have an SSL certificate for my public URL (https://*.example.com) but my ASP.NET Core 2.1 application (and a Kestrel service configured only on port 5000) has never been configured to use HTTPS.
In Apache I configured a virtual host to redirect requests from port 80 to 443, then another one for reverse-proxying port 443 (incoming) to 5000 on the backend:
# Force usage of https for public requests
<VirtualHost *:80>
ServerName aspnet01.example.com
Redirect / https://aspnet01.example.com
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ServerName aspnet01.example.com
ServerAlias *.example.com
ErrorLog /opt/bitnami/apache2/logs/aspnet01_error.log
CustomLog /opt/bitnami/apache2/logs/aspnet01_access.log combined
</VirtualHost>
And on the firewall there are only two ports open, 80 and 443, and 22 for server administration.
I'm wondering what the risks are of publishing my app this way; I trustfully rely on the fact that traffic from outside is encrypted and nobody is sniffing my internal network.
More generally, is it enough to put an old application (that doesn't use HTTPS) behind a reverse proxy, to consider it secure?
I'm using LAMP on Ubuntu 16.04. Thanks in advance.
The Kestrel app will only be as secure as your reverse proxy configuration and network is, but that's generally an acceptable way to handle security, as it reduces the overhead within your network between Kestrel and the reverse proxy.
Per Microsoft's documentation:
A reverse proxy:
Can limit the exposed public surface area of the apps that it hosts.
Provide an additional layer of configuration and defense.
Might integrate better with existing infrastructure.
Simplify load balancing and secure communication (HTTPS) configuration. Only the reverse proxy server requires an X.509 certificate, and that server can communicate with the app's servers on the internal network using plain HTTP.
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1#when-to-use-kestrel-with-a-reverse-proxy
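The first two threads describe the same topology (TLS terminated at Apache, plain HTTP to Kestrel on 127.0.0.1:5000), and the part both configs leave out is the application side: Kestrel must be unreachable except via the proxy, and must honour X-Forwarded-* headers only from that proxy so that Request.Scheme, HSTS and Secure cookies reflect the original https request. The following Program.cs is an added example, not code from either post or from Microsoft's docs; it uses .NET 6+ minimal hosting (the ForwardedHeaders middleware it relies on also exists in ASP.NET Core 2.1 and 3.1) and assumes Apache is configured with ProxyPreserveHost On plus RequestHeader set X-Forwarded-Proto "https", since mod_proxy sets X-Forwarded-For and X-Forwarded-Host itself but not X-Forwarded-Proto.

```csharp
// Added example (not from either post): Kestrel behind Apache with TLS terminated at the proxy.
// Assumed Apache side: ProxyPass / http://127.0.0.1:5000/, ProxyPreserveHost On,
// and RequestHeader set X-Forwarded-Proto "https" on the *:443 virtual host.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Bind to loopback only: the plaintext listener must not be reachable from the network,
// so a later firewall mistake cannot expose it. Never use 0.0.0.0 in this topology.
builder.WebHost.UseUrls("http://127.0.0.1:5000");

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Scheme and client address are the values Apache changes; Host arrives intact
    // because of ProxyPreserveHost, so XForwardedHost is not needed.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    // Replace the defaults with exactly the local Apache instance: X-Forwarded-* is then
    // honoured only when the direct peer is 127.0.0.1, never from an arbitrary caller.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownProxies.Add(IPAddress.Loopback);
    options.ForwardLimit = 1; // exactly one proxy hop sits in front of Kestrel
});

var app = builder.Build();

// Must run before anything that inspects Request.Scheme or Request.IsHttps.
app.UseForwardedHeaders();
// HSTS is only emitted when the (forwarded) scheme is https, so it needs the line above.
// No UseHttpsRedirection here: the *:80 vhost in the post already redirects to 443.
app.UseHsts();

app.MapGet("/", (HttpContext ctx) =>
{
    // With the headers honoured this reports scheme=https and the real client address,
    // so absolute URLs generated by the app and Secure cookies are correct.
    ctx.Response.Cookies.Append("session", "constructed-placeholder-value",
        new CookieOptions { Secure = true, HttpOnly = true, SameSite = SameSiteMode.Lax });
    return $"scheme={ctx.Request.Scheme} client={ctx.Connection.RemoteIpAddress}";
});

app.Run();
```

A quick check after deploying: a request through Apache should report scheme=https and the browser's address, while a request made directly on the host to 127.0.0.1:5000 without the header reports scheme=http and no HSTS header.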

Apache reverse Proxy in Plesk 12 (for ASP.Net Core)

At the moment I am trying to get an ASP.NET Core application running on my server. This server runs Debian 8, Apache 2 and Plesk 12. The application runs on port 5000 and I wanted to add a reverse proxy on a specific subdomain to make the application available from outside.
I have created a subdomain and added additional configuration as follows:
RewriteEngine On
ProxyPreserveHost On
ProxyRequests Off
ProxyErrorOverride Off
ProxyPass / http://localhost:5000/
ProxyPassReverse / http://localhost:5000/
When using this, I only get a server error when browsing, stating
The server encountered an internal error or misconfiguration and was unable to complete your request.
I searched Stack Overflow, the ASP.NET Core documentation and other forums, which actually state to use my config (or a subset of it). Installing nginx is not an option because of other projects running on this server.
Do you have an idea what I am missing?
Thanks for your help!

How to load a JSF application that sits behind an Apache reverse proxy

I have a JSF 2.x web app serving incoming requests behind an Apache reverse proxy server. The app name is "foo", hosted on a Tomcat server whose FQDN is "fooweb.com", and the reverse proxy server's FQDN is "barweb.com".
So I created a foo_conf file on the proxy server with the following directives:
<VirtualHost *:4443>
ServerName barweb.com
ProxyPass /foo https://fooweb.com:8443/foo
ProxyPassReverse /foo https://fooweb.com:8443/foo
</VirtualHost>
Three scenarios I observed after restarting the proxy server:
If I don't go through the reverse proxy server, I have access to the resources by entering the URL "https://fooweb.com/foo/faces/index.xhtml".
If I go through the proxy server by entering the URL "https://barweb.com/foo", the server returns "http status 404 - /foo/" to the client.
If I fully specify the resource and pass it to the proxy server, such as "https://barweb.com/foo/faces/index.xhtml", then I have access to the resources just fine.
What I would like to achieve is that entering "https://barweb.com/foo" properly points to "https://barweb.com/foo/faces/index.xhtml". I'd appreciate your advice and guidance on this matter. Thank you!

Reverse Proxy with Apex and Weblogic

I have multiple applications running in Oracle APEX 5. They are served through ORDS and WebLogic 12.2, with a web front end serving as the reverse proxy. It may sound dumb, but that's what we were tasked to do. I used mod_proxy to get the reverse proxy going, but I'm having issues hiding the application number. The original URL is devapp101.cloud.com:7003/ords/f?p=101. What I want users to navigate to is devapex.cloud.com; what I have is devapex.cloud.com/ords/f?p=101. Here is the config I've got right now. What can I do to have users only use devapex.cloud.com?
###devapex.cloud.com
<VirtualHost *:80>
ServerAdmin admin#cloud.com
ServerName devapex.cloud.com
ErrorLog logs/devapex.error_log
CustomLog logs/devapex.access_log common
### re-direct to the appropriate server
ProxyPreserveHost On
#RequestHeader set WL-Proxy-SSL true
ProxyPass / http://devapp101.cloud.com:7003/
ProxyPassReverse / http://devapp101.cloud.com:7003/
</VirtualHost>
I've looked at mod_rewrite, but I'm not seeing how that can do what I want. Please excuse my noobness here, but I've searched everywhere for this scenario and I have not found it anywhere.
You need to configure the 'Oracle WebLogic Server Proxy Plug-In' to proxy requests from the web front end to WebLogic.
Check the document:
https://docs.oracle.com/middleware/1221/webtier/develop-plugin/toc.htm
What is your web front end that serves the reverse proxy?
Check the documents that match the middleware of your web front end.
(If 'Apache HTTP Server', check 'Configuring the Plug-In for Apache HTTP Server'.)

Jenkins behind Apache Server / Can't log in Jenkins

I'm running an Apache Server 2.2 to handle Jenkins and Sonatype Nexus (both installed as Windows services). While Sonatype Nexus runs perfectly, Jenkins doesn't. To be more specific: I can't log in to Jenkins. Just for your notice: we are using LDAP to log in, but this can't be the reason for the login failure, as login from localhost works.
If I try to log in to Jenkins from localhost:8071 it works perfectly.
When I log in from another system via the network (using https://myServer.com:8095/) I can browse and configure Jenkins, but I can't log in. Whenever I try, I get "redirected" to the Jenkins page I was on before hitting the "login" button.
Security settings are set to "everyone can do anything" -> can't be the reason either.
Hint 0: As you may already have noticed, we are using HTTPS for any request from the outside dedicated to the server. But within the server Apache only uses HTTP to handle information -> could this lead to problems?
Hint 1: I only get "redirected" when using correct login parameters. Using wrong ones leads me to the "Invalid login information. Please try again." page.
Hint 2: Sonatype Nexus is running behind the same Apache Server and works great.
Potential reason: I guess the reason why I can log in via localhost, but not via the network, must be our Apache 2.2 server, which is handling information wrong. By using localhost I can bypass Apache (-> works), but via the network Apache gets used (-> doesn't work).
Any ideas how to fix this, or at least what the reason could be?
Here are some settings from the Apache server (httpd-ssl.conf) that might be useful:
<VirtualHost *:8095>
ServerName myServer.com
ServerAdmin admin#myServer.com
# Nexus via HTTPS.
ProxyPass /nexus http://localhost:8072/nexus
ProxyPassReverse /nexus http://localhost:8072/nexus
ProxyPassReverseCookiePath / /nexus
RequestHeader set X-Forwarded-Proto "https"
ErrorLog logs/nexus_error_ssl.log
CustomLog logs/nexus_access_ssl.log common
# Jenkins via HTTPS.
ProxyPass / http://localhost:8071/ nocanon
ProxyPassReverse / http://localhost:8071/
ProxyPassReverse / http://my.host.com/
# also tested second ProxyPassReverse with specific port
ProxyPassReverseCookiePath / /
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyRequests Off
AllowEncodedSlashes NoDecode
SSLEngine on
I'm not sure if I describe my solution correctly, since my colleague found the answer, not me.
Apache was handling HTTPS (incoming from Jenkins) correctly (requests reached LDAP), but was unable to pass HTTP information (incoming from LDAP) correctly (login was not possible).
So he took a look at the HTTP settings and configured them to enable HTTP. This led to our goal -> we can log in now, BUT it also leads to another problem -> HTTP is enabled and usable for users...
On this page, it hints that you might need to add another ProxyPassReverse to fix HTTP links generated by Jenkins:
ProxyPassReverse / http://your.host.com:8095/
Also, it mentions that you should add
ProxyPreserveHost On
to your config. Please check the link for further information.