I have an Apache web server (v2.4.43) behind my router and I want to restrict the access to it from outside. First, to allow only the https protocol (by redirect) and second, to enable the access just for one single client certificate.
How should I configure the web server for the second topic?
KI
For Apache 2.4, you would use the Require IP directive. So to only allow machines from single machine or the 192.168.0.0/24 network (range 192.168.0.0 - 192.168.0.255)
<VirtualHost *:80>
<Location />
Require ip 192.168.0.0/24
</Location>
...
</VirtualHost>
If you want to authorise certain certificates more specifically, you can check variable SSL variables (e.g. SSL_CLIENT_S_DN_*) and use it in an SSLRequire directive. Refer httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire
Related
I have an apache server with a bought domain.
I want to know if it is possible to redirect some web pages... For example
I have a NextCloud Server that I want to access by www.example.com/nextcloud
And a plex server I want to access by www.example.com/plex
PD: I don't have the possibilities of subdomains like www.plex.example.com because I didn't hire it when I bought the domain
Is this possible? How do I need to configure apache virtualhost? Thanks!
You mention that you want to access by www.example.com/nextcloud and by www.example.com/plex. I will therefore take for granted that you do not want the site address to change in your client's browser. So no redirection here. Redirection would change the address bar value.
Then the option you want is a reverse proxy. It will "hide" the fact that the client is being served pages by another site or application.
Assumptions:
You have system 1 with an Apache server that responds to http://www.example.com
You have system 2 with an application that responds to http://www.domain1.com/nextcloud.
You have system 3 with an a plex application that reponds to http://www.domain2.com/plex
Therefore on system 1, in the configuration file for your Apache (most probably httpd.conf), you will:
load the proxy modules
add these lines in your <VirtualHost>:
<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
[... SOME OTHER CONFIG ...]
ProxyPass "/nextcloud" "http://www.domain1.com/nextcloud"
ProxyPassReverse "/nextcloud" "http://www.domain1.com/nextcloud"
ProxyPass "/plex "http://www.domain2.com/plex"
ProxyPassReverse "/plex" "http://www.domain2.com/plex"
[... SOME OTHER CONFIG ...]
</VirtualHost>
Now domain1.com and domain2.com can be IP addresses, but using dns is so much better for flexibility. Adjust this sample as required.
Complete mod_proxy documentation: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
I have a server running both Apache and IIS. IIS is using port 80 and every domain name hosted on the server using iis works fine. Now i also have apache running and is listen on port 8080. Is is possible that i have a domain www.example.com and it uses Apache, but i do not have to type www.example.com:8080 to get the site , but i go on www.example.com to get the site. I can host php on iis and all that but i want to use Apache for that website. I am currently this on httpd.conf
<VirtualHost *>
DocumentRoot "${path}/data/localweb/example"
ServerName www.example.com
<Directory "${path}/data/localweb/example">
Options FollowSymLinks Indexes
AllowOverride All
Order allow,deny
Allow from all
#Deny from all
Require all granted
</Directory>
# Other directives here
</VirtualHost>
If you have the ability to use multiple IP address oh the web server you could bind the IIS site to one on port 80 and the Apache site to port 80 on the second. If it's a VM you can just add another virtual network interface, if it's a physical server you can add a new network card.
If you only have one IP address you could setup ARR+ URL rewrite to use the IIS server to act as a reverse proxy to the apache site.
I am trying to manage 2 domains with one server (running proxmox with several CT), I am using reverse proxy but seems to be wrong.. here's my configuration:
Let's say we have the main server running proxmox where I managed IPTables to redirect port 80 to the port 80 of my first container (CT01) and port 8109 to port 80 of my second container (CT02).
While using the port in my browser, everything is working well, and I am able to reach each container.
I bought 2 domain names, one for my private server (CT01) and another one for a business server (CT02). I associated both of the domain to my server address, and while typing one or another of them I am redirected to CT01 (normal, browser is running the address to the default port).
So now I tried to use reverse proxy in order to redirect to the desired server (DomainA -> CT01, DomainB -> CT02), I created 2 files in /var/apache2/sites-available/ :
/var/apache2/sites-available/domainA.com:
<VirtualHost *:80>
ServerName domainA.com
DocumentRoot /var/www/
</VirtualHost>
/var/apache2/sites-available/domainB.com:
<VirtualHost *:80>
ServerName domainB.com
ProxyPreserveHost On
ProxyRequests On
ProxyPass / http://x.y.z.h:8109/
ProxyPassReverse / http://x.y.z.h:8109/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
Then I runned a2ensite domainA.com and a2ensite domainB.com. I restarted my apache service.
But nothing have changed: both my domainA and domainB redirect me to the same container (CT01).
Any idea?
What i may suggest is doing a new CT just to host a proxy (nginx for example) that will route the requests to one or the other site depending of the Host: field value of the HTTP request. This may be a little bit overkill if it's just for two sites, but when you want to have more, it can be very useful. Plus the NGinx can be used to cache, etc.
Let me know if you are interested. I know a tutorial that you may follow, but it's in french : http://blog.ganbaranai.fr/2013/08/il-etait-une-fois-proxmox-derriere-une-ip-unique/
Hope it helps.
Regards,
We are using ProxyPass to redirect all "/r" requests to jboss on port 18080 as follows:
ProxyPreserveHost on
ProxyPass /r http://localhost:18080/redirectService/
ProxyPassReverse /r http://localhost:18080/redirectService/
But, that causes the IP address logged in jboss's access log as "127.0.0.1". Does somebody know how can we preserve the original IP from where the request came in HttpServletRequest? We want to acesss it from jboss servlet request in doGet()
You can get the original host from X-Forwarded-For header field.
The answer of JasonW is fine. But since apache httpd 2.4.6 there is a alternative: mod_remoteip
All what you must do is:
May be you must install the mod_remoteip package
Enable the module:
LoadModule remoteip_module modules/mod_remoteip.so
Add the following to your apache httpd config. Note that you must add this line not into the configuration of the proxy server. You must add this to the configuration of the proxy target httpd server (the server behind the proxy):
RemoteIPHeader X-Forwarded-For
# replace IP with the remote server you trust
RemoteIPInternalProxy 10.123.123.1/24
See at http://httpd.apache.org/docs/trunk/mod/mod_remoteip.html for more information and more options.
Security warning! Only do this for proxies you trust. Otherwise someone can fake their IP.
This has a more elegant explanation and more than one possible solutions. http://kasunh.wordpress.com/2011/10/11/preserving-remote-iphost-while-proxying/
The post describes how to use one popular and one lesser known Apache modules to preserve host/ip while in a setup involving proxying.
Use mod_rpaf module, install and enable it in the backend server and add following directives in the module’s configuration.
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1
(2017 edit) Current location of mod_rpaf: https://github.com/gnif/mod_rpaf
If you have the capability to do so, I would recommend using either mod-jk or mod-proxy-ajp to pass requests from Apache to JBoss. The AJP protocol is much more efficient compared to using HTTP proxy requests and as a benefit, JBoss will see the request as coming from the original client and not Apache.
If you are using Apache reverse proxy for serving an app running on a localhost port you must add a location to your vhost.
<Location />
ProxyPass http://localhost:1339/ retry=0
ProxyPassReverse http://localhost:1339/
ProxyPreserveHost On
ProxyErrorOverride Off
</Location>
To get the IP address have following options
console.log(">>>", req.ip);// this works fine for me returned a valid ip address
console.log(">>>", req.headers['x-forwarded-for'] );// returned a valid IP address
console.log(">>>", req.headers['X-Real-IP'] ); // did not work returned undefined
console.log(">>>", req.connection.remoteAddress );// returned the loopback IP address
So either use req.ip or req.headers['x-forwarded-for']
I am attempting to setup our servers to allow traffic over SSL. I am aware that SSL does not work with Name Virtual Host, but we have all of our Apache servers on virtual machines with dedicated private IPs. We have a primary virtual machine that has mod_proxy setup to route traffic to the appropriate VMs.
However, in order to route HTTPS traffic we need to have the certificate installed on the proxy as well as the VMs. We have a wildcard certificate that can be used across all of our hosts. Everything appears to work properly, but I receive the following in the Apache logs for the proxy:
[warn] Init: SSL server IP/port conflict: host1.example.com:443 (/etc/apache2/sites-enabled/host1:1) vs. host2.example.com:443 (/etc/apache2/sites-enabled/host2:1)
There is one of these error message for each host we have setup on the proxy. Our Virtual Host setup for the proxy is posted below:
<VirtualHost ipaddress:443>
ServerName host1.example.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / https://privateip:443/
ProxyPassReverse / https://privateip:443/
SSLProxyEngine on
SSLEngine on
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
Is there any way that I can get this to work?
It sounds like Apache is warning you that you have multiple <VirtualHost> sections with the same IP address and port... as far as getting it to work without warnings, I think you would need to use something like Server Name Indication (SNI), a way of identifying the hostname requested as part of the SSL handshake. Basically it lets you do name-based virtual hosting over SSL, but I'm not sure how well it's supported by browsers. Other than something like SNI, you're basically limited to one SSL-enabled domain name for each IP address you expose to the public internet.
Of course, if you are able to access the websites properly, you'll probably be fine ignoring the warnings. These particular ones aren't very serious - they're mainly an indication of what to look at if you are experiencing problems
As far as I know, Apache supports SNI since Version 2.2.12
Sadly the documentation does not yet reflect that change.
Go for http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI until that is finished
You may be able to replace the:
VirtualHost ipaddress:443
with
VirtualHost *:443
You probably need todo this on all of your virt hosts.
It will probably clear up that message. Let the ServerName directive worry about routing the message request.
Again, you may not be able to do this if you have multiple ip's aliases to the same machine.
The VirtualHost would look like this:
NameVirtualHost IP_Address:443
<VirtualHost IP_Address:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt # Where "ca" is the name of the Certificate
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
ServerAdmin webmaster#example.com
DocumentRoot /var/www/html
ServerName www.example.com
ErrorLog logs/www.example.com-error_log
CustomLog logs/www.example.com-access_log common
</VirtualHost>
First you need NameVirtualHost ip:443 in you config file!
You probably have one with 80 at the end, but you will also need one with 443.
Second you need a *.domain certificate (wildcard) (it is possible to make one)
Third you can make only something.domain webs in one ip (because of the certificate)
You MUST add below part to enable NameVirtualHost functionality with given IP.
NameVirtualHost IP_Address:443
Apache doesn't support SSL on name-based virtual host, only on IP based Virtual Hosts.
Source: Apache 2.2 SSL FAQ question Why is it not possible to use Name-Based Virtual Hosting to identify different SSL virtual hosts?
Unlike SSL, the TLS specification allows for name-based hosts (SNI as mentioned by someone else), but Apache doesn't yet support this feature. It supposedly will in a future release when compiled against openssl 0.9.8.
Also, mod_gnutls claims to support SNI, but I've never actually tried it.