I'm setting up the WAF with feature of reverse proxy, and have the config in /etc/apache2/sites-available/000-default.conf. then i have to setting the WAF as reverse proxy. Can i use redirect in exchange for proxy_pass? what is the difference between them?
I already setup the reverse proxy but always end up with my web application functional problem, but when i use redirect everything just work fine.
This is my 000-default.conf for reverse proxy:
<VirtualHost *:80>
ServerName https://mywebsite.com/
ProxyPass / https://10.10.123.32:443/
ProxyPassReverse / https://10.10.123.32:443/
ProxyPreserveHost on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSL ProxyCheckPeerExpire off
</VirtualHost>
-is that anything wrong with my reverse proxy config?
-and it's okay to use redirect as the replacement for proxy_pass setting?
-if that okay, whether the waf function will still run?
Thank you :)
ProxyPass instructs Apache to forward the request to the named backend server and forward the response to the client.
Redirect instructs Apache to respond directly to the client with a substitute URL.
It would rarely be effective for a WAF to send a redirect instead of acting as a proxy/gateway/middleman as the WAF would not really be in the loop for the traffic. Further, usually your client can't do anything with the direct address of what is likely an internal server.
Related
I've read a lot of questions and answers which seem exactly the same as mine, but I can't seem to get my setup to work. I have a VM running Apache with only HTTP support at 192.168.2.101:32773. I can access it on my local network as such just fine. I now am ready to expose it through my Apache web server that has Lets Encrypt setup to generate SSL certificates. So I added this to my server conf file:
<VirtualHost *:32773>
ServerName server.com
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/letsencrypt/live/server.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.com/privkey.pem
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.2.101:32773/
ProxyPassReverse / http://192.168.2.101:32773/
</VirtualHost>
However, I get an ERR_SSL_PROTOCOL_ERROR when I try to load it up as https://server.com:32773. If I however change my address to http://server.com:32773, it loads just fine. Anything look wrong in this snippet? Thanks!
HTTP and HTTPS need to be on different ports. Typically HTTPS is served on port 443.
This is embarrassing... At some point I changed my port forward rules to point 32773 directly to 192.168.2.101 so I could validate that the rules were working at all. The above config worked as soon as I realized I wasn't even sending traffic to my Apache SSL enabled server.
I know, I know, Apache is not the best tool to use as HTTP proxy, however I need it on my server.
Here's my virtual host configuration:
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ServerName my.public.domain
Redirect / https://my.public.domain/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:50001/
ProxyPassReverse / http://127.0.0.1:50001/
ServerName my.public.domain
ErrorLog ${APACHE_LOG_DIR}my-app-error.log
CustomLog ${APACHE_LOG_DIR}my-app-access.log common
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/my-cert/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my-cert/privkey.pem
</VirtualHost>
In UseUrls method i have http://localhost:50001 configured as main URL, and this is redirected by Apache to HTTPS #443.
It works as charm, however I see this in logs:
warn: Microsoft.AspNetCore.HttpsPolicy.HttpsRedirectionMiddleware[3]
Failed to determine the https port for redirect.
In my configuration Apache handles https traffic, BTW, I can't communicate my app with Apache locally over HTTPS, it just doesn't work. I also think it's pointless to encrypt local internal traffic.
Unfortunately my solution requires some hacking to work 100% properly - I need to provide my public site URL in my app configuration - otherwise the app doesn't know what it's external address is. I mean - I build some links manually, because this is the core of my question - I don't know where the framework would keep such information. For example NavigationManager thinks my site URL is "http://localhost:50001", so if I need absolute URL in my app I can't use NavigationManager directly, I need to "manually" create the URL in app.
Links generated by Identity have "http" instead of "https", but it works because apache redirects everything to https.
Is there a way (and HOW) to do it more properly - a mean to officially tell the AspNET.Core it has specific external URL?
Where you have ServerName my.public.domain, use the following:
For port 80:
ServerName http://my.public.domain:80
For port 443:
ServerName https://my.public.domain:443
Good day,
I have a Apache server (10.8.111.67), I configure it to ProxyPass to my app server http port (10.8.1.63), its work. The thing I do in httpd.conf is just as follow:
ProxyPass "/mfp" "http://10.8.1.63:9080/mfp"
ProxyPassReverse "/mfp" "http://10.8.1.63:9080/mfp"
However, I should proxy pass to https url instead of http.
I google around, found that I need to configure something in the ssl.conf, the following is what I plan to do:
<VirtualHost 10.8.111.67:80>
SSLEngine on
SSLCertificateFile ???
SSLCertificateKeyFile ???
ProxyPass "/mfp" "http://10.8.1.63:9080/mfp"
ProxyPassReverse "/mfp" "http://10.8.1.63:9080/mfp"
</VirtualHost>
I am not sure that what cert actually I should put for SSLCertificateFile, is it cert from app server? I can use openssl command to download it?
And for the SSLCertificateKeyFile, what file I should put inside? private key from app server? May I know how to generate the private key from web server? I run ssh-keygen, I got the id_rsa.pub and id_rsa.
Kindly advise.
Kindly notify me if I am doing something wrong.
You don't need to configure certificates in virtualhost just to proxy to a SSL backend.
To reverse proxy to a SSL backend you just need to make sure mod_ssl is loaded and that you have the directive: SSLProxyEngine on to let the reverse proxy do it to an SSL backend.
Loading certificates in virtualhost is for virtualhosts that will listen to SSL connections, mainly virtualhosts with 443 port.
So based in your description to reverse proxy to the SSL backend, aside from the mod_ssl module loaded what you want is:
<VirtualHost 10.8.111.67:80>
ServerName youshouldefinethisalways.example.com
SSLProxyEngine on
ProxyPass /mfp https://backend-server.example.com/mfp
ProxyPassReverse /mfp https://backend-server.example.com/mfp
</VirtualHost>
I am trying to return content with a web service. Behind an apache proxy if fails with "Operation insecure".
I read about adding an apache hook but it won't work for me. Setting the environment variable neither.
This is what I tried: how to make Mojolicious's url_for()->to_abs() return correct scheme (http or https) behind nginx
Maybe or webservice I have to do something else ? Also I use mojolicious lite.
Also the url_for is done in the template file .html.ep. I use it to call the web service from javascript.
I run Mojolicious 7.59 on Ubuntu 18.04. Thank you for you help
I solved it this way: the apache proxy must have some specific settings and also the mojo app must be in reverse proxy mode.
Apache Settings
Apache must know how to proxy the web services and it must tell mojo about the forwarding protocol.
I put all my webservices under the /ws/ and I added it to ProxyPass
My mojo app is at the same host at port 8080 so I proxy to localhost:8080.
It is very important to set the X-Forwarded-Proto
At /etc/apache2/sites-enabled/default-ssl.conf I changed this way:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /ws/ ws://localhost:8080/ws/ keepalive=On
ProxyPass / http://localhost:8080/ keepalive=On
ProxyPassReverse / http://localhost:8081/
RequestHeader set X-Forwarded-Proto "https"
Mojo Proxy
The mojolicious app must know it is in reverse proxy. If you are using hypnotoad it may not be necessary. When I did some tests with morbo I had to run it this way:
MOJO_REVERSE_PROXY=1 morbo script.pl
There is more documentation at https://mojolicious.org/perldoc/Mojolicious/Guides/Cookbook#Reverse-proxy
What I'm basically trying to accomplish is having my main website running a CMS written in Go. This will be located at www.example.com.
I also have applications written in PHP located in directories, such as www.example.com/clients/
How can I serve example.com/clients using Apache/PHP while serving example.com using Go built-in web server?
Via mod_proxy in Apache2, you can proxy different paths into different destinations at localhost or anywhere else accessible by your server, including within your local network (if your server can access it).
For this you would use ProxyPass (Apache2 Docs for ProxyPass, which is very useful reading) like the example below:
<VirtualHost *:80>
ServerName some.example.host.xyz
DocumentRoot /var/www/your-document-root
Alias /clients/ /var/www/clients/
ProxyPass /clients/ !
ScriptAlias /something-using-cgi/ /var/www/cgi-stuff/
ProxyPass /something-using-cgi/ !
ProxyPreserveHost On
ProxyPass / http://localhost:9876/
ProxyPassReverse / http://localhost:9876/
ProxyPass /elsewhere/ http://elsewhere.example.host.xyz:1234/
ProxyPassReverse /elsewhere/ http://elsewhere.example.host.xyz:1234/
</VirtualHost>
You'll want to be sure that you set your proxy security such that external users can't use your reverse proxy as a forward proxy, too. You can do that via ProxyRequests as described in the official Apache2 docs. The way I did this on a server is to put this in your server-wide config (you should verify on your own that this is secure enough):
# disables forward proxy
ProxyRequests Off
Andrew Gerrand has a good blog post about this for nginx but the principle is the same for Apache.
You want to set up Apache as a reverse proxy for requests coming in for the Go application.
For Apache you want to look at mod_proxy