Configuring httpd forward proxy to restrict destinations by subnet - apache

I have an Apache httpd v2.2 server (on CentOS 6) set up as a forward proxy to get to a DMZ in a test lab environment. It is working, but I would like to restrict destinations to specific subnets, both IPv4 and IPv6. I've searched for a solution and have not been able to find an answer.
Here is the virtualhost segment of my httpd.conf file:
<VirtualHost 10.10.10.185:8080>
    ProxyRequests On
    ProxyVia On
    ProxyBlock "10.20.30.30"
    <Proxy *>
        Order deny,allow
        Allow from 10.1.0.0/24
        Deny from all
    </Proxy>
    ErrorLog "/var/log/httpd/proxy-error.log"
    CustomLog "/var/log/httpd/proxy-access.log" common
</VirtualHost>
The above config allows incoming connections from the 10.1.0.0/24 subnet. It does not allow connections specifically to 10.20.30.30 through the proxy. Instead of blocking that single address, I would like to specify a set of subnets that are allowed, and everything else be denied. For example, allow:
2001:1111:2222:301::0/64
2001:1111:2222:302::0/64
10.20.40.0/24
But block everything else from passing through the proxy. I understand that this would block any url that used a hostname instead of an IP address.
Thanks in advance for any help you can provide.
Regards,
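An added example for the question above (it is not the poster's config and not the Apache project's). The point it relies on: in httpd 2.2 the pattern on a <Proxy> or <ProxyMatch> section selects which proxied URLs the section applies to, while the Allow/Deny directives inside it check the client address. The question's <Proxy *> therefore only decides who may use the proxy; to restrict destinations, a catch-all <Proxy *> denies everything and one <ProxyMatch> per permitted prefix re-allows the lab clients. mod_proxy merges matching sections in file order, so the later, more specific section overrides the catch-all. The subnets, the client range 10.1.0.0/24 and the log paths are the question's; the regular expressions and the CONNECT block are mine.

```apache
<VirtualHost 10.10.10.185:8080>
    ProxyRequests On
    ProxyVia On

    # Baseline for every proxied URL: deny. Anything that matches none of the
    # <ProxyMatch> sections below gets a 403, whoever the client is, so
    # ProxyBlock is no longer needed.
    <Proxy *>
        Order deny,allow
        Deny from all
    </Proxy>

    # Destination 10.20.40.0/24. After the four octets only an optional :port
    # and then "/" or end of URL may follow, so forms such as
    # http://10.20.40.5@other-host/ or http://10.20.40.5.other-host/ do not match.
    <ProxyMatch "^http://10\.20\.40\.[0-9]{1,3}(:[0-9]+)?(/|$)">
        Order deny,allow
        Deny from all
        Allow from 10.1.0.0/24
    </ProxyMatch>

    # Destinations 2001:1111:2222:301::/64 and 2001:1111:2222:302::/64.
    # IPv6 literals in URLs are bracketed and the first four groups fix the /64.
    # This is a textual match: an address written with leading zeros
    # (2001:1111:2222:0301:...) does not match and is therefore denied.
    <ProxyMatch "^http://\[2001:1111:2222:30[12]:[0-9A-Fa-f:]*\](:[0-9]+)?(/|$)">
        Order deny,allow
        Deny from all
        Allow from 10.1.0.0/24
    </ProxyMatch>

    # Optional: HTTPS through the proxy arrives as CONNECT, and for CONNECT the
    # string matched is just host:port. Drop this section if tunnelling is not
    # wanted.
    <ProxyMatch "^(10\.20\.40\.[0-9]{1,3}|\[2001:1111:2222:30[12]:[0-9A-Fa-f:]*\]):443$">
        Order deny,allow
        Deny from all
        Allow from 10.1.0.0/24
    </ProxyMatch>

    ErrorLog "/var/log/httpd/proxy-error.log"
    CustomLog "/var/log/httpd/proxy-access.log" common
</VirtualHost>
```

A quick check from a host in 10.1.0.0/24: `curl -x http://10.10.10.185:8080 -I http://10.20.40.5/` should reach the destination, while `curl -x http://10.10.10.185:8080 -I http://10.20.30.30/` and any URL with a hostname should come back as a 403 from the proxy. Because the match is purely textual, IP literals written in any other notation also fail to match and are denied, which is the safe direction. On Apache 2.4 the same layout works with `Require all denied` in <Proxy *> and `Require ip 10.1.0.0/24` in each <ProxyMatch> in place of the Order/Deny/Allow lines.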

Related

Configuring apache virtual hosts for one domain and multiple IP addresses

I have two apache servers at two separate IP addresses and one domain name (example.com) administered on godaddy.com. I want to use this single domain to point traffic to my two separate servers over ssl.
I set up the first server through a fios router with port forwarding and associated the public IP address with a DDNS address (xxx.ddns.net). My godaddy config looks like this:
Type Name Value
-------------------------------
A # 184.168.131.241
CNAME www xxx.ddns.net
Forwarding
------------
domain https://www.example.com
... and my apache ssl.conf file looks like this:
<VirtualHost *:443>
    ...
    ServerName www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
This works fine, but now I want to set up a subdomain ('mysub') so that traffic directed to mysub.example.com gets handled by my second server available at a separate IP address (MY.2ND.IP.ADDR). I've tried all sorts of settings on godaddy and in the ssl.conf file, but to no avail. In particular, I've tried:
1. Setting godaddy so that traffic sent to subdomain mysub.example.com is redirected straight to MY.2ND.IP.ADDR; it's not at all clear to me if this is possible. (Godaddy has a form under the title "Forwarding" and a subsection therein called "subdomain", but setting that subdomain to mysub and setting "forward to" to http://MY.2ND.IP.ADDR doesn't seem to do anything; what is this 'subdomain' field in the godaddy interface supposed to be used for?)
2. Directing all traffic to the first server, and configuring apache to proxy traffic for the subdomain on to the second server.
I've tried adding another virtual host element to ssl.conf like so:
<VirtualHost MY.2ND.IP.ADDR:443>
    ServerName mysub.example.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        ProxyPass http://MY.2ND.IP.ADDR
        ProxyPassReverse http://MY.2ND.IP.ADDR
    </Location>
</VirtualHost>
... but this doesn't work either.
In summary, what is the best way to direct traffic for a subdomain to a separate IP address using godaddy and/or apache configurations?

Apache reverse proxy, one server, multiple domains

I am trying to manage 2 domains with one server (running proxmox with several CT). I am using a reverse proxy but it seems to be wrong. Here's my configuration:
Let's say we have the main server running proxmox where I managed IPTables to redirect port 80 to the port 80 of my first container (CT01) and port 8109 to port 80 of my second container (CT02).
While using the port in my browser, everything is working well, and I am able to reach each container.
I bought 2 domain names, one for my private server (CT01) and another one for a business server (CT02). I associated both of the domains with my server address, and when typing either of them I am redirected to CT01 (normal, the browser is using the default port).
So now I tried to use a reverse proxy in order to redirect to the desired server (DomainA -> CT01, DomainB -> CT02). I created 2 files in /var/apache2/sites-available/ :
/var/apache2/sites-available/domainA.com:
<VirtualHost *:80>
    ServerName domainA.com
    DocumentRoot /var/www/
</VirtualHost>
/var/apache2/sites-available/domainB.com:
<VirtualHost *:80>
    ServerName domainB.com
    ProxyPreserveHost On
    ProxyRequests On
    ProxyPass / http://x.y.z.h:8109/
    ProxyPassReverse / http://x.y.z.h:8109/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
Then I ran a2ensite domainA.com and a2ensite domainB.com. I restarted my apache service.
But nothing has changed: both my domainA and domainB redirect me to the same container (CT01).
Any idea?
What I may suggest is creating a new CT just to host a proxy (nginx for example) that will route the requests to one site or the other depending on the Host: field value of the HTTP request. This may be a little bit overkill if it's just for two sites, but when you want to have more, it can be very useful. Plus, nginx can be used to cache, etc.
Let me know if you are interested. I know a tutorial that you may follow, but it's in French: http://blog.ganbaranai.fr/2013/08/il-etait-une-fois-proxmox-derriere-une-ip-unique/
Hope it helps.
Regards,
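An added example for the two-domain question above; it is not the thread's own files and not the Apache project's. It shows the two site files once Apache inside CT01 (the container that receives port 80) routes by Host header. Three things matter: on Apache 2.2 name-based hosts on `*:80` need `NameVirtualHost *:80`, the first host defined becomes the default for unknown or missing Host headers, and a reverse proxy must run with `ProxyRequests Off`. The question's domainB file has `ProxyRequests On`, which is the forward-proxy switch; on an internet-facing host with no `<Proxy>` restriction that makes Apache an open proxy, and ProxyPass does not need it. Debian's /etc/apache2 layout is assumed and CT02_INTERNAL_ADDRESS is a constructed placeholder.

```apache
# /etc/apache2/ports.conf
# Apache 2.2 needs NameVirtualHost for name-based hosts on a wildcard;
# Apache 2.4 ignores the directive and does this automatically.
NameVirtualHost *:80
Listen 80

# /etc/apache2/sites-available/domainA.com
# Sorted first by a2ensite, so it is also the default host.
<VirtualHost *:80>
    ServerName domainA.com
    ServerAlias www.domainA.com
    DocumentRoot /var/www/
    ErrorLog  /var/log/apache2/domainA-error.log
    CustomLog /var/log/apache2/domainA-access.log combined
</VirtualHost>

# /etc/apache2/sites-available/domainB.com
<VirtualHost *:80>
    ServerName domainB.com
    ServerAlias www.domainB.com

    # Reverse proxy only. ProxyRequests On would turn this host into a
    # forward proxy for anyone who can reach port 80.
    ProxyRequests Off
    ProxyPreserveHost On

    # Constructed placeholder: CT02's address as seen from inside CT01.
    # Talking to CT02 directly on port 80 is simpler than looping back out
    # through the host's 8109 iptables redirect.
    ProxyPass        / http://CT02_INTERNAL_ADDRESS:80/
    ProxyPassReverse / http://CT02_INTERNAL_ADDRESS:80/

    ErrorLog  /var/log/apache2/domainB-error.log
    CustomLog /var/log/apache2/domainB-access.log combined
</VirtualHost>
```

`a2enmod proxy proxy_http` must have been run for the ProxyPass lines to load. `apache2ctl -S` lists every virtual host Apache parsed, with the default host for each address:port; if a default site (000-default) is still enabled it sorts before domainA/domainB and will catch both names, which produces exactly the "everything goes to CT01" symptom.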

Apache: Restrict access to specific source IP inside virtual host

I have several named virtual hosts on the same apache server, and for one of the virtual hosts I need to ensure that only a specific set of IP addresses is allowed to access it.
Please suggest the best way to do this. I have looked at the mod_authz_host module but it does not look like I can do it inside a virtual host.
The mod_authz_host directives need to be inside a <Location> or <Directory> block but I've used the former within <VirtualHost> like so for Apache 2.2:
<VirtualHost *:8080>
    <Location />
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
    ...
</VirtualHost>
Reference: https://askubuntu.com/questions/262981/how-to-install-mod-authz-host-in-apache
For Apache 2.4, you would use the Require ip directive. So to only allow machines from the 192.168.0.0/24 network (range 192.168.0.0 - 192.168.0.255):
<VirtualHost *:80>
    <Location />
        Require ip 192.168.0.0/24
    </Location>
    ...
</VirtualHost>
And if you just want the localhost machine to have access, then there's a special Require local directive.
The local provider allows access to the server if any of the following conditions is true:
- the client address matches 127.0.0.0/8
- the client address is ::1
- both the client and the server address of the connection are the same
This allows a convenient way to match connections that originate from the local host:
<VirtualHost *:80>
    <Location />
        Require local
    </Location>
    ...
</VirtualHost>
If you are using Apache 2.2, inside your virtual host you should add the following directives (mod_authz_host):
Order deny,allow
Deny from all
Allow from 10.0.0.1
You can even specify a subnet:
Allow from 10.0.0
Apache 2.4 looks a little different in its configuration.
It would be better if you specified which version of Apache you are using.
In Apache 2.4, the authorization configuration syntax has changed, and the Order, Deny or Allow directives should no longer be used.
The new way to do this would be:
<VirtualHost *:8080>
    <Location />
        Require ip 192.168.1.0
    </Location>
    ...
</VirtualHost>
Further examples using the new syntax can be found in the Apache documentation: Upgrading to 2.4 from 2.2

Apache mod_proxy on Azure

I keep running into an issue with Apache's mod_proxy where it won't forward any traffic. I'm using a Windows Azure virtual machine running Ubuntu 13.04 and have configured the proper HTTPS endpoint (port 443) for it. The proper Apache modules (proxy, ssl, etc.) are all installed, and the error logs show nothing, not even a warning to explain why this is happening. My VirtualHost setup is as follows:
<VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    ServerName www.example.com
    SSLEngine On
    #SSLProxyEngine On
    SSLCertificateFile /ssl/my.com.crt
    SSLCertificateKeyFile /ssl/my.key
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        SSLRequireSSL
        Order deny,allow
        Allow from all
    </Location>
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
I have Listen 443 and NameVirtualHost *:443 all set as well. My service on the other port is running fine, as a wget gets an HTTP 200 OK response and I can reach it by manually entering the port number. I have disabled all firewalls (for testing) to no avail as well. However, whenever I try to reach the service from the outside world through mod_proxy (port 443), the request times out and I get the usual "website not available" browser error.
If it means anything, the app I am running on the other port I need to forward HTTPS traffic to is a Play Framework 2.1 application. I set the server up exactly as in their documentation but still have these problems, so I'm assuming it may have something to do with Azure.
Any ideas? Is there some other type of endpoint configuration that I need to do specific for Windows Azure virtual machines to support SSL/TLS?
So, apparently, I have no idea how or why - but the Azure Gods decided to shine upon my setup all of a sudden. Overnight, without so much as a reboot or anything, mod_proxy on Azure just started working. I have no idea what the issue was, or even if there was one in the first place, but apparently the problem lies with something in the Azure infrastructure.
Sorry I couldn't be of more help for others encountering similar issues, but just giving it time worked for some unknown reason.

Apache VirtualHost with mod-proxy and SSL

I am trying to set up a server with multiple web applications which will all be served through apache VirtualHost (apache running on the same server). My main constraint is that each web application must use SSL encryption. After googling for a while and looking at other questions on stackoverflow, I wrote the following configuration for the VirtualHost:
<VirtualHost 1.2.3.4:443>
    ServerName host.domain.org
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
Even though https://host.domain.org:8443 is accessible, https://host.domain.org is not, which defeats the purpose of my virtual host configuration. Firefox complains that even though it successfully connected to the server, the connection was interrupted. Chrome returns an error 107: net::ERR_SSL_PROTOCOL_ERROR.
Finally I should also mention that the virtual host works perfectly fine when I do not use SSL.
How can I make this work?
Thanks
You don't need to configure SSL in both Apache and Tomcat.
The easiest way to accomplish that is to configure SSL just on Apache and proxy to Tomcat using HTTP.
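An added example, not taken from any of the threads on this page and not the Apache project's, of the layout the answer above describes and that the mysub.example.com question and the Azure question are both reaching for: TLS is terminated in Apache once, and the application is reached over plain HTTP on an internal address. The question just above defines a 1.2.3.4:443 host with SSLProxyEngine but no SSLEngine; a port-443 host without SSLEngine answers in plain HTTP, which is consistent with the ERR_SSL_PROTOCOL_ERROR it reports. The certificate paths, the backend 127.0.0.1:8080 (Tomcat's default HTTP port) and the log names are assumptions; for the subdomain question the backend would be the second server's address instead.

```apache
# Apache 2.2 needs this for name-based TLS hosts (SNI); 2.4 ignores it.
NameVirtualHost *:443
Listen 443

<VirtualHost *:443>
    ServerName mysub.example.com

    # TLS ends here. Without SSLEngine On a *:443 host speaks plain HTTP on
    # port 443 and browsers report an SSL protocol error.
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/mysub.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/mysub.example.com.key

    # Reverse proxy only; ProxyRequests stays off for a reverse proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Lets the application build https:// links. Needs mod_headers.
    RequestHeader set X-Forwarded-Proto "https"

    # The backend is reached over plain HTTP on a loopback port, so
    # SSLProxyEngine is not required. Assumed backend: 127.0.0.1:8080.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    ErrorLog  /var/log/apache2/mysub-error.log
    CustomLog /var/log/apache2/mysub-access.log combined
</VirtualHost>

# Plain HTTP only redirects to HTTPS, so the application itself is never
# served unencrypted.
<VirtualHost *:80>
    ServerName mysub.example.com
    Redirect permanent / https://mysub.example.com/
</VirtualHost>
```

The modules involved are proxy, proxy_http, ssl and headers; a missing proxy_http is an easy thing to overlook when "proxy" is installed but http:// backends still do not forward. `openssl s_client -connect 1.2.3.4:443 -servername mysub.example.com` confirms that the port really speaks TLS and shows which certificate was selected, which separates a TLS-layer problem from a proxy-layer one before looking at the backend at all.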