Apache SSL Configuration - apache

We are using Apache Tomcat 7.0 in our application. We need to configure SSL, but I want to install Apache httpd on top of Tomcat so that it does the SSL encryption and decryption. Is it possible to have such a configuration?

Yes, you can use mod_proxy_http to proxy HTTPS requests as plain HTTP requests to the Apache Tomcat server.
So if you want all traffic to be served over HTTPS, do the following:
Make sure Tomcat is running on port 8080 (and not 80), install apache2 httpd and then:
a2enmod proxy
a2enmod proxy_http
a2enmod ssl
a2enmod rewrite
create a file called mysite.conf with the following VirtualHost directives:
<VirtualHost *:443>
ServerName www.yourdomainname.com
SSLEngine on
SSLCertificateFile "/path/to/www.yourdomainname.com.cert"
SSLCertificateKeyFile "/path/to/www.yourdomainname.com.key"
ProxyPreserveHost On
# ProxyPass does the actual forwarding; ProxyPassReverse only rewrites
# Location/Content-Location/URI headers in Tomcat's responses
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
<VirtualHost *:80>
ServerName www.yourdomainname.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=302]
</VirtualHost>
Finally
a2ensite mysite
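A fuller version of the same setup, added here as an example and not taken from the answer above: httpd terminates TLS and Tomcat keeps speaking plain HTTP on 8080. The hostname and certificate paths are the placeholders from the answer, the TLS and HSTS settings are assumptions, and the RequestHeader lines need mod_headers (a2enmod headers).

```apache
# Added example (not from the original answer): a complete TLS-terminating
# front end for Tomcat on localhost:8080. Hostname, paths and the cipher
# settings are assumptions; adjust them to your deployment.

<VirtualHost *:80>
    ServerName www.yourdomainname.com
    # Plain HTTP does nothing but send clients to HTTPS (no mod_rewrite needed).
    Redirect permanent / https://www.yourdomainname.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.yourdomainname.com

    SSLEngine on
    SSLCertificateFile      "/path/to/www.yourdomainname.com.cert"
    SSLCertificateKeyFile   "/path/to/www.yourdomainname.com.key"
    # Modern TLS only (mod_ssl 2.4 syntax).
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder     on
    # Tell browsers to stay on HTTPS for a year.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Never act as a forward (open) proxy; only the explicit ProxyPass applies.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    # Tomcat sees a plain-HTTP connection; these headers let it reconstruct
    # the original scheme and port (see the RemoteIpValve note below).
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"
</VirtualHost>
```

Two things the httpd side cannot do for you. First, Tomcat must be told to honour X-Forwarded-Proto, otherwise request.isSecure() is false, its own redirects point at http://, and session cookies are not flagged Secure; in Tomcat 7 that is the RemoteIpValve (org.apache.catalina.valves.RemoteIpValve with protocolHeader="X-Forwarded-Proto") in server.xml. Second, because Apache overwrites rather than merges X-Forwarded-Proto, a client cannot forge it through the proxy, but it can forge it by talking to port 8080 directly, so bind the Tomcat connector to 127.0.0.1 (address="127.0.0.1") or firewall the port.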


Apache reverse proxy for websockets

I'm using Apache on my server to proxy traffic on port 80 and 443 out to separate VM's running different websites and services. I'm having trouble setting up a proxy for MeshCentral which requires websockets. I'm using Debian 10 with Apache 2.4.38.
I can load MeshCentral, but once I log in it tries to use websockets and I get the following error:
Firefox can’t establish a connection to the server at wss://example.com/control.ashx?auth=Uu7PBFNsswzzWoQaVNPH2N3ZwkWbx7DSsljaaY8cxthO5fcPVSz#sqLbGzyOpvxTxvfmV7WgwLdRklqLNYC5KQTjrZPCYDcNDvJ0AY7V8DGdUk68jK3sPfnc$Sl7rvhaQwR1xBukiZ8=. meshcentral.js:27:21
I've added the wstunnel proxy
a2enmod proxy_wstunnel
And setup HTTP and HTTPS proxies which work fine
/etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
ServerName example.com
ProxyPreserveHost On
ProxyPass "/" "http://192.168.200.11/"
ProxyPassReverse "/" "http://example.com/"
</VirtualHost>
/etc/apache2/sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName example.com
RewriteEngine on
RewriteCond ${HTTP:UPGRADE} websocket [NC]
RewriteCond ${HTTP:CONNECTION} upgrade [NC]
RewriteRule /(.*) "wss://example.com/$1" [P]
ProxyPreserveHost On
ProxyPass "/" "https://192.168.200.11/"
ProxyPassReverse "/" "https://example.com/"
SSLProxyEngine On
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
</VirtualHost>
</IfModule>
I've restarted apache before I tried loading the page in firefox and also tried google-chrome, same error.
You can try with:
Ubuntu
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_wstunnel
Centos
Open the module configuration file for proxies.
sudo vi /etc/httpd/conf.modules.d/00-proxy.conf
All modules related to proxying are listed in this configuration file. Verify that the following lines exist and are uncommented.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
If you made any changes to the file, save them now.
Restart Apache Web Server to apply your changes.
sudo systemctl restart httpd
Configuration:
<VirtualHost *:443>
ServerName ws.serverlab.ca
RewriteEngine on
# mod_rewrite variables use %{...}; ${...} is RewriteMap syntax and never reads a header
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
# .* has no capture group, so pass the path through with %{REQUEST_URI};
# wss:// needs SSLProxyEngine On and a TLS backend, use ws:// for a plain-HTTP backend
RewriteRule .* "wss://localhost:3000%{REQUEST_URI}" [P,L]
<Proxy balancer://backend-cluster>
BalancerMember http://server01:3000
BalancerMember http://server02:3000
BalancerMember http://server03:3000
</Proxy>
ProxyPass / balancer://backend-cluster/
ProxyPassReverse / balancer://backend-cluster/
ProxyRequests off
</VirtualHost>
ServerName ws.serverlab.ca
The hostname of the virtual web host that will handle the WebSocket connections.
RewriteEngine on
Used to set the status of the RewriteEngine to either on or off. To support WebSockets it must be turned on.
RewriteCond %{HTTP:Upgrade} websocket [NC]
A condition that must be matched in order for a request to be processed by the RewriteRule.
RewriteCond %{HTTP:Connection} upgrade [NC]
A second condition that must also be matched: the Connection header has to request an upgrade.
RewriteRule .* "wss://ws-backend%{REQUEST_URI}" [P]
Rewrite all incoming requests to use the wss protocol, and replace the destination hostname to that of a backend service.
Documentation from: How to Reverse Proxy Websockets with Apache 2.4
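The question's configuration has two problems that the answer does not spell out: `${HTTP:UPGRADE}` is not mod_rewrite variable syntax (it has to be `%{HTTP:Upgrade}`), and the rule proxies the upgrade to `wss://example.com/`, which is this same VirtualHost rather than the backend at 192.168.200.11. The vhost below is an added example, not the asker's or the linked article's configuration, with both fixed; it reuses the addresses and certificate paths from the question and needs mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_ssl. The CA path in the commented-out verification lines is an assumption.

```apache
# Added example (not from the original question or answer): the MeshCentral
# vhost with the WebSocket upgrade proxied to the backend instead of back
# to example.com. Backend address and certificate paths are from the question.

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # The backend itself speaks HTTPS, so the proxy hop needs SSLProxyEngine.
    # With the default SSLProxyVerify none the backend certificate is NOT
    # checked; turn verification on if the hop leaves a trusted network
    # (the CA bundle path below is an assumption).
    SSLProxyEngine On
    # SSLProxyVerify require
    # SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem

    ProxyRequests Off
    ProxyPreserveHost On

    # Only requests that ask for a WebSocket upgrade take the ws tunnel.
    # Header names are case-insensitive; [NC] makes the value match so too.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade}    websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade   [NC]
    # [P] hands the request to mod_proxy_wstunnel; wss:// because the
    # backend is HTTPS (use ws:// for a plain-HTTP backend). The query
    # string (MeshCentral's ?auth=...) is appended automatically.
    RewriteRule ^/(.*) "wss://192.168.200.11/$1" [P,L]

    # Everything else is ordinary HTTP(S) proxying to the same backend.
    ProxyPass        "/" "https://192.168.200.11/"
    ProxyPassReverse "/" "https://192.168.200.11/"
</VirtualHost>
```

On httpd 2.4.47 and later the rewrite block is unnecessary: `ProxyPass "/" "https://192.168.200.11/" upgrade=websocket` lets mod_proxy_http tunnel the upgrade itself. Debian 10's 2.4.38, as in the question, needs the mod_rewrite form.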

Apache reverse proxy by HTTP/2 will lost MIME-type and use default

English is not my native language, please excuse typing errors.
I configured an Apache reverse proxy as follows, and it works fine.
ProxyRequests Off
SSLEngine On
SSLProxyEngine On
ProxyPass / https://example.com/
ProxyPassReverse / https://example.com/
My website (PHP) supports HTTP/2, so I want to proxy it over HTTP/2.
I enabled mod_proxy, mod_proxy_http, mod_ssl, mod_http2, mod_proxy_http2 and some other modules, and set the .php MIME type to application/x-httpd-php.
AddType application/x-httpd-php .php
The VirtualHost is as follows:
<VirtualHost *:443>
DocumentRoot "/path/to/wwwroot/"
ServerName localhost:443
ProxyRequests Off
SSLEngine On
SSLProxyEngine On
ProxyPass / h2://example.com/
ProxyPassReverse / https://example.com/
# Cert
SSLCertificateFile ...
SSLCertificateKeyFile ...
</VirtualHost>
The only difference is ProxyPass / https://example.com/ becoming ProxyPass / h2://example.com/.
The Content-Type response header in the browser always gets the default MIME type.
You can see an example at the phpMyAdmin demo: filter for whitelist.php in DevTools; this file's Content-Type is text/javascript.
Proxied over HTTP/2, the Content-Type becomes application/x-httpd-php; the source MIME type text/javascript is lost.
Proxied over HTTP/1.1, it works well.
How can I resolve this problem?
Thank you.
It's an old question, but I ran into the same problem and decided to investigate.
I found a bug in the http2 proxy.
It will be fixed in the next HTTPD release (2.4.55).
Virtual Host file configuration:
<VirtualHost *:443>
ServerAdmin admin@test.com
ServerName example.com
ServerAlias www.example.com
SSLEngine On
SSLCertificateFile .....
SSLCertificateKeyFile .....
ProxyRequests Off
<Proxy *>
Require all granted
</Proxy>
<Location />
ProxyPass http://example.com:8000/
ProxyPassReverse http://example.com:8000/
</Location>
</VirtualHost>
Next we need to enable a few Apache modules. To do this, issue the following commands:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
Apache will now need to be restarted with the command:
sudo service apache2 restart

HTTPS with redirection to other domain with apache virtual host

I would like to redirect a virtual host on my server to another domain, which is running on HTTPS. I also would like to only show the original url, hence using the P flag for proxy. Here is the current configuration :
RewriteEngine on
SSLProxyEngine on
RewriteCond %{HTTP_HOST} ^subdomain1\.domain1\.ext1$ [NC]
RewriteRule ^(.*) https://subdomain2.domain2.ext2$1 [L,R,P]
Should I generate a certificate on domain1 with certbot? What webroot should I associate? Should I include the one from domain2?
Currently, I have this in the error.log:
[Wed Jun 27 09:13:42.011549 2018] [ssl:error] [pid 19805] [remote IP2:443] AH01961: SSL Proxy requested for domain1.ext1:80 but not enabled [Hint: SSLProxyEngine]
[Wed Jun 27 09:13:42.011734 2018] [proxy:error] [pid 19805] AH00961: HTTPS: failed to enable ssl support for IP2:443 (subdomain2.domain2.ext2)
However SSLProxyEngine is set.
Finally, the best solution was to use mod_proxy instead of mod_rewrite.
The HTTP version (redirecting to HTTPS)
<VirtualHost *:80>
ServerName domain1.ext1
ServerAlias subdomain1.domain1.ext1
SSLProxyEngine on
ProxyPass / https://subdomain2.domain2.ext2/
ProxyPassReverse / https://subdomain2.domain2.ext2/
ProxyPreserveHost Off
RewriteEngine on
RewriteCond %{SERVER_NAME} =subdomain1.domain1.ext1
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
The HTTPS version
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName domain1.ext1
ServerAlias subdomain1.domain1.ext1
SSLProxyEngine on
ProxyPass / https://subdomain2.domain2.ext2/
ProxyPassReverse / https://subdomain2.domain2.ext2/
ProxyPreserveHost Off
SSLCertificateFile /etc/letsencrypt/live/subdomain1.domain1.ext1/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/subdomain1.domain1.ext1/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Since you did not show your VirtualHost setup, here is how I would do it from scratch.
First setup a VirtualHost for port 443 on your first Apache server:
Listen *:443
<VirtualHost *:443>
ServerName www.domain1.com
ServerAlias domain1.com
SSLEngine On
[... all our SSL directives, like certs ...]
SSLProxyEngine on
RewriteEngine On
# P proxies the request in place (L is implied); the leading slash is matched
# outside the group so the target does not end up with a double slash
RewriteRule ^/(.*) https://subdomain2.domain2.ext2/$1 [P]
</VirtualHost>
For your RewriteRule, L is not necessary when you use the P flag; it is implicit.
Your RewriteCond is not strictly required, since if you are in this VirtualHost you did ask for https://www.domain1.com or https://domain1.com. But if it is the topmost VirtualHost for port 443 it could be used as the default VirtualHost for requests on port 443 as a whole, so it is not wrong either.
Then setup another VirtualHost for domain2, again on port 443, on another server:
Listen *:443
<VirtualHost *:443>
ServerName www.domain2.com
ServerAlias domain2.com
SSLEngine On
[... all our SSL directives, like certs ...]
DirectoryIndex ...
[ ... other configurations to publish your pages ...]
</VirtualHost>
The error you get says SSL is not turned on for port 80, which makes sense. If you ask for http://www.domain1.com this will be sent to the matching VirtualHost on port 80, which is HTTP, hence no SSL. You should ask for https://www.domain1.com.
If you want to put both on one system, you will have a slight problem. You cannot have two VirtualHosts with different domain names on the same IP and same port (443) for SSL. This is because Apache does not know which domain you want until after the certificates are negotiated. So the ways to solve this are:
Two servers, one per HTTPS domain.
One IP per HTTPS domain. You would do Listen IP1:443 and Listen IP2:443 and set up your VirtualHosts using these as well.
One port per HTTPS domain. Your domain1 VirtualHost could use port 443 (the default for https://... requests). Your domain2 VirtualHost could use any other port, since it will only be known to you and hidden from the clients. Your RewriteRule would use https://subdomain2.domain2.ext2:<THE PORT>/$1
But this is a long subject and you would need to do some research into running many HTTPS sites on the same server for all the details.

Redirecting http to https using ReWrite rule using AWS sends all requests to default webroot instead of using ProxyPass

I have an Apache webserver running on an AWS EC2 instance on port 80.
I have an ELB with a certificate. All requests are intercepted by the ELB and forwarded to my EC2 instance, where my webserver listens for any calls.
When any http traffic comes, I redirect it to https using the rule given below which is present in my http-vhosts.conf file:
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule .* https://%{HTTP:Host}%{REQUEST_URI} [L,R=permanent]
</VirtualHost>
Now in my http-vhosts.conf, I redirect any traffic coming to port 443 (the default HTTPS port) using ProxyPass as shown below:
<VirtualHost *:443>
ServerName www.mywebsite.com
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
Now suppose I make a call to:
http://www.mywebsite.com
It is redirected to:
https://www.mywebsite.com
But this link now serves the index.html file present in my default webroot given in httpd.conf file, instead of redirecting it using ProxyPass.
Can someone please tell me where am I going wrong?
If you are terminating SSL on the ELB, and the communication between ELB and EC2 is only on port 80, then your proxy configuration will never get invoked.
To fix this, you have two options: The first one is to add the proxy config (the settings you have in the *:443 VirtualHost entry) to the *:80 entry.
The second option would be to configure the ELB to talk to your EC2 instance on 443 as well as 80. You will need to install and configure SSL and an appropriate cert (self-signed will do).
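The first option from the answer, written out as an added example (not the asker's or the answerer's configuration): TLS ends at the ELB and the instance only ever sees port 80, so the redirect and the proxy live in one port-80 VirtualHost. The VPC range 10.0.0.0/16 and the backend on localhost:8080 are assumptions; it needs mod_remoteip, mod_rewrite, mod_proxy and mod_proxy_http.

```apache
# Added example (not from the original answer): redirect and proxy in the
# same port-80 VirtualHost behind a TLS-terminating ELB. 10.0.0.0/16 (the
# VPC range) and localhost:8080 are assumptions.

<VirtualHost *:80>
    ServerName www.mywebsite.com

    # Log and evaluate the real client address from X-Forwarded-For, but
    # only trust that header when the peer that sent it is inside the VPC
    # (that is, the load balancer).
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 10.0.0.0/16

    # The ELB sets X-Forwarded-Proto to the scheme the client used.
    # Plain-HTTP clients are sent to HTTPS; requests without the header
    # (for example the ELB health check) fall through to the proxy.
    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-Proto} =http
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # The proxy settings the question had in the never-reached *:443 vhost.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
```

Both X-Forwarded-Proto and X-Forwarded-For are only as trustworthy as the path to port 80: the instance's security group must accept port 80 from the ELB alone, otherwise anyone can connect directly, claim "X-Forwarded-Proto: https" and bypass the redirect, or forge a source address into the logs. To check the rule from the instance itself, `curl -sI -H "X-Forwarded-Proto: http" http://localhost/` should return 301 with a https:// Location, while the same request without the header should return the backend's own response.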

Proxy reversing SSL server in Apache

I am struggling with reverse proxying an SSL server in Apache.
Right now I have many websites under many subdomains in one domain.
For example:
gitlab.mydomain.com
nextcloud.mydomain.com
plex.mydomain.com
All the websites use Let's Encrypt certificates, so they are HTTPS enabled.
The thing is that so far no server running on my localhost was HTTPS. For example, Plex is running as a standalone HTTP server on my localhost, which I simply reverse proxy using Apache, and on the internet it is secured with Let's Encrypt.
Now I need to reverse proxy an already secured HTTP server, namely Jenkins; it is running with Let's Encrypt on my localhost for various reasons. I should also mention that the certificate used to encrypt it on localhost is the same as the certificate I use in Apache.
So my Jenkins is running on port 8443, and my Apache configuration for Jenkins is the following:
# Just to redirect HTTP to HTTPS
<VirtualHost *:80>
ServerName jenkins.mydomain.com
ServerAlias www.jenkins.mydomain.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<Virtualhost *:443>
ServerName jenkins.mydomain.com
ServerAlias https://jenkins.mydomain.com
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Proxy https://localhost:8443/jenkins*>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /jenkins http://localhost:8443/jenkins nocanon
ProxyPassReverse /jenkins http://localhost:8443/jenkins
ProxyPassReverse /jenkins http://jenkins.mydomain.com/jenkins
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Ssl on
RewriteEngine on
RewriteRule "^/$" "/jenkins/" [R]
SSLEngine on
SSLCertificateFile path/to/fullchain.pem
SSLCertificateKeyFile path/to/privkey.pem
</Virtualhost>
However, with this configuration I get an error 502 (Proxy Error):
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /jenkins/.
Reason: Error reading from remote server
The 502 you're getting is because Apache isn't receiving a response from http://localhost:8443/jenkins. This is the first issue that needs to be resolved before anything else can work. Ensure that you are able to access Jenkins by utilizing cURL.
For example: curl http://localhost:8443/jenkins. If there is no response, try curl https://localhost:8443/jenkins; if there is no response there either, then I'd take a look and see if Jenkins is configured properly.
There are a couple things I did notice that should be updated in your Virtual Host configuration.
ServerAlias https://jenkins.mydomain.com should be ServerAlias www.jenkins.mydomain.com as https:// should not be included in a ServerAlias directive, plus you may want to be able to get to the site using https://www.jenkins.mydomain.com since that's in the non-https directive. You also most likely will want to include a rewrite in your https virtual host that rewrites www.jenkins.mydomain.com to jenkins.mydomain.com.
You probably don't need the second ProxyPassReverse directive.
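Proxying to a backend that itself speaks TLS is the common thread of this question and of the earlier one about fronting https://subdomain2.domain2.ext2/ from domain1. The vhost below is an added example, not either answer's configuration. In the Jenkins case the question's `ProxyPass /jenkins http://localhost:8443/jenkins` sends plain HTTP to a TLS port, which is exactly what produces a 502 "Error reading from remote server"; the fix is to match the scheme and enable SSLProxyEngine. The example connects to Jenkins by its certificate name rather than `localhost` so that peer-name verification can pass, which assumes an /etc/hosts entry mapping jenkins.mydomain.com to 127.0.0.1 on this host; the CA bundle and certificate paths are assumptions too, and RequestHeader needs mod_headers.

```apache
# Added example (not from the original question or answers): TLS terminates
# here for jenkins.mydomain.com and is re-established to Jenkins on 8443.
# Assumes jenkins.mydomain.com resolves to 127.0.0.1 in /etc/hosts and that
# the CA bundle path below exists.

<VirtualHost *:443>
    ServerName jenkins.mydomain.com
    # A ServerAlias is a hostname, never a URL.
    ServerAlias www.jenkins.mydomain.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/jenkins.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jenkins.mydomain.com/privkey.pem

    # The backend hop is TLS, so mod_ssl must act as a client here.
    SSLProxyEngine on
    # Default is SSLProxyVerify none: any certificate, from any process that
    # manages to bind the port, is accepted. Verify against a CA bundle and
    # insist that the name on the certificate matches the one we connect to.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLProxyCheckPeerName on

    ProxyRequests Off
    ProxyPreserveHost On
    # Jenkins needs encoded slashes passed through untouched.
    AllowEncodedSlashes NoDecode
    # Scheme matches the backend: https://, not http://, on port 8443.
    ProxyPass        /jenkins https://jenkins.mydomain.com:8443/jenkins nocanon
    ProxyPassReverse /jenkins https://jenkins.mydomain.com:8443/jenkins

    # Jenkins builds its own URLs from these.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Send the bare hostname to the Jenkins context path.
    RedirectMatch ^/$ /jenkins/
</VirtualHost>
```

For the domain1-to-domain2 case the same block applies with `ProxyPass / https://subdomain2.domain2.ext2/` and `ProxyPreserveHost Off`, so that the Host header and the TLS server name both carry the backend's own name and its certificate verifies. In both cases `curl -sv https://<backend-name>:<port>/` from the proxy host is the quickest way to confirm the backend really speaks TLS on that port and presents a certificate for the name you are about to use.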