How to enable Apache SSL Reverse Proxy on HTTP application - apache

I've been having problems attempting to implement a reverse SSL proxy on Apache for an HTTP application on Ubuntu 14.04. As a baseline, the application works fine when I access it via port 8000 in the browser normally. For all intents and purposes, let's say the IP of my app is 192.141.56.11 (I do not have a domain name yet). The application runs with HTTP Basic Auth, I don't know if it's relevant. Basically I'm fishing for some glaring error here and would be grateful if you could help me out. Here is a log of my process:
I created my SSL cert and key and put them in the following locations:
/etc/apache/ssl/apache.crt (I performed chmod 644 here)
/etc/apache/ssl/apache.key (I performed chmod 400 here)
I then installed:
apt-get install apache2
a2enmod proxy
a2enmod ssl
a2enmod proxy_http
I then disabled the default config with:
a2dissite 000-default
I created the file "/etc/apache2/sites-available/redirect.conf"
I then created the file "/etc/apache2/sites-available/redirect.conf" and copied the text below:
<VirtualHost *:80>
Redirect "/" "https://192.141.56.11"
</VirtualHost>
After, I created the file "/etc/apache2/sites-available/reverse_proxy.conf" and copied below:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache/ssl/apache.crt
SSLCertificateKeyFile /etc/apache/ssl/apache.key
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
and did:
service apache2 restart
I now attempt to access the UI of the application on another machine in the Chrome browser. When trying:
https://192.141.56.11
I get a general SSL connection error.
However, trying
http://192.141.56.11:8000
gives me the application, as if none of my config changed anything. However,
192.141.56.11:80
gives me an "Index Of" page with an html folder that says "Apache/2.4.7 (Ubuntu) Server at 192.141.56.11 Port 80"
192.141.56.11:443
gives me the same result except with "Apache/2.4.7 (Ubuntu) Server at 192.141.56.11 Port 443"
I've tried all manners of configurations but can't get what I want -- any ideas here?

EDIT: I tried https[:]//192.141.56.11 and got a more specific SSL error:
received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
EDIT2: After running Apache, I get this warning:
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
I suppose this is fine as I am using an IP and not a domain name.
EDIT3: It turns out I needed to do:
a2ensite reverse_proxy.conf.
Now https[:]//192.141.56.11 works but defaults to an Apache page. Working on this.
EDIT4: I had to do
a2dissite default-ssl.conf
Now it actually redirects to the app on https[:]//192.141.56.11!! But I can still access the app via port 8000, which is bad {still working on}
EDIT5: In the end, I couldn't figure out how to block access to the original app via port 8000 on Apache. Instead, I just implemented iptables on the server so that it can only be accessed via HTTPS. This is probably not the correct method, but all I could think of.

Related

Can't access https version of WAMP site outside localhost

After setting up SSL on my 64-bit WAMP server on Windows 7, I tried to access the https version of the site. However, I get this error: ERR_SSL_PROTOCOL_ERROR
I've port forwarded, shut down my firewall, and made sure my certificate and key are valid (bought from a verified CA). Even if they weren't, Chrome would still provide a warning asking me if it's okay to proceed. Accessing the http version of the website works.
I tried accessing the same website from another computer on my network using its local IP and no luck. Same error. However, when I type https://mypublicdomain.com on the same PC I'm hosting the site from, it loads fine without any warnings from Chrome, says "Connection is secure." Same thing with https://localhost, it just warns me before visiting the website.
I've tried making a new <VirtualHost *:443> block in httpd-vhosts.conf with Require all granted, however it still seems to give the error on remote PCs trying to access the site on or off my network from my domain.
Any help would be greatly appreciated, thanks.
Apache version 2.4.23
I just figured it out. I had another <VirtualHost ...> block configured to the 443 port in my httpd-vhosts.conf that was causing the 443 port to not run under SSL at all because it did not have SSLEngine on in it. After deleting that block in that file, just leaving the port 80 one, it seems to be working. I also had to make sure that NameVirtualHost *:443 was directly above <VirtualHost _default_:443> in my httpd-ssl.conf file or else the whole setup would not work.
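The mismatch this answer describes, a port-443 block without SSLEngine on (a common cause of ssl_error_rx_record_too_long and ERR_SSL_PROTOCOL_ERROR in the browser), can be checked for mechanically. The following is an added example, not code from either poster: `parse_vhosts`, `lint` and the finding labels are hypothetical names, and the sample configuration is constructed from the snippets on this page.

```python
import re

# Constructed sample mirroring configs on this page: a port-80 redirect, a
# stray :443 block with no SSLEngine, a proper TLS proxy, and TLS on :80.
SAMPLE_CONF = """\
<VirtualHost *:80>
    Redirect "/" "https://192.141.56.11"
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "c:/wamp/www"
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine On
    SSLCertificateFile /etc/apache/ssl/apache.crt
    ProxyPass / http://127.0.0.1:8000/
</VirtualHost>
<VirtualHost *:80>
    SSLEngine on
    ProxyPass / http://0.0.0.0:3838/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(text):
    """Yield (address, port or None, {lowercased directive: argument string})."""
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                name, *rest = line.split(None, 1)
                directives.setdefault(name.lower(), rest[0] if rest else "")
        m = re.search(r":(\d+)$", addr.split()[0])
        yield addr.strip(), int(m.group(1)) if m else None, directives

def lint(text):
    """Return (address, finding) pairs where SSLEngine and the port disagree."""
    findings = []
    for addr, port, d in parse_vhosts(text):
        tls = d.get("sslengine", "off").lower() == "on"
        if port == 443 and not tls:
            findings.append((addr, "plain-http-on-443"))  # browser sees a TLS protocol error
        if port == 80 and tls:
            findings.append((addr, "tls-on-80"))  # http:// clients are rejected
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_CONF))
```

The linter only sees the text it is given, so run it over the files Apache actually loads; `apachectl -S` lists the virtual hosts in the running configuration and the file each one came from.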

Create an SSL certificate for a Shiny server running on CentOS

I can't figure how to create an SSL certificate for a Shiny server that runs on a CentOS machine.
My end goal is to be able to access my app with HTTPS.
So instead of - HTTP://mydomain.com:3838/my-app/
To have something like - HTTPS://mydomain.com:3838/my-app/
Or even better - HTTPS://mydomain/my-app/
I tried my best with numerous tutorials but I'm not an expert in system administration and didn't have a lot of success.
Would really appreciate any help here!
# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)
# shiny-server --version
Shiny Server v1.5.7.907
Thanks!
My answer in one word: letsencrypt.
Letsencrypt provides an executable that will grant you SSL certificates for all the domains your server handles. For this, it validates your machine by mounting a temporary web server and checks if it can reach it with the domain names you provided.
There's more info on the official website. Once you have the certs, simply add them to nginx or Apache or whatever web server you are using.
UPDATE:
To forward http calls to your shiny web server you have to use Apache web server as a proxy, that means that every call to yourdomain:80 will be redirected to localhost:3838.
You have to edit your default conf. In Ubuntu you can find it in this path: /etc/apache2/sites-enabled/000-default.conf
Then, in the conf file:
<VirtualHost *:443>
# These lines configure SSL (the vhost listens on 443, the HTTPS port)
SSLEngine on
SSLCertificateFile /path/to/your/ssl.crt
SSLCertificateKeyFile /path/to/your/ssl.key
# These lines configure the proxy to the Shiny server on loopback
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:3838/
ProxyPassReverse / http://127.0.0.1:3838/
# This sets the domain name to listen for
ServerName yourdomain.com
</VirtualHost>
Then, restart apache and you're good to go.

Apache httpd.conf - route request to different port

I have a CentOS 7.1 with Apache httpd running on port 9000.
So if I type in my browser: http://192.168.56.101:9000/ I see the Apache Testing 123 Page.
I also have a GitLab Server running on port 8888, but this port is closed by the firewall.
I want Apache to redirect traffic to http://192.168.56.101:9000/gitlab internally to the GitLab server.
I have done this in my Apache config file /etc/httpd/conf/httpd.conf:
<VirtualHost *:9000>
ProxyPass /gitlab http://192.168.56.101:8888/users/sign_in
ProxyPassReverse /gitlab http://192.168.56.101:8888/users/sign_in
</VirtualHost>
When users browse to http://192.168.56.101:9000/gitlab the login page appears (CSS seems broken though), but when logging in this appears:
Not Found
The requested URL /users/sign_in was not found on this server.
Is this something that is configurable with Apache and if so how?
Do I need to use some sort of Url-Rewriting, if yes which and how to get started?
All the links in gitlab will presume you are pointing at the original server.
So you need to look at mod_proxy_html to also replace these links in the HTML:
https://httpd.apache.org/docs/2.4/mod/mod_proxy_html.html

Apache fresh installation ssl

I've installed Apache on CentOS and have not enabled SSL, and yet I get the following error.
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please. Hint:
https://192.168.1.50/ Apache/2.2.15 (CentOS) Server at 192.168.1.50
Port 443
The page I was testing is a simple HTML page.
I did not make many changes to the freshly installed Apache. The only things I edited are IPTABLES config file to allow LAN access on port 80 and the httpd.conf file to change document root.
I've installed Apache before (on Fedora), but didn't have this problem.
Thank you.
I managed to find the problem. I found an ssl.conf file that contains all of the SSL configuration lines. The SSL was enabled by default, it's weird. It is located in /etc/httpd/conf.d/ and a simple
<VirtualHost _default_:443>
SSLEngine off
</VirtualHost>
did the trick.

Specific Port Configuration on Apache

So I'm trying to develop a php website locally on my macbook. I'm using apache as my webserver, I have php and mysql installed, and I can use the php index file in my sites folder, but I would like to move all of my development over to a different.
I've been trying to configure apache to run on a different port, so far I've made these changes to my /etc/apache2/extras/httpd-vhost.conf
<VirtualHost *:2727>
ServerAdmin foobar#gmail.com
DocumentRoot "/Users/brianWheeler/Foobar"
ServerName local.foobar.com
</VirtualHost>
And I've edited my /etc/apache2/httpd.conf to say
listen 127.0.0.1:2727 http
I've started apache, but when I go to 127.0.0.1:2727 I get the google chrome page not found type thing.
I've run the apachectl -t command to see what's wrong, and I just get this one error
httpd: Could not reliably determine the server's fully qualified domain name, using Foo-Bars-MacBook.local for ServerName
So my questions are, how do I configure the DocumentRoot/index page, and what kind of diagnostics can I run to see why this won't work?
-Brian
httpd: Could not reliably determine the server's fully qualified domain name, using Foo-Bars-MacBook.local for ServerName - this error is possibly not related to your problem.
Most of my test servers are giving this error but they are running with no problem.
Please try to insert the line without IP and http:
listen 2727
Edit: can you try the following:
NameVirtualHost *:2727
Listen 2727