Apache proxypass https to https - apache

here is what I tired to do:
browser -internet-> https(Apache proxypass)-intranet->(Apache https)
both Apaches are installed the ssl certs.(startssl wide card,not self-signed)
Apache error log:
[client 192.168.2.157] SSL Proxy requested for test.xxx.com:443 but not enabled [Hint: SSLProxyEngine]
[error] proxy: HTTPS: failed to enable ssl support for 192.168.2.157:443 (test.xxx.com)
Then I tried use apache(on the internet) proxy to https://google.com
and the error log is the same.
However,https to http works.
browser -internet-> https(Apache proxypass)-intranet->(Apache http)
My config:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/xxx_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/xxx_com.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.ca.pem
ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / https://2w.xxx.com/
ProxyPassReverse / https://2w.xxx.com/
ServerName test.xxx.com
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
ErrorLog "/var/log/apache2/error-ssl.log"
</VirtualHost>
OR:
<VirtualHost *:443>
ProxyPass / https://google.com/
ProxyPassReverse / https://google.com/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/xxx_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/xxx_com.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class2.server.ca.pem
ServerName test.xxx.com
</VirtualHost>
Seems like it's not possible for apache to handle https to https?
if apache does not support this how about nginx?

You should set "SSLProxyEngine On". The following is my example that may give you any idea.
<VirtualHost *:443>
SSLEngine On
SSLProxyEngine On
ServerName my.example.com:443
SSLCertificateFile "${SRVROOT}/conf/ssl/example.pem"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/example.key"
ErrorLog "|bin/rotatelogs.exe -l /var/logs/apache/example/error.%Y-%m-%d.log 86400"
CustomLog "|bin/rotatelogs.exe -l /var/logs/apache/example/ssl_request.%Y-%m-%d.log 86400" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ProxyRequests Off
ProxyPass / https://www.google.com/
<Location />
ProxyPassReverse /
Options FollowSymLinks
Require all granted
</Location>
</VirtualHost>

Related

Basic auth only for specific directory

I have a small envirnment where I have 3 services on one server and I want to put all three behind a reverse proxy.
Prometheus server running on port 9090
Prometheus Alert manager running on port 9093
Grafana running on port 3000
My current configuration is below
<VirtualHost *:80>
ServerName metrics.example.com
Redirect permanent / https://metrics.example.com/
</VirtualHost>
<VirtualHost *:443>
ServerAdmin admin#example.com
ServerName metrics.example.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl.crt/example.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/example.key
ErrorLog /var/log/apache2/metrics.example.com-error_log
CustomLog /var/log/apache2/metrics.example.com-access_log combined
<Location "/">
ProxyPreserveHost On
ProxyPass http://localhost:9090/
ProxyPassReverse http://localhost:9090/
</Location>
<Location "/alertmanager/">
ProxyPreserveHost On
ProxyPass http://localhost:9093/
ProxyPassReverse http://localhost:9093/
</Location>
<Location "/grafana/">
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
</Location>
# <Proxy *>
# AuthType Basic
# AuthName "Restricted Content"
# AuthUserFile /etc/apache2/.htpasswd
# Require valid-user
# </Proxy>
</VirtualHost>
For now everything works, but Prometheus and Alertmanager don't have own auth, Grafana does. If I uncomment section Grafana stops working. The goal is to protect both Prometheus and Alertmanager with basic auth but not the Grafana instance.
Is it possible (and how) to protect root ("/") directory and /alertmanager subdirectory but with omitting /grafana subdirectory in single vhost?

How to solve Apache Proxy Error 502 (Error Reading From Remote Server)

I never received proper instruction on using a proxy in apache, and have mainly been managing by myself so far. Could really use some help with this error.
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot ...
ServerName ...
SSLCertificateFile ...
SSLCertificateKeyFile ...
Include /etc/letsencrypt/options-ssl-apache.conf
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
<Proxy *>
Require all granted
</Proxy>
<Location /test1>
ProxyPass http://127.0.0.1:3001/
ProxyPassReverse http://127.0.0.1:3001
</Location>
<Location /test2>
ProxyPass http://127.0.0.1:3000/
ProxyPassReverse http://127.0.0.1:3000
</Location>
</VirtualHost>
</IfModule>
The issue is that I receive the above error code for /test2/ but not /test1/. Thanks to anyone who has advice.

Reverse Proxy with pgadmin and apache

I would like to setup the local pgadmin in server mode behind the reverse proxy. The reverse proxy and the pgadmin could be on the same machine. I tried to set up but it always fails.
Here is mypgadmin conf:
Listen 8080
<VirtualHost *:8080>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/pgadmin.crt
SSLCertificateKeyFile /etc/pki/tls/private/pgadmin.key
LoadModule wsgi_module modules/mod_wsgi.so
LoadModule ssl_module modules/mod_ssl.so
WSGIDaemonProcess pgadmin processes=1 threads=25
WSGIScriptAlias /pgadmin /usr/lib/python2.7/site-packages/pgadmin4-web/pgAdmin4.wsgi
<Directory /usr/lib/python2.7/site-packages/pgadmin4-web/>
WSGIProcessGroup pgadmin
WSGIApplicationGroup %{GLOBAL}
<IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from ::1
</IfModule>
</Directory>
</VirtualHost>
and my reverse proxy conf
Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
ErrorLog /var/log/httpd/reverse_proxy_error.log
CustomLog /var/log/httpd/reverse_proxy_access.log combined
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCACertificateFile "/etc/pki/tls/certs/ca-bundle.crt"
ProxyPreserveHost On
ProxyPass / https://localhost:8080/pgadmin
ProxyPassReverse / https://localhost:8080/pgadmin
</VirtualHost>
The httpd start but when I want to test it with
wget --no-check-certificate https://localhost/
it give me error 400
but the
wget --no-check-certificate https://localhost:8080/pgadmin
is working. Where is the problem in my config?
this work for me. I make pgadmin proxy to sub directory (https://localhost/pgadmin)
<VirtualHost *:80>
ServerName localhost
DocumentRoot "/var/www"
<Directory "/var/www">
AllowOverride all
</Directory
ProxyPass /ws/ ws://0.0.0.0:8888/
ProxyPass /phpmyadmin/ http://phpmyadmin/
<Location /pgadmin/>
ProxyPass http://pgadmin:5050/
ProxyPassReverse http://pgadmin:5050/
RequestHeader set X-Script-Name /pgadmin
RequestHeader set Host $http_host
</Location>
</VirtualHost>
Have you tried with latest version, I think it is fixed this commit Ref: LINK
Online Docs: https://www.pgadmin.org/docs/pgadmin4/dev/server_deployment.html
This config works,
use 0.0.0.0 for pgadmin docker, else use your ip
change port 5050 with your pgadmin port
<VirtualHost *:80>
ServerName pgadmin.yourdomain.com
RedirectMatch permanent ^/pgadmin4$ /pgadmin4/
ProxyPreserveHost On
ProxyPass / http://0.0.0.0:5050/
ProxyPassReverse / http://0.0.0.0:5050/
Header edit Location ^/ /pgadmin4/
Header always set X-Script-Name /pgadmin4
</VirtualHost>
Cofigure with SSL, replace yourdomain.com with valid SSL for your domain
<VirtualHost *:80>
ServerName pgadmin.yourdomain.com
RedirectMatch permanent ^/(.*)$ https://pgadmin.yourdomain.com/$1
</VirtualHost>
<VirtualHost *:443>
ServerName pgadmin.yourdomain.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
RedirectMatch permanent ^/pgadmin4$ /pgadmin4/
ProxyPreserveHost On
ProxyPass / http://0.0.0.0:5050/
ProxyPassReverse / http://0.0.0.0:5050/
Header edit Location ^/ /pgadmin4/
Header always set X-Script-Name /pgadmin4
</VirtualHost>

running jenkins behind apache2 on subdomain and different port

I am attempting to get a jenkins instance (running on http://localhost:8080/) to be visible at http://ci.domain.com:80/.
Current status:
* Browsing to ci.domain.com gives me the content of domain.com
* Browsing to ci.domain.com:8080 shows jenkins
* Browsing to domain.com:8080 shows jenkins
Ideal status:
* Browsing to ci.domain.com shows jenkins
* Browsing to ci.domain.com:8080 redirects to ci.domain.com
* Browsing to domain.com:8080 does whatever the server would do if there were nothing running on port 8080
My current apache site config (working as expected for shifting traffic to HTTPS) is as follows:
<VirtualHost *:8080>
ServerName ci.domain.com
ServerAlias ci
Redirect temp / http://ci.domain.com/
</VirtualHost>
<VirtualHost *:80>
ServerName ci.domain.com
ServerAlias ci
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Proxy http://localhost:8080/*>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
<VirtualHost *:80>
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/domain.com
Redirect permanent / https://domain.com/
</VirtualHost>
<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/domain.com
<Directory /var/www/domain.com/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_dir.c>
DirectoryIndex index.php index.pl index.cgi index.html index.xhtml $
</IfModule>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/fullchain.pem
<FilesMatch "\.(cgi|shtml|phtml_php)$">
SSLOptions +StdEnvVars
</FilesMatch>
</VirtualHost>
Any help is appreciated.

Redirect domain.com/path to another Apache Server

I have 3 Apache VM's running currently:
A) ProxyPass (Hosts Nothing)
B) Main Website
C) ZoneMinder Website
If you access example.com you get to the website, and can navigate around, but...
If I manually type http://example.com/zm trying to access zoneminder
It redirects http://example.com/zm in my remote browser to http://192.168.1.255:443/foo*
I can't seem to get my redirect working correctly, can anybody see what I am doing wrong?
Configs:
A) ProxyPass Server:
<VirtualHost *:80>
ServerName www.example.com
RedirectPermanent / http://example.com
</VirtualHost>
<VirtualHost *:80>
ServerName example.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://192.168.1.255:80/
ProxyPassReverse / http://192.168.1.255:80/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
B) Main Website
<VirtualHost *:80>
ServerName example.com
DocumentRoot /var/www/html
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/example.log
CustomLog ${APACHE_LOG_DIR}/example-access.log combined
</VirtualHost>
Got it working!
The setup:
Server A) Apache server that only serves proxypass and doesn't host anything
Server B) Apache server that hosts main domain.com
Server C) Apache server that hosts ZoneMinder # domain.com/zm
Server A Config:
<VirtualHost *:80>
ServerName domain.com
Redirect / https://www.domain.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.domain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine On
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on
SSLEngine on
SSLCertificateFile /location of .crt
SSLCertificateKeyFile /location of .key
SSLCACertificateFile /location of .crt
ProxyPreserveHost on
ProxyPass /zm https://192.168.1.43:443/zm
ProxyPassReverse /zm https://192.168.1.43:443/zm
ProxyPass / https://192.168.1.42:443/
ProxyPassReverse / https://192.168.1.42:443/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
Notes: It is important to have the /zm come before the "/" catch all. I also noticed it FAILED if i used /zm/.
Server B Config:
<VirtualHost *:443>
ServerName www.domain.com
DocumentRoot /var/www/html
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/domain.log
CustomLog ${APACHE_LOG_DIR}/domain.log combined
SSLEngine on
SSLCertificateFile /location of .crt
SSLCertificateKeyFile /location of .key
SSLCACertificateFile /location of .crt
</VirtualHost>
Note: it is not necessary to have *:80 redirects or Server Alias as only correctly formatted requests are sent to this server via ProxyPass filtering beforehand.
Server C Config: (domain.com/zm)
<VirtualHost *:443>
ServerName www.domain.com
DocumentRoot /var/www/html
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/domain.log
CustomLog ${APACHE_LOG_DIR}/domain.log combined
SSLEngine on
SSLCertificateFile /location of .crt
SSLCertificateKeyFile /location of .key
SSLCACertificateFile /location of .crt
</VirtualHost>
Yes it is the same. It works so I am happy!
Note: All 3 servers have my SSL certs installed, but I did not touch default-ssl.conf.