It seems that it is possible to get Apache server to Proxy and Manage SSL handshake on https requests and service them as 'http' thru another server behind it.
I have configured an apache server for ProxyPass using following configuration
SSLProxyEngine On
ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/
I am able to get all all traffic to the apache server that is listening to port 8080 direct and serve by the localhost:8081 server so
http://localhost:8080/hi is being correctly served by http://localhost:8081/hi
However the following does not work :
http**s**://localhost:8080/hi to be served by http://localhost:8081/hi
Apache is trying to pass the https:// traffic to the 8081 server, without managing the SSL handshake.
Your Apache listener on port 8080 is an http listener, not an https listener. You can't handle both types of traffic on the same port. If you want to handle SSL traffic, you'll need to set up a new context on another port with SSLEngine On and all the other normal SSL configuration (certificate, key, etc).
This question has one version of this configuration.
Also this post.
Related
JS(Nuxt) website Frontend has SSL on Apache on Ubuntu.
Backend in Spring Boot on Tomcat runs on 8090 port. (Of course, it hasn't SSL on this port) and get Cors exception (From Backend side, I've fixed Cors) but get
XMLHttpRequest endpoint 'http://localhost:8090/api/v1/waiterList'. This request has been blocked; the content must be served over HTTPS.
After that, I try to create a subdomain like api.mydomain.com and get SSL. (https://api.mydomain.com) then forward port to 8090 like below
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:8090/
ProxyPassReverse / http://localhost:8090/
Port forwarded but now I get
503 Service Unavailable
How can Frontend connect to my API? (Preferred API also works with SSL)
I am not certain this is ready to be brought into a production environment.
Essentially, I have an SSL certificate for my public URL (https://*.example.com) but my ASP.NET Core 2.1 application (and a Kestrel service configured only on port 5000) has never been configured to use HTTPS.
In Apache I configured a virtual host to redirect requests from port 80 to 443, then another one for reverse-proxying port 443 (incoming) to 5000 on the backend:
# Force usage of https for public requests
<VirtualHost *:80>
ServerName aspnet01.example.com
Redirect / https://aspnet01.example.com
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ServerName aspnet01.example.com
ServerAlias *.example.com
ErrorLog /opt/bitnami/apache2/logs/aspnet01_error.log
CustomLog /opt/bitnami/apache2/logs/aspnet01_access.log combined
</VirtualHost>
And on the firewall there are only two ports open, 80, 443 and 22 for server administration.
I'm wondering what are the risks on publishing my app this way, I trustfully rely on the fact that traffic from outside is encrypted and nobody is sniffing my internal network.
More generally, is it enough to put an old application (that doesn't use HTTPS) behind a reverse proxy, to consider it secure?
I'm using LAMP on Ubuntu 16.04. Thanks in advance.
The Kestrel app will only be as secure as your reverse proxy configuration and network is, but that's generally an acceptable way to handle security, as it reduces the overhead within your network between Kestrel and the reverse proxy.
Per Microsoft's documentation:
A reverse proxy:
Can limit the exposed public surface area of the apps that it hosts.
Provide an additional layer of configuration and defense.
Might integrate better with existing infrastructure.
Simplify load balancing and secure communication (HTTPS) configuration. Only the reverse proxy server requires an X.509
certificate, and that server can communicate with the app's servers on
the internal network using plain HTTP.
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?view=aspnetcore-3.1#when-to-use-kestrel-with-a-reverse-proxy
I need to test an application. It is a microservice which uses other APIs. To test it in isolation I want to use mock servers. The problem is that I can't configure the application under test to send requests to http mock server. It sends request using https protocol and port 443 only.However, there is no https-app running on that port. But it is possible to specify a proxy server. I tried to configure apache to run as an https proxy server. This server uses a self-signed certificate for localhost domain. But redirection does not works for https requests.
However, http requests get redirected succesfully if I run proxy server in http mode.
Here is the configiration for the proxy server:
<VirtualHost localhost:8098>
ProxyRequests Off
SSLEngine On
ProxyPass / http://localhost:3001
ProxyPassReverse / http://localhost:3001
SSLCertificateFile localhost.crt
SSLCertificateKeyFile localhost.key
</VirtualHost>```
I have this configuration:
HTTPS load balancer / SSL offloader on port 443
Apache httpd on port 80 (different IP), using ProxyPass, ProxyPassReverse to forward to...
multiple Glassfish domains listening on different ports
Problem: Neither Glassfish nor Apache is aware that the request is HTTPS. Redirects to URLs like "/index.jsp" are being rewritten in Glassfish as http://internal_ip/index.jsp, then ProxyPassReverse rewrites to http://public_ip/index.jsp. Problem is, I need that URL to be http*s*://public_ip/...
How do I fix that - is there some Glassfish configuration I can change, or Apache httpd.conf?
I see two solutions to that:
1) use your loadbalancer to manipulate apaches response (iRule in F5, flex for A10 loadbalancers etc.)
2) set up something on the loadbalancer to send another redirect to requests coming in via HTTP to use HTTPS
How can I set up a reverse proxy with mod_proxy without redirecting to another server or IP? This will be a virtual host environment. The reason I want to do this is so that mod_proxy handles the communication with the client's browser thereby freeing up web server processes to serve the next request instead of feeding the client's browser. This is especially important when using language modules such as mod_php with MPM Prefork. The flow that I'm trying to achieve is:
1. The traffic resolves to www.mydomain.com on port 80.
2. The proxy sends the request the web server.
3. The web server sends the answer back to the proxy and disconnects from the proxy.
4. The proxy feeds the client browser.
Once that is working I want to add nginx at the same IP address but for port 81 and proxy image requests to nginx on the same server. I do not want nginx handling the proxy nor do I want FCGI anything. I want my standard Apache mod_rewrite and .htaccess to work.
Thanks Tons!
Simply redirect to the localhost on a different port? Host your application on port 8080, and use mod_proxy to forward the requests:
ProxyPass /foo http://localhost:8080/foo
ProxyPassReverse /foo http://localhost:8080/foo
This may be helpful if you have application servers that are handling requests and you want multiple instances combined on a single machine. You can use one port per application server.
I don't know if it really would be faster than just using mod_php directly. Proxying requests also adds overhead.
Make sure you also use load these 2 modules
LoadModule proxy_module bin/mod_proxy.so
LoadModule proxy_http_module bin/mod_proxy_http.so
ProxyPass /TeamCity http://localhost/TeamCity
ProxyPassReverse /TeamCity http://localhost/TeamCity