I need to set up a reverse proxy with Apache.
The remote website uses https and Web Socket Secure (wss).
I configured my Apache Web Server (version 2.2.22) in this way:
Listen 8443
<IfModule mod_websocket.c>
<IfModule mod_proxy.c>
    SSLProxyEngine On
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www
        <Location />
            ProxyPass https://10.0.3.100/
            ProxyPassReverse https://10.0.3.100/
        </Location>
        <Location /dp/redirect>
            ProxyPass https://10.0.3.100/
            ProxyPassReverse https://10.0.3.100/
        </Location>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    <VirtualHost *:8443>
        ServerAdmin webmaster@localhost
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        DocumentRoot /var/www
        <Location />
            ProxyPass https://10.0.3.100:8443/
            ProxyPassReverse https://10.0.3.100:8443/
        </Location>
        <Location /dp/redirect>
            ProxyPass https://10.0.3.100:8443/
            ProxyPassReverse https://10.0.3.100:8443/
        </Location>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
</IfModule>
</IfModule>
I patched my Apache with mod_websocket (http://www.amoss.me.uk/2013/06/apache-2-2-websocket-proxying-ubuntu-mod_proxy_wstunnel/). The problem is that the WebSockets don't work with that configuration.
I need a way to configure Apache to redirect wss requests on port 8443 to wss://remote.server:8443, and https requests on port 8443 to https://remote.server:8443 (so I need a way to "understand" the requested protocol and redirect to the remote server with the same protocol).
How can I do this? Thank you very much.
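An added configuration example for the protocol-aware routing the question asks for; it is not the poster's configuration. It targets Apache 2.4 with mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http and mod_proxy_wstunnel loaded; the backend address 10.0.3.100:8443 and the server certificate paths come from the question, while the ServerName, log names and the CA file used to verify the backend are assumptions.

```apache
# Added example, not the original poster's configuration (Apache 2.4).
Listen 8443
<VirtualHost *:8443>
    # Assumed name for the proxy itself
    ServerName proxy.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key

    # Re-encrypt towards the backend and verify its certificate against an
    # assumed CA file. With SSLProxyCheckPeerName on, the certificate name
    # must match the host written in the proxy URLs below; if the backend
    # certificate only carries a hostname, use that hostname instead of the IP.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.crt

    # Off is the default; never combine ProxyRequests On with ProxyPass, as
    # that turns the server into an open forward proxy.
    ProxyRequests Off

    # A WebSocket handshake carries "Upgrade: websocket" and
    # "Connection: Upgrade". Hand those requests to mod_proxy_wstunnel over
    # wss:// so the protocol is preserved end to end.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade}    websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade   [NC]
    RewriteRule ^/?(.*) wss://10.0.3.100:8443/$1 [P,L]

    # Every other request is ordinary HTTPS to the same backend.
    ProxyPass        / https://10.0.3.100:8443/
    ProxyPassReverse / https://10.0.3.100:8443/

    ErrorLog  ${APACHE_LOG_DIR}/proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/proxy-access.log combined
</VirtualHost>
```

mod_rewrite runs before mod_proxy's own URL mapping, so the [P] rule takes the upgrade requests and the ProxyPass line only ever sees plain HTTPS traffic.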
There are two URLs to the site. Externally it is https://example.com:543
and internally it is https://example.com.
External requests at port 543 are internally routed to port 443 and hence a single virtual host at port 443 but with multiple ProxyPass entries is being used.
The issue is that at any given time only one of https://example.com:543 and https://example.com works, depending on which of the ProxyPass entries in the VirtualHost file is disabled. Can both co-exist and work?
# ProxyPass / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:443/ams/VirtualHostRoot/
# ProxyPassReverse / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:443/ams/VirtualHostRoot/
ProxyPass / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:543/ams/VirtualHostRoot/
ProxyPassReverse / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:543/ams/VirtualHostRoot/
Below is the full virtual host config
<VirtualHost *:443>
    ServerName example.com
    ErrorLog /var/log/apache2/ssl_error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    TransferLog /var/log/apache2/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateChainFile /etc/apache2/ssl/example_com.ca-bundle
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog /var/log/apache2/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    # Balance load between 4 ZEO front-ends
    <Proxy balancer://lbyourorganization>
        BalancerMember http://127.0.0.1:8081/
        BalancerMember http://127.0.0.1:8082/
        BalancerMember http://127.0.0.1:8091/
        BalancerMember http://127.0.0.1:8092/
        # Use Pending Request Counting Algorithm (s. http://httpd.apache.org/docs/current/mod/mod_lbmethod_bybusyness.html).
        # This will reduce latencies that occur as a result of long running requests temporarily blocking a ZEO client.
        # You will need to install the separate mod_lbmethod_bybusyness module in Apache 2.4.
        ProxySet lbmethod=bybusyness
    </Proxy>
    ProxyPass /balancer-manager !
    # ProxyPass / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:443/ams/VirtualHostRoot/
    # ProxyPassReverse / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:443/ams/VirtualHostRoot/
    ProxyPass / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:543/ams/VirtualHostRoot/
    ProxyPassReverse / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:543/ams/VirtualHostRoot/
</VirtualHost>
The easiest solution is to change the router configuration to point the external traffic to a different port than the internal traffic (say to 543 internally) and then to have two <VirtualHost> configs in Apache Httpd with the two different ProxyPass/ProxyPassReverse settings.
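An added example of the layout that answer describes, not the poster's or the answerer's configuration: the router forwards external port 543 to internal port 543, internal users keep using 443, and each port has its own VirtualHost whose VirtualHostBase names the port the client actually used, so Plone generates URLs that work for that client. The balancer pool is the one from the question, defined once and shared; the certificate and key paths and the TLS settings are assumptions (the cipher string in the question enables SSLv2, export and LOW ciphers, which the settings below replace).

```apache
# Added example, not the original configuration (Apache 2.4).
Listen 443
Listen 543

# Server-wide TLS policy, replacing the weak cipher string from the question.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLHonorCipherOrder on

# Pool from the question, defined in server context so both vhosts inherit it.
<Proxy balancer://lbyourorganization>
    BalancerMember http://127.0.0.1:8081/
    BalancerMember http://127.0.0.1:8082/
    BalancerMember http://127.0.0.1:8091/
    BalancerMember http://127.0.0.1:8092/
    ProxySet lbmethod=bybusyness
</Proxy>

# Internal clients: https://example.com, so VirtualHostBase advertises 443.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/example_com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/example_com.key
    SSLCertificateChainFile /etc/apache2/ssl/example_com.ca-bundle
    ProxyPass        / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:443/ams/VirtualHostRoot/
    ProxyPassReverse / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:443/ams/VirtualHostRoot/
</VirtualHost>

# External clients arrive on 543 (router forwards 543 to 543); the same
# certificate is reused and VirtualHostBase advertises 543 instead.
<VirtualHost *:543>
    ServerName example.com:543
    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/example_com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/example_com.key
    SSLCertificateChainFile /etc/apache2/ssl/example_com.ca-bundle
    ProxyPass        / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:543/ams/VirtualHostRoot/
    ProxyPassReverse / balancer://lbyourorganization/http://localhost/VirtualHostBase/https/example.com:543/ams/VirtualHostRoot/
</VirtualHost>
```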
I am having trouble configuring my apache with a new subdomain.
It's an Ubuntu server with apache2 and graphite; I have graphite working on port 80 (installed via apt-get).
Now the apache server currently serves a website (https://subdomain1.domain.com) and I would like to set up apache to serve the graphite app on https://subdomain2.domain.com (port 443). This is so subdomain1 can access the charts from graphite.
This is my apache2-graphite.conf
<VirtualHost *:80>
    WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite
    WSGIProcessGroup _graphite
    WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}
    WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi
    Alias /content/ /usr/share/graphite-web/static/
    <Location "/content/">
        SetHandler None
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined
</VirtualHost>
and the /usr/share/graphite-web/graphite.wsgi:
import os, sys
os.environ['DJANGO_SETTINGS_MODULE'] = 'graphite.settings'
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
from graphite.logger import log
log.info("graphite.wsgi - pid %d - reloading search index" % os.getpid())
import graphite.metrics.search
I have tried changing the port, setting a ServerName and ServerAlias, and enabling SSL, but I haven't been able to get this working.
Sample (not working):
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName graphite.<my_domain_here>
        WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite
        WSGIProcessGroup _graphite
        WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}
        WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi
        Alias /content/ /usr/share/graphite-web/static/
        <Location "/content/">
            SetHandler None
        </Location>
        ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/public.crt
        SSLCertificateKeyFile /etc/apache2/ssl/private.key
        SSLCACertificateFile /etc/apache2/ssl/ca.crt
    </VirtualHost>
</IfModule>
I found what I was doing incorrectly:
I added the subdomain to my /etc/hosts on my workstation and it worked!
Registered the subdomain with our web host and all is OK now.
I'll leave this here in case it helps someone else...
I have a Server which is running Debian 8.1 with Apache 2.4.10 and OpenSSL 1.0.1k.
I have a domain example.com with a few subdomains like www.example.com, cloud.example.com and db.example.com, all pointed to the server (A records).
All these subdomains have their own VirtualHosts with their own SSL certificates. Also, if you send an HTTPS request with another domain or with the IP, you'll get a page with a self-signed certificate.
Everything was running perfectly until I rebooted my server.
Now when I request example.com (without a subdomain prefix) I get the self-signed certificate. The subdomains are working perfectly fine. I have the following vHost configs:
(because I only want HTTPS I have a Rewrite-Rule for all HTTP-Connections)
000-default.conf
<VirtualHost *:80>
    ServerAdmin admin@example.com
    RewriteEngine On
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@example.com
        DocumentRoot /var/www
        <Directory /var/www>
            AllowOverride All
            Require all granted
        </Directory>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/default/ca.crt
        SSLCertificateKeyFile /etc/ssl/certs/default/ca.key
    </VirtualHost>
</IfModule>
www.example.com.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@example.com
        ServerName www.example.com
        ServerAlias example.com
        DocumentRoot /var/www/example
        <Directory /var/www/example>
            AllowOverride All
            Require all granted
        </Directory>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/www.example.com/ca.crt
        SSLCertificateKeyFile /etc/ssl/certs/www.example.com/ca.key
        SSLCertificateChainFile /etc/ssl/certs/www.example.com/sub.class1.server.ca.pem
        SSLCACertificateFile /etc/ssl/certs/www.example.com/ca.pem
    </VirtualHost>
</IfModule>
cloud.example.com.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin admin@example.com
        ServerName cloud.example.com
        DocumentRoot /var/www/example
        <Directory /var/www/example>
            AllowOverride All
            Require all granted
        </Directory>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/www.example.com/ca.crt
        SSLCertificateKeyFile /etc/ssl/certs/www.example.com/ca.key
        SSLCertificateChainFile /etc/ssl/certs/www.example.com/sub.class1.server.ca.pem
        SSLCACertificateFile /etc/ssl/certs/www.example.com/ca.pem
    </VirtualHost>
</IfModule>
I really hope that somebody can help me!
The hostname was example (like the domain, but without .com) so I changed the hostname to some random typing and after a reboot everything worked fine again. When I changed my hostname back it kept working even after a reboot.
For me, changing the order of the VirtualHosts helped to solve the problem, by putting the malfunctioning VirtualHost at the top of the conf file.
I know that similar questions have been asked over and over, however after looking at them I have still not been able to get my server working properly.
I have an SSL certificate installed on my server.
When I hit https://www.ashleyclarke.me -> all is good
When I hit http://www.ashleyclarke.me -> redirects to https://www.ashleyclarke.me
When I hit http://ashleyclarke.me -> redirects to https://www.ashleyclarke.me
My problem is when I hit https://ashleyclarke.me, I have tried to set a redirect but with no luck.
<VirtualHost *:443>
    ServerAdmin me@ashleyclarke.me
    ServerName www.ashleyclarke.me
    ServerAlias ashleyclarke.me
    DocumentRoot /var/www/ashleyclarke.me/public
    <Directory /var/www/ashleyclarke.me/public>
        Options Indexes FollowSymLinks Includes ExecCGI
        AllowOverride All
        Order deny,allow
        Allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/ashleyclarke.me-error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ashleyclarke.me-access.log combined
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/ashleyclarke.me.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ashleyclarke.me.key
    SSLCACertificateFile /etc/apache2/ssl/PositiveSSLCA2.crt
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin me@ashleyclarke.me
    ServerName www.ashleyclarke.me
    ServerAlias ashleyclarke.me
    # Trailing slash so that /path is sent to https://www.ashleyclarke.me/path
    Redirect permanent / https://www.ashleyclarke.me/
</VirtualHost>
Your advice is appreciated.
Just ran into a similar problem myself and found the answer here: https://stackoverflow.com/a/9945842/883960
SSL negotiation happens before the response from the server, so to actually do this you'll need an SSL certificate for ashleyclarke.me (without the www.) and set up a second :443 VirtualHost to just redirect.
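An added example, not taken from any of the posts, that puts together the two preceding threads: the default-certificate problem with example.com (every vhost gets an explicit ServerName and the first *:443 vhost is the deliberate default, since Apache picks the first listed vhost for an address:port when no name matches) and the bare-domain redirect just answered (a separate :443 vhost for ashleyclarke.me, reached only after a certificate valid for that name has been presented). Written for Apache 2.4; on 2.2 a NameVirtualHost *:443 line is needed as well. Certificate paths for the default vhost are assumed, and reusing one certificate file for both site vhosts assumes it lists both names as subject alternative names.

```apache
# Added example, not the posters' configuration (Apache 2.4).
Listen 443

# 1. Deliberate default for *:443: reached when no ServerName/ServerAlias
#    matches the SNI name or the client sends none. The explicit ServerName
#    stops the vhost from inheriting a name derived from the machine hostname.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/default.crt
    SSLCertificateKeyFile /etc/apache2/ssl/default.key
    # Refuse unknown names rather than serving some other site's content.
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# 2. The site itself, matched by SNI name.
<VirtualHost *:443>
    ServerName www.ashleyclarke.me
    DocumentRoot /var/www/ashleyclarke.me/public
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/ashleyclarke.me.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ashleyclarke.me.key
    SSLCACertificateFile  /etc/apache2/ssl/PositiveSSLCA2.crt
</VirtualHost>

# 3. Bare domain. The certificate must be valid for ashleyclarke.me because
#    the browser verifies it before it can read the redirect; the trailing
#    slash keeps /path mapping to https://www.ashleyclarke.me/path.
<VirtualHost *:443>
    ServerName ashleyclarke.me
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/ashleyclarke.me.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ashleyclarke.me.key
    SSLCACertificateFile  /etc/apache2/ssl/PositiveSSLCA2.crt
    Redirect permanent / https://www.ashleyclarke.me/
</VirtualHost>
```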
I am running Ubuntu as a testing server on my laptop. I am attempting to set up some of the test sites with self-signed SSL certificates. I think I have everything correct except perhaps the Apache 2 conf files.
When creating the certificates I gave the common name as *.hr4.mdev. "mdev" is what I have arbitrarily called my local dev environment.
So I modified my existing conf file to listen on 443 instead of on 80 (line 1) and I added lines 6, 7 and 8.
<VirtualHost *:443>
    ServerAdmin myemail@mydomain.com
    ServerName marino.hr4.mdev
    ServerAlias *.marino.hr4.mdev
    DocumentRoot /var/www/marino.hr4/htdocs
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    <Directory /var/www/marino.hr4/htdocs>
        php_value include_path /var/www/marino.hr4/htdocs
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/www/marino.hr4/logs/error.log
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel debug
    CustomLog /var/www/marino.hr4/logs/access.log combined
</VirtualHost>
Now when I go to the site (https://marino.hr4.mdev) I am advised that "It works!", which is reassuring on a certain level, but it is not the content that I expected to see.
Having referenced tremor's link, my conf file now looks like this:
<VirtualHost 192.168.73.128:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    ServerAdmin bernard@theminery.com
    ServerName marino.hr4.mdev
    ServerAlias *.marino.hr4.mdev
    DocumentRoot /var/www/marino.hr4/htdocs
    <Directory /var/www/marino.hr4/htdocs>
        php_value include_path /var/www/marino.hr4/htdocs
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/www/marino.hr4/logs/error.log
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel debug
    CustomLog /var/www/marino.hr4/logs/access.log combined
</VirtualHost>
After restarting Apache I am asked to add a security exception, which is fine, but I am then kicked to another site I have set up on my machine.
Add NameVirtualHost directive, something like this perhaps?
NameVirtualHost *:443
Listen 443
Your Apache server is obviously serving up its default server ("It works") instead of your website.
Here is some supporting information from apache: http://wiki.apache.org/httpd/NameBasedSSLVHosts
Edit:
Potentially move your virtual host so that it is the first referenced vhost in the conf file; the default is selected based on order.
So in the end I modified the ports.conf file and added 443 to the Listen directive, so now it reads:
Listen 80 443
<IfModule ssl_module>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    listen 443
</IfModule>
I also changed the first line of my conf file from
<VirtualHost 192.168.73.128:443>
back to
<VirtualHost *:443>
Special thanks to tremor for pointing me in the right direction.