Oracle Linux/HTTP Reverse Proxy

From r00tedvw.com wiki

Overview

This was done on a CentOS 6.9 x64 system.

Install Packages

~$ sudo yum update -y
~$ sudo yum install -y epel-release
~$ sudo yum install -y httpd openssh-server mod_ssl fail2ban

fail2ban lives in EPEL, so epel-release has to be installed in its own yum transaction before fail2ban can be resolved.

Configure SSH

~$ sudo vim /etc/ssh/sshd_config
...
Port 22
Port 2222
...
PermitRootLogin no

Configure fail2ban

Add the following under the [sshd] section to enable the fail2ban jail for sshd.

~$ sudo vim /etc/fail2ban/jail.conf
enabled = true
port    = ssh,2222

Check to make sure the jail is working:

~$ sudo service fail2ban status
fail2ban-server (pid  24696) is running...
Status
|- Number of jail:	1
`- Jail list:	sshd

Configure iptables

With CentOS this is very simple:

~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -s 10.0.0.0/8 -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "ICMP ECHO - Internal"
~$ sudo iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT -m comment --comment "SSH - Internal"
~$ sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT -m comment --comment "SSH ALT 2222 - Public"
~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "HTTP - Public"
~$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS - Public"
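The SSH ports, the fail2ban jail and the iptables rules above have to agree with each other. The following Python script is an added example, not part of the original page: it parses the three configurations shown here, embedded as constructed strings, and reports any sshd port that the fail2ban jail does not watch or that the firewall does not admit.

```python
import re
# Constructed inputs mirroring this page's sshd_config, jail.conf and iptables rules.
SSHD_CONFIG = "#Port 22\nPort 22\nPort 2222\nPermitRootLogin no\n"
JAIL_CONF = "[DEFAULT]\nbantime = 600\n\n[sshd]\nenabled = true\nport    = ssh,2222\n"
IPTABLES_RULES = [
    "-A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT",
    "-A INPUT -p tcp --dport 2222 -j ACCEPT",
    "-A INPUT -p tcp --dport 80 -j ACCEPT",
]
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}  # small /etc/services subset

def sshd_ports(text):
    """Every uncommented Port directive sshd will listen on."""
    return {int(m.group(1)) for m in re.finditer(r"^\s*Port\s+(\d+)", text, re.M)}

def jail_ports(text, jail="sshd"):
    """Ports protected by one jail; empty if the jail is absent or not enabled."""
    section, enabled, ports = None, False, set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == jail and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "enabled":
                enabled = value.lower() == "true"
            elif key == "port":  # names like 'ssh' resolve via SERVICE_PORTS
                ports = {int(SERVICE_PORTS.get(p.strip(), p.strip())) for p in value.split(",")}
    return ports if enabled else set()

def accepted_tcp_ports(rules):
    """Map each ACCEPTed TCP dport to its source restriction ('any' if no -s)."""
    allowed = {}
    for rule in rules:
        port = re.search(r"--dport\s+(\d+)", rule)
        if "-p tcp" in rule and "-j ACCEPT" in rule and port:
            src = re.search(r"(?:^|\s)-s\s+(\S+)", rule)
            allowed[int(port.group(1))] = src.group(1) if src else "any"
    return allowed

def audit(sshd_text, jail_text, rules):
    """Findings for every sshd port that fail2ban does not watch or iptables does not admit."""
    findings, jailed, allowed = [], jail_ports(jail_text), accepted_tcp_ports(rules)
    for port in sorted(sshd_ports(sshd_text)):
        if port not in jailed:
            findings.append(f"sshd port {port} is not covered by the fail2ban sshd jail")
        if port not in allowed:
            findings.append(f"sshd port {port} has no iptables ACCEPT rule")
    return findings
```

The ACCEPT rules on this page only restrict anything if the INPUT chain's default policy is DROP (or a final DROP rule follows them), and they do not survive a reboot until written out with `service iptables save`.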

Configure HTTPD

Modules

Start by checking what modules are installed.

~$ sudo httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)....

Make sure that you see the following:

rewrite_module (shared)
proxy_module (shared)
proxy_http_module (shared)

If they are not listed, you can enable them by uncommenting or adding them to the httpd.conf file.

~$ sudo vim /etc/httpd/conf/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Restart httpd for the changes to take effect.

~$ sudo service httpd restart

Conf

Next, configure the conf file for the reverse proxy. It includes a rewrite rule that redirects all HTTP traffic to HTTPS.

~$ sudo vim /etc/httpd/conf.d/website.conf
# HTTP
<VirtualHost *:80>
        ServerName website.com

        #Logging
        LogLevel warn
        ErrorLog /var/log/httpd/website.com-error_log
        CustomLog /var/log/httpd/website.com-access_log combined

        #Redirect any HTTP request to HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

</VirtualHost>

# HTTPS
<VirtualHost *:443>
        ServerName website.com

        #Logging
        ErrorLog /var/log/httpd/website.com-error_log
        CustomLog /var/log/httpd/website.com-access_log combined

        #Reverse Proxy Configuration
        ProxyPreserveHost On
        ProxyPass / https://redirected.site.com:8081/
        ProxyPassReverse / https://redirected.site.com:8081/
        SSLProxyEngine On

        #SSL
        #SSLEngine On
        #SSLCertificateFile
        #SSLCertificateKeyFile
        #SSLCertificateChainFile

</VirtualHost>

Disable welcome page

Comment out all lines:

~$ sudo vim /etc/httpd/conf.d/welcome.conf

Configure Let's Encrypt

Since I'm using CentOS 6, the certbot package is not available in the repos, so we need to download it manually.

~$ sudo mkdir /opt/certbot
~$ sudo wget -O /opt/certbot/certbot-auto https://dl.eff.org/certbot-auto
~$ sudo chmod a+x /opt/certbot/certbot-auto

Next, create a symlink so certbot can be run from anywhere.

~$ sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot

Manually obtaining the certificate

This is not normally recommended, but at the time of this writing there is an issue with certbot that prevents it from validating a domain using the TLS-SNI challenge, so I opted to do it manually.
You may need to run certbot by itself before the next step in order to register your email address.

~$ certbot -d website.com --manual --preferred-challenges dns certonly

Are you OK with your IP being logged?
(Y)es/(N)o: y

Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:

4_rR8Uus8AqbceTtaqFd4DWl76039OiYgPtt6wCM7xA

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/website.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/website.com/privkey.pem
   Your cert will expire on 2018-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
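As an added check for the "verify the record is deployed" step above (example code, not part of the original page), this Python script parses the output of `dig +short TXT` and confirms that one of the TXT records on `_acme-challenge.website.com` equals the token certbot printed. The sample dig output is constructed; the live query assumes dig is installed.

```python
import subprocess

# Constructed sample of `dig +short TXT _acme-challenge.website.com` output: the token
# certbot printed on this page plus a stale record left over from an earlier run.
SAMPLE_DIG_OUTPUT = (
    '"4_rR8Uus8AqbceTtaqFd4DWl76039OiYgPtt6wCM7xA"\n'
    '"stale-token-from-a-previous-run"\n'
)

def parse_dig_txt(output):
    """Reassemble each TXT record from dig's short output.

    dig prints one record per line as one or more quoted chunks ("ab" "cd" is one
    record split at 255 bytes); chunks are joined and backslash escapes removed."""
    records = []
    for line in output.splitlines():
        chunks, buf, in_quote, i = [], [], False, 0
        while i < len(line):
            c = line[i]
            if in_quote and c == "\\" and i + 1 < len(line):
                buf.append(line[i + 1])      # escaped character inside a chunk
                i += 2
                continue
            if c == '"':
                if in_quote:                 # closing quote ends a chunk
                    chunks.append("".join(buf))
                    buf = []
                in_quote = not in_quote
            elif in_quote:
                buf.append(c)
            i += 1
        if chunks:
            records.append("".join(chunks))
    return records

def challenge_deployed(dig_output, token):
    """True only if some TXT record equals the token exactly (the ACME comparison is exact)."""
    return token in parse_dig_txt(dig_output)

def check_dns_challenge(domain, token, resolver=None):
    """Live check (assumes dig is installed). Pass an authoritative or public resolver
    so a cached empty answer from the local resolver cannot mask the new record."""
    cmd = ["dig", "+short", "TXT", f"_acme-challenge.{domain}"]
    if resolver:
        cmd.append(f"@{resolver}")
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return challenge_deployed(out, token)
```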

HTTPD Config

Now that we have the corresponding SSL Certificate and private key, we can enable SSL in our HTTPD Config.

~$ sudo vim /etc/httpd/conf.d/website.conf
...
        #SSL
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/website.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/website.com/fullchain.pem
