Oracle Linux/HTTP Reverse Proxy

From r00tedvw.com wiki

Overview

This was done on a CentOS 6.9 x64 system.

Install Packages

~$ sudo yum update -y
~$ sudo yum install epel-release -y
~$ sudo yum install httpd openssh-server mod_ssl fail2ban -y

Configure SSH

~$ sudo vim /etc/ssh/sshd_config
...
Port 22
Port 2222
...
PermitRootLogin no

Configure fail2ban

Add the following under the [sshd] section to enable the fail2ban jail for sshd.

~$ sudo vim /etc/fail2ban/jail.conf
enabled = true
port    = ssh,2222

Check to make sure the jail is working:

~$ sudo service fail2ban status
fail2ban-server (pid  24696) is running...
Status
|- Number of jail:	1
`- Jail list:	sshd

Configure iptables

With CentOS this is very simple:

~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -s 10.0.0.0/8 -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "ICMP ECHO - Internal"
~$ sudo iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT -m comment --comment "SSH - Internal"
~$ sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT -m comment --comment "SSH ALT 2222 - Public"
~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "HTTP - Public"
~$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS - Public"

Configure HTTPD

Modules

Start by checking what modules are installed.

~$ sudo httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)....

Make sure that you see the following:

rewrite_module (shared)
proxy_module (shared)
proxy_http_module (shared)

If they are not listed, you can enable them by uncommenting or adding them to the httpd.conf file.

~$ sudo vim /etc/httpd/conf/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Restart httpd for the changes to take effect.

~$ sudo service httpd restart

Conf

Next, configure the conf file for the reverse proxy. This includes a rewrite rule that redirects all HTTP traffic to HTTPS.

~$ sudo vim /etc/httpd/conf.d/website.conf
# HTTP
<VirtualHost *:80>
        ServerName website.com

        #Logging
        LogLevel warn
        ErrorLog /var/log/httpd/website.com-error_log
        CustomLog /var/log/httpd/website.com-access_log combined

        #Redirect any HTTP request to HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

</VirtualHost>

# HTTPS
<VirtualHost *:443>
        ServerName website.com

        #Logging
        ErrorLog /var/log/httpd/website.com-error_log
        CustomLog /var/log/httpd/website.com-access_log combined

        #Reverse Proxy Configuration
        ProxyPreserveHost On
        ProxyPass / https://redirected.site.com:8081/
        ProxyPassReverse / https://redirected.site.com:8081/
        SSLProxyEngine On

        #SSL
        #SSLEngine On
        #SSLCertificateFile
        #SSLCertificateKeyFile
        #SSLCertificateChainFile

</VirtualHost>

Disable welcome page

Comment out all lines:

~$ sudo vim /etc/httpd/conf.d/welcome.conf

Configure Let's Encrypt

Since I'm using CentOS 6, the certbot package is not available in the repos, so we need to download it manually.

~$ sudo mkdir /opt/certbot
~$ sudo wget -O /opt/certbot/certbot-auto https://dl.eff.org/certbot-auto
~$ sudo chmod a+x /opt/certbot/certbot-auto

Next is to create a symlink for ease of access.

~$ sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot

Manually obtaining the certificate

This is not normally recommended, but at the time of this writing there is an issue with certbot that prevents it from validating control of a domain using the TLS-SNI challenge, so I opted to do it manually.
You may need to run certbot by itself before the next step in order to register your email address.

~$ certbot -d website.com --manual --preferred-challenges dns certonly

Are you OK with your IP being logged?
(Y)es/(N)o: y

Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:

4_rR8Uus8AqbceTtaqFd4DWl76039OiYgPtt6wCM7xA

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/website.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/website.com/privkey.pem
   Your cert will expire on 2018-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

HTTPD Config

Now that we have the corresponding SSL Certificate and private key, we can enable SSL in our HTTPD Config.

~$ sudo vim /etc/httpd/conf.d/website.conf
...
        #SSL
        SSLEngine On
        SSLCertificateFile /etc/letsencrypt/live/website.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/website.com/fullchain.pem
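As an added example (not part of the original wiki page), the following Python script parses a website.conf of the shape shown in the Conf and HTTPD Config sections and checks the points that bite in this setup: that the *:80 vhost rewrites to HTTPS, that the *:443 vhost has SSLEngine On, that every certificate path is absolute, and that an https:// ProxyPass target is paired with SSLProxyEngine On. The embedded config is a constructed copy of the page's vhosts with a relative certificate path planted as the kind of slip the check catches.

```python
import re
# Constructed sample (not from a live server): the page's two vhosts after the
# Let's Encrypt step, with relative cert paths planted as the slip this catches.
SAMPLE_CONF = """
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
</VirtualHost>
<VirtualHost *:443>
    ProxyPass / https://redirected.site.com:8081/
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile etc/letsencrypt/live/website.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
    SSLCertificateChainFile etc/letsencrypt/live/website.com/fullchain.pem
</VirtualHost>
"""
def parse_vhosts(text):
    """Map each <VirtualHost addr> to {directive: [argument strings]}; comments skipped."""
    vhosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = vhosts.setdefault(m.group(1).strip(), {})
        elif line.lower() == "</virtualhost>":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return vhosts
def lint(text):
    """Return findings for the *:80 and *:443 vhosts; an empty list means all checks pass."""
    vh, findings = parse_vhosts(text), []
    plain, tls = vh.get("*:80", {}), vh.get("*:443", {})
    if not any("https://" in r for r in plain.get("RewriteRule", [])):
        findings.append("*:80 vhost does not rewrite to https")
    if tls.get("SSLEngine", [""])[0].lower() != "on":
        findings.append("*:443 vhost is missing SSLEngine On")
    for d in ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile"):
        for path in tls.get(d, []):
            if not path.startswith("/"):  # relative paths resolve against ServerRoot
                findings.append(f"{d} is not an absolute path: {path}")
    backends = [a.split()[-1] for a in tls.get("ProxyPass", []) if a.split()]
    if any(b.startswith("https://") for b in backends) and tls.get("SSLProxyEngine", [""])[0].lower() != "on":
        findings.append("ProxyPass to an https backend needs SSLProxyEngine On")
    return findings
```

Run lint() on the real file after editing; on CentOS the relative paths would otherwise be looked up under ServerRoot (/etc/httpd) and httpd would fail to start.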
