Oracle Linux/HTTP Reverse Proxy

From r00tedvw.com wiki
(Difference between revisions)
Jump to: navigation, search
Line 69: Line 69:
 
         ProxyPreserveHost On
 
         ProxyPreserveHost On
  
 +
        SSLProxyEngine On
 
         ProxyPass / https://redirected.site.com:8081/
 
         ProxyPass / https://redirected.site.com:8081/
 
         ProxyPassReverse / https://redirected.site.com:8081/
 
         ProxyPassReverse / https://redirected.site.com:8081/

Revision as of 00:23, 5 February 2018

Contents

Overview

This was done on a CentOS 6.9 x64 system.

Install Packages

~$ sudo yum update -y
 ~$ sudo yum install httpd openssh-server epel-release mod_ssl -y

Configure SSH

Configure iptables

With CentOS this is very simple:

~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -s 10.0.0.0/8 -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "ICMP ECHO - Internal"
~$ sudo iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT -m comment --comment "SSH - Internal"
~$ sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT -m comment --comment "SSH ALT 2222 - Public"
~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "HTTP - Public"
~$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS - Public"

Configure HTTPD

Modules

Start by checking what modules are installed.

~$ sudo httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)....

Make sure that you see the following:

rewrite_module (shared)
proxy_module (shared)
proxy_http_module (shared)

If they are not listed, you can enable them by uncommenting or adding them to the httpd.conf file.

~$sudo vim /etc/httpd/conf/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Restart httpd for any changes to be implemented

~$ sudo service httpd restart

Conf

Next is to configure the Conf file for the reverse proxy. This will include a rewrite rule for all HTTP traffic to be redirected to HTTPS.

$~ sudo vim /etc/httpd/conf.d/website.conf
# HTTP
<VirtualHost *:80>
        ServerName website.com

        #Logging
        LogLevel warn
        ErrorLog /var/log/httpd/website.com-error_log
        CustomLog /var/log/httpd/website.com-access_log combined

        #Redirect any HTTP request to HTTPS
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]

</VirtualHost>

# HTTPS
<VirtualHost *:443>
        ServerName website.com

        #Logging
        ErrorLog /var/log/httpd/website.com-error_log
        CustomLog /var/log/httpd/website.com-access_log combined

        #Reverse Proxy Configuration
        ProxyPreserveHost On

        SSLProxyEngine On
        ProxyPass / https://redirected.site.com:8081/
        ProxyPassReverse / https://redirected.site.com:8081/

        #SSL
        #SSLEngine On
        #SSLCertificateFile
        #SSLCertificateKeyFile
        #SSLCertificateChainFile

</VirtualHost>

Disable welcome page

Comment out all lines:

~$ sudo vim /etc/httpd/conf.d/welcome.conf

Configure Let's Encrypt

Since I'm using CentOS 6, the certbot package is not available in the repos, so we need to download it manually.

~$ sudo mkdir /opt/certbot
~$ sudo wget -O /opt/certbot/ https://dl.eff.org/certbot-auto
~$ sudo chmod a+x /opt/certbox/certbot-auto

Next is to create a symlink for ease of access.

~$ sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot

Manually obtaining the certificate

This is not normally recommended, but at the time of this writing there is an issue with certbot that prevents it from controlling a domain using TLS-SNI validation, so I opted to do it manually.
You may need to run certbot by itself before the next step in order to register your email address.

~$ certbot -d website.com --manual --preferred-challenges dns certonly

Are you OK with your IP being logged?
(Y)es/(N)o: y

Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:

4_rR8Uus8AqbceTtaqFd4DWl76039OiYgPtt6wCM7xA

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/website.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/website.com/privkey.pem
   Your cert will expire on 2018-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
Personal tools
Namespaces

Variants
Actions
Navigation
Mediawiki
Confluence
DevOps Tools
Open Source Products
Ubuntu
Ubuntu 22
Mac OSX
Oracle Linux
AWS
Windows
OpenVPN
Grafana
InfluxDB2
TrueNas
MagicMirror
OwnCloud
Pivotal
osTicket
OTRS
phpBB
WordPress
VmWare ESXI 5.1
Crypto currencies
HTML
CSS
Python
Java Script
PHP
Raspberry Pi
Canvas LMS
Kaltura Media Server
Plex Media Server
MetaSploit
Zoneminder
ShinobiCE
Photoshop CS2
Fortinet
Uploaded
Certifications
General Info
Games
Meal Plans
NC Statutes
Politics
Volkswagen
Covid
NCDMV
Toolbox