Oracle Linux/HTTP Reverse Proxy
Line 4: | Line 4: | ||
=Install Packages= | =Install Packages= | ||
<nowiki>~$ sudo yum update -y | <nowiki>~$ sudo yum update -y | ||
− | ~$ sudo yum install httpd openssh-server epel-release mod_ssl -y</nowiki> | + | ~$ sudo yum install httpd openssh-server epel-release mod_ssl fail2ban-y</nowiki> |
=Configure SSH= | =Configure SSH= | ||
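Review bot: the added install line reads `fail2ban-y` with no space before `-y`, so yum will look for a package literally named `fail2ban-y` and the whole transaction fails; it should end `... mod_ssl fail2ban -y`. Note too that fail2ban comes from EPEL, which is only being enabled by the `epel-release` package in the same command, so it is safer to install `epel-release` first and `fail2ban` in a second `yum install`.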
Line 14: | Line 14: | ||
PermitRootLogin no | PermitRootLogin no | ||
</nowiki> | </nowiki> | ||
+ | |||
+ | =Configure fail2ban= | ||
+ | Add the following under <code>sshd</code> to enable fail2ban for sshd. | ||
+ | <nowiki>~$ sudo vim /etc/fail2ban/jail.conf | ||
+ | enabled = true | ||
+ | port = ssh,2222</nowiki> | ||
=Configure iptables= | =Configure iptables= |
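Review bot: the new section writes the override straight into `/etc/fail2ban/jail.conf`; that file is owned by the package and replaced on upgrade, so `enabled = true` / `port = ssh,2222` belong in `/etc/fail2ban/jail.local` (or a file under `jail.d/`) under an explicit `[sshd]` header, which the text only implies with "under sshd". The section also never says to start the fail2ban service and enable it at boot, without which the jail never runs.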
Revision as of 02:39, 5 February 2018
Overview
This was done on a CentOS 6.9 x64 system.
Install Packages
fail2ban lives in EPEL, and yum resolves packages against the repositories that are enabled when the transaction starts, so install epel-release first and fail2ban in a second command.
~$ sudo yum update -y
~$ sudo yum install httpd openssh-server epel-release mod_ssl -y
~$ sudo yum install fail2ban -y
Configure SSH
Keep port 22 for internal access and add 2222 as the public port; sshd listens on both, and the iptables rules below restrict 22 to the internal network. Restart sshd afterwards, but keep the current session open and confirm that a login on 2222 works before closing it. If SELinux is enforcing, sshd will refuse to bind 2222 until that port has been added to the ssh_port_t port type with semanage.
~$ sudo vim /etc/ssh/sshd_config
...
Port 22
Port 2222
...
PermitRootLogin no
Configure fail2ban
Enable the sshd jail and tell it about both SSH ports. Put the override in /etc/fail2ban/jail.local rather than editing jail.conf, which is replaced when the package is upgraded; the settings go under the [sshd] section header. Afterwards start the fail2ban service and enable it at boot with chkconfig, otherwise the jail never runs.
~$ sudo vim /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh,2222
Configure iptables
With CentOS this is very simple. Note, however, that these commands only append ACCEPT rules: the INPUT chain's default policy is still ACCEPT, so nothing is actually blocked until the policy is changed to DROP (or a final REJECT rule is added), and the running rules are lost at reboot unless they are saved to /etc/sysconfig/iptables. Port 22 is reachable only from the internal 10.0.0.0/8 range, while 2222, 80 and 443 are public.
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -s 10.0.0.0/8 -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "ICMP ECHO - Internal"
~$ sudo iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT -m comment --comment "SSH - Internal"
~$ sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT -m comment --comment "SSH ALT 2222 - Public"
~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "HTTP - Public"
~$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS - Public"
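The same rules written as a complete, persistent ruleset, as an added example that is not part of the original page: it renders the INPUT rules in iptables-restore format with default-DROP policies on INPUT and FORWARD, and when run as root with apply loads them atomically and saves them to /etc/sysconfig/iptables (the CentOS 6 location). The internal range 10.0.0.0/8 and the alternate SSH port 2222 are taken from the page; the drop of INVALID-state packets is an assumption added here.

```sh
#!/bin/sh
# Added example, not part of the original page: the page's INPUT rules rendered as an
# iptables-restore ruleset with default-DROP policies, plus the apply-and-persist step
# for CentOS 6. Run with no arguments to print the ruleset, or as root with "apply"
# to load it into the kernel and save it to /etc/sysconfig/iptables.
# Assumptions: 10.0.0.0/8 is the internal network and 2222 the public SSH port (as on
# the page); the INVALID-state drop is an addition.

INTERNAL_NET="10.0.0.0/8"
SSH_ALT_PORT="2222"

# Print the complete filter table. With INPUT and FORWARD policies set to DROP, the
# ACCEPT rules are the only way in; anything not matched is silently dropped.
render_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s ${INTERNAL_NET} -p icmp -m icmp --icmp-type echo-request -m comment --comment "ICMP ECHO - Internal" -j ACCEPT
-A INPUT -s ${INTERNAL_NET} -p tcp -m tcp --dport 22 -m comment --comment "SSH - Internal" -j ACCEPT
-A INPUT -p tcp -m tcp --dport ${SSH_ALT_PORT} -m comment --comment "SSH ALT ${SSH_ALT_PORT} - Public" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m comment --comment "HTTP - Public" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m comment --comment "HTTPS - Public" -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in the rendered table; a quick sanity check before applying.
count_accept_rules() {
    render_ruleset | grep -c -- '-j ACCEPT'
}

# Load the ruleset atomically (iptables-restore replaces the whole table, so a typo
# leaves the old rules in place) and persist it. The ESTABLISHED,RELATED rule keeps
# the current SSH session alive when the policy flips to DROP, but do this from a
# console or a second session the first time.
apply_ruleset() {
    if ! render_ruleset | iptables-restore; then
        echo "iptables-restore rejected the ruleset; running rules unchanged" >&2
        return 1
    fi
    service iptables save
}

case "${1:-}" in
    apply) apply_ruleset ;;
    *) render_ruleset ;;
esac
```

Because iptables-restore loads the table as a unit, a rejected ruleset never leaves the host half-configured; review the printed output first, then run the script with apply from a session you can afford to lose.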
Configure HTTPD
Modules
Start by checking which modules are loaded.
~$ sudo httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 ...
Make sure that you see the following. The HTTPS virtual host below also needs ssl_module (shared), which /etc/httpd/conf.d/ssl.conf from the mod_ssl package loads.
 rewrite_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
If they are not listed, enable them by uncommenting or adding the corresponding LoadModule lines in httpd.conf:
~$ sudo vim /etc/httpd/conf/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Restart httpd so the changes take effect:
~$ sudo service httpd restart
Conf
Next, create the configuration file for the reverse proxy. It holds two virtual hosts: the one on port 80 only redirects every request to HTTPS, and the one on port 443 proxies to the backend. ProxyRequests Off is stated explicitly so the server can never be used as an open forward proxy. Because ProxyPreserveHost On passes the client's Host header through and the backend link (http://redirected.site.com:8081/) is plain HTTP, the X-Forwarded-Proto header is the only way the backend learns that the client arrived over TLS; keep that plaintext hop on a trusted network. RequestHeader needs mod_headers, which the stock httpd.conf loads. The SSL directives stay commented out until the certificate has been issued below.
~$ sudo vim /etc/httpd/conf.d/website.conf
# HTTP
<VirtualHost *:80>
    ServerName website.com

    # Logging
    LogLevel warn
    ErrorLog /var/log/httpd/website.com-error_log
    CustomLog /var/log/httpd/website.com-access_log combined

    # Redirect any HTTP request to HTTPS (permanent redirect)
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
</VirtualHost>

# HTTPS
<VirtualHost *:443>
    ServerName website.com

    # Logging
    ErrorLog /var/log/httpd/website.com-error_log
    CustomLog /var/log/httpd/website.com-access_log combined

    # Reverse proxy configuration (never act as a forward proxy)
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass / http://redirected.site.com:8081/
    ProxyPassReverse / http://redirected.site.com:8081/

    # SSL (enabled once the certificate has been issued)
    #SSLEngine On
    #SSLCertificateFile
    #SSLCertificateKeyFile
    #SSLCertificateChainFile
</VirtualHost>
Disable welcome page
Comment out every line in the file so the default Apache test page is no longer served:
~$ sudo vim /etc/httpd/conf.d/welcome.conf
Configure Let's Encrypt
Since I'm using CentOS 6, the certbot package is not available in the repos, so certbot-auto has to be downloaded manually. The script runs as root and installs its own dependencies, so verify the download against the detached GPG signature the EFF publishes next to it (https://dl.eff.org/certbot-auto.asc) before executing it.
~$ sudo mkdir /opt/certbot
~$ sudo wget -O /opt/certbot/certbot-auto https://dl.eff.org/certbot-auto
~$ sudo chmod a+x /opt/certbot/certbot-auto
Next, create a symlink for ease of access.
~$ sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot
Manually obtaining the certificate
This is not normally recommended, but at the time of this writing there is an issue with certbot that prevents it from controlling a domain using TLS-SNI validation, so I opted to complete the DNS challenge manually.
You may need to run certbot by itself before the next step in order to register your email address.
~$ certbot -d website.com --manual --preferred-challenges dns certonly
Are you OK with your IP being logged? (Y)es/(N)o: y
Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:
4_rR8Uus8AqbceTtaqFd4DWl76039OiYgPtt6wCM7xA
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/website.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/website.com/privkey.pem
   Your cert will expire on 2018-05-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
One caveat: a certificate issued with --manual cannot be renewed unattended. certbot renew refuses to run the manual plugin non-interactively unless --manual-auth-hook (and --manual-cleanup-hook) scripts that create and remove the TXT record are supplied, so without them the command above has to be repeated before the expiry date shown.
HTTPD Config
Now that we have the certificate and private key, enable SSL in the HTTPD config. Certbot's live directory contains cert.pem (the leaf certificate), chain.pem (the intermediates) and fullchain.pem (both concatenated). The Apache 2.2 shipped with CentOS 6 expects the leaf in SSLCertificateFile and the intermediates in SSLCertificateChainFile, and all three paths must be absolute. Check the syntax with httpd -t and restart httpd afterwards; mod_ssl's own ssl.conf already provides the Listen 443 directive.
~$ sudo vim /etc/httpd/conf.d/website.conf
...
# SSL
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/website.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/website.com/chain.pem
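Before putting the proxy into service, a few checks catch the mistakes this setup is prone to: a proxy or rewrite module left unloaded, a private key that became group or world readable, a configuration typo that would stop httpd at the next restart, and a manually issued certificate quietly reaching its expiry date. The script below is an added example and not code from the page; it assumes the page's /etc/letsencrypt/live/website.com paths and a 14-day warning window, and its module list adds headers_module (for RequestHeader) and ssl_module (for the HTTPS virtual host) to the three the page lists.

```sh
#!/bin/sh
# Added example, not part of the original page: post-deployment checks for the reverse
# proxy built above. It parses "httpd -M" output for the modules the page requires
# (plus headers_module for RequestHeader and ssl_module for the HTTPS virtual host),
# verifies the private key is not group/other readable, runs the httpd syntax check
# and warns when the manually issued certificate is close to expiry. Run as root with
# "run" on the proxy host; the text and file functions work on constructed input.
# Assumptions: the page's /etc/letsencrypt/live/website.com paths and a 14-day window.

REQUIRED_MODULES="rewrite_module proxy_module proxy_http_module headers_module ssl_module"
LIVE_DIR="/etc/letsencrypt/live/website.com"
WARN_SECONDS=$((14 * 24 * 3600))

# Read "httpd -M" output on stdin; print the required modules that are not listed,
# space separated (an empty line means everything is loaded).
missing_modules() {
    loaded=$(cat)
    missing=""
    for m in $REQUIRED_MODULES; do
        # httpd -M prints " name_module (shared)"; -w keeps proxy_module from
        # matching inside another module name.
        if ! printf '%s\n' "$loaded" | grep -qw "$m"; then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s\n' "$missing"
}

# Succeed only if the key exists and its mode is 600 or 400. Symlinks are followed
# because certbot's live/ entries point into archive/. httpd reads the key as root
# before dropping privileges, so nobody else needs access to it.
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed (i.e. warn) when the certificate is missing or expires within WARN_SECONDS.
# openssl x509 -checkend exits 0 only when the certificate outlives the window.
cert_expires_soon() {
    [ -f "$1" ] || return 0
    ! openssl x509 -in "$1" -noout -checkend "$WARN_SECONDS" >/dev/null
}

run_checks() {
    status=0
    missing=$(httpd -M 2>/dev/null | missing_modules)
    if [ -n "$missing" ]; then
        echo "missing httpd modules: $missing" >&2
        status=1
    fi
    if ! key_is_private "$LIVE_DIR/privkey.pem"; then
        echo "$LIVE_DIR/privkey.pem is missing or too permissive" >&2
        status=1
    fi
    if ! httpd -t >/dev/null 2>&1; then
        echo "httpd configuration fails the syntax check (run httpd -t)" >&2
        status=1
    fi
    if cert_expires_soon "$LIVE_DIR/cert.pem"; then
        echo "certificate expires within 14 days; re-run the manual certbot command" >&2
        status=1
    fi
    return "$status"
}

if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

A non-zero exit from run_checks makes the script usable from cron as an early warning for the manual-renewal problem described in the Let's Encrypt section; the syntax check is the step to run before every httpd restart, since a broken config file keeps the proxy down rather than merely misbehaving.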