Oracle Linux/HTTP Reverse Proxy
Line 4: | Line 4: | ||
=Install Packages= | =Install Packages= | ||
<nowiki>~$ sudo yum update -y | <nowiki>~$ sudo yum update -y | ||
− | ~$ sudo yum install httpd openssh-server -y</nowiki> | + | ~$ sudo yum install httpd openssh-server epel-release mod_ssl fail2ban-y</nowiki> |
=Configure SSH= | =Configure SSH= | ||
+ | <nowiki>~$ sudo vim /etc/ssh/sshd_config | ||
+ | ... | ||
+ | Port 22 | ||
+ | Port 2222 | ||
+ | ... | ||
+ | PermitRootLogin no | ||
+ | </nowiki> | ||
+ | |||
+ | =Configure fail2ban= | ||
+ | Add the following under <code>sshd</code> to enable fail2ban for sshd. | ||
+ | <nowiki>~$ sudo vim /etc/fail2ban/jail.conf | ||
+ | enabled = true | ||
+ | port = ssh,2222</nowiki> | ||
+ | Check to make sure the jail is working: | ||
+ | <nowiki>~$ sudo service fail2ban status | ||
+ | fail2ban-server (pid 24696) is running... | ||
+ | Status | ||
+ | |- Number of jail: 1 | ||
+ | `- Jail list: sshd</nowiki> | ||
+ | |||
+ | =Configure iptables= | ||
+ | With CentOS this is very simple: | ||
+ | <nowiki>~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
+ | ~$ sudo iptables -A INPUT -i lo -j ACCEPT | ||
+ | ~$ sudo iptables -A INPUT -s 10.0.0.0/8 -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "ICMP ECHO - Internal" | ||
+ | ~$ sudo iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT -m comment --comment "SSH - Internal" | ||
+ | ~$ sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT -m comment --comment "SSH ALT 2222 - Public" | ||
+ | ~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "HTTP - Public" | ||
+ | ~$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS - Public" | ||
+ | </nowiki> | ||
=Configure HTTPD= | =Configure HTTPD= | ||
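Review bot: the yum line in the Install Packages hunk has `fail2ban-y` where `fail2ban -y` is meant, so yum will look for a package called fail2ban-y and abort; and because fail2ban comes from EPEL, `epel-release` has to be installed in its own `yum install` before fail2ban can be resolved at all. The Configure SSH hunk adds the second `Port 2222` and `PermitRootLogin no` but shows no `sshd -t` and no `service sshd restart`, so the reader has no step at which the change takes effect or is syntax-checked. In the fail2ban hunk the two lines go into `/etc/fail2ban/jail.conf`, which a package upgrade overwrites; the same `enabled = true` and `port = ssh,2222` under `[sshd]` in `/etc/fail2ban/jail.local` survive upgrades. In the iptables hunk every rule is appended with `-A`, so if the stock CentOS 6 ruleset is loaded they land after its final `REJECT --reject-with icmp-host-prohibited` rule and never match; nothing sets a DROP policy on INPUT, and without `service iptables save` the rules are gone at the next reboot.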
Line 29: | Line 59: | ||
<nowiki>~$ sudo service httpd restart</nowiki> | <nowiki>~$ sudo service httpd restart</nowiki> | ||
==Conf== | ==Conf== | ||
− | Next is to configure the Conf file for the reverse proxy. This will include a rewrite rule for all HTTP traffic to be redirected to HTTPS. | + | Next is to configure the Conf file for the reverse proxy. This will include a rewrite rule for all HTTP traffic to be redirected to HTTPS.<br> |
+ | |||
<nowiki>$~ sudo vim /etc/httpd/conf.d/website.conf | <nowiki>$~ sudo vim /etc/httpd/conf.d/website.conf | ||
# HTTP | # HTTP | ||
Line 43: | Line 74: | ||
RewriteEngine On | RewriteEngine On | ||
RewriteCond %{HTTPS} off | RewriteCond %{HTTPS} off | ||
− | RewriteRule (.*) https://%{SERVER_NAME} | + | RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L] |
</VirtualHost> | </VirtualHost> | ||
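Review bot: the `$1` added to the RewriteRule is the right fix (without it every HTTP request was redirected to the site root), but `[R,L]` issues a 302, so browsers keep trying HTTP first on each visit; `[R=301,L]` makes the redirect permanent, and once HTTPS is known to work a `Strict-Transport-Security` header on the 443 vhost removes the HTTP round trip altogether.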
Line 57: | Line 88: | ||
#Reverse Proxy Configuration | #Reverse Proxy Configuration | ||
ProxyPreserveHost On | ProxyPreserveHost On | ||
− | |||
ProxyPass / https://redirected.site.com:8081/ | ProxyPass / https://redirected.site.com:8081/ | ||
ProxyPassReverse / https://redirected.site.com:8081/ | ProxyPassReverse / https://redirected.site.com:8081/ | ||
+ | SSLProxyEngine On | ||
#SSL | #SSL | ||
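Review bot: `SSLProxyEngine On` lets mod_proxy speak TLS to redirected.site.com:8081, but mod_ssl defaults to `SSLProxyVerify none`, so the backend certificate is never checked and the hop is encrypted without being authenticated. Add `SSLProxyVerify require` together with `SSLProxyCACertificateFile` (or `SSLProxyCACertificatePath`) pointing at the CA that issued the backend certificate; if the backend uses a self-signed certificate, that file is the certificate itself.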
Line 68: | Line 99: | ||
</VirtualHost></nowiki> | </VirtualHost></nowiki> | ||
+ | |||
+ | ==Disable welcome page== | ||
+ | Comment out all lines: | ||
+ | <nowiki>~$ sudo vim /etc/httpd/conf.d/welcome.conf</nowiki> | ||
+ | |||
+ | =Configure Let's Encrypt= | ||
+ | Since I'm using CentOS 6, the certbot package is not available in the repos, so we need to download it manually. | ||
+ | <nowiki>~$ sudo mkdir /opt/certbot | ||
+ | ~$ sudo wget -O /opt/certbot/ https://dl.eff.org/certbot-auto | ||
+ | ~$ sudo chmod a+x /opt/certbox/certbot-auto</nowiki> | ||
+ | Next is to create a symlink for ease of access. | ||
+ | <nowiki>~$ sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot</nowiki> | ||
+ | ==Manually obtaining the certificate== | ||
+ | This is not normally recommended, but at the time of this writing there is an [https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188 issue with certbot] that prevents it from controlling a domain using TLS-SNI validation, so I opted to do it manually.<br> | ||
+ | You may need to run <code>certbot</code> by itself before the next step in order to register your email address. | ||
+ | <nowiki>~$ certbot -d website.com --manual --preferred-challenges dns certonly | ||
+ | |||
+ | Are you OK with your IP being logged? | ||
+ | (Y)es/(N)o: y | ||
+ | |||
+ | Please deploy a DNS TXT record under the name | ||
+ | _acme-challenge.website.com with the following value: | ||
+ | |||
+ | 4_rR8Uus8AqbceTtaqFd4DWl76039OiYgPtt6wCM7xA | ||
+ | |||
+ | Before continuing, verify the record is deployed. | ||
+ | ------------------------------------------------------------------------------- | ||
+ | Press Enter to Continue | ||
+ | |||
+ | IMPORTANT NOTES: | ||
+ | - Congratulations! Your certificate and chain have been saved at: | ||
+ | /etc/letsencrypt/live/website.com/fullchain.pem | ||
+ | Your key file has been saved at: | ||
+ | /etc/letsencrypt/live/website.com/privkey.pem | ||
+ | Your cert will expire on 2018-05-06. To obtain a new or tweaked | ||
+ | version of this certificate in the future, simply run certbot | ||
+ | again. To non-interactively renew *all* of your certificates, run | ||
+ | "certbot renew"</nowiki> | ||
+ | |||
+ | ==HTTPD Config== | ||
+ | Now that we have the corresponding SSL Certificate and private key, we can enable SSL in our HTTPD Config. | ||
+ | <nowiki>$~ sudo vim /etc/httpd/conf.d/website.conf | ||
+ | ... | ||
+ | #SSL | ||
+ | SSLEngine On | ||
+ | SSLCertificateFile etc/letsencrypt/live/website.com/fullchain.pem | ||
+ | SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem | ||
+ | SSLCertificateChainFile etc/letsencrypt/live/website.com/fullchain.pem | ||
+ | </nowiki> |
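Review bot: in the Configure Let's Encrypt hunk, `wget -O /opt/certbot/` names a directory as the output file and fails with "Is a directory"; it should read `-O /opt/certbot/certbot-auto`, and `/opt/certbox/` on the next line is a typo for `/opt/certbot/`. In the HTTPD Config hunk, `SSLCertificateFile` and `SSLCertificateChainFile` are missing the leading slash, so Apache resolves `etc/letsencrypt/...` relative to ServerRoot (`/etc/httpd`) and refuses to start; `chain.pem` is also the file certbot writes for `SSLCertificateChainFile`, whereas `fullchain.pem` there repeats the leaf certificate.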
Latest revision as of 18:23, 6 February 2018
Overview
This was done on a CentOS 6.9 x64 system.
Install Packages
~$ sudo yum update -y
~$ sudo yum install epel-release -y
~$ sudo yum install httpd openssh-server mod_ssl fail2ban -y
Configure SSH
~$ sudo vim /etc/ssh/sshd_config
...
Port 22
Port 2222
...
PermitRootLogin no
Configure fail2ban
Add the following under sshd to enable fail2ban for sshd.
~$ sudo vim /etc/fail2ban/jail.conf
enabled = true
port = ssh,2222
Check to make sure the jail is working:
~$ sudo service fail2ban status
fail2ban-server (pid 24696) is running...
Status
|- Number of jail: 1
`- Jail list: sshd
Configure iptables
With CentOS this is very simple:
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -s 10.0.0.0/8 -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "ICMP ECHO - Internal"
~$ sudo iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 22 -j ACCEPT -m comment --comment "SSH - Internal"
~$ sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT -m comment --comment "SSH ALT 2222 - Public"
~$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "HTTP - Public"
~$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "HTTPS - Public"
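The commands above only add ACCEPT rules: they set no default policy for the INPUT chain and are not written anywhere that survives a reboot. The script below is an added example, not part of the original page, that carries the same rules (the 10.0.0.0/8 internal network, ports 22, 2222, 80 and 443, and the page's comments) into an iptables-restore file with an explicit DROP policy, in the format CentOS 6 keeps in /etc/sysconfig/iptables. The INTERNAL_NET and PUBLIC_SSH_PORT variables and the helper function names are this example's own.

```shell
# Added example (not from the original wiki page): build a complete ruleset in
# iptables-restore format. Network and ports default to the values used on the
# page; override them in the environment if yours differ.
INTERNAL_NET="${INTERNAL_NET:-10.0.0.0/8}"
PUBLIC_SSH_PORT="${PUBLIC_SSH_PORT:-2222}"

# Print the ruleset to stdout. Rules are matched top to bottom; anything that
# falls through hits the chain policy, which is DROP for INPUT and FORWARD.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s $INTERNAL_NET -p icmp --icmp-type echo-request -m comment --comment "ICMP ECHO - Internal" -j ACCEPT
-A INPUT -s $INTERNAL_NET -p tcp --dport 22 -m comment --comment "SSH - Internal" -j ACCEPT
-A INPUT -p tcp --dport $PUBLIC_SSH_PORT -m comment --comment "SSH ALT $PUBLIC_SSH_PORT - Public" -j ACCEPT
-A INPUT -p tcp --dport 80 -m comment --comment "HTTP - Public" -j ACCEPT
-A INPUT -p tcp --dport 443 -m comment --comment "HTTPS - Public" -j ACCEPT
COMMIT
EOF
}

# Number of ACCEPT rules in a ruleset file; a quick sanity check before loading.
count_accept_rules() {
    grep -c -- '-j ACCEPT$' "$1"
}

# Succeeds only if the file sets a DROP policy on INPUT. Without that policy the
# ACCEPT rules above do not restrict anything.
has_default_drop() {
    grep -q '^:INPUT DROP' "$1"
}

# Load the file atomically: if it fails to parse, the running ruleset is left
# untouched. Writing the same file to /etc/sysconfig/iptables is what makes the
# rules persist on CentOS 6 (it is the file `service iptables save` writes).
load_ruleset() {
    iptables-restore < "$1"
}

# Usage (as root):
#   build_ruleset > /etc/sysconfig/iptables
#   has_default_drop /etc/sysconfig/iptables && load_ruleset /etc/sysconfig/iptables
```

Keep an SSH session open while loading a new ruleset: the ESTABLISHED,RELATED rule keeps the current session alive, and the 2222 rule has to be in place before the public SSH port is relied on.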
Configure HTTPD
Modules
Start by checking what modules are installed.
~$ sudo httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 ....
Make sure that you see the following:
 rewrite_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
If they are not listed, you can enable them by uncommenting or adding them to the httpd.conf file.
~$ sudo vim /etc/httpd/conf/httpd.conf
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Restart httpd for the changes to take effect.
~$ sudo service httpd restart
Conf
Next is to configure the Conf file for the reverse proxy. This will include a rewrite rule for all HTTP traffic to be redirected to HTTPS.
~$ sudo vim /etc/httpd/conf.d/website.conf
# HTTP
<VirtualHost *:80>
    ServerName website.com

    #Logging
    LogLevel warn
    ErrorLog /var/log/httpd/website.com-error_log
    CustomLog /var/log/httpd/website.com-access_log combined

    #Redirect any HTTP request to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
</VirtualHost>

# HTTPS
<VirtualHost *:443>
    ServerName website.com

    #Logging
    ErrorLog /var/log/httpd/website.com-error_log
    CustomLog /var/log/httpd/website.com-access_log combined

    #Reverse Proxy Configuration
    ProxyPreserveHost On
    ProxyPass / https://redirected.site.com:8081/
    ProxyPassReverse / https://redirected.site.com:8081/
    SSLProxyEngine On

    #SSL
    #SSLEngine On
    #SSLCertificateFile
    #SSLCertificateKeyFile
    #SSLCertificateChainFile
</VirtualHost>
Disable welcome page
Comment out all lines:
~$ sudo vim /etc/httpd/conf.d/welcome.conf
Configure Let's Encrypt
Since I'm using CentOS 6, the certbot package is not available in the repos, so we need to download it manually.
~$ sudo mkdir /opt/certbot
~$ sudo wget -O /opt/certbot/certbot-auto https://dl.eff.org/certbot-auto
~$ sudo chmod a+x /opt/certbot/certbot-auto
Next is to create a symlink for ease of access.
~$ sudo ln -s /opt/certbot/certbot-auto /usr/bin/certbot
Manually obtaining the certificate
This is not normally recommended, but at the time of this writing there is an issue with certbot (https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188) that prevents it from controlling a domain using TLS-SNI validation, so I opted to do it manually.
You may need to run certbot by itself before the next step in order to register your email address.
~$ certbot -d website.com --manual --preferred-challenges dns certonly

Are you OK with your IP being logged?
(Y)es/(N)o: y

Please deploy a DNS TXT record under the name
_acme-challenge.website.com with the following value:

4_rR8Uus8AqbceTtaqFd4DWl76039OiYgPtt6wCM7xA

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/website.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/website.com/privkey.pem
   Your cert will expire on 2018-05-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
HTTPD Config
Now that we have the corresponding SSL Certificate and private key, we can enable SSL in our HTTPD Config.
~$ sudo vim /etc/httpd/conf.d/website.conf
...
#SSL
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/website.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/website.com/fullchain.pem
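Two slips are easy to make in this final block: a certificate path without a leading slash, which Apache resolves relative to ServerRoot (/etc/httpd on CentOS) so httpd refuses to start, and an SSLProxyEngine hop to the backend with no SSLProxyVerify, which encrypts the connection to redirected.site.com without authenticating it. The script below is an added example, not from the original page, that lints the vhost file for exactly these points before the restart. The directive names and paths are the page's; the two sample configs are constructed for the demonstration, and the backend CA path /etc/pki/tls/certs/backend-ca.pem in the corrected sample is an assumption.

```shell
# Added example (not from the original wiki page): lint an httpd vhost file for
# the TLS slips discussed above. check_vhost_conf FILE prints one line per
# finding and returns 1 if any finding is an error, 0 otherwise.
check_vhost_conf() {
    conf="$1"
    errors=0
    # Certificate paths must be absolute. Commented-out placeholders such as
    # "#SSLCertificateFile" do not match because the line must start with the
    # directive. awk picks the path argument.
    for path in $(grep -E '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$conf" | awk '{print $2}'); do
        case "$path" in
            /*) ;;
            *)  echo "ERROR: relative certificate path '$path' (Apache resolves it under ServerRoot, not /)"
                errors=$((errors + 1)) ;;
        esac
    done
    # fullchain.pem already contains the leaf certificate; certbot writes
    # chain.pem for the intermediates, which is what this directive expects.
    if grep -Eq '^[[:space:]]*SSLCertificateChainFile[[:space:]]+.*fullchain\.pem' "$conf"; then
        echo "WARN: SSLCertificateChainFile points at fullchain.pem; chain.pem holds just the intermediates"
    fi
    # TLS to the backend is only as good as the certificate check: mod_ssl's
    # default is SSLProxyVerify none.
    if grep -Eiq '^[[:space:]]*SSLProxyEngine[[:space:]]+On' "$conf" && \
       ! grep -Eiq '^[[:space:]]*SSLProxyVerify[[:space:]]+require' "$conf"; then
        echo "ERROR: SSLProxyEngine On without 'SSLProxyVerify require': backend certificate is not authenticated"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Constructed sample: the page's SSL block as first written (two paths without
# the leading slash) together with its proxy stanza.
PAGE_CONF=$(mktemp)
cat > "$PAGE_CONF" <<'EOF'
ProxyPreserveHost On
ProxyPass / https://redirected.site.com:8081/
ProxyPassReverse / https://redirected.site.com:8081/
SSLProxyEngine On
#SSL
SSLEngine On
SSLCertificateFile etc/letsencrypt/live/website.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
SSLCertificateChainFile etc/letsencrypt/live/website.com/fullchain.pem
EOF

# Constructed sample: the same block with absolute paths, chain.pem for the
# chain, and the proxy hop verified against the backend's issuing CA (the CA
# file path is an assumption for this example).
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
ProxyPreserveHost On
ProxyPass / https://redirected.site.com:8081/
ProxyPassReverse / https://redirected.site.com:8081/
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/website.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/website.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/website.com/chain.pem
EOF

# Usage: check_vhost_conf /etc/httpd/conf.d/website.conf && sudo service httpd restart
```

The lint only reads the file; it does not check that the certificate files exist or that httpd accepts the syntax, so keep `httpd -t` (or `service httpd configtest`) in the same step before the restart.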