Apache2 – ReverseProxy Configuration

In my scenario, I have a lot of different web servers that are usually bundled with another application like netdata or within a docker container.

And I don’t want to expose all different ports like 19999 for netdata etc. Therefore I usually proxy them and assign different host names to each of them.

So let’s get started, setting up a Reverse Proxy!

Edit: I do not recall all apache2 mods I installed and there are certainly improvements that can be made to my personal configuration.

| MOD | Command |
| --- | --- |
| mod_rewrite | sudo a2enmod rewrite |
| mod_ssl | sudo a2enmod ssl |
| mod_proxy | sudo a2enmod proxy |
| mod_proxy_http | sudo a2enmod proxy_http |
| mod_headers | sudo a2enmod headers |

Do not forget to reload/restart Apache2. Your terminal should let you know anyways if this is necessary.

Non-SSL Configuration

This configuration is only there to redirect clients from http to https.

<VirtualHost *:80>
	RewriteEngine On
	ProxyRequests Off
	ProxyPreserveHost On
	
	ServerName status.calucon.de

	<Proxy *>
		Require all granted
	</Proxy>

	ProxyPass "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on
	ProxyPassReverse "/" "http://localhost:19999/"

	ErrorLog ${APACHE_LOG_DIR}/netdata-error.log
	CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined

	RewriteCond %{SERVER_NAME} =status.calucon.de [NC]
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [NC,END,QSA,R=permanent]

	Header always set X-Frame-Options "SAMEORIGIN"
	Header always set X-Content-Type-Options "nosniff"
	Header always set X-XSS-Protection "1; mode=block"
	Header unset Access-Control-Allow-Origin
	# An origin includes the scheme; a bare host name never matches a browser's Origin header
	Header always set Access-Control-Allow-Origin "https://status.calucon.de"

</VirtualHost>
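The virtual host above still contains ProxyPass and a <Proxy *> block with "Require all granted", so any request that does not satisfy the RewriteCond (this vhost also answers for unmatched host names when it is the first one defined on port 80) is proxied to the backend over plain HTTP without a password. A redirect-only variant is shown below as an added example; it is not part of the original configuration. It assumes mod_alias is enabled (the default on Debian/Ubuntu) and reuses the log file names from the page.

```apache
# Added example: port-80 virtual host that can only redirect.
# Compared with the configuration above, three things are gone:
#   - ProxyPass / ProxyPassReverse: nothing on port 80 reaches netdata
#   - <Proxy *> with "Require all granted": no unauthenticated proxy access
#   - RewriteCond on %{SERVER_NAME}: no request can skip the redirect
<VirtualHost *:80>
	ServerName status.calucon.de

	# mod_alias: answer every path with a 301 to the HTTPS virtual host.
	# The rest of the path and the query string are appended to the target.
	# The target host is a fixed string, so a client-supplied Host header
	# is never reflected into the Location header.
	Redirect permanent "/" "https://status.calucon.de/"

	ErrorLog ${APACHE_LOG_DIR}/netdata-error.log
	CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined
</VirtualHost>
```

After reloading, a plain-HTTP request for any path should return 301 with a Location starting with https://status.calucon.de/, and only the HTTPS virtual host should ever contact port 19999.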

SSL Configuration

In this configuration, we define our ProxyPass and ProxyPassReverse.
These two lines (17 & 18 of the block below) handle all communication between the client and the actual web server.

<IfModule mod_ssl.c>
<VirtualHost *:443>
	RewriteEngine On
	ProxyRequests Off
	ProxyPreserveHost On
	
	ServerName status.calucon.de

	<Proxy *>
		#Require all granted
		AuthType Basic
		AuthName "Password Required"
		AuthUserFile /etc/apache2/.htpasswd
		Require valid-user
	</Proxy>

	ProxyPass "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on
	ProxyPassReverse "/" "http://localhost:19999/"

	ErrorLog ${APACHE_LOG_DIR}/netdata-error.log
	CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined
	
	SSLCertificateFile /etc/letsencrypt/live/status.calucon.de/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/status.calucon.de/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf

	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	Header always set X-Frame-Options "SAMEORIGIN"
	Header always set X-Content-Type-Options "nosniff"
	Header always set X-XSS-Protection "1; mode=block"
	Header unset Access-Control-Allow-Origin
	# An origin includes the scheme; a bare host name never matches a browser's Origin header
	Header always set Access-Control-Allow-Origin "https://status.calucon.de"

</VirtualHost>
</IfModule>

Additionally, as I do not want anyone to see my server statistics, I added the <Proxy *> tag in which I defined that whenever somebody tries to access any proxied location (identified by the asterisk) they must provide a valid Basic-Auth Header (valid login credentials).
