Apache2 – ReverseProxy Configuration
In my scenario, I have a lot of different web servers that are usually bundled with another application like netdata or within a docker container.
And I don’t want to expose all different ports like 19999 for netdata etc. Therefore I usually proxy them and assign different host names to each of them.
So let’s get started, setting up a Reverse Proxy!
Edit: I do not recall all apache2 mods I installed and there are certainly improvements that can be made to my personal configuration.
| Module | Command |
| --- | --- |
| mod_rewrite | sudo a2enmod rewrite |
| mod_ssl | sudo a2enmod ssl |
| mod_proxy | sudo a2enmod proxy |
| mod_proxy_http | sudo a2enmod proxy_http |
| mod_headers | sudo a2enmod headers |
Do not forget to reload/restart Apache2. Your terminal should let you know anyways if this is necessary.
Non-SSL Configuration
This configuration is only there to redirect clients from http to https.
    <VirtualHost *:80>
        RewriteEngine On
        ProxyRequests Off
        ProxyPreserveHost On

        ServerName status.calucon.de

        <Proxy *>
            Require all granted
        </Proxy>

        ProxyPass "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on
        ProxyPassReverse "/" "http://localhost:19999/"

        ErrorLog ${APACHE_LOG_DIR}/netdata-error.log
        CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined

        # Redirect every request for this host name to HTTPS
        RewriteCond %{SERVER_NAME} =status.calucon.de [NC]
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [NC,END,QSA,R=permanent]

        # Security headers
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-XSS-Protection "1; mode=block"
        Header unset Access-Control-Allow-Origin
        # An origin value includes the scheme
        Header always set Access-Control-Allow-Origin "https://status.calucon.de"
    </VirtualHost>
SSL Configuration
In this configuration, we define our ProxyPass and ProxyPassReverse.
These two directives handle all communication between the client and the actual web server.
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        RewriteEngine On
        ProxyRequests Off
        ProxyPreserveHost On

        ServerName status.calucon.de

        # Require a Basic-Auth login for every proxied location
        <Proxy *>
            #Require all granted
            AuthType Basic
            AuthName "Password Required"
            AuthUserFile /etc/apache2/.htpasswd
            Require valid-user
        </Proxy>

        # Forward all requests to netdata listening on localhost:19999
        ProxyPass "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on
        ProxyPassReverse "/" "http://localhost:19999/"

        ErrorLog ${APACHE_LOG_DIR}/netdata-error.log
        CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined

        SSLCertificateFile /etc/letsencrypt/live/status.calucon.de/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/status.calucon.de/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf

        # Security headers
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Content-Type-Options "nosniff"
        Header always set X-XSS-Protection "1; mode=block"
        Header unset Access-Control-Allow-Origin
        # An origin value includes the scheme
        Header always set Access-Control-Allow-Origin "https://status.calucon.de"
    </VirtualHost>
    </IfModule>
Additionally, as I do not want anyone to see my server statistics, I added the <Proxy *> block, in which I defined that whenever somebody tries to access any proxied location (identified by the asterisk), they must provide a valid Basic-Auth header (valid login credentials).
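The port-80 vhost above still carries a ProxyPass with `Require all granted`, so it relies entirely on the RewriteRule firing before anything is proxied. The following audit script is an added example, not part of the original configuration: it flags every vhost that proxies to a backend without requiring a login or over plain HTTP. The names `SAMPLE_CONF`, `directives` and `audit` are hypothetical, and the sample is a trimmed, constructed copy of the two vhosts.

```python
import re
# Constructed sample: the two vhosts from this page, trimmed to the relevant lines.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName status.calucon.de
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass "/" "http://localhost:19999/"
</VirtualHost>
<VirtualHost *:443>
    ServerName status.calucon.de
    <Proxy *>
        #Require all granted
        AuthType Basic
        Require valid-user
    </Proxy>
    ProxyPass "/" "http://localhost:19999/"
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
PROXY_RE = re.compile(r"<Proxy\s+[^>]+>(.*?)</Proxy>", re.S | re.I)

def directives(block):
    """Yield (name, args) per directive line, skipping comments and section tags."""
    for line in block.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), " ".join(parts[1:])

def audit(conf):
    """Return (vhost, server, issue) tuples for vhosts whose proxy is weakly protected."""
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        found = list(directives(body))
        if not any(name == "proxypass" for name, _ in found):
            continue  # this vhost does not proxy anything
        server = next((args for name, args in found if name == "servername"), "?")
        requires = [args.lower() for block in PROXY_RE.findall(body)
                    for name, args in directives(block) if name == "require"]
        if not requires or "all granted" in requires:
            findings.append((addr, server, "ProxyPass reachable without login"))
        if addr.endswith(":80"):
            findings.append((addr, server, "backend proxied over plain HTTP"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

On the sample, both findings belong to the `*:80` vhost; removing its `<Proxy>` and `ProxyPass` lines so that it only redirects clears them.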