In my scenario, I have a lot of different web servers that are usually bundled with another application like netdata or within a docker container.
And I don’t want to expose all different ports like 19999 for netdata etc. Therefore I usually proxy them and assign different host names to each of them.
So let’s get started, setting up a Reverse Proxy!
Edit: I do not recall all apache2 mods I installed and there are certainly improvements that can be made to my personal configuration.
| MOD | Command |
mod_rewrite | sudo a2enmod rewrite |
mod_ssl | sudo a2enmod ssl |
mod_proxy | sudo a2enmod proxy |
mod_proxy_http | sudo a2enmod proxy_http |
mod_headers | sudo a2enmode headers |
Do not forget to reload/restart Apache2. Your terminal should let you know anyways if this is necessary.
Non-SSL Configuration
This configuration is only there to redirect clients from http to https.
<VirtualHost *:80>
RewriteEngine On
ProxyRequests Off
ProxyPreserveHost On
ServerName status.calucon.de
<Proxy *>
Require all granted
</Proxy>
ProxyPass "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on
ProxyPassReverse "/" "http://localhost:19999/"
ErrorLog ${APACHE_LOG_DIR}/netdata-error.log
CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined
RewriteCond %{SERVER_NAME} =status.calucon.de [NC]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [NC,END,QSA,R=permanent]
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header unset Access-Control-Allow-Origin
Header always set Access-Control-Allow-Origin "status.calucon.de"
</VirtualHost>
SSL Configuration
Here in this configuration, we define our ProxyPass and ProxyPassReverse.
These two lines (17 & 18) handle all communication between the client and the actual web server.
<IfModule mod_ssl.c>
<VirtualHost *:443>
RewriteEngine On
ProxyRequests Off
ProxyPreserveHost On
ServerName status.calucon.de
<Proxy *>
#Require all granted
Authtype Basic
Authname "Password Required"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Proxy>
ProxyPass "/" "http://localhost:19999/" connectiontimeout=5 timeout=30 keepalive=on
ProxyPassReverse "/" "http://localhost:19999/"
ErrorLog ${APACHE_LOG_DIR}/netdata-error.log
CustomLog ${APACHE_LOG_DIR}/netdata-access.log combined
SSLCertificateFile /etc/letsencrypt/live/status.calucon.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/status.calucon.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header unset Access-Control-Allow-Origin
Header always set Access-Control-Allow-Origin "status.calucon.de"
</VirtualHost>
</IfModule>
Additionally, as I do not want anyone to see my server statistics, I added the <Proxy *> tag in which I defined that whenever somebody tries to access any proxied location (identified by the asterisk) they must provide a valid Basic-Auth Header (valid login credentials).