Difference between revisions of "SBN - Proxy Server Notes"

From The TinkerNet Wiki
Latest revision as of 20:59, 15 July 2020

Reverse Proxy (Outside Access to internal servers)

Start with a standard Web Server install...

We'll be basing our procedure on Configuring Apache To Proxy Connections

Enable the proxy modules:

  • sudo a2enmod proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html

(mod_authz_host, which supplies the Require ip / Require host directives used for access control below, is already enabled by default on Debian/Ubuntu; if it is not, the a2enmod name is authz_host, without the mod_ prefix. proxy_connect is only needed for forward-proxy CONNECT tunnelling and can be left out of a pure reverse proxy.)

Create the virtual host to point incoming connections at the internal server you want to proxy:

You may have noted, while setting up the VirtualHost, that we're pointing at a set of cert files that need to be on both machines. I would suggest obtaining the certs on the main web server and copying them to the machine being proxied, as this (to some extent) simplifies updating them. Bear in mind that the copy includes privkey.pem: move it over an authenticated channel such as scp and keep the same root-only 0600 permissions at the destination, since whoever can read that file can impersonate the site.

The VirtualHost also writes two log files into a new folder, which has to exist before Apache starts:

  • sudo mkdir /var/log/apache2/Proxy

(only the folder is needed; Apache creates the two log files itself when it restarts)

Now, restart Apache:

  • sudo service apache2 restart

At this point you should be able to browse to the external name you gave the VirtualHost (Proxy.foo.bar in this example) from outside your network. External DNS for that name must point at the proxy, and as far as the outside world is concerned it is a different name from your normal web server.
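As an added, complete example for the procedure above (this is not the page's own configuration, which lives on the linked Proxy VirtualHost page): a plain-HTTP VirtualHost that only redirects, and the HTTPS VirtualHost that does the proxying. The name MyServer.MyDomain.net, the Let's Encrypt paths and the /var/log/apache2/Proxy log paths follow the page's conventions; the file name and the assumption that the name resolves to the proxy from the Internet but to the internal machine from the proxy itself (split DNS or an /etc/hosts entry on the proxy) are mine. Two settings carry the security weight: ProxyRequests is explicitly Off, because with it On mod_proxy also accepts forward-proxy requests for arbitrary hosts, and a permissive <Proxy> block then turns the box into an open proxy; and SSLProxyVerify is set to require, because its default is none, meaning Apache would otherwise accept any certificate from the backend.

```apache
# Added example: /etc/apache2/sites-available/myserver-proxy.conf (file name assumed)

# Plain-HTTP listener: nothing is served here, everything is bounced to HTTPS.
<VirtualHost *:80>
    ServerName MyServer.MyDomain.net
    Redirect permanent "/" "https://MyServer.MyDomain.net/"
</VirtualHost>

<VirtualHost *:443>
    ServerName MyServer.MyDomain.net

    # TLS towards the client, using the Let's Encrypt files the page copies
    # onto both machines.
    SSLEngine On
    SSLCertificateFile    /etc/letsencrypt/live/MyServer.MyDomain.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/MyServer.MyDomain.net/privkey.pem
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy only. ProxyRequests On would also accept forward-proxy
    # requests for any host on the Internet (an open proxy).
    ProxyRequests Off
    ProxyPreserveHost On

    # TLS towards the backend, and actually verify its certificate.
    # Assumption: the backend presents the same public-CA certificate the page
    # describes, so the Debian system CA bundle can validate it.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # Assumption: on the proxy, MyServer.MyDomain.net resolves to the internal
    # host (split DNS or /etc/hosts), while public DNS points at this proxy.
    ProxyPass        "/" "https://MyServer.MyDomain.net/"
    ProxyPassReverse "/" "https://MyServer.MyDomain.net/"
    RequestHeader set X-Forwarded-Proto "https"

    # Logs go into the folder created with: sudo mkdir /var/log/apache2/Proxy
    ErrorLog  /var/log/apache2/Proxy/MyServer_log
    CustomLog /var/log/apache2/Proxy/MyServer-access_log combined
</VirtualHost>
```

Enable it with `sudo a2ensite myserver-proxy`, run `sudo apachectl configtest` before the restart so a typo does not take the main web server down with it, then restart Apache as above. If the backend's certificate is not from a public CA, point SSLProxyCACertificateFile at the CA (or self-signed certificate) that issued it rather than lowering SSLProxyVerify.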

Special considerations for the ESXi WebUI

The ESXi host client (the WebUI) uses WebSockets. mod_proxy_http on its own does not carry the HTTP Upgrade handshake through to the backend, so the WebSocket connections have to be tunnelled with mod_proxy_wstunnel, which is not in the module list above and must be enabled separately.
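An added example of the tunnelling, not the page's own configuration: the fragment below goes inside the *:443 VirtualHost that fronts the ESXi host and assumes the host is reachable from the proxy as esxi.internal (name assumed). It needs `sudo a2enmod proxy_wstunnel` in addition to the modules enabled above. Rather than guessing which ESXi paths speak WebSocket, it looks at the Upgrade header: any request asking to upgrade is handed to mod_proxy_wstunnel over wss://, everything else stays with the normal ProxyPass.

```apache
# Added example: inside the *:443 VirtualHost that fronts the ESXi host.
# Requires: sudo a2enmod proxy_wstunnel   (not in the page's a2enmod list)
SSLProxyEngine    On
ProxyRequests     Off
ProxyPreserveHost On

# Assumption: the ESXi host resolves from the proxy as esxi.internal.
# Requests carrying "Upgrade: websocket" are proxied by mod_proxy_wstunnel
# (wss:// scheme, [P] flag); the rewrite rule never matches ordinary requests.
RewriteEngine On
RewriteCond %{HTTP:Upgrade}    =websocket [NC]
RewriteCond %{HTTP:Connection} upgrade    [NC]
RewriteRule ^/(.*)$ "wss://esxi.internal/$1" [P,L]

# Everything else is plain HTTPS proxying as for any other internal server.
ProxyPass        "/" "https://esxi.internal/"
ProxyPassReverse "/" "https://esxi.internal/"

# ESXi ships a self-signed certificate, and SSLProxyVerify defaults to none,
# so the proxy would accept it (or anything else) silently. To pin it, export
# the ESXi certificate (or the CA that issued it) and verify against that:
SSLProxyVerify require
SSLProxyCACertificateFile /etc/ssl/private/esxi-internal.pem
```

The path of the exported certificate is assumed. The two RewriteCond lines do the classification: `=websocket` is a case-insensitive exact match on the Upgrade header, and the Connection header must contain "upgrade" (browsers send "Upgrade" or "keep-alive, Upgrade").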

Access Control by IP / HostName

You can control who can access your proxy via the <Proxy> control block as in the following example:

<Proxy "*">
  Order deny,allow
  Deny from all
  Allow from 192.168.0.1
  Allow from 192.168.0.2
</Proxy>

Simply replace 192.168.0.1 & 192.168.0.2 with the IPs of the machines allowed to access this proxy; every other client is refused with 403 Forbidden. These are the Apache 2.2 directives; on Apache 2.4 they still work through mod_access_compat (enabled by default on Debian/Ubuntu), but they must not be mixed with the 2.4 Require directives in the same section.

Reference: http://httpd.apache.org/docs/2.2/howto/access.html#host

In theory, you could also replace the IP addresses with hostnames (or partial hostnames). BUT Apache checks these with a double reverse DNS lookup: the client's IP is resolved to a name, and that name is resolved back and must contain the original IP. So it is the client's address that needs a matching PTR record visible from the proxy, which is rarely the case for machines on the open Internet, and the lookups add latency to every request.
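The Apache 2.4 form of the same access control, as an added example (not from the page), written with the mod_authz_host Require directives from the page's own "Further Reading" link. It goes beyond the two-address case above: CIDR ranges, an exclusion inside an allowed range, and the hostname variant with its reverse-DNS caveat. The 203.0.113.0/24 and 10.8.0.0/24 ranges are placeholders chosen here (RFC 5737 documentation space and an assumed VPN range); replace them with your own.

```apache
# Added example: Apache 2.4 (mod_authz_host) equivalent of the 2.2 block above.
# Do not combine this with Order/Deny/Allow in the same <Proxy> section.
<Proxy "*">
    <RequireAll>
        # Individual hosts and CIDR ranges can be mixed on one line.
        # Anything not listed is refused with 403 Forbidden.
        Require ip 192.168.0.1 192.168.0.2 203.0.113.0/24 10.8.0.0/24

        # Carve one address out of an otherwise allowed range
        # (assumed: a misbehaving host on the VPN subnet).
        Require not ip 10.8.0.99
    </RequireAll>

    # Hostname form. Apache reverse-resolves the client's IP and then
    # forward-resolves the result, so the client's address needs a matching
    # PTR record that is visible from this proxy. Rarely true on the open
    # Internet, and it costs two DNS lookups per request; left disabled here.
    # Require host trusted.example.net
</Proxy>
```

Because only a reverse proxy is intended, this section only needs to hold the allow list; the ProxyRequests Off setting in the VirtualHost is what prevents the same <Proxy "*"> block from also governing forward-proxy requests from those clients to arbitrary hosts.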

Upcoming tricks...

  • Access control by User Login
      • Apache Authentication and Authorization: https://httpd.apache.org/docs/2.4/howto/auth.html
  • Multi-Site Server Management from a Central Server

Further Reading

  • Apache Module mod_proxy: https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
  • Apache Module mod_authz_host: https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html
  • Apache Reverse Proxy Guide: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html