Difference between revisions of "SBN - Proxy Server Notes"
(Created page with "= Reverse Proxy (Outside Access to internal servers) = Start with a standard Web Server install... We'll be basing our procedure on [https://www.d...") |
Line 1: | Line 1: | ||
− | = Reverse Proxy (Outside Access to internal servers) = | + | =Reverse Proxy (Outside Access to internal servers)= |
Start with a [[SBN - Web Server Notes|standard Web Server install]]... | Start with a [[SBN - Web Server Notes|standard Web Server install]]... | ||
Line 7: | Line 7: | ||
Enable the proxy modules: | Enable the proxy modules: | ||
− | * <code>sudo a2enmod proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html</code> | + | *<code>sudo a2enmod proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html</code> |
(possibly add <code>mod_authz_host</code> to the list...) | (possibly add <code>mod_authz_host</code> to the list...) | ||
Line 13: | Line 13: | ||
Create the virtual machine to point incoming connections at the internal server you want to proxy: | Create the virtual machine to point incoming connections at the internal server you want to proxy: | ||
− | * <code>sudo vim /etc/apache2/apache2.conf</code> | + | *<code>sudo vim /etc/apache2/apache2.conf</code> |
& add this (modified to suit) to the end of the file: | & add this (modified to suit) to the end of the file: | ||
Line 46: | Line 46: | ||
You may have noted that we're pointing at a set of cert files that need to be on the machine. | You may have noted that we're pointing at a set of cert files that need to be on the machine. | ||
− | * <code>sudo mkdir /etc/letsencrypt/live/MyServer.MyDomain.net</code> | + | *<code>sudo mkdir /etc/letsencrypt/live/MyServer.MyDomain.net</code> |
& copy the certs from the internal server into this folder. (see [[CertGetter]] for information about getting certs for internal machines) | & copy the certs from the internal server into this folder. (see [[CertGetter]] for information about getting certs for internal machines) | ||
Line 52: | Line 52: | ||
Also, 2 log files in a new folder... | Also, 2 log files in a new folder... | ||
− | * <code>sudo mkdir /var/log/apache2/Proxy</code> | + | *<code>sudo mkdir /var/log/apache2/Proxy</code> |
(this folder will be populated automgically when you restart Apache...) | (this folder will be populated automgically when you restart Apache...) | ||
Line 58: | Line 58: | ||
Now, restart Apache: | Now, restart Apache: | ||
− | * <code>sudo service apache2 restart</code> | + | *<code>sudo service apache2 restart</code> |
At this point, you should be able to browse to '''MyServer.MyDomain.net''' from outside your network. | At this point, you should be able to browse to '''MyServer.MyDomain.net''' from outside your network. | ||
− | == Access Control by IP == | + | ==Access Control by IP== |
You can control who can access your proxy via the <Proxy> control block as in the following example: | You can control who can access your proxy via the <Proxy> control block as in the following example: | ||
Line 72: | Line 72: | ||
Simply replace '''192.168.0.1''' with the IP of the machine allowed to access this proxy. | Simply replace '''192.168.0.1''' with the IP of the machine allowed to access this proxy. | ||
− | == Upcoming tricks... == | + | ==Upcoming tricks...== |
− | * Multi-Site Server Management from a Central Server | + | *Special considerations for the ESXi WebUI |
+ | *Multi-Site Server Management from a Central Server | ||
− | == Further Reading == | + | ==Further Reading== |
− | * [https://httpd.apache.org/docs/2.4/mod/mod_proxy.html Apache Module mod_proxy] | + | *[https://httpd.apache.org/docs/2.4/mod/mod_proxy.html Apache Module mod_proxy] |
− | * [https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html Apache Module mod_authz_host] | + | *[https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html Apache Module mod_authz_host] |
Revision as of 17:31, 22 June 2020
Reverse Proxy (Outside Access to internal servers)
Start with a standard Web Server install...
We'll be basing our procedure on Configuring Apache To Proxy Connections
Enable the proxy modules:
sudo a2enmod proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html
(possibly add mod_authz_host to the list...)
Create the virtual host to point incoming connections at the internal server you want to proxy:
sudo vim /etc/apache2/apache2.conf
& add this (modified to suit) to the end of the file:
 <VirtualHost *:80>
     ServerName MyServer.MyDomain.net
     Redirect permanent / https://MyServer.MyDomain.net/
 </VirtualHost>

 <VirtualHost _default_:443>
     ServerName MyServer.MyDomain.net
     # Reverse proxy only: ProxyRequests enables forward proxying and is not needed for ProxyPass
     ProxyRequests Off
     SSLEngine On
     SSLProxyEngine On
     ProxyPreserveHost On
     # From the proxy, this name must resolve to the internal server
     ProxyPass / https://MyServer.MyDomain.net/
     ProxyPassReverse / https://MyServer.MyDomain.net/
     SSLCertificateFile /etc/letsencrypt/live/MyServer.MyDomain.net/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/MyServer.MyDomain.net/privkey.pem
     <Proxy "*">
         Order allow,deny
         Allow from all
     </Proxy>
     ErrorLog /var/log/apache2/Proxy/MyServer_log
     CustomLog /var/log/apache2/Proxy/MyServer-access_log combined
 </VirtualHost>
You will need to set up external DNS for MyServer.MyDomain.net (which is NOT the same as your normal webserver name as far as the outside world is concerned)
You may have noted that we're pointing at a set of cert files that need to be on the machine.
sudo mkdir /etc/letsencrypt/live/MyServer.MyDomain.net
& copy the certs from the internal server into this folder. (see CertGetter for information about getting certs for internal machines)
Also, 2 log files in a new folder...
sudo mkdir /var/log/apache2/Proxy
(this folder will be populated automagically when you restart Apache...)
Now, restart Apache:
sudo service apache2 restart
At this point, you should be able to browse to MyServer.MyDomain.net from outside your network.
Access Control by IP
You can control who can access your proxy via the <Proxy> control block as in the following example:
 <Proxy "*">
     Require ip 192.168.0.1
 </Proxy>
Simply replace 192.168.0.1 with the IP of the machine allowed to access this proxy.
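ProxyRequests turns on forward proxying, which a reverse proxy built from ProxyPass does not need; combined with a <Proxy> block that admits every client, it leaves the server relaying requests for anyone. The check below is an added example, not part of the original notes: the function name audit_proxy_conf, the finding labels and both sample configs are constructed for illustration, and the whole file is treated as a single scope.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): flag forward-proxy exposure in an
# Apache config. Simplification: the file is treated as one scope (no per-vhost logic).

# audit_proxy_conf [FILE]   (reads stdin when FILE is omitted)
# Prints "<line> <FINDING>" rows followed by one "VERDICT ..." line.
# Exit status is 1 when ProxyRequests is On, otherwise 0.
audit_proxy_conf() {
  awk '
    { l = tolower($0); sub(/^[ \t]+/, "", l) }
    l == "" || l ~ /^#/ { next }                 # skip blank lines and comments
    l ~ /^proxyrequests[ \t]+on[ \t]*$/ { print NR, "FORWARD_PROXY_ON"; fwd = 1 }
    l ~ /^<proxy[ \t>]/ { inblk = 1; next }      # <Proxy ...>, not <ProxyMatch>
    l ~ /^<\/proxy>/    { inblk = 0; next }
    inblk && (l ~ /^allow[ \t]+from[ \t]+all/ || l ~ /^require[ \t]+all[ \t]+granted/) {
      print NR, "PROXY_OPEN_TO_ALL"; wide = 1
    }
    END {
      v = "reverse-only"
      if (fwd) v = wide ? "open-forward-proxy" : "forward-proxy-on"
      print "VERDICT", v; exit fwd + 0
    }
  ' "${1:--}"
}

# Constructed sample: forward proxying on, <Proxy> open to every client.
sample_weak() { cat <<'EOF'
ProxyRequests on
ProxyPass / https://MyServer.MyDomain.net/
<Proxy "*">
    Order allow,deny
    Allow from all
</Proxy>
EOF
}

# Constructed sample: reverse proxy only, access limited to one address.
sample_hardened() { cat <<'EOF'
# ProxyRequests on
ProxyRequests Off
ProxyPass / https://MyServer.MyDomain.net/
<Proxy "*">
    Require ip 192.168.0.1
</Proxy>
EOF
}

echo "== weak ==";     sample_weak     | audit_proxy_conf || true
echo "== hardened =="; sample_hardened | audit_proxy_conf || true
```

On the proxy itself, run it as audit_proxy_conf /etc/apache2/apache2.conf before restarting Apache.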
Upcoming tricks...
- Special considerations for the ESXi WebUI
- Multi-Site Server Management from a Central Server