Difference between revisions of "SBN - Proxy Server Notes"

From The TinkerNet Wiki
Jump to navigation Jump to search
Line 70: Line 70:
  
 
  <Proxy "*">
 
  <Proxy "*">
   Require ip 192.168.0.1
+
   Order allow,deny
 +
  Allow from 192.168.0.1
 +
  Allow from 192.168.0.2
 
  </Proxy>
 
  </Proxy>
  
Simply replace '''192.168.0.1''' with the IP of the machine allowed to access this proxy.
+
Simply replace '''192.168.0.1''' & '''192.168.0.2''' with the IPs of the machines allowed to access this proxy.
  
 
==Upcoming tricks...==
 
==Upcoming tricks...==

Revision as of 13:02, 24 June 2020

Reverse Proxy (Outside Access to internal servers)

Start with a standard Web Server install...

We'll be basing our procedure on Configuring Apache To Proxy Connections

Enable the proxy modules:

  • sudo a2enmod proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html

(possibly add mod_authz_host to the list...)

Create the virtual machine to point incoming connections at the internal server you want to proxy:

  • sudo vim /etc/apache2/apache2.conf

& add this (modified to suit) to the end of the file:

<VirtualHost *:80>
    ServerName MyServer.MyDomain.net
    Redirect permanent / https://MyServer.MyDomain.net/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName MyServer.MyDomain.net
    ProxyRequests on
    SSLEngine On
    SSLProxyEngine On
    ProxyPreserveHost On

    ProxyPass / https://MyServer.MyDomain.net/
    ProxyPassReverse / https://MyServer.MyDomain.net/
SSLCertificateFile /etc/letsencrypt/live/MyServer.MyDomain.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/MyServer.MyDomain.net/privkey.pem
    <Proxy "*">
        Order allow,deny
        Allow from all
    </Proxy>
        ErrorLog /var/log/apache2/Proxy/MyServer_log
        CustomLog /var/log/apache2/Proxy/MyServer-access_log combined

</VirtualHost>

You will need to set up external DNS for MyServer.MyDomain.net (which is NOT the same as your normal webserver name as far as the outside world is concerned)

You may have noted that we're pointing at a set of cert files that need to be on the machine.

  • sudo mkdir /etc/letsencrypt/live/MyServer.MyDomain.net

& copy the certs from the internal server into this folder. (see CertGetter for information about getting certs for internal machines)

Also, 2 log files in a new folder...

  • sudo mkdir /var/log/apache2/Proxy

(this folder will be populated automgically when you restart Apache...)

Now, restart Apache:

  • sudo service apache2 restart

At this point, you should be able to browse to MyServer.MyDomain.net from outside your network.

Special considerations for the ESXi WebUI

ESXi uses WebSockets

Access Control by IP

You can control who can access your proxy via the <Proxy> control block as in the following example:

<Proxy "*">
  Order allow,deny
  Allow from 192.168.0.1
  Allow from 192.168.0.2
</Proxy>

Simply replace 192.168.0.1 & 192.168.0.2 with the IPs of the machines allowed to access this proxy.

Upcoming tricks...

  • Multi-Site Server Management from a Central Server

Further Reading