Reverse Proxy Configuration

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Reverse Proxy Configuration

John Welsby

Hi everyone, I am looking for some help configuring Apache Web Server as a reverse proxy.

A little background: I have a Debian 9 (stretch) server at my home, running Nextcloud on Apache2. I have a static IP from my ISP, and a domain I own is pointed to it. I have forwarded ports 80 and 443 on my router to the LAN IP of my Debian server. Everything is configured and working, and I can access my Nextcloud instance at https://mydomain.com

What I would like – and tell me if I'm barking up the wrong tree here – is a secure way of accessing different services on my home network from the internet. According to the material I have found, a reverse proxy is a good way of doing this.

Put simply, I would like to be able to access my Nextcloud server at https://nextcloud.mydomain.com and the ability to add other services (on the same or different machines), such as https://email.mydomain.com or https://bittorrent.mydomain.com

Can someone help me with the configuration required to do this? Also, does it defeat the purpose if the reverse proxy and the services I want to access are on the same machine?

I have checked the documentation at https://httpd.apache.org/docs/2.4/vhosts/examples.html and there is a brief section on using virtual_host and mod_proxy together, but not enough detail for me to create my own configs.

Here is my current Nextcloud configuration:


<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    DocumentRoot /var/www/nextcloud
    CustomLog /var/log/apache2/nc-access.log combined
    ErrorLog  /var/log/apache2/nc-error.log
    SSLEngine on
    #SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateFile /home/john/ssl/certificate.crt
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLCertificateKeyFile /home/john/ssl/private.key
    <IfModule mod_rewrite.c>
      RewriteEngine On
      #RewriteBase /
      RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
      RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
    </IfModule>
  </VirtualHost>
  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All
    <IfModule mod_dav.c>
      Dav off
    </IfModule>
    LimitRequestBody 0
    SSLRenegBufferSize 10486000
  </Directory>
</IfModule>


Any help is much appreciated.

~John

Reply | Threaded
Open this post in threaded view
|

Re: Reverse Proxy Configuration

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

John,

On 5/24/19 07:19, John Welsby wrote:

> Hi everyone, I am looking for some help configuring Apache Web
> Server as a reverse proxy.
>
> A little background: I have a Debian 9 (stretch) server at my
> home, running Nextcloud on Apache2. I have a static IP from my ISP,
> and a domain I own is pointed to it. I have forwarded ports 80 and
> 443 on my router to the LAN IP of my Debian server. Everything is
> configured and working, and I can access my Nextcloud instance at
> https://mydomain.com <https://mydomain.com/>
>
> What I would like – and tell me if I'm barking up the wrong tree
> here – is a secure way of accessing different services on my home
> network from the internet. According to the material I have found,
> a reverse proxy is a good way of doing this.
>
> Put simply, I would like to be able to access my Nextcloud server
> at https://nextcloud.mydomain.com <https://nextcloud.mydomain.com/>
> and the ability to add other services (on the same or different
> machines), such as https://email.mydomain.com
> <http://email.mydomain.com/> or https://bittorrent.mydomain.com
> <https://bittorrent.mydomain.com/>
>
> Can someone help me with the configuration required to do this?
> Also, does it defeat the purpose if the reverse proxy and the
> services I want to access are on the same machine?
>
> I have checked the documentation at
> https://httpd.apache.org/docs/2.4/vhosts/examples.html and there is
> a brief section on using virtual_host and mod_proxy together, but
> not enough detail for me to create my own configs.
>
> Here is my current Nextcloud configuration:
>
>
> <IfModule mod_ssl.c> <VirtualHost _default_:443> DocumentRoot
> /var/www/nextcloud CustomLog /var/log/apache2/nc-access.log
> combined ErrorLog  /var/log/apache2/nc-error.log SSLEngine on
> #SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
> SSLCertificateFile /home/john/ssl/certificate.crt
> #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
> SSLCertificateKeyFile /home/john/ssl/private.key <IfModule
> mod_rewrite.c> RewriteEngine On #RewriteBase / RewriteCond
> %{HTTP_HOST} ^www\.(.*)$ [NC] RewriteRule ^(.*)$ <a href="https://%1/$1">https://%1/$1
> [R=301,L] </IfModule> </VirtualHost> <Directory
> /var/www/nextcloud/> Options +FollowSymlinks AllowOverride All
> <IfModule mod_dav.c> Dav off </IfModule> LimitRequestBody 0
> SSLRenegBufferSize 10486000 </Directory> </IfModule>
>
>
> Any help is much appreciated.

It isn't clear whether you need proxying at all. What are the other
"services' and where are they running? For example if you are running
your email service from httpd, then you don't need a proxy, just s
VirtualHost will get the job done.

Proxying local services is a completely legitimate use-case.

In general, using mod_proxy is the way to go for proxying HTTP(S).
Have a look at the documentation for mod_proxy which can do both
forward- and reverse-proxying using a number of protocols. You are
probably interested in mod_proxy_http which proxys (you guessed it)
HTTP. mod_proxy is a kind of "parent module" which also requires that
you enable a protocol-specific module as well, so you'd need to enable
both mod_proxy *and* mod_proxy_http for example.

Most mod_proxy configurations start with something simple like this:

<VirtualHost *:443>
  ServerName email.mydomain.com

  SSLEngine on
  (Other TLS configuration)

  ProxyPass / http://localhost:8888/
  ProxyPassReverse / http://localhost:8888/
</VirtualHost>

The above would be appropriate if your email were hosted locally (to
the httpd server) over cleartext HTTP on port 8888. If it's elsewhere
on your network, then:

  ProxyPass / <a href="http://ip-or-local-hostname:port/">http://ip-or-local-hostname:port/
  ProxyPassReverse / <a href="http://ip-or-local-hostname:port/">http://ip-or-local-hostname:port/

If you want to use HTTPS on your local network segment (which I would
highly recommend), then you'll need to use https:// URLs and probably
configure some certificate trust using e.g. directives like
SSLProxyCACertificateFile in mod_ssl.

To get DNS working, you'll need to register email.mydomain.com,
nextcloud.mydomain.com, bittorrent.mydomain.com, etc. all as pointing
to the IP address of your router (probably) and then port-forward from
the router to the main http reverse-proxy, as you have things, now.
Remember to set a ServerName for each of your VirtualHosts and the
appropriate TLS key and certificate material for each one.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlzslxkACgkQHPApP6U8
pFie+w/+LUfg82VVb3XTmVAEE+3PoSjhrjnF7k5LCUc5t9pvChu31GXbpntSm9Dj
LQXz+4rgLmofByq9pjANFAPYc9yeybBhqIlOZiQUzE5jWbTZElMpD9EcW1Og55j9
WuhSF1UjqJ33qYV/kmrW+UFGWKGV0gB84Zh2yC2UgyV6dWw9HM+rnarjkt6yy/eR
CgGPKMQjSBt2L3vnDe5d/pKaMAM6s4hQnBOuvW3WgT0rWFRrgd/XZhpIp9xV+0It
AzC3v7lXoUhqQBsKaY0ibOYctQSLd9paldYiJ8Z8NU6O9XGs7yL8zaq1CaX1qK46
DXKVL0tDMrvInwi3mx2vvTTKCj9L/wjZOTpM64sfoax3CbPRGMRmMumZZiwMl2Eh
yuepTmk+1yvyebnuKbJKjEbpmVB1FrWjQrfSbgFGYnRWS6HLLDdDPfjeP344y/GM
M3Ic7eoaHwCRhbXmkVQHPY/s+IHsKAUnwSz1tc/QfX3xOoxRxMzD9kuZ6X0Zh9s1
d+0apa2XBjmiDZMXYGTqCwRUEit3goV2u0XE0xZC2J4PoN9Vgz0vHH/m6DQjseqf
8GqA4qxPyPytcrYsoN85ruYxXfIM6G0zYLRo3N47DCWX8L90/rQIy4AZV5eN6Lg6
WpQRXN7zn+nPl6IISg/B/DsTgWOLIvw1Piy4yW+LnU0b2QncwPg=
=dG4R
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]