Reverse Proxy Installation on Debian / Ubuntu

An Ubuntu 16.04 installation serves as the base for the reverse proxy. The following describes every step needed to set up the proxy once the OS installation is complete.

What is a reverse proxy? In general, a proxy is a communication interface in the network that accepts requests and forwards them to a target host on the requester's behalf. A reverse proxy, by contrast, is usually placed in front of one or more web servers as an additional security component: it accepts requests from the Internet on their behalf and forwards them to a backend server.

A more detailed description can be found here: Reverse-Proxy – Kernkomponente in Sicherheitsarchitekturen

Interesting hardware for standalone proxies


Right at the start, the proxy server is given its own fixed IP address. This is important because later on, traffic arriving at the router on port 80 (HTTP) and port 443 (HTTPS) will be passed directly to the proxy via port forwarding.

# vim /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.6
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1

Once the file has been saved, the system is rebooted.

# init 6

First, all base packages needed to set up our proxy are installed.

# apt-get install apache2 libapache2-mod-proxy-html libxml2-dev

Enable the proxy components from the Apache2 package. mod_proxy_wstunnel is required for the ws:// and wss:// targets used in the HTTPS virtual hosts.

# a2enmod proxy proxy_ajp proxy_http proxy_wstunnel rewrite deflate headers proxy_balancer proxy_connect proxy_html xml2enc vhost_alias ssl

Next, Let's Encrypt is installed so that we can later use it to generate our own SSL certificate.

# apt-get install git-core
# cd /opt
# git clone https://github.com/letsencrypt/letsencrypt

Now that the required base packages are installed, the next step is to define the virtual hosts of our reverse proxy. At this stage it is important to enable only proxy_http.conf at first: proxy_https.conf already specifies the certificate path in every virtual host, and enabling it before the certificates exist would cause a critical error when the web server restarts.

First, the default sites are disabled and deleted:

# a2dissite 000-default.conf
# a2dissite default-ssl.conf

# rm /etc/apache2/sites-available/000-default.conf
# rm /etc/apache2/sites-available/default-ssl.conf

Now all of the following virtual host files used by the proxy are copied to /etc/apache2/sites-available/ on the system.

Status: last backup of the files dated 17 March 2017

blackgate.org.conf
<VirtualHost *:80>
# ServerName blackgate.org
ServerName localhost
 #
   ServerAdmin michael.r467@gmail.com
   DocumentRoot /var/www/piwik
 #
</VirtualHost>
proxy_http.conf
#------------------------------------------------------------------------------------------------
#                             REDIRECTION FOR NON EXISTENT SUBDOMAINS
#------------------------------------------------------------------------------------------------
<VirtualHost *:80>
    ServerName blackgate.org
    RewriteEngine On
    RewriteRule ^/?(.*) https://www.blackgate.org/$1 [R,L]
</VirtualHost>
#------------------------------------------------------------------------------------------------
<VirtualHost *:80>
    ServerName plexdash.com
    RewriteEngine On
    RewriteRule ^/?(.*) https://www.plexdash.com/$1 [R,L]
</VirtualHost>
 
 
#------------------------------------------------------------------------------------------------
#                                       MAIN REDIRECTIONS
#------------------------------------------------------------------------------------------------
<VirtualHost *:80>
 ServerName blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
 
     ServerAlias www.blackgate.org
     ServerAlias su-login.blackgate.org
     ServerAlias serv.blackgate.org
     ServerAlias piwik.blackgate.org
 
     ServerAlias plexpy.blackgate.org
     ServerAlias plexdash.blackgate.org
     ServerAlias emby.blackgate.org
     ServerAlias stream.blackgate.org
     ServerAlias request.blackgate.org
 
     ServerAlias cloud.blackgate.org
     ServerAlias office.blackgate.org     
     ServerAlias ucloud.blackgate.org
 
     ServerAlias wiki.blackgate.org
     ServerAlias index.blackgate.org
     ServerAlias xxx.blackgate.org
     ServerAlias test.blackgate.org
 
     RewriteEngine On
     RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
 
<VirtualHost *:80>
 ServerName plexdash.com
 #
     ServerAdmin michael.r467@gmail.com
 
     ServerAlias www.plexdash.com
     ServerAlias demo.plexdash.com
     ServerAlias get.plexdash.com
 
     RewriteEngine On
     RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
 
 
#------------------------------------------------------------------------------------------------
#                                       FURTHER SERVICES
#------------------------------------------------------------------------------------------------
<VirtualHost *:80>
 ServerName 83.150.6.68
 #
     ProxyPreserveHost On
     ProxyRequests off
     ProxyPass / http://www.google.ch/
     ProxyPassReverse / http://www.google.ch/
</VirtualHost>
 
<VirtualHost *:80>
 ServerName test.blackgate.org
 #
     ProxyPreserveHost On
     ProxyRequests off
     ProxyPass / http://192.168.1.21/
     ProxyPassReverse / http://192.168.1.21/
 
 # !!! If access without HTTPS is desired.
 #    <Proxy http://192.168.1.21/>
 #        Require all granted
 #    </Proxy>
</VirtualHost>
proxy_https_blackgate.conf
<IfModule mod_ssl.c>
 
#------------------------------------------------------------------------------------------------
#                                       MAIN SERVICES
#------------------------------------------------------------------------------------------------
 
<VirtualHost *:443>
 ServerName www.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
 
     ProxyPass /error_docs !
     ErrorDocument 503 /error_docs/ServiceUnavailable.html
 
     ProxyPass 		/netdata http://192.168.1.23:19999/
     ProxyPassReverse 	/netdata http://192.168.1.23:19999/
     ProxyPass 		/ http://192.168.1.21/
     ProxyPassReverse 	/ http://192.168.1.21/
 
     <Proxy http://192.168.1.23:19999/>
             Order deny,allow
             Allow from all
     </Proxy>
     <Proxy http://192.168.1.21/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
     ServerName su-login.blackgate.org
     #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
 
     RewriteEngine On
     RewriteCond %{HTTP:Upgrade} =websocket [NC]
     RewriteRule /(.*) ws://192.168.1.11:8080/guacamole/$1 [P,L]
     RewriteCond %{HTTP:Upgrade} !=websocket [NC]
     RewriteRule /(.*) http://192.168.1.11:8080/guacamole/$1 [P,L]
 
     ProxyPass / http://192.168.1.11:8080/guacamole/ flushpackets=On
     ProxyPassReverse / http://192.168.1.11:8080/guacamole/
 
     ProxyPassReverseCookiePath /guacamole /
 
     <Proxy *>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName serv.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.21:5066/
     ProxyPassReverse / http://192.168.1.21:5066/
     <Proxy http://192.168.1.21:5066/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName piwik.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://127.0.0.1/
     ProxyPassReverse / http://127.0.0.1/
     <Proxy http://127.0.0.1/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName emby.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.19:8096/
     ProxyPassReverse / http://192.168.1.19:8096/
     <Proxy http://192.168.1.19:8096/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
 
#------------------------------------------------------------------------------------------------
#                                       PLEX SERVICES
#------------------------------------------------------------------------------------------------
 
<VirtualHost *:443>
 ServerName plexpy.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.23:8181/
     ProxyPassReverse / http://192.168.1.23:8181/
     <Proxy http://192.168.1.23:8181/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName plexdash.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.23/plexDash/
     ProxyPassReverse / http://192.168.1.23/plexDash/
</VirtualHost>
 
<VirtualHost *:443>
 ServerName request.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.23:3000/
     ProxyPassReverse / http://192.168.1.23:3000/
     <Proxy http://192.168.1.23:3000/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName stream.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     Options -Includes -ExecCGI
     LimitRequestBody 512000
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3 +TLSv1.2
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     Header always set X-Frame-Options DENY
     FileETag None
     TraceEnable off
     Header set X-XSS-Protection "1; mode=block"
     Timeout 60
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     <Location /:/websockets/notifications>
        ProxyPass wss://192.168.1.23:32400/:/websockets/notifications
        ProxyPassReverse wss://192.168.1.23:32400/:/websockets/notifications
     </Location>
 
     <Proxy *>
        Order deny,allow
        Allow from all
     </Proxy>
 
     ProxyRequests Off
     ProxyPreserveHost On
     SSLProxyEngine On
     RequestHeader set Front-End-Https "On"
     ProxyPass / http://192.168.1.23:32400/
     ProxyPassReverse / http://192.168.1.23:32400/
</VirtualHost>
 
 
#------------------------------------------------------------------------------------------------
#                                       CLOUD SERVICES
#------------------------------------------------------------------------------------------------
 
<VirtualHost *:443>
 ServerName cloud.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
 
     ProxyPass /error_docs !
     ErrorDocument 503 /error_docs/ServiceUnavailable.html
 
     ProxyPass / http://192.168.1.24/ retry=1 acquire=3000 Timeout=5400 Keepalive=On
     ProxyPassReverse / http://192.168.1.24/
     <Proxy http://192.168.1.24/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName office.blackgate.org:443
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
     SSLHonorCipherOrder on
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
 
     # Encode Slashes
     AllowEncodedSlashes On
 
     # No SSL-Cert validation!
     SSLProxyEngine On
     SSLProxyVerify None
     SSLProxyCheckPeerCN off
     SSLProxyCheckPeerName off
 
     # keep host name
     ProxyPreserveHost On
 
     ProxyPass           / https://192.168.1.24:9980/
     ProxyPassReverse    / https://192.168.1.24:9980/    
     # static html, js, images, etc. served from loolwsd
     # loleaflet is the client part of LibreOffice Online
     ProxyPass           /loleaflet https://192.168.1.24:9980/loleaflet retry=0
     ProxyPassReverse    /loleaflet https://192.168.1.24:9980/loleaflet
     # WOPI discovery URL
     ProxyPass           /hosting/discovery https://192.168.1.24:9980/hosting/discovery retry=0
     ProxyPassReverse    /hosting/discovery https://192.168.1.24:9980/hosting/discovery
     # Main websocket
     ProxyPassMatch "/lool/(.*)/ws$" wss://192.168.1.24:9980/lool/$1/ws
     # Admin Console websocket
     ProxyPass   /lool/adminws wss://192.168.1.24:9980/lool/adminws
     # Download as, Fullscreen presentation and Image upload operations
     ProxyPass           /lool https://192.168.1.24:9980/lool
     ProxyPassReverse    /lool https://192.168.1.24:9980/lool
 
</VirtualHost>
 
 
<VirtualHost *:443>
 ServerName ucloud.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.12/ retry=1 acquire=3000 Timeout=5400 Keepalive=On
     ProxyPassReverse / http://192.168.1.12/
     <Proxy http://192.168.1.12/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
 
#------------------------------------------------------------------------------------------------
#                                       OTHER SERVICES
#------------------------------------------------------------------------------------------------
 
<VirtualHost *:443>
 ServerName xxx.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.14/ retry=1 acquire=3000 Timeout=7200 Keepalive=On flushpackets=On
     ProxyPassReverse / http://192.168.1.14/
     <Proxy http://192.168.1.14/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName index.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.7/
     ProxyPassReverse / http://192.168.1.7/
</VirtualHost>
 
<VirtualHost *:443>
 ServerName wiki.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.10/
     ProxyPassReverse / http://192.168.1.10/
     <Proxy http://192.168.1.10/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName test.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://192.168.1.26/
     ProxyPassReverse / http://192.168.1.26/     
</VirtualHost>
 
<VirtualHost *:443>
 ServerName demo.blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
     ProxyPass / http://google.ch/
     ProxyPassReverse / http://google.ch/
     <Proxy *>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
#<VirtualHost *:443>
#     ServerAlias *.blackgate.org
#     SSLEngine on
#     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#     SSLProtocol All -SSLv2 -SSLv3
#     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
#     SSLCertificateFile /etc/letsencrypt/live/blackgate.org/cert.pem
#     SSLCertificateKeyFile /etc/letsencrypt/live/blackgate.org/privkey.pem
#     SSLCertificateChainFile /etc/letsencrypt/live/blackgate.org/chain.pem
#     RewriteEngine On
#     Redirect 301 / https://www.blackgate.org
#</VirtualHost>
 
 
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
proxy_https_plexdash.conf
#------------------------------------------------------------------------------------------------
#                                       MAIN SERVICES
#------------------------------------------------------------------------------------------------
 
<VirtualHost *:443>
 ServerName www.plexdash.com
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/plexdash.com/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/plexdash.com/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/plexdash.com/chain.pem
 
     ProxyPass /error_docs !
     ErrorDocument 503 /error_docs/ServiceUnavailable.html
 
     ProxyPass          / http://192.168.1.22/
     ProxyPassReverse   / http://192.168.1.22/
 
     <Proxy http://192.168.1.22/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName demo.plexdash.com
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/plexdash.com/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/plexdash.com/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/plexdash.com/chain.pem
 
     ProxyPass /error_docs !
     ErrorDocument 503 /error_docs/ServiceUnavailable.html
 
     ProxyPass          /netdata http://192.168.1.23:19999/
     ProxyPassReverse   /netdata http://192.168.1.23:19999/
     ProxyPass          / http://192.168.1.22/_pD-demo/
     ProxyPassReverse   / http://192.168.1.22/_pD-demo/
 
     <Proxy http://192.168.1.23:19999/>
             Order deny,allow
             Allow from all
     </Proxy>
     <Proxy http://192.168.1.22/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName dev.plexdash.com
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/plexdash.com/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/plexdash.com/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/plexdash.com/chain.pem
 
     ProxyPass /error_docs !
     ErrorDocument 503 /error_docs/ServiceUnavailable.html
 
     ProxyPass          /netdata http://192.168.1.23:19999/
     ProxyPassReverse   /netdata http://192.168.1.23:19999/
     ProxyPass          / http://192.168.1.22/_pD-dev/
     ProxyPassReverse   / http://192.168.1.22/_pD-dev/
 
     <Proxy http://192.168.1.23:19999/>
             Order deny,allow
             Allow from all
     </Proxy>
     <Proxy http://192.168.1.22/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
 
<VirtualHost *:443>
 ServerName get.plexdash.com
 #
     ServerAdmin michael.r467@gmail.com
     SSLEngine on
     SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
     SSLProtocol All -SSLv2 -SSLv3
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLCertificateFile /etc/letsencrypt/live/plexdash.com/cert.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/plexdash.com/privkey.pem
     SSLCertificateChainFile /etc/letsencrypt/live/plexdash.com/chain.pem
 
     ProxyPass /error_docs !
     ErrorDocument 503 /error_docs/ServiceUnavailable.html
 
     ProxyPass          / http://192.168.1.22/_buy/
     ProxyPassReverse   / http://192.168.1.22/_buy/
 
     <Proxy http://192.168.1.22/>
             Order deny,allow
             Allow from all
     </Proxy>
</VirtualHost>
letsencript_dummy.conf
<VirtualHost *:80>
 ServerName blackgate.org
 #
     ServerAdmin michael.r467@gmail.com
 
     ServerAlias www.blackgate.org
     ServerAlias su-login.blackgate.org
     ServerAlias serv.blackgate.org
     ServerAlias piwik.blackgate.org
 
     ServerAlias plexpy.blackgate.org
     ServerAlias plexdash.blackgate.org
     ServerAlias emby.blackgate.org
     ServerAlias stream.blackgate.org
     ServerAlias request.blackgate.org
 
     ServerAlias cloud.blackgate.org
     ServerAlias office.blackgate.org     
     ServerAlias ucloud.blackgate.org
 
     ServerAlias wiki.blackgate.org
     ServerAlias index.blackgate.org
     ServerAlias xxx.blackgate.org
     ServerAlias test.blackgate.org
 
   DocumentRoot /var/www/html
 #
</VirtualHost>
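
Before enabling these sites, a pre-flight check catches the mistakes this kind of configuration is prone to. The following Python linter is an added example, not part of the original page or of any project it describes: it parses vhost files in the layout shown above and reports hostnames that the *:80 vhost redirects to HTTPS without a matching *:443 vhost (such a request ends up on Apache's default TLS vhost and its backend), certificate paths that do not exist yet (the restart failure the text warns about), TLS vhosts lacking SSLEngine on, HSTS or an SSLv3 exclusion, a RewriteRule whose substitution is missing, and ws:// or wss:// targets while mod_proxy_wstunnel is not enabled. The sample configs, example.org and the 192.0.2.x addresses are constructed; the mods-enabled path assumes the Debian layout that the a2enmod commands on this page imply.

```python
import os
import re

# Constructed sample configs in the layout of the page's vhost files (not the author's
# files); example.org and 192.0.2.x are documentation placeholders. wiki.example.org has
# no TLS vhost and guac.example.org lacks HSTS on purpose, so the linter finds something.
SAMPLE_HTTP_CONF = """
<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias wiki.example.org guac.example.org
    RewriteEngine On
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
"""
SAMPLE_HTTPS_CONF = """
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    SSLCertificateFile /etc/letsencrypt/live/example.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
    ProxyPass / http://192.0.2.21/
</VirtualHost>
<VirtualHost *:443>
    ServerName guac.example.org
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile /etc/letsencrypt/live/example.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
    RewriteEngine On
    RewriteRule /(.*) ws://192.0.2.11:8080/guacamole/$1 [P,L]
    ProxyPass / http://192.0.2.11:8080/guacamole/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")


def parse_vhosts(text):
    """Return [{'addr': '*:443', 'names': [...], 'body': str}, ...]; comment lines are
    dropped first so a commented-out vhost is not counted."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    vhosts = []
    for addr, body in VHOST_RE.findall(live):
        names = []
        for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", body, re.M):
            # ServerAlias may list several names; ServerName may carry a :port suffix
            names += [n.split(":")[0].lower() for n in m.group(1).split()]
        vhosts.append({"addr": addr.strip(), "names": names, "body": body})
    return vhosts


def enabled_modules(mods_dir="/etc/apache2/mods-enabled"):
    """Modules enabled with a2enmod (Debian layout: one <name>.load symlink each)."""
    if not os.path.isdir(mods_dir):
        return set()
    return {f[:-len(".load")] for f in os.listdir(mods_dir) if f.endswith(".load")}


def lint(http_text, https_text, exists=os.path.exists, enabled_mods=()):
    """Findings as readable strings; an empty list means the sites are safe to enable.
    `exists` and `enabled_mods` are injectable so the check can run offline."""
    findings = []
    tls = [v for v in parse_vhosts(https_text) if v["addr"].endswith(":443")]
    tls_names = {n for v in tls for n in v["names"]}
    # 1. Names the *:80 vhost redirects to https://%{SERVER_NAME}/ without a *:443 vhost
    #    of their own are answered by Apache's default (first) TLS vhost and its backend.
    for v in parse_vhosts(http_text):
        if v["addr"].endswith(":80") and "%{SERVER_NAME}" in v["body"]:
            findings += [f"{n}: redirected to HTTPS but no *:443 vhost serves it"
                         for n in v["names"] if n not in tls_names]
    for v in tls:
        label, body = (v["names"] or [v["addr"]])[0], v["body"]
        # 2. Missing certificate files make Apache refuse to (re)start: the failure the
        #    text warns about when the HTTPS site is enabled before certonly has run.
        for directive in CERT_DIRECTIVES:
            for path in re.findall(rf"^\s*{directive}\s+(\S+)", body, re.M):
                if not exists(path):
                    findings.append(f"{label}: {directive} {path} does not exist")
        # 3. Per-vhost TLS hygiene as the page applies it.
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            findings.append(f"{label}: SSLEngine is not on")
        if not re.search(r"^\s*Header\s+always\s+set\s+Strict-Transport-Security\b", body, re.M | re.I):
            findings.append(f"{label}: no Strict-Transport-Security header")
        if re.search(r"^\s*SSLProtocol\b.*\bAll\b", body, re.M | re.I) and not re.search(r"^\s*SSLProtocol\b.*-SSLv3", body, re.M):
            findings.append(f"{label}: SSLProtocol All does not exclude SSLv3")
        # 4. "RewriteRule <pattern><subst> [flags]" with the space missing is read as a
        #    pattern plus the substitution "[P,L]", so the intended proxying never happens.
        for rule in re.findall(r"^\s*RewriteRule\s+(.+?)\s*$", body, re.M):
            parts = rule.split()
            if len(parts) == 2 and parts[1].startswith("["):
                findings.append(f"{label}: RewriteRule '{rule}' has flags but no substitution")
        # 5. ws:// and wss:// targets are only proxied when mod_proxy_wstunnel is loaded.
        if re.search(r"\bwss?://", body) and "proxy_wstunnel" not in enabled_mods:
            findings.append(f"{label}: websocket target but proxy_wstunnel is not enabled")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_HTTP_CONF, SAMPLE_HTTPS_CONF, enabled_mods=enabled_modules()):
        print(finding)
```

On the proxy itself, call lint() with the contents of /etc/apache2/sites-available/proxy_http.conf and proxy_https_blackgate.conf and enabled_mods=enabled_modules(), run apache2ctl configtest as a second check, and a2ensite only once the finding list is empty.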

For the next step we need to enable letsencript_dummy.conf. All other sites remain disabled.

# a2ensite letsencript_dummy.conf

In the first step, a new certificate is now generated for the domain “blackgate.org” and the sub-domains of the reverse proxy. For better security we set the key size to 4096 bits instead of the usual 2048!

# cd /opt/letsencrypt/
# ./letsencrypt-auto certonly --rsa-key-size 4096 -d blackgate.org -d xxx.blackgate.org -d cloud.blackgate.org -d su-login.blackgate.org -d plexpy.blackgate.org -d wiki.blackgate.org -d serv.blackgate.org -d www.blackgate.org -d stream.blackgate.org -d emby.blackgate.org -d request.blackgate.org -d index.blackgate.org -d ucloud.blackgate.org -d ilo3.blackgate.org -d plexdash.blackgate.org -d test.blackgate.org

After a successful run and the message that the certificate has been created at /etc/letsencrypt/live/blackgate.org/cert.pem, you can continue with the next step.

Since the Let's Encrypt certificate is only valid for three weeks, automatic renewal of the certificate is recommended here. This is achieved with a new crontab entry.

# vim /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
0  12   * * 6   root    /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
#

If everything has worked so far, letsencript_dummy.conf can now be disabled and the actual proxy switched on.

# a2dissite letsencript_dummy.conf

# a2ensite blackgate.org.conf
# a2ensite proxy_http.conf
# a2ensite proxy_https_blackgate.conf
# service apache2 reload

“proxy_https_plexdash.conf” may only be enabled once certificates exist for it as well (otherwise adjust the certificate path in that conf file).


None of the configuration changes made here have a direct influence on the proxy function; they serve solely to improve security and personalisation.

To harden the Apache2 web server, the security.conf configuration file is now adjusted as follows:

# vim /etc/apache2/conf-enabled/security.conf
security.conf
# ServerTokens
ServerTokens Prod
 
ServerSignature Off
 
# Allow TRACE method
TraceEnable Off
 
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header set X-Frame-Options: "sameorigin"
# service apache2 reload
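
A hardening setting is only worth as much as the response that actually leaves the server, so the change is best verified from the client side. The following Python checker is an added example, not from the original page: it parses a raw HTTP/1.x response and reports a Server header longer than the bare "Apache" that ServerTokens Prod produces, a missing or weak X-Frame-Options header, and a missing or short Strict-Transport-Security header on HTTPS responses. The sample response is constructed, and the one-year minimum max-age is an assumption of the example, not a value taken from the page.

```python
import re

# One year in seconds, a common recommendation for the HSTS max-age (assumption of this
# example, not a value from the page; the page's vhosts use two years).
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample response, modelled on what the hardened proxy should return over
# HTTPS (not a capture from the author's server).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 16 Jun 2017 11:20:00 GMT\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubdomains; preload\r\n"
    "X-Frame-Options: sameorigin\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


def parse_response_headers(raw):
    """Split a raw HTTP/1.x response into (status line, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_headers(headers, https=True):
    """Return the deviations from the hardening this page configures."""
    problems = []
    # ServerTokens Prod reduces the banner to just "Apache"; anything longer reveals the
    # version and loaded modules (ServerSignature Off keeps it out of error pages too).
    server = headers.get("server", "")
    if server and server.lower() != "apache":
        problems.append(f"Server header reveals detail: {server!r} (expected 'Apache' with ServerTokens Prod)")
    # X-Frame-Options DENY or SAMEORIGIN is what stops other sites framing this one.
    xfo = headers.get("x-frame-options", "").lower()
    if xfo not in ("deny", "sameorigin"):
        problems.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking not prevented)")
    # HSTS only counts on HTTPS responses; browsers ignore it over plain HTTP.
    hsts = headers.get("strict-transport-security")
    if https:
        if hsts is None:
            problems.append("Strict-Transport-Security missing on an HTTPS response")
        else:
            m = re.search(r"max-age=(\d+)", hsts)
            if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
                problems.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}: {hsts!r}")
    return problems


def audit_raw(raw, https=True):
    """Convenience wrapper: raw response text in, list of problems out."""
    _, headers = parse_response_headers(raw)
    return audit_headers(headers, https)


def fetch_headers(host, path="/"):
    """Live query of one of your own vhosts (not used in the offline demo below)."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path, headers={"Host": host})
    return {k.lower(): v for k, v in conn.getresponse().getheaders()}


if __name__ == "__main__":
    problems = audit_raw(SAMPLE_RESPONSE)
    print("\n".join(problems) if problems else "sample response passes all checks")
```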

To serve custom error pages from an Apache reverse proxy, the following snippet must be added to the main Apache2 configuration file after the last </Directory> entry:

snippet
Alias /error_docs /var/www/error_pages
ProxyPass /error_docs !
ErrorDocument 400 /error_docs/BadRequest.html
ErrorDocument 401 /error_docs/Unauthorized.html
ErrorDocument 403 /error_docs/Forbidden.html
ErrorDocument 404 /error_docs/NotFound.html
ErrorDocument 500 /error_docs/ServerError.html
ErrorDocument 503 /error_docs/server_offline.html
# vim /etc/apache2/apache2.conf

After saving, the error documents mentioned (same naming as above, e.g. BadRequest.html) are copied to /var/www/error_pages.

ErrorPages:

# chown -R www-data:www-data /var/www/error_pages/
# service apache2 reload

To add further sub-domains to the existing ones, proceed as follows:

  1. Adjust the proxy sites and enter the new sub-domain names.
    # vim /etc/apache2/sites-available/proxy_http.conf
    # vim /etc/apache2/sites-available/proxy_https.conf 
  2. Change to the Let's Encrypt binary and run the last certonly command (search for it with CTRL + R) with the new domain appended at the end, e.g. “-d NEW-DOM.DOMAIN.COM”.
    # cd /opt/letsencrypt/
    # ./letsencrypt-auto certonly --rsa-key-size 4096 -d blackgate.org -d xxx.blackgate.org -d cloud.blackgate.org -d su-login.blackgate.org -d plexpy.blackgate.org -d wiki.blackgate.org -d serv.blackgate.org -d www.blackgate.org -d stream.blackgate.org -d emby.blackgate.org -d request.blackgate.org -d index.blackgate.org -d ucloud.blackgate.org -d proxy.blackgate.org -d plexdash.blackgate.org -d test.blackgate.org -d piwik.blackgate.org
  3. Finally, the Apache service must be reloaded so that the new certificate is picked up.
     # service apache2 reload
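
Step 2 only helps if the renewed certificate really lists every hostname the *:443 vhosts serve; otherwise the browser reports a name mismatch for the new sub-domain after step 3. The following Python check is an added example, not from the original page: it takes the DNS entries of a certificate's subjectAltName extension (as printed by openssl x509 -text) and the list of vhost hostnames, applies the one-label wildcard rule used in certificate name matching, and reports names the certificate does not cover as well as certificate names no vhost serves. The SAN text, the example.org names and the wildcard entry are constructed; the page's certificates list every name explicitly.

```python
import re
import subprocess

# Constructed excerpt of `openssl x509 -in cert.pem -noout -text` output (not the
# author's certificate). The wildcard entry is there to show how it is matched.
SAMPLE_SAN_TEXT = """            X509v3 Subject Alternative Name:
                DNS:example.org, DNS:www.example.org, DNS:wiki.example.org, DNS:*.demo.example.org
"""

# Hostnames the *:443 vhosts answer for (constructed; on the real system collect every
# ServerName and ServerAlias of the TLS vhosts).
SAMPLE_VHOST_NAMES = ["www.example.org", "wiki.example.org", "cloud.example.org",
                      "demo.example.org", "a.demo.example.org"]


def certificate_text(cert_path):
    """Human-readable dump of a certificate on disk, e.g. the live cert.pem (needs openssl)."""
    return subprocess.run(["openssl", "x509", "-in", cert_path, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout


def parse_san_dns(text):
    """All DNS entries of the subjectAltName extension, lower-cased, in certificate order."""
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", text)]


def san_matches(san, host):
    """Exact match, or a leading wildcard that covers exactly one label:
    *.demo.example.org covers a.demo.example.org, but neither demo.example.org
    nor x.y.demo.example.org."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return host.endswith(san[1:]) and host.count(".") == san.count(".")
    return san == host


def uncovered_hosts(hostnames, san_text):
    """Vhost names the certificate does not cover: clients will see a name mismatch."""
    sans = parse_san_dns(san_text)
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


def unused_sans(hostnames, san_text):
    """Certificate names no vhost serves any more (left over after a vhost was removed)."""
    sans = parse_san_dns(san_text)
    return [s for s in sans if not any(san_matches(s, h) for h in hostnames)]


if __name__ == "__main__":
    print("not covered by the certificate:", uncovered_hosts(SAMPLE_VHOST_NAMES, SAMPLE_SAN_TEXT))
    print("in the certificate but unused: ", unused_sans(SAMPLE_VHOST_NAMES, SAMPLE_SAN_TEXT))
```

Every name reported by uncovered_hosts() has to be appended as a further -d argument to the certonly command in step 2 before the reload in step 3 does any good.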
  • Last modified: 2017/06/16 11:20
  • by michael