Friday, 19 August 2016

Setting up a reverse proxy on RHEL / CentOS 7

Install apache and the relevant SSL modules with:

yum update && yum install httpd mod_ssl

We should also ensure the 'mod_proxy' module is installed so that we can serve up our backend.

Typically you should not need to install the module as it comes bundled with the standard httpd package on RHEL - although to enable it we must make a few configuration changes to the httpd.conf file:

vi /etc/httpd/conf/httpd.conf

In some cases there might be an include statement to conf.modules.d - so we might need to edit the following file instead:

vi /etc/httpd/conf.modules.d/00-proxy.conf

And ensure the following lines have been uncommented:

LoadModule proxy_module modules/
LoadModule proxy_balancer_module modules/
LoadModule proxy_http_module modules/

Proceed by reloading the server:

sudo systemctl restart httpd

We should create a directory to hold our certificate and key:

mkdir -p /etc/httpd/ssl

then move our public and private key into the newly created directory.

and finally ensure they are locked down with:

chmod -R 400 /etc/httpd/ssl

We can now create our virtual host:

vi /etc/httpd/conf.d/
chmod 644 /etc/httpd/conf.d/

And add the following:

<VirtualHost *:443>

ProxyPreserveHost On

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

SSLEngine on
SSLCertificateFile /etc/httpd/ssl/ssl_cert.pem
SSLCertificateKeyFile /etc/httpd/ssl/ssl_cert.key

# The location of the HTML files, and access control information
DocumentRoot /var/www/html/
<Directory /var/www/html/>
Options -Indexes
Order allow,deny
Allow from all

Note: If your backend is using https you will also need to ensure the SSLProxyEngine directive is set to: 'On'.

Test the configuration with:

apachectl configtest

Also keep in mind that if you have SELinux turned on you may need to either compile the nesasery rules to allow apache to access the local web server running on tcp/8080 ( or disable it (although strongly discouraged.)

Proceed by restarting the server:

sudo systemctl httpd restart

Ensure the appropriate DNS records are setup and attempt to access your site - verifying the request is hitting the server listening on localhost tcp/8080.



Post a Comment