Apache Reverse Proxy and Firewall
Install apache2
sudo apt install apache2
Activate modules
sudo a2enmod headers rewrite proxy proxy_html proxy_http ssl vhost_alias
Apache Reverse Proxy Configuration
sudo vim /etc/apache2/sites-available/dms.yourdomain.de_httpd.conf
<VirtualHost YOURPUBLICIP:7080 127.0.0.1:7080>
# Plain-HTTP vhost: it serves nothing itself and only redirects every request
# to HTTPS. A matching "Listen 7080" (e.g. in ports.conf) is required for this
# vhost to bind; it is not shown on this page.
ServerName dms.yourdomain.de
RewriteEngine On
RewriteCond %{HTTPS} off
# NOTE(review): %{HTTP_HOST} keeps whatever port the client sent. If clients
# reach this vhost on :7080 directly (no 80/443 port-forward in front of it),
# the redirect target keeps ":7080" and will not hit the TLS vhost on 7081 -
# confirm against the deployment.
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
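<VirtualHost YOURPUBLICIP:7081 127.0.0.1:7081>
# TLS vhost: terminates HTTPS and reverse-proxies to the DMS on localhost:8080.
# A matching "Listen 7081" (e.g. in ports.conf) is required and not shown here.
ServerName dms.YOURDOMAIN.de
ServerAdmin info@YOURDOMAIN.de
ErrorLog ${APACHE_LOG_DIR}/error-sismics.log
CustomLog ${APACHE_LOG_DIR}/access-sismics.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/YOURDOMAIN.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOURDOMAIN.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURDOMAIN.de/chain.pem
# Forward-secret suites only; SSLv2/3 and TLS 1.0/1.1 are switched off below.
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# HSTS for two years including subdomains. "preload" is a long-term commitment
# for this host and its subdomains; keep it only if submission to the preload
# list is intended.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
#Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
#Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
Header unset X-Powered-By
Header set Referrer-Policy "origin-when-cross-origin"
# Force HttpOnly and Secure on every cookie the backend sets. If the backend
# already sets these flags they are appended a second time (harmless).
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
# Legacy header: current browsers ignore it and it is no substitute for a CSP.
Header set X-XSS-Protection "1; mode=block"
# Upgrade insecure gravatar icons to load from https instead of http.
# Apache does not accept trailing "#" comments on a directive line (the
# original inline comment was parsed as extra arguments), so the note
# lives on its own line.
Header always set Content-Security-Policy "upgrade-insecure-requests;"
# Requires Apache >= 2.4
SSLCompression off
#SSLUseStapling on
#SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
# Reverse proxy only - never act as an open forward proxy.
ProxyRequests Off
# Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
<Proxy *>
Require all granted
</Proxy>
ProxyPass / http://localhost:8080/dms/
ProxyPassReverse / http://localhost:8080/dms/
<Location />
# NOTE(review): 100 MB renegotiation buffer per request. No per-location SSL
# settings are configured in this vhost, so renegotiation should not occur;
# confirm the value is still needed before keeping it.
SSLRenegBufferSize 100000000
Require all granted
</Location>
# /api/app itself is blocked; everything below it is re-allowed by the regex
# section that follows (later Location sections take precedence). The 2.2
# Order/Deny/Allow directives were replaced by 2.4 "Require" - the old form
# needs mod_access_compat and mixing both styles in one context is
# discouraged. AllowOverride is only valid in <Directory> context and causes
# a startup error inside <Location>, so it was removed.
<Location "/api/app">
Require all denied
</Location>
<Location ~ "/api/app/.*">
Require all granted
</Location>
# Strip a trailing slash with a permanent redirect, except for real directories.
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [R=301,L]
</VirtualHost>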
Firewall Blocking Rule
Block direct access to Jetty 9 on port 8080 (inbound and outbound TCP traffic on that port from anything other than the loopback interface, since the proxy above connects via localhost:8080) so that the application is reachable only through the TLS-secured reverse proxy. Use iptables or a similar tool.