Skip to main content

Apache Reverse Proxy and Firewall

Install apache2

sudo apt install apache2

Activate modules

sudo a2enmod headers rewrite proxy proxy_html proxy_http ssl vhost_alias

Apache Reverse Proxy Configuration

sudo vim /etc/apache2/sites-available/dms.yourdomain.de_httpd.conf
<VirtualHost YOURPUBLICIP:7080 127.0.0.1:7080>
       ServerName dms.yourdomain.de
       RewriteEngine On
       RewriteCond %{HTTPS} off
       RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost YOURPUBLICIP:7081 127.0.0.1:7081>
        ServerName dms.YOURDOMAIN.de
        ServerAdmin info@YOURDOMAIN.de
 
        ErrorLog ${APACHE_LOG_DIR}/error-sismics.log
        CustomLog ${APACHE_LOG_DIR}/access-sismics.log combined
 
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/YOURDOMAIN.de/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/YOURDOMAIN.de/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/YOURDOMAIN.de/chain.pem
 
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder On
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        #Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        #Header set Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
        Header unset X-Powered-By
        Header set Referrer-Policy "origin-when-cross-origin"
        Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
        Header set X-XSS-Protection "1; mode=block"
        Header always set Content-Security-Policy "upgrade-insecure-requests;" #upgrade unsafe gravatar icons to load from https instead of http
 
        # Requires Apache >= 2.4
        SSLCompression off
        #SSLUseStapling on
        #SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
        # Requires Apache >= 2.4.11
        SSLSessionTickets Off
 
        ProxyRequests Off
 
        # Auth changes in 2.4 - see http://httpd.apache.org/docs/2.4/upgrading.html#run-time
        <Proxy *>
                Require all granted
        </Proxy>
 
        ProxyPass / http://localhost:8080/dms/
        ProxyPassReverse / http://localhost:8080/dms/
        <Location />
             SSLRenegBufferSize 100000000
             Require all granted
       </Location>
 
       <Location "/api/app">
           AllowOverride None
           Order deny,allow
           Deny from All
       </Location>
  
       <Location ~ "/api/app/.*">
           AllowOverride None
           Allow from All
       </Location>
  
       RewriteEngine on
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule ^(.*)/$ /$1 [R=301,L]
</VirtualHost>

Firewall Blocking Rule

Block direct access to Jetty9 on Port 8080 (ingoing and outgoing TCP traffic) to allow access only on SSL secured domain. Use iptables or similar.

No comments to display

Back to top