Difference between revisions of "Apache Proxy"
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
Line 1: | Line 1: | ||
+ | ==Certbot Letsencrypt== | ||
+ | In this case I am trying to use webroot verification to obtain a certificate for a running site behind a proxy. This is all done using docker containers. Still working on the specifics, but one issue I am running into is that SELinux on CentOS 7 doesn't like processes from containers hitting ZFS directories created by Docker. Will need to finish migrating these containers to VMs running on the CentOS 7 host. | ||
+ | <br> | ||
+ | <br> | ||
+ | I digress. | ||
+ | *Make sure you prevent the proxy from proxying the challenge<ref>https://serverfault.com/questions/518355/how-to-exclude-an-url-for-apache-mod-proxy</ref> by adding the following to your vhost for the domain. | ||
+ | <pre> | ||
+ | ProxyPass /.well-known/ ! | ||
+ | </pre> | ||
+ | <ref>https://certbot.eff.org/docs/using.html#webroot</ref> | ||
+ | <pre> | ||
+ | sudo docker run --rm --name certbot -v /proxy/sitefiles:/var/www/ -v /proxy/certs/letsencrypt:/etc/letsencrypt \ | ||
+ | certbot/certbot certonly --agree-tos -m your@email.com --webroot -w /var/www/ -d your.domain.com | ||
+ | </pre> | ||
+ | |||
==SSL Handshake with remote server favicon.ico== | ==SSL Handshake with remote server favicon.ico== | ||
While trying to set an ssl proxy, I ran into an issue where the ssl handshake would not work with the stupid website icon. | While trying to set an ssl proxy, I ran into an issue where the ssl handshake would not work with the stupid website icon. |
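Review bot: The new bullet says to add `ProxyPass /.well-known/ !` "to your vhost" but not where. ProxyPass rules are matched in configuration order, so the exclusion only takes effect if it sits above the catch-all `ProxyPass "/" ...` rule shown in the sample vhost; the bullet should say so. The pattern is also wider than the webroot challenge needs: `/.well-known/acme-challenge/` would leave other `/.well-known/` paths going to the backend. The section does not say how the proxy itself serves the files certbot writes under /proxy/sitefiles (a DocumentRoot or Alias covering that directory), and without that the excluded path returns nothing useful. Finally, the certbot `<ref>` sits between the two `<pre>` blocks and is attached to no sentence; move it onto the line that introduces the docker command.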
Revision as of 09:54, 7 April 2019
==Certbot Letsencrypt==
In this case I am trying to use webroot verification to obtain a certificate for a running site behind a proxy. This is all done using docker containers. Still working on the specifics, but one issue I am running into is that SELinux on CentOS 7 doesn't like processes from containers hitting ZFS directories created by Docker. Will need to finish migrating these containers to VMs running on the CentOS 7 host.
I digress.
- Make sure you prevent the proxy from proxying the challenge[1] by adding the following to your vhost for the domain.
<pre>
ProxyPass /.well-known/ !
</pre>
<pre>
sudo docker run --rm --name certbot -v /proxy/sitefiles:/var/www/ -v /proxy/certs/letsencrypt:/etc/letsencrypt \
certbot/certbot certonly --agree-tos -m your@email.com --webroot -w /var/www/ -d your.domain.com
</pre>
==SSL Handshake with remote server favicon.ico==
While trying to set an SSL proxy, I ran into an issue where the SSL handshake would not work with the stupid website icon.
<pre>
Error during SSL Handshake with remote server returned by /favicon.ico
</pre>
In this case it was ok to ignore the authenticity of the connection, restricted use case and something that I would normally not do.[3]
<pre>
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
</pre>
==Proxy vhost sample==
<pre>
Listen 8080

# Proxy, rewrite, cache and TLS modules
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule ssl_module modules/mod_ssl.so

# Disk cache for everything served through the proxy
<IfModule cache_disk_module>
    CacheRoot "/var/cache/httpd/"
    CacheEnable disk /
    CacheDirLevels 2
    CacheDirLength 1
    CacheMaxFileSize 52428800
</IfModule>

<VirtualHost *:8080>
    CustomLog logs/access_log combined
    ErrorLog logs/error_log
    <IfModule proxy_module>
        # Backend certificate verification is switched off here
        SSLProxyEngine On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        # Forward every request to the HTTPS backend, keeping the client's Host header
        ProxyPass "/" "https://michaelwiki.geekgalaxy.com/"
        ProxyPassReverse "/" "https://michaelwiki.geekgalaxy.com/"
        ProxyPreserveHost On
    </IfModule>
</VirtualHost>
</pre>
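Added example, not the page author's configuration: the sample vhost with the ACME challenge exclusion from the Certbot section placed ahead of the catch-all rule, and with the backend certificate checks from the SSL Handshake section turned back on. The Alias target and the CA bundle path are assumptions; the backend URL and the /proxy/sitefiles webroot are taken from the page.

```apache
<VirtualHost *:8080>
    CustomLog logs/access_log combined
    ErrorLog logs/error_log

    # Serve certbot's webroot files locally.
    # Assumption: the host directory /proxy/sitefiles (mounted as the
    # certbot -w webroot) is readable by this Apache at the same path.
    Alias "/.well-known/acme-challenge/" "/proxy/sitefiles/.well-known/acme-challenge/"
    <Directory "/proxy/sitefiles/.well-known/acme-challenge/">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    SSLProxyEngine On
    # Verified variant of the "SSLProxyVerify none" block: require a
    # backend certificate that chains to a trusted CA.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    # Assumption: CentOS 7 system CA bundle. Use the issuing CA's file
    # instead if the backend certificate comes from a private CA.
    SSLProxyCACertificateFile "/etc/pki/tls/certs/ca-bundle.crt"
    # Reject a certificate whose names do not match or that has expired.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Exclusion first: ProxyPass rules are checked in configuration
    # order and the first match wins, so "!" must precede the "/" rule.
    ProxyPass "/.well-known/acme-challenge/" "!"
    ProxyPass "/" "https://michaelwiki.geekgalaxy.com/"
    ProxyPassReverse "/" "https://michaelwiki.geekgalaxy.com/"

    # With ProxyPreserveHost On, mod_proxy uses the client's Host header
    # as the TLS hostname for the backend connection, so the backend
    # certificate has to be valid for the name clients request.
    ProxyPreserveHost On
</VirtualHost>
```

Run `apachectl configtest` after editing, then request a file placed under the acme-challenge directory to confirm it is answered locally and not forwarded to the backend.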