Difference between revisions of "Apache Proxy"
Jump to navigation
Jump to search
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
| Line 8: | Line 8: | ||
ProxyPass /.well-known/ ! | ProxyPass /.well-known/ ! | ||
</pre> | </pre> | ||
| + | Alternatively | ||
| + | <pre> | ||
| + | <VirtualHost *:80> | ||
| + | <Location "/.well-known/acme-challenge/"> | ||
| + | allow from all | ||
| + | </Location> | ||
| + | RewriteEngine On | ||
| + | RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/(.*)$ | ||
| + | RewriteCond %{HTTPS} off | ||
| + | RewriteRule ^/(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} | ||
| + | </VirtualHost> | ||
| + | |||
| + | </pre> | ||
<ref>https://certbot.eff.org/docs/using.html#webroot</ref> | <ref>https://certbot.eff.org/docs/using.html#webroot</ref> | ||
<pre> | <pre> | ||
Revision as of 15:37, 12 April 2019
Certbot Letsencrypt
In this case I am trying to use webroot verification to obtain a certificate for a running site behind a proxy. This is all done using docker containers. Still working on the specifics, but one issue I am running into is that SELinux on CentOS 7 doesn't like processes from containers hitting ZFS directories created by Docker. Will need to finish migrating these containers to VMs running on the CentOS 7 host.
I digress.
- Make sure you prevent the proxy from proxying the challenge[1] by adding the following to your vhost for the domain.
ProxyPass /.well-known/ !
Alternatively
<VirtualHost *:80>
<Location "/.well-known/acme-challenge/">
allow from all
</Location>
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/(.*)$
RewriteCond %{HTTPS} off
RewriteRule ^/(.*)$ https://%{SERVER_NAME}%{REQUEST_URI}
</VirtualHost>
sudo docker run --rm --name certbot -v /proxy/sitefiles:/var/www/ -v /proxy/certs/letsencrypt:/etc/letsencrypt \ certbot/certbot certonly --agree-tos -m your@email.com --webroot -w /var/www/ -d your.domain.com
SSL Handshake with remote server favicon.ico
While trying to set an ssl proxy, I ran into an issue where the ssl handshake would not work with the stupid website icon.
Error during SSL Handshake with remote server returned by /favicon.ico
In this case it was ok to ignore the authenticity of the connection, restricted use case and something that I would normally not do[3]
SSLProxyEngine On SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off
Proxy vhost sample
Listen 8080 LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_connect_module modules/mod_proxy_connect.so LoadModule proxy_html_module modules/mod_proxy_html.so LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so LoadModule proxy_scgi_module modules/mod_proxy_scgi.so LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so LoadModule proxy_ajp_module modules/mod_proxy_ajp.so LoadModule proxy_express_module modules/mod_proxy_express.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule cache_module modules/mod_cache.so LoadModule cache_disk_module modules/mod_cache_disk.so LoadModule ssl_module modules/mod_ssl.so <IfModule cache_disk_module modules> CacheRoot "/var/cache/httpd/" CacheEnable disk / CacheDirLevels 2 CacheDirLength 1 CacheMaxFileSize 52428800 </IfModule> <VirtualHost *:8080> CustomLog logs/access_log combined ErrorLog logs/error_log <IfModule proxy_module> SSLProxyEngine On SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off ProxyPass "/" "https://michaelwiki.geekgalaxy.com/" ProxyPassReverse "/" "https://michaelwiki.geekgalaxy.com/" ProxyPreserveHost On </IfModule> </VirtualHost>
