Difference between revisions of "Apache2"
From DarkWiki
(→Nagios proxy) |
|||
| (6 intermediate revisions by the same user not shown) | |||
| Line 18: | Line 18: | ||
===Nagios proxy=== | ===Nagios proxy=== | ||
| + | |||
| + | To proxy [https://www.nagios.org/ Nagios3], there are several parts that need to be proxied. | ||
<pre> | <pre> | ||
| Line 45: | Line 47: | ||
</VirtualHost> | </VirtualHost> | ||
| + | </pre> | ||
| + | |||
| + | ===Full HTTPS redirect=== | ||
| + | |||
| + | This configures a host to redirect all HTTP traffic to the HTTPS endpoint instead. | ||
| + | |||
| + | <pre> | ||
| + | <VirtualHost *:80> | ||
| + | ServerName www.darkmine.org | ||
| + | ServerAdmin webmaster@localhost | ||
| + | DocumentRoot /var/www/html | ||
| + | ErrorLog ${APACHE_LOG_DIR}/error.log | ||
| + | CustomLog ${APACHE_LOG_DIR}/access.log combined | ||
| + | <Location /> | ||
| + | RewriteEngine on | ||
| + | RewriteCond %{HTTPS} off | ||
| + | RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R] | ||
| + | </Location> | ||
| + | </VirtualHost> | ||
| + | <VirtualHost *:443> | ||
| + | ServerName www.darkmine.org | ||
| + | ServerAdmin webmaster@localhost | ||
| + | SSLEngine on | ||
| + | SSLCertificateFile /etc/letsencrypt/live/www.darkmine.org/fullchain.pem | ||
| + | SSLCertificateKeyFile /etc/letsencrypt/live/www.darkmine.org/privkey.pem | ||
| + | <FilesMatch "\.(cgi|shtml|phtml|php)$"> | ||
| + | SSLOptions +StdEnvVars | ||
| + | </FilesMatch> | ||
| + | <Directory /usr/lib/cgi-bin> | ||
| + | SSLOptions +StdEnvVars | ||
| + | </Directory> | ||
| + | DocumentRoot /var/www/html | ||
| + | ErrorLog ${APACHE_LOG_DIR}/error.log | ||
| + | CustomLog ${APACHE_LOG_DIR}/access.log combined | ||
| + | </VirtualHost> | ||
| + | </pre> | ||
| + | |||
| + | ===Go away! configuration=== | ||
| + | |||
| + | Bots and hackers will brute-force scan for security holes at the IP level. As genuine people and tools don't use IP addresses, you can assume those that use them are not wanted. This script sends them away by redirecting any requests back to themselves. | ||
| + | |||
| + | <pre> | ||
| + | <VirtualHost *:80> | ||
| + | ServerAdmin webmaster@localhost | ||
| + | <Location /> | ||
| + | RewriteEngine on | ||
| + | RewriteRule (.*) http://localhost%{REQUEST_URI} [R] | ||
| + | </Location> | ||
| + | </VirtualHost> | ||
| + | </pre> | ||
| + | |||
| + | ===Portainer=== | ||
| + | |||
| + | Portainer runs inside docker, and also uses web sockets. | ||
| + | |||
| + | <pre> | ||
| + | <VirtualHost *:80> | ||
| + | ServerName portainer.darkmine.org | ||
| + | ServerAdmin webmaster@localhost | ||
| + | ErrorLog ${APACHE_LOG_DIR}/error.log | ||
| + | CustomLog ${APACHE_LOG_DIR}/portainer.darkmine.org combined | ||
| + | |||
| + | RewriteEngine on | ||
| + | RewriteCond %{SERVER_NAME} =portainer.darkmine.org | ||
| + | RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] | ||
| + | </VirtualHost> | ||
| + | |||
| + | <IfModule mod_ssl.c> | ||
| + | <VirtualHost *:443> | ||
| + | ServerName portainer.darkmine.org | ||
| + | ServerAdmin webmaster@localhost | ||
| + | ErrorLog ${APACHE_LOG_DIR}/error.log | ||
| + | CustomLog ${APACHE_LOG_DIR}/portainer.darkmine.org combined | ||
| + | |||
| + | ProxyPass "/" "http://localhost:9000/" | ||
| + | ProxyPassReverse "/" "http://localhost:9000/" | ||
| + | |||
| + | <Location /api/websocket/> | ||
| + | RequestHeader set Connection "upgrade" | ||
| + | Header set Connection "Upgrade" | ||
| + | RequestHeader setifempty Connection "Upgrade" | ||
| + | Header set Upgrade "websocket" | ||
| + | RequestHeader setifempty Upgrade "websocket" | ||
| + | ProxyPass ws://172.17.0.1:9000/api/websocket/ | ||
| + | </Location> | ||
| + | |||
| + | SSLCertificateFile /etc/letsencrypt/live/portainer.darkmine.org/fullchain.pem | ||
| + | SSLCertificateKeyFile /etc/letsencrypt/live/portainer.darkmine.org/privkey.pem | ||
| + | Include /etc/letsencrypt/options-ssl-apache.conf | ||
| + | </VirtualHost> | ||
| + | </IfModule> | ||
| + | </pre> | ||
| + | |||
| + | ===Add OIDC authentication check=== | ||
| + | |||
| + | After installing and enabling auth_openidc: | ||
| + | |||
| + | <pre> | ||
| + | OIDCProviderMetadataURL https://oauth.rabora.com/auth/realms/rabora/.well-known/openid-configuration | ||
| + | OIDCClientID <INSERT_CLIENT_ID_HERE> | ||
| + | OIDCClientSecret <INSERT_CLIENT_SECRET_HERE> | ||
| + | OIDCCryptoPassphrase <INSERT_RANDOM_STRING_HERE> | ||
| + | OIDCRedirectURI https://logs.darkmine.org/auth/redirect | ||
| + | OIDCResponseType code | ||
| + | OIDCScope "openid" | ||
| + | OIDCSSLValidateServer Off | ||
| + | OIDCPassClaimsAs environment | ||
| + | OIDCClaimPrefix USERINFO_ | ||
| + | OIDCPassIDTokenAs payload | ||
| + | |||
| + | <Location /> | ||
| + | AuthType openid-connect | ||
| + | Require valid-user claim realm_access.roles:darkmine_admin | ||
| + | </Location> | ||
</pre> | </pre> | ||
Latest revision as of 15:15, 16 February 2021
Contents
Example configuration
Simple proxy
This example will receive HTTP requests headed towards HOSTNAME.darkmine.org, and will proxy them to the web server residing on 10.1.1.96 (port 3000). If URLs in the response have that internal IP (10.1.1.96:3000), they will be transformed to the "hostname.darkmine.org" version.
<VirtualHost *:80>
ServerName HOSTNAME.darkmine.org
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPass "/" "http://10.1.1.96:3000/"
ProxyPassReverse "/" "http://10.1.1.96:3000/"
</VirtualHost>
Nagios proxy
To proxy Nagios3, there are several parts that need to be proxied.
<VirtualHost *:80>
ServerName nagios.darkmine.org
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPass /stylesheets/ http://10.1.1.97/nagios3/stylesheets/
ProxyPassReverse /stylesheets/ http://10.1.1.97/nagios3/stylesheets/
ProxyPass /images/ http://10.1.1.97/nagios3/images/
ProxyPassReverse /images/ http://10.1.1.97/nagios3/images/
ProxyPass /cgi-bin http://10.1.1.97/nagios3/cgi-bin
ProxyPassReverse /cgi-bin http://10.1.1.97/nagios3/cgi-bin
ProxyPass /js http://10.1.1.97/nagios3/js
ProxyPassReverse /js http://10.1.1.97/nagios3/js
ProxyPass /pnp4nagios3 http://10.1.1.97/pnp4nagios3
ProxyPassReverse /pnp4nagios3 http://10.1.1.97/pnp4nagios3
ProxyPass / http://10.1.1.97/nagios3/
ProxyPassReverse / http://10.1.1.97/nagios3/
</VirtualHost>
Full HTTPS redirect
This configures a host to redirect all HTTP traffic to the HTTPS endpoint instead.
<VirtualHost *:80>
ServerName www.darkmine.org
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Location />
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerName www.darkmine.org
ServerAdmin webmaster@localhost
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.darkmine.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.darkmine.org/privkey.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Go away! configuration
Bots and hackers will brute-force scan for security holes at the IP level. As genuine people and tools don't use IP addresses, you can assume those that use them are not wanted. This script sends them away by redirecting any requests back to themselves.
<VirtualHost *:80>
ServerAdmin webmaster@localhost
<Location />
RewriteEngine on
RewriteRule (.*) http://localhost%{REQUEST_URI} [R]
</Location>
</VirtualHost>
Portainer
Portainer runs inside docker, and also uses web sockets.
<VirtualHost *:80>
ServerName portainer.darkmine.org
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/portainer.darkmine.org combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =portainer.darkmine.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName portainer.darkmine.org
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/portainer.darkmine.org combined
ProxyPass "/" "http://localhost:9000/"
ProxyPassReverse "/" "http://localhost:9000/"
<Location /api/websocket/>
RequestHeader set Connection "upgrade"
Header set Connection "Upgrade"
RequestHeader setifempty Connection "Upgrade"
Header set Upgrade "websocket"
RequestHeader setifempty Upgrade "websocket"
ProxyPass ws://172.17.0.1:9000/api/websocket/
</Location>
SSLCertificateFile /etc/letsencrypt/live/portainer.darkmine.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/portainer.darkmine.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Add OIDC authentication check
After installing and enabling auth_openidc:
OIDCProviderMetadataURL https://oauth.rabora.com/auth/realms/rabora/.well-known/openid-configuration OIDCClientID <INSERT_CLIENT_ID_HERE> OIDCClientSecret <INSERT_CLIENT_SECRET_HERE> OIDCCryptoPassphrase <INSERT_RANDOM_STRING_HERE> OIDCRedirectURI https://logs.darkmine.org/auth/redirect OIDCResponseType code OIDCScope "openid" OIDCSSLValidateServer Off OIDCPassClaimsAs environment OIDCClaimPrefix USERINFO_ OIDCPassIDTokenAs payload <Location /> AuthType openid-connect Require valid-user claim realm_access.roles:darkmine_admin </Location>
