Apache2
Example configuration
Simple proxy
This example receives HTTP requests for HOSTNAME.darkmine.org and proxies them to the web server at 10.1.1.96 (port 3000). If redirect headers in the response (Location, Content-Location, URI) carry that internal address (10.1.1.96:3000), ProxyPassReverse transforms them to the "hostname.darkmine.org" version. URLs inside the response body are not rewritten.
<VirtualHost *:80>
    ServerName HOSTNAME.darkmine.org
    ServerAdmin webmaster@localhost
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass "/" "http://10.1.1.96:3000/"
    ProxyPassReverse "/" "http://10.1.1.96:3000/"
</VirtualHost>
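Added example (not part of the original wiki page and not Apache's own code): a simplified Python model of the header rewrite that ProxyPassReverse performs for the mapping above, followed by a check for internal addresses that a client would still see. The sample response, the public base URL and all function names are assumptions made for illustration.

```python
import re

BACKEND = "http://10.1.1.96:3000/"        # ProxyPassReverse target from the page
PUBLIC = "http://hostname.darkmine.org/"  # assumed public base URL for path "/"
REWRITTEN_HEADERS = {"location", "content-location", "uri"}

# Constructed sample of a backend response (not a real capture).
SAMPLE_HEADERS = [
    ("Location", "http://10.1.1.96:3000/login"),
    ("Set-Cookie", "sid=abc; Domain=10.1.1.96; Path=/"),
    ("Link", "<http://10.1.1.96:3000/style.css>; rel=preload"),
]
SAMPLE_BODY = '<a href="http://10.1.1.96:3000/admin">admin</a> <img src="/logo.png">'

def proxy_pass_reverse(headers):
    """Model of ProxyPassReverse: only three redirect headers are mapped back."""
    out = []
    for name, value in headers:
        if name.lower() in REWRITTEN_HEADERS and value.startswith(BACKEND):
            value = PUBLIC + value[len(BACKEND):]
        out.append((name, value))
    return out

# RFC 1918 private IPv4 addresses, optionally followed by a port.
PRIVATE_IP = re.compile(
    r"\b(?:10(?:\.\d{1,3}){3}|192\.168(?:\.\d{1,3}){2}"
    r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})(?::\d+)?\b"
)

def find_leaks(headers, body):
    """Return (where, address) pairs that still expose an internal address."""
    leaks = [(name, m.group(0)) for name, value in headers
             for m in PRIVATE_IP.finditer(value)]
    leaks += [("body", m.group(0)) for m in PRIVATE_IP.finditer(body)]
    return leaks

def audit(headers, body):
    """Apply the header rewrite, then report what a client would still see."""
    rewritten = proxy_pass_reverse(headers)
    return rewritten, find_leaks(rewritten, body)

if __name__ == "__main__":
    _, leaks = audit(SAMPLE_HEADERS, SAMPLE_BODY)
    for where, addr in leaks:
        print(f"internal address {addr} still visible in {where}")
```

Cookie domains are handled by the separate ProxyPassReverseCookieDomain directive, and URLs in the body need an output filter such as mod_proxy_html; plain ProxyPassReverse covers neither.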
Nagios proxy
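Nagios3 serves its stylesheets, images, CGI scripts, JavaScript and pnp4nagios3 under separate paths, so each needs its own proxy mapping. The catch-all "/" mapping comes last because ProxyPass rules are checked in configuration order.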
<VirtualHost *:80>
    ServerName nagios.darkmine.org
    ServerAdmin webmaster@localhost
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPass /stylesheets/ http://10.1.1.97/nagios3/stylesheets/
    ProxyPassReverse /stylesheets/ http://10.1.1.97/nagios3/stylesheets/
    ProxyPass /images/ http://10.1.1.97/nagios3/images/
    ProxyPassReverse /images/ http://10.1.1.97/nagios3/images/
    ProxyPass /cgi-bin http://10.1.1.97/nagios3/cgi-bin
    ProxyPassReverse /cgi-bin http://10.1.1.97/nagios3/cgi-bin
    ProxyPass /js http://10.1.1.97/nagios3/js
    ProxyPassReverse /js http://10.1.1.97/nagios3/js
    ProxyPass /pnp4nagios3 http://10.1.1.97/pnp4nagios3
    ProxyPassReverse /pnp4nagios3 http://10.1.1.97/pnp4nagios3
    ProxyPass / http://10.1.1.97/nagios3/
    ProxyPassReverse / http://10.1.1.97/nagios3/
</VirtualHost>
Full HTTPS redirect
This configures a host to redirect all HTTP traffic to the HTTPS endpoint instead.
<VirtualHost *:80>
    ServerName www.darkmine.org
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Rewrite rules sit at virtual-host level; mod_rewrite inside <Location> is unsupported.
    RewriteEngine on
    RewriteCond %{HTTPS} off
    # %{HTTP_HOST} is the Host header sent by the client, so the redirect keeps the requested name.
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
</VirtualHost>
<VirtualHost *:443>
    ServerName www.darkmine.org
    ServerAdmin webmaster@localhost
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.darkmine.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.darkmine.org/privkey.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Go away! configuration
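Bots and hackers will brute-force scan for security holes at the IP level. As genuine people and tools don't use IP addresses, you can assume that requests addressed to a bare IP are not wanted. This configuration sends them away by redirecting every request to localhost, that is, back to the client's own machine. The virtual host has no ServerName, so it only catches these requests when it is the default virtual host for the port, which in Apache is the first one loaded.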
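<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    # Rewrite rules sit at virtual-host level; mod_rewrite inside <Location> is unsupported.
    RewriteEngine on
    # Redirect every request to localhost, i.e. back to the requesting machine.
    RewriteRule (.*) http://localhost%{REQUEST_URI} [R]
</VirtualHost>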
Portainer
Portainer runs inside Docker and also uses WebSockets, so the proxy needs a separate mapping for the WebSocket endpoint in addition to the plain HTTP one.
<VirtualHost *:80>
    ServerName portainer.darkmine.org
    ServerAdmin webmaster@localhost
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/portainer.darkmine.org combined

    # Send all plain-HTTP requests for this name to HTTPS.
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =portainer.darkmine.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName portainer.darkmine.org
        ServerAdmin webmaster@localhost
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/portainer.darkmine.org combined

        # Needs mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_headers.
        # The WebSocket path is listed before "/" so the more specific mapping is checked first.
        # It is mapped again, with ws://, inside the <Location> block below.
        ProxyPass "/api/websocket/" "wss://172.17.0.1:9000/api/websocket/"
        ProxyPass "/" "http://localhost:9000/"
        #ProxyPassReverse "/" "http://localhost:9000/"
        <Location /api/websocket/>
            RequestHeader set Connection "upgrade"
            Header set Connection "Upgrade"
            RequestHeader setifempty Connection "Upgrade"
            Header set Upgrade "websocket"
            RequestHeader setifempty Upgrade "websocket"
            ProxyPass ws://172.17.0.1:9000/api/websocket/
        </Location>
        SSLCertificateFile /etc/letsencrypt/live/portainer.darkmine.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/portainer.darkmine.org/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>