This tutorial describes how to set up apache2 (version > 2.4.47) on UNIX/Linux to do the following:
- Handle TLS towards the clients.
- Require client TLS certificates.
- Proxy both http and websocket connections.
Of course, you don't have to require client certificates; this is just an example.
The individual settings are explained further down the page.
Prerequisites:
- We are running REI3 as an unprivileged user on the loopback interface (localhost/127.0.0.1), port 5554.
- We have put our certificates etc. in /etc/examplecom/certs.
- We have enabled apache's mod_ssl, mod_proxy and mod_proxy_http.
- Consult the apache httpd documentation as to which ciphers and protocols to require.
Here's an example apache virtualhost .conf file (the first column is just line numbers for reference):
1 <IfModule mod_ssl.c>
2 <VirtualHost rei3.example.com:443>
3 ServerAdmin rei3admin@example.com
4 ServerName rei3.example.com
5
6 DocumentRoot /var/www/html
7
8 LimitRequestLine 256000
9
10 ErrorLog ${APACHE_LOG_DIR}/rei3-error.log
11 CustomLog ${APACHE_LOG_DIR}/rei3-access.log combined
12 LogLevel warn
13
14 # Enable/Disable SSL for this virtual host.
15 SSLEngine on
16 SSLCACertificateFile /etc/examplecom/apache2/certs/example-com-local-ca.pem
17 SSLCertificateFile /etc/examplecom/apache2/certs/rei3-example-com-peer.pem
18 SSLCertificateKeyFile /etc/bdk/examplecom/private/rei3-example-com-peer-key.pem
19 SSLProtocol <what you allow>
20 SSLCipherSuite <what ciphers you require>
21 SSLHonorCipherOrder off
22 SSLSessionTickets off
23
24 # Require client certificate.
25 SSLVerifyClient require
26 SSLVerifyDepth 1
27
28 # Reverse proxy to localhost:5554.
29 SSLProxyEngine on
30 SSLProxyVerify none
31 SSLProxyCheckPeerCN off
32 SSLProxyCheckPeerName off
33 SSLProxyCheckPeerExpire off
34 ProxyPreserveHost On
35 ProxyRequests off
36 ProxyPass "/" "https://localhost:5554/" upgrade=websocket timeout=1800
37 ProxyPassReverse "/" "https://localhost:5554/"
38 </VirtualHost>
39 </IfModule>
Specific settings explained:
Line 8: This raises the maximum length of the HTTP request line so that CSV exports and imports in REI3 work better.
Line 16: This tells apache which CA certificate to use for client certificate authentication.
Lines 19-20: Restrict the protocol to TLSv1.2 and higher and set the allowed ciphers.
Line 25: This makes apache require a client certificate; a client that cannot present one issued by the CA from line 16 fails the TLS handshake.
Line 26: This tells apache to ONLY accept certificates issued directly by the private CA (depth=1, no intermediate CAs allowed). In this case it'll be example.com's own root CA.
Lines 30-33: Tell apache not to verify REI3's certificate (chain, CN, hostname or expiry). This is acceptable here only because REI3 listens on the loopback interface; for a backend on another host you would verify its certificate instead.
Line 36: This tells apache to do reverse proxying and to upgrade websocket connections, with a timeout of 30 minutes (1800 seconds).
Line 37: This tells apache to rewrite the URLs in REI3's responses (the Location and similar headers) so that they refer to the public FQDN instead of localhost:5554.
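As an added example (not part of this tutorial, REI3 or Apache), the following Python script lints a virtualhost like the one above for the settings just explained: that client certificates are required with depth 1, that nothing below TLSv1.2 is enabled, that the vhost is not an open forward proxy (ProxyRequests off), that websocket upgrading is on, and that SSLProxyVerify none is only used when the backend really is on the loopback interface. The embedded vhost is a constructed copy of the tutorial's config with assumed values filled in for the SSLProtocol and SSLCipherSuite placeholders; the SSLProtocol handling is an approximation of mod_ssl's add/remove semantics and assumes one directive per line.

```python
import re
import shlex

# Constructed sample modelled on the tutorial's vhost. The SSLProtocol and
# SSLCipherSuite placeholders are filled with assumed values.
SAMPLE_VHOST = """\
<IfModule mod_ssl.c>
<VirtualHost rei3.example.com:443>
    ServerName rei3.example.com
    LimitRequestLine 256000
    SSLEngine on
    SSLCACertificateFile /etc/examplecom/apache2/certs/example-com-local-ca.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLProxyEngine on
    SSLProxyVerify none
    ProxyPreserveHost On
    ProxyRequests off
    ProxyPass "/" "https://localhost:5554/" upgrade=websocket timeout=1800
    ProxyPassReverse "/" "https://localhost:5554/"
</VirtualHost>
</IfModule>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return (name, args) per directive line; tags and comments are skipped."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = shlex.split(line)
        out.append((parts[0].lower(), parts[1:]))
    return out


def first_args(directives, name):
    """Arguments of the first occurrence of a directive (lower-cased), or None."""
    name = name.lower()
    for n, args in directives:
        if n == name:
            return [a.lower() for a in args]
    return None


def enabled_protocols(tokens):
    """Approximate mod_ssl's SSLProtocol semantics (assumption): 'all' expands
    to every version, '+X' adds, '-X' removes, bare 'X' adds, left to right."""
    enabled = set()
    for tok in tokens:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def backend_host(url):
    """Host part of a ProxyPass target such as https://localhost:5554/."""
    m = re.match(r"[a-z]+://(\[[^\]]+\]|[^/:]+)", url, re.IGNORECASE)
    return m.group(1) if m else None


def lint_vhost(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []

    if first_args(d, "SSLVerifyClient") != ["require"]:
        findings.append("SSLVerifyClient is not 'require': connections without a client certificate are accepted")

    depth = first_args(d, "SSLVerifyDepth")
    if depth is None or int(depth[0]) != 1:
        findings.append("SSLVerifyDepth is not 1: certificates issued via intermediate CAs would be accepted")

    proto = first_args(d, "SSLProtocol")
    if proto is None:
        findings.append("SSLProtocol is not set: mod_ssl defaults decide which versions are offered")
    else:
        # first_args lower-cased the tokens; compare case-insensitively
        legacy = sorted(p for p in enabled_protocols(proto) if p.lower() in {x.lower() for x in LEGACY})
        if legacy:
            findings.append("SSLProtocol still enables " + ", ".join(legacy))

    if first_args(d, "ProxyRequests") != ["off"]:
        findings.append("ProxyRequests is not off: the vhost could act as a forward proxy")

    pp = first_args(d, "ProxyPass") or []
    target = pp[1] if len(pp) > 1 else ""
    if "upgrade=websocket" not in pp[2:]:
        findings.append("ProxyPass lacks upgrade=websocket: REI3 websocket connections will not be proxied")
    if first_args(d, "SSLProxyVerify") == ["none"] and backend_host(target) not in LOOPBACK:
        findings.append("SSLProxyVerify none with a non-loopback backend (%s): the proxied TLS connection is unauthenticated" % backend_host(target))

    return findings


if __name__ == "__main__":
    for finding in lint_vhost(SAMPLE_VHOST) or ["no findings"]:
        print(finding)
```

Run it against a real vhost by reading the file into lint_vhost instead of SAMPLE_VHOST; the tutorial's config as written passes every check, while changing SSLVerifyClient to optional or pointing ProxyPass at a non-loopback host produces a finding.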