SSL Reverse Proxy Setup

Setting up SSL Reverse Proxy on your LAN

Setting up a reverse proxy is the least expensive way of directing traffic to a number of web sites hosted inside your LAN via port 80 (HTTP), 443 (HTTPS) or any other port you want to use.

As one of my colleagues once said: “The price is right when using Linux and tools it provides”.

My task was to provide an SSL (HTTPS) connection to the reverse proxy, with the traffic then going unencrypted (via HTTP) to the end server. A picture tells a thousand words, so here is what it should look like:

(Image: SSL Reverse Proxy Setup)

Obviously you can use this setup in many different infrastructure layouts. I used it to connect physical boxes behind a NAT router; the reverse proxy itself is set up in a VM environment.

OK, let’s get on with the business.

Steps we are going to cover here are:

- Install and set up Apache2
- Install and set up OpenSSL
- Create a new digital certificate
- Test the connection

I always have one VM set up for pretty much every OS available on the market. Of course licensing is always an issue; this document is not going to cover that, so I'll leave it to you to resolve.

Assuming you never installed Ubuntu Linux go to this URL for install steps: https://help.ubuntu.com/community/GraphicalInstall

Once installed you need to run updates. Start a terminal by pressing Alt+F2 on your keyboard, typing gnome-terminal and clicking the Run button.

Type the following command in the terminal window to refresh the package lists:

sudo apt-get update

When prompted, enter the password for the account you are using (assuming it has sudo rights).

The next step is to install those updates:

sudo apt-get upgrade

To install Apache:

sudo apt-get install apache2

Once Apache is installed you will need a self-signed SSL certificate. Install OpenSSL first:

sudo apt-get install openssl

The next step is to create the new digital certificate, starting with the private key:

sudo mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
sudo openssl genrsa -des3 -out server.key 1024

You will be prompted for a passphrase for the key; make sure to write it down so you won't forget it. The next command then asks a number of questions whose answers go into the certificate. (Note that 1024-bit RSA keys are considered too weak today and are rejected by current browsers; 2048 bits is the usual minimum.)


sudo openssl req -new -key server.key -out server.csr
sudo openssl x509 -req -days 1000 -in server.csr -signkey server.key -out server.crt

The important thing is to make sure that your FQDN (whatever.yourdomain.com in this case) is entered correctly as the Common Name; otherwise the certificate will not match the name the remote computer is calling and its browser will refuse to trust it. Finally, strip the passphrase from the key so Apache can start without prompting for it (the original stays behind as server.key.secure):

sudo openssl rsa -in server.key -out server.key.insecure
sudo mv server.key server.key.secure
sudo mv server.key.insecure server.key
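As an added example (not part of the original post), the following shell script performs the key, CSR and certificate steps above in one non-interactive run and then checks the result before it goes into /etc/apache2/ssl: that the Common Name matches the FQDN, that the same name is also present as a subjectAltName (modern browsers ignore the CN and require a SAN), and that the private key really belongs to the certificate. It assumes the openssl command-line tool is installed; whatever.yourdomain.com and the temporary working directory are placeholders, and it uses a 2048-bit key without a passphrase instead of the 1024-bit DES3-protected key created above.

```shell
#!/bin/sh
# Added example, not from the original post: create the self-signed
# certificate non-interactively and verify it before handing it to Apache.
# Assumptions: the openssl CLI is installed; FQDN and WORKDIR are placeholders.
set -e

FQDN="whatever.yourdomain.com"   # must match the name clients will connect to
WORKDIR="$(mktemp -d)"           # use /etc/apache2/ssl on the real box
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"
CRT="$WORKDIR/server.crt"

# Key, CSR and self-signed certificate in one go. 2048-bit RSA, no passphrase
# so Apache can start unattended (the post's separate "insecure" copy step
# becomes unnecessary).
make_cert() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    openssl req -new -key "$KEY" -out "$CSR" -subj "/CN=$FQDN"
    # Browsers ignore the CN nowadays and require the name as a SAN entry.
    printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORKDIR/san.cnf"
    openssl x509 -req -days 1000 -in "$CSR" -signkey "$KEY" \
        -extfile "$WORKDIR/san.cnf" -out "$CRT" 2>/dev/null
}

# Print the certificate's Common Name (RFC2253 layout is stable across
# OpenSSL versions; the sed handles the optional space after "subject=").
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=[[:space:]]*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the certificate lists the given DNS name as a SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeed only if the private key ($1) belongs to the certificate ($2):
# the public key embedded in each must be identical.
key_matches_cert() {
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
      "$(openssl pkey -in "$1" -pubout)" ]
}

# Run all checks; returns 0 when the pair is ready for SSLCertificateFile /
# SSLCertificateKeyFile.
verify_cert() {
    [ "$(cert_cn "$CRT")" = "$FQDN" ] &&
    cert_has_san "$CRT" "$FQDN" &&
    key_matches_cert "$KEY" "$CRT"
}

make_cert
if verify_cert; then
    echo "certificate for $FQDN looks good:"
    openssl x509 -in "$CRT" -noout -subject -dates
else
    echo "certificate check failed" >&2
    exit 1
fi
```

Run it as a normal user; it writes into a temporary directory, so copy server.key and server.crt into /etc/apache2/ssl afterwards (or set WORKDIR to that path and run it with sudo). The same three checks are worth running on any certificate you did not generate yourself before restarting Apache with it.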


OK, so now we need to set up the Apache server properly so it loads the right modules. To do so we need to modify the httpd.conf file:

sudo nano /etc/apache2/httpd.conf

Modify the following text to fit your needs and paste it into the httpd.conf file. Take a look at the image above to understand better what you need to modify. Make sure you enter your FQDN correctly:

# Modules needed for TLS termination, proxying, header manipulation and caching control
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule cache_module /usr/lib/apache2/modules/mod_cache.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
LoadModule proxy_connect_module /usr/lib/apache2/modules/mod_proxy_connect.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

# The public name clients connect to; must match the certificate's Common Name
ServerName whatever.yourdomain.com

NameVirtualHost whatever.yourdomain.com:443
<VirtualHost whatever.yourdomain.com:443>
    RewriteEngine On
    # Tell the back-end server that the client arrived over HTTPS
    RequestHeader set Front-End-Https "On"
    # Pass the original Host header through to the back-end
    ProxyPreserveHost On
    # Terminate TLS here with the self-signed certificate created above
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Forward everything to the internal web server over plain HTTP
    ProxyPass / http://server1.yourdomain.com/
    ProxyPassReverse / http://server1.yourdomain.com/
    CacheDisable *
</VirtualHost>

Press Ctrl+X, then Y, to save the changes and exit nano.

Check the configuration syntax with sudo apache2ctl configtest, then restart Apache:

sudo /etc/init.d/apache2 restart

Test the connection by opening https://whatever.yourdomain.com in your browser. Because the certificate is self-signed, the browser will warn about it until you import the certificate as trusted on the client.

That should do it.

Email us if you have any questions and/or comments.

Thanks!