Apache HTTPS reverse proxy setup scheme

Source: Internet
Author: User

The task was to set up an Apache server that provides access to the content at https://10.6.177.66. After some study it turned out that what we actually need is a reverse proxy for https://10.6.177.66 on our own Apache server. Let's start by describing what a reverse proxy is:
I. The concept of a reverse proxy
A reverse proxy, commonly referred to as web server acceleration, is a way of reducing the load on the actual web server by placing a high-speed web caching server (the web reverse proxy server) between the busy web server and the Internet.
Web server acceleration (reverse proxying) is an acceleration feature for web servers. It acts as a proxy cache, not on behalf of browser users but on behalf of one or more specific web servers (this is where the name reverse proxy comes from). To implement a reverse proxy (as shown in the figure), you only have to place the reverse proxy cache device in front of one or more web servers. When an Internet user accesses a web server, the IP address returned by DNS is that of the reverse proxy server, not that of the original web server, so the reverse proxy server device acts as the web server: the browser connects to it and never connects to the web server directly. As a result, a large part of the web service workload is offloaded to the reverse proxy. This not only removes the security risk of external hosts communicating directly with the web server, but also greatly reduces the burden on the web server and improves access speed.
II. Implementing SSL with Apache on Windows
First, go to http://hunter.campbus.com/ to download the apache_xxx-xxxopenssl_xxx-win32.zip that matches your Apache version.
I'm using apache_2.0.59.
Installer address: Http://apache.justdn.org/httpd/binaries/win32/apache_2.0.59-win32-x86-no_ssl.msi
Apache_2.0.59-openssl_0.9.8c-win32.zip address: Http://209.61.202.80/apache/Apache_2.0.59-Openssl_0.9.8c-Win32.zip
After extracting it you will find 5 files: mod_ssl.so (modules directory), ssl.conf and ssl.default.conf (conf directory; ssl.default.conf serves as a backup), and libeay32.dll and ssleay32.dll (both in the bin directory). Copy them all to the corresponding directories under your own Apache installation.
###############################################################################
Next, change the configuration files.
In httpd.conf and ssl.conf, if your server has no domain name, set ServerName to the IP address.
For example: ServerName 172.18.42.123:80 (httpd.conf)
ServerName 172.18.42.123:443 (ssl.conf)

Open httpd.conf:
Locate the line #LoadModule ssl_module modules/mod_ssl.so and remove the leading '#' so that the SSL module is loaded at startup.
  
Open ssl.conf:
Find the two commented-out lines (#, and #,) and remove the leading '#' from each; otherwise Apache has to be started with extra parameters, which is a nuisance.
Then make the following settings:
SSLMutex default
SSLCertificateFile conf/server.crt (location of the server certificate)
SSLCertificateKeyFile conf/server.key (location of the server private key)
SSLCACertificateFile conf/ca.crt (location of the CA root certificate; required for client authentication)
The files above are placed in the conf directory.
DocumentRoot "xxxxx" (point this at the document directory to be protected by SSL and client authentication, e.g. "F:/http")
SSLVerifyClient require (remove the leading '#'; required for client authentication)
SSLVerifyDepth 1 (remove the leading '#' and change 10 to 1; required for client authentication)
  
##############################################################################
Now we're going to make the certificates.
Go to openvpn.net and download and install OpenVPN:
Http://openvpn.net/release/openvpn-2.0.9-install.exe
This is a VPN tool, and it can produce root, server and client certificates perfectly well on Windows (and on Linux and BSD).
After installation, open Start - Programs - Accessories - Command Prompt and change into OpenVPN's easy-rsa directory, for example:
C:\Program Files\openvpn\easy-rsa>
Type init-config and press Enter.
Several files are produced. Open vars.bat and set the parameters KEY_COUNTRY (2-letter country code), KEY_PROVINCE (2-letter province code), KEY_CITY (city), KEY_ORG (organization) and KEY_EMAIL (e-mail address); this saves you from typing them again and again when producing certificates later. Save, exit, and continue at the command prompt.
Enter the following two commands in turn:
vars
clean-all (these two are preparatory work)
  
####################################################################################
1. Establish the CA root certificate
Type build-ca and press Enter (this creates the CA root certificate).
It then shows:
Ai:/usr/share/openvpn/easy-rsa #./build-ca
Generating a 1024 bit RSA private key
............++++++
...........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]: 2-character country code; the default is the value we just set in vars.bat.
State or Province Name (full name) [NA]: province or state, 2 letters
Locality Name (eg, city) [BISHKEK]: town name
Organization Name (eg, company) [OpenVPN-TEST]: organization name
Organizational Unit Name (eg, section) []: unit name within the organization
Common Name (eg, your name or your server's hostname) []: this is the key field; you should enter the domain name of the unit issuing the root certificate, but because this is the root certificate it doesn't really matter how you fill it in. Only the server certificate needs to be filled in carefully.
Email Address [[email protected]]: e-mail address

OK, the CA root certificate is finished! In the keys directory it is called ca.crt, and the CA's private key is ca.key
  
  
#######################################################################
2. Create the server certificate:
At the command prompt, type
build-key-server server and press Enter
You will see something very similar to the above, but pay attention here:
Common Name (eg, your name or your server's hostname) []: this is the real key. You should enter the server's domain name, such as www.xxx.com.
If you do not have a domain name, fill in the IP address, matching the settings in httpd.conf and ssl.conf:
ServerName 172.18.42.123:80 (httpd.conf)
ServerName 172.18.42.123:443 (ssl.conf)
That is, fill in: 172.18.42.123

Next you see A challenge password []: fill in anything or leave it blank
An optional company name []: leave blank

Sign the certificate? [y/n] Type y and press Enter. The server certificate is signed with the CA root certificate.
1 out of 1 certificate requests certified, commit? [y/n] Type y and press Enter to confirm.

All right, server.crt (certificate) and server.key (private key) are now in the keys directory.
###############################################################################
3. Create a client certificate:
At the command prompt, type
build-key client1 and press Enter
The country, province, city, organization and so on are as before, and the Common Name can also be filled in freely.
And then:
A challenge password []: fill in anything or leave it blank
An optional company name []: leave blank

Sign the certificate? [y/n] Type y and press Enter. The client certificate is signed with the CA root certificate.
1 out of 1 certificate requests certified, commit? [y/n] Type y and press Enter to confirm.

All right, client1.crt (client certificate) and client1.key (private key) are now in the keys directory.

Wait, the .crt client certificate cannot be used as is; it must be converted into a .pfx file!
So, at the command prompt, type
openssl and press Enter
You see the prompt openssl>
Then enter:
pkcs12 -export -in keys/client1.crt -inkey keys/client1.key -out keys/client1.pfx and press Enter
You see Enter Export Password: you are asked to set the export password for the client certificate
Verifying - Enter Export Password: confirm it again. OK!
########################################################################
Copy ca.crt, server.crt and server.key from the keys directory to the Apache conf directory (ssl.conf needs them). Keep ca.key; find a suitable place to store it safely.
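As an added example (not from the article or from OpenVPN's easy-rsa), the same build-ca / build-key-server / build-key / pkcs12 steps done with plain openssl in a Unix shell, together with the chain check that Apache's SSLVerifyClient performs on a presented certificate. It assumes openssl is in PATH; the CA name, organization, export password and the 172.18.42.123 address are constructed placeholders, and it uses 2048-bit keys instead of easy-rsa's 1024-bit default.

```shell
#!/bin/sh
# Added example, not from the original article or from OpenVPN's easy-rsa:
# the build-ca / build-key-server / build-key / pkcs12 steps done with plain
# openssl, plus the chain check that Apache's SSLVerifyClient performs.
# Assumptions: openssl in PATH; names, password and 172.18.42.123 are
# constructed placeholders; 2048-bit keys instead of easy-rsa's 1024.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not in PATH" >&2; exit 0; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_CN="${SERVER_CN:-172.18.42.123}"   # must equal ServerName in httpd.conf/ssl.conf

# ca_sign in.csr out.crt ext-file : sign a request with the CA (1 year).
ca_sign() {
  openssl x509 -req -in "$1" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 365 -extfile "$3" -out "$2" 2>/dev/null
}

# 1. CA root certificate (build-ca). Only ca.crt goes to Apache; ca.key stays offline.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=CN/O=Demo Org/CN=Demo Root CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# 2. Server certificate (build-key-server). The CN is what the browser types;
#    it also goes into subjectAltName, which current browsers insist on.
make_server_cert() {
  case "$SERVER_CN" in *[!0-9.]*) san="DNS:$SERVER_CN" ;; *) san="IP:$SERVER_CN" ;; esac
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=CN/O=Demo Org/CN=$SERVER_CN" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$WORKDIR/server.ext"
  ca_sign "$WORKDIR/server.csr" "$WORKDIR/server.crt" "$WORKDIR/server.ext"
}

# 3. Client certificate (build-key client1) plus the .pfx bundle IE imports.
make_client_cert() {   # make_client_cert NAME EXPORT-PASSWORD
  openssl req -new -newkey rsa:2048 -nodes -subj "/C=CN/O=Demo Org/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$WORKDIR/client.ext"
  ca_sign "$WORKDIR/$1.csr" "$WORKDIR/$1.crt" "$WORKDIR/client.ext"
  openssl pkcs12 -export -in "$WORKDIR/$1.crt" -inkey "$WORKDIR/$1.key" \
    -out "$WORKDIR/$1.pfx" -passout "pass:$2"
}

# A self-signed certificate, as produced by the "openssl x509 -req -signkey"
# method later on this page; used below as the negative case.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$SERVER_CN" \
    -keyout "$WORKDIR/selfsigned.key" -out "$WORKDIR/selfsigned.crt" 2>/dev/null
}

# What SSLVerifyClient require / SSLVerifyDepth 1 checks: the certificate
# chains directly to ca.crt. Exit status 0 means accepted.
verify_against_ca() { openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/$1" >/dev/null 2>&1; }

# Subject CN of a certificate, to compare with ServerName before deploying.
cert_cn() {
  openssl x509 -in "$WORKDIR/$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

make_ca; make_server_cert; make_client_cert client1 'export-secret'; make_selfsigned
verify_against_ca server.crt     && echo "server.crt chains to ca.crt"
verify_against_ca client1.crt    && echo "client1.crt chains to ca.crt"
verify_against_ca selfsigned.crt || echo "selfsigned.crt rejected, as SSLVerifyClient would"
echo "server CN: $(cert_cn server.crt); files in $WORKDIR"
```

The self-signed negative case shows why the later "openssl x509 -req -signkey" method on this page is enough for a plain HTTPS server but not for client authentication, which needs every client certificate to chain to the CA named in SSLCACertificateFile.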
  
  
#########################################################################
Installing the certificate on the client
Open Internet Explorer (IE), Tools - Internet Options - Content - Certificates, click the 'Personal' tab and then Import to import the client certificate client1.pfx into the Personal store (don't forget the extension is .pfx). You also need to enter the export password you just created to import it.
Next, click 'Trusted Root Certification Authorities' and Import to import the CA root certificate ca.crt into the trusted root certification authorities.
#########################################################################
Okay, restart Apache and open IE.
Enter https://172.18.42.123 (or the domain name) in the address bar; a window pops up asking you to select a personal digital certificate.
Click to select it and then OK.
If the server certificate's Common Name was filled in correctly, you go straight to the web site and see the small lock in the lower right corner (SSL 128-bit).
If the server certificate's Common Name was not filled in correctly, a 'Security Alert' box pops up, telling you three things:
1. Whether the security certificate was issued by a trusted site
(if it says it was issued by a site that is not trusted, then your CA root certificate ca.crt has not been imported into IE's Trusted Root Certification Authorities)

2. Whether the date on the security certificate is valid
(the validity period defaults to 10; you can adjust it in openssl.cnf in the OpenVPN easy-rsa directory and then regenerate the whole set of certificates. openssl.cnf looks like a dial-up networking shortcut; open it with Notepad or WordPad to make the change.)

3. "The name on the security certificate is invalid or does not match the name of the site"
This means the server certificate's Common Name is incorrect. It doesn't matter much, and some people seem willing to leave it like that, but I don't want to see this annoying warning box.

Even with a security alert, you can still access the web site and see the small lock in the lower right corner (SSL 128-bit)
  
  
#################################
Finally, success! Use it.
III. Setting up the reverse proxy
Modify the conf\httpd.conf file.
First enable two modules:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
Then add at the end of the file:
SSLProxyEngine on
ProxyRequests Off
ProxyPass / https://10.6.177.66
ProxyPassReverse / https://10.6.177.66

OK, restart Apache, browse to https://172.18.42.123 and see the effect for yourself!

Apache as an HTTP and HTTPS reverse proxy

First comes the environment configuration, such as the modules.

If Apache is compiled from source, add the --enable-proxy parameter to ./configure to compile the proxy module in.

Then run /usr/sbin/httpd -l, which shows

Loaded Modules: core.c mod_access.c mod_auth.c mod_include.c mod_log_config.c mod_env.c mod_setenvif.c mod_proxy.c proxy_connect.c proxy_ftp.c proxy_http.c prefork.c http_core.c .....
Modules with a proxy prefix indicate that the proxy is already enabled.
If Apache was installed from a package, enable the appropriate modules in the configuration file httpd.conf:

LoadModule proxy_module modules/mod_proxy.so

LoadModule proxy_http_module modules/mod_proxy_http.so

They can be displayed with /usr/sbin/httpd -D DUMP_MODULES:

Loaded Modules:

......

proxy_module (shared)
proxy_http_module (shared)
proxy_connect_module (shared)

Then you are good to go.

You can now start configuring the virtual host.

For example:

<VirtualHost *:80>
ServerAdmin [email protected]
ServerName www.b.org
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
</VirtualHost>

This points the URL www.b.org at the address http://127.0.0.1:9000.

So when www.b.org is accessed, the data returned comes from http://127.0.0.1:9000

Configure HTTPS access, that is, SSL-encrypted access:

First you need to turn on Apache's SSL support; follow the configuration written up at http://blog.csdn.net/ownfire/article/details/7686746.

NameVirtualHost *:443 or NameVirtualHost www.abc.net:443

<VirtualHost www.abc.net:443>
ServerName www.abc.net
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key

ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass /test https://127.0.0.1/
ProxyPassReverse /test https://127.0.0.1/
</VirtualHost>

Access to https://www.abc.net/test is directed to https://127.0.0.1/. SSLCertificateFile and SSLCertificateKeyFile are the certificate and key files that were generated when SSL was configured.
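Added example, not from the article: the HTTPS reverse-proxy vhost above in two versions, as written and with the backend-verification directives it leaves out, plus a small shell lint that flags the omissions most worth catching before deploying such a proxy (its first rule is aimed at the ProxyRequests on used alongside [P] rules in the mod_rewrite article further down). Hostnames, paths and the backend CA file are constructed placeholders; the configuration text is only written to a temporary directory, not installed.

```shell
#!/bin/sh
# Added example, not from the original article. Two versions of the HTTPS
# reverse-proxy vhost from this section (weak = as written, hardened = with
# backend verification), and a lint that flags the risky omissions.
# Hostnames, paths and addresses are constructed placeholders.
set -eu

# As written above: TLS to the backend is enabled, but Apache's default
# SSLProxyVerify none means the backend certificate is never checked.
weak_conf() {
cat <<'EOF'
<VirtualHost *:443>
ServerName www.abc.net
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
ProxyRequests Off
ProxyPass /test https://127.0.0.1/
ProxyPassReverse /test https://127.0.0.1/
</VirtualHost>
EOF
}

# Hardened version (Apache 2.4 syntax; <Proxy *> with Order/Allow is 2.2 only).
hardened_conf() {
cat <<'EOF'
<VirtualHost *:443>
ServerName www.abc.net
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Never act as a forward proxy for arbitrary destinations.
ProxyRequests Off
# TLS to the backend, and verify whom we are talking to.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCACertificateFile /etc/httpd/conf/backend-ca.crt
SSLProxyCheckPeerName on
ProxyPass /test https://10.6.177.66/
ProxyPassReverse /test https://10.6.177.66/
</VirtualHost>
EOF
}

# lint_proxy_conf FILE: returns 0 if no finding, 1 otherwise (one finding per line).
lint_proxy_conf() {
  rc=0
  if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On[[:space:]]*$' "$1"; then
    echo "$1: ProxyRequests On makes this an open forward proxy; use Off with ProxyPass"; rc=1
  fi
  if grep -Eiq '^[[:space:]]*SSLProxyEngine[[:space:]]+on' "$1" &&
     ! grep -Eiq '^[[:space:]]*SSLProxyVerify[[:space:]]+require' "$1"; then
    echo "$1: SSLProxyEngine on without SSLProxyVerify require: backend certificate unchecked"; rc=1
  fi
  if grep -Eiq '^[[:space:]]*SSLProxyVerify[[:space:]]+require' "$1" &&
     ! grep -Eiq '^[[:space:]]*SSLProxyCACertificate(File|Path)' "$1"; then
    echo "$1: SSLProxyVerify require needs SSLProxyCACertificateFile or ...Path"; rc=1
  fi
  return "$rc"
}

DIR="${DIR:-$(mktemp -d)}"
weak_conf     > "$DIR/weak.conf"
hardened_conf > "$DIR/hardened.conf"
lint_proxy_conf "$DIR/weak.conf"     || echo "weak.conf: FAIL"
lint_proxy_conf "$DIR/hardened.conf" && echo "hardened.conf: OK"
```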

Enabling SSL access under Apache, i.e. HTTPS

A compiled command-line OpenSSL program for Windows:

Http://downloads.sourceforge.net/gnuwin32/openssl-0.9.8h-1-bin.zip

LAMP: turning on SSL

First you need to install OpenSSL and the Apache SSL module; run:

yum install openssl mod_ssl -y

The configuration that follows is then similar to the following:

WAMP: turning on SSL

1. Edit the httpd.conf file
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
# remove the "#" in front of the two lines above
2. Edit conf/extra/httpd-ssl.conf
SSLCertificateFile "D:/wamp/apache2/bin/server.crt"
SSLCertificateKeyFile "D:/wamp/apache2/bin/server.key"
3. Change these to the location of the certificate files you generated
DocumentRoot "E:/www"   # change the DocumentRoot value so that it matches the DocumentRoot in httpd.conf
4. Fix Apache failing to start
Line 68: SSLMutex "file:D:/programfiles2003/wamp/wamp/apache2/logs/ssl_mutex"
# change line 68 to: SSLMutex default
5. Replace all Apache paths in the httpd-ssl.conf file with the path of your own Apache installation

# the configuration file changes are now complete

Second, how to generate the certificate
At the command line, change into the apache/bin directory and run the following:

openssl req -config ../conf/openssl.cnf -new -out server.csr -keyout server.pem

where openssl.cnf is the OpenSSL configuration file shipped with Apache; give the full path to the file.

Enter a password twice (any password), then press Enter through the remaining prompts to skip them.

# Issue the certificate

openssl rsa -in server.pem -out server.key

Enter the password you just set.

# this generates the key file
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
# this generates the certificate file

Copy server.key and server.crt to the conf folder.


Restart Apache.

OK, congratulations. You can now access your root directory normally over HTTPS.

Of course we also need SSL for virtual hosts.

For that, configure the virtual host file and write a virtual host that listens on port 443 specifically, for example:

<VirtualHost woosau:443>
DocumentRoot /home/ownfire/www/woosau
ServerName woosau
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
</VirtualHost>

Because the host name is woosau, you also write a NameVirtualHost rule:

NameVirtualHost woosau:443

Okay, that's it; now we can access https://woosau.

Apache mod_rewrite: URI rewriting, HTTP to HTTPS

One: Purpose

This article aims to show how Apache rewrite rules can be used to handle some common URL rewriting needs; through common examples it gives users some basic methods and pointers for using rewrite rules.

Two: Why do you need rewrite rules?
A web site that is to stay on the Internet providing service for a long time is bound to be updated and maintained continually: moving to other servers for maintenance, reorganizing the directory structure, changing URLs, even moving to a new domain name, and so on. The best way to keep users unaffected by all this is to use Apache rewrite rules.

Three: Where rewrite rules can be used
1) in the Apache main configuration file httpd.conf
2) in the virtual host configurations defined in httpd.conf
3) in the per-directory configuration file .htaccess in the site's base directory

Four: How rewrite rules are applied
Only when a user's web request finally reaches the Apache web server in the background does the web server accept the incoming request and, depending on whether the request is handled by the main configuration or a virtual host, match the URI the user requested in the browser against the rewrite rules, as well as against the rewrite rules in the .htaccess of the actual request path. Finally the requested content is returned to the user, and there are two possible kinds of response:

1) External redirection (Redirect) of the content the browser requested to another URL.
The browser is asked to make the request again with the new URI (R=301 or R=302: permanent or temporary redirect).
For example: a site has an official URL and an alias URL, and the alias URL is redirected to the official URL; or the site moves to a new domain name and the old domain name is redirected to the new one (Redirect).

2) The content may also be generated by an Apache-internal sub-request through the proxy and sent back to the client [P,L].
Here Apache internally fetches the content for the rewritten URI through the proxy module and sends it back to the client, while the client-side browser knows nothing about it: the URI in the browser is not rewritten, but the actual content is what Apache obtained using the URI from the rewrite rule.
For example: Apache running on the corporate firewall enables this proxy rewrite rule and proxies requests to web servers on the internal network segment.

Five: How do rewrite rules work?
We assume you compiled mod_rewrite as a module when building Apache, and that you have made sure your httpd.conf contains
LoadModule rewrite_module libexec/mod_rewrite.so
and, among the AddModule lines,
AddModule mod_rewrite.c
Then you can use rewrite rules.
When an external request arrives at Apache, Apache applies the definitions in the rewrite rules to rewrite the URI specified by the user's browser. If it is a redirect, the rewritten URI is sent to the browser, which makes another request with it; if it is a proxy rewrite, the rewritten URI is handed to the proxy module, which requests the final content and sends it back to the browser.

Six: When do you use rewrite rule definitions in .htaccess?
If you do not have administrator rights on the server where your site content resides, for example because your site is hosted on an ISP's server, you cannot change the main configuration file, but you do have write permission to the directory where your web site content lives. Then you can achieve the same purpose with your own .htaccess file. You must, however, make sure the main configuration file defines the following for the directory where your site is located:

Options Indexes FollowSymLinks
AllowOverride All

Otherwise your .htaccess will not work.

Seven: Application examples
Assume Apache is compiled and installed under the /usr/local/apache/ directory of the host 192.168.1.56, and that we compiled the rewrite and proxy modules in.

1) Hide a directory under Apache so that any request for that directory is redirected to another file.

a> Implementation in httpd.conf

Put the following part into /usr/local/apache/conf/httpd.conf.


Options Indexes FollowSymLinks
AllowOverride All
RewriteEngine on
RewriteBase /
RewriteRule ^(.*)$ index.html.en [R=301]


Note: RewriteEngine on is the switch for the rewrite engine; if it is set to off, none of the rewrite rule definitions take effect. Another advantage of this switch is that if you want to remove the rewrite rules temporarily, you just turn it off and restart Apache, without having to comment out each of the rewrite rules below it.
The function of RewriteBase / is this: if the substitution part in the following RewriteRule definition (the file name index.html.en) has no leading /, it is relative to the directory, and relative to this RewriteBase it becomes /usr/local/apache/htdocs/index.html.en; otherwise, without the RewriteBase / entry, it would be rewritten to Http://192.168.1.56/usr/local/apache/htdocs/manual/index.html.en, which is obviously not correct.

But here we can also leave out RewriteBase / and instead write
RewriteEngine on
RewriteRule ^(.*)$ /index.html.en [R=301]
or
RewriteEngine on
RewriteRule ^(.*)$ http://192.168.1.56/index.html.en [R=301]

b> Implementation in .htaccess

Put the following part into httpd.conf.


Options Indexes FollowSymLinks
AllowOverride All


and put the following part into /usr/local/apache/htdocs/manual/.htaccess.
RewriteEngine on
RewriteBase /
RewriteRule ^(.*)$ index.html.en [R=301]

Note: changes made to the .htaccess file do not require a restart of Apache.

Q: What if I want to redirect this manual directory to the user jephe's own home directory?
Use the following .htaccess:
RewriteEngine on
RewriteBase /~jephe/
RewriteRule ^(.*)$ $1 [R=301]

Requests for any file in the manual directory are redirected to the same file in the ~jephe directory.

2) Convert a request for username's home page at www.username.domain.com into
www.domain.com/username

HTTP/1.1 requests include a Host: header, so with the following rule set we can rewrite
http://www.username.domain.com/anypath to /home/username/anypath

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.[^.]+\.host\.com$
RewriteRule ^(.+) %{HTTP_HOST}$1 [C]
RewriteRule ^www\.([^.]+)\.host\.com(.*) /home/$1$2

Note:
RewriteCond defines a conditional rewrite: the rewrite rules that follow are applied only when the condition it defines is met.
RewriteCond can test various variables; please refer to the relevant documentation.

3) Rewrite rules on the firewall that proxy requests for servers on the internal network segment.

NameVirtualHost 1.2.3.4


ServerName www.domain.com
RewriteEngine on
ProxyRequests on
RewriteRule ^/(.*)$ http://192.168.1.3/$1 [P,L]


Note: when an external browser requests www.domain.com, which resolves to the IP address 1.2.3.4, Apache hands the request to mod_rewrite, which converts it into
http://192.168.1.3/$1; the proxy module mod_proxy then fetches the content and sends it back to the user's browser.


4) RewriteMap: rewriting with a predefined conversion map

Convert www.domain.com/{countrycode}/anypath to the URI given in the map table. The definition goes into the virtual host above:

RewriteLog /usr/local/apache/logs/rewrite.log
RewriteLogLevel 9

RewriteEngine on
ProxyRequests on
RewriteMap sitemap txt:/usr/local/apache/conf/rewrite.map
RewriteRule ^/([^/]+)+/(.*)$ http://%{REMOTE_HOST}::$1 [C]
RewriteRule (.*)::([a-z]+)$ ${sitemap:$2|http://h.i.j.k/} [R=301,L]

The contents of the file /usr/local/apache/conf/rewrite.map are as follows:

sg http://a.b.c.d/
sh http://e.f.g.h/

Note: when the user requests Http://www.domain.com/sg/anypath, it is rewritten to
Http://a.b.c.d/anypath.
When debugging is needed, use RewriteLog and RewriteLogLevel; 9 gives the most debugging information, 1 the least, and the default 0 gives no debugging information.
The syntax of the map lookup is ${sitemap:lookupkey|defaultvalue}; some books write % instead of $, which is wrong.
