
Example Apache with SSL and reverse proxy configuration
 
httpd.conf
 

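# Server identity. "Prod" sends only "Apache" in the Server header; the
# original "OS" advertised the exact version and operating system, which is
# free reconnaissance for an attacker (ServerSignature is also turned off
# further down so error pages carry no version either).
ServerTokens Prod

ServerRoot "/etc/httpd"
PidFile run/httpd.pid

# Connection handling
# Timeout bounds how long a slow client can hold a worker. 120s is generous
# and makes slow-request exhaustion (slowloris-style) easier against the
# prefork MPM; lower it if the back ends answer quickly.
Timeout 120
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

# prefork MPM: one process per connection. MaxClients/ServerLimit cap the
# number of simultaneous connections the server will accept.
<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>

# worker MPM (threaded). Only the MPM compiled into httpd takes effect, so
# exactly one of these two blocks is active.
<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

# Plain-HTTP listener. The TLS listener (443) is declared next to the SSL
# virtual host in conf/sites/.
Listen 80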

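# Module set. Every loaded module is attack surface that has to be patched,
# whether or not it is configured. The modules commented out below are not
# referenced by anything visible in this configuration; re-enable one only
# if a fragment under conf.d/ (included further down) turns out to need it.
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
# WebDAV: no Dav directive appears anywhere here, so PUT/DELETE/PROPFIND
# handling should simply not exist on this server.
#LoadModule dav_module modules/mod_dav.so
# mod_status stays loaded for conf.d/ compatibility. If a /server-status
# handler is exposed anywhere, restrict it to administrative addresses.
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
# mod_info dumps the live configuration (including back-end URLs) once a
# handler is exposed; nothing here uses it.
#LoadModule info_module modules/mod_info.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
# ~user home-directory publishing has no place on a reverse proxy.
#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
# If a /balancer-manager handler is ever enabled it allows back-end members
# to be changed at runtime; keep it restricted.
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
# Only HTTP back ends are proxied and ProxyRequests is Off, so FTP and
# CONNECT proxying are pure attack surface here.
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so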

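# Drop-in fragments (vendor/package files). Anything in conf.d/ can expose
# handlers or load modules on its own, so review it after every package update.
Include conf.d/*.conf

#ExtendedStatus On

# Unprivileged identity the child processes switch to after binding 80/443.
# This account should own none of the web content, and have no shell or password.
User webadmin
Group webadmin

# Main configuration

# UseCanonicalName: with "On", self-referential URLs that Apache itself builds
# (for example the trailing-slash redirects issued by mod_dir) use the vhost's
# ServerName. With "Off" they echo the client-supplied Host header, so a
# request carrying a forged Host header turns a server-generated redirect into
# a redirect to an attacker-chosen site. Every vhost in conf/sites/ sets
# ServerName, so "On" is safe here.
UseCanonicalName On

DirectoryIndex index.html index.htm index.php

# Per-directory override file. The document roots use "AllowOverride None",
# so .htaccess files are honoured only where a <Directory> explicitly allows it.
AccessFileName .htaccess

#
# Never serve .htaccess / .htpasswd (anything starting with ".ht") to clients.
# Declared in the main server context so it applies to every vhost.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

#
# TypesConfig: where the mime.types file (or equivalent) is found.
# DefaultType applies when no extension matches.
#
TypesConfig /etc/mime.types
DefaultType text/plain

# Type detection by magic bytes when the extension is unknown.
<IfModule mod_mime_magic.c>
#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic
</IfModule>

# Do not reverse-resolve client addresses for the logs: it is slow and the
# PTR record is controlled by the client's network, so it is not evidence.
HostnameLookups Off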

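# CACHE CONFIG AND KERNEL ACCELERATORS

# mmap/sendfile disabled under /www/ (typically done when content lives on a
# network filesystem, where a file changing under a mapped region can corrupt
# or abort the response).
<Directory "/www/">
        EnableMMAP off
        EnableSendfile off
</Directory>

# mod_cache is loaded but not enabled. If it is ever turned on in front of
# the proxied applications, make sure authenticated or per-user responses
# carry Cache-Control: private / no-store, or one user's page can be served
# to another.
#CacheRoot /web_cache
#CacheDirLevels 5
#CacheDirLength 3
#MCacheSize 409600
#MCacheMinObjectSize 1
#MCacheMaxObjectSize 256000
#CacheEnable disk /
#CacheEnable mem /

# Server-wide logs for anything not claimed by a vhost-specific log.
ErrorLog /log/nohost_error.log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b  \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# Requests tagged "dontlog" are dropped from the vhost access logs
# (CustomLog ... env=!dontlog). Anything excluded here is invisible to
# incident response, so keep the list short and anchor every pattern:
# SetEnvIf arguments are regexes, and an unanchored "\.gif" would let an
# attacker hide a request simply by including ".gif" somewhere in the path
# (e.g. /admin/.gif/ or /login.gifx).
#
# Local health checks. Anchored so 127.0.0.12 etc. are still logged.
# (The original also had 'SetEnvIf Remote_Addr "-" dontlog', which can never
# match an IP address and was dropped.)
SetEnvIf Remote_Addr "^127\.0\.0\.1$" dontlog

# Requests with an empty Host header are frequently raw scanner probes and
# are worth keeping in the log, so the original 'SetEnvIf Host "^$" dontlog'
# has been removed.

# Static images, matched on the extension at the end of the path only.
# Request_URI does not include the query string.
SetEnvIf Request_URI "\.gif$" dontlog
SetEnvIf Request_URI "\.jpg$" dontlog
SetEnvIf Request_URI "\.jpeg$" dontlog
SetEnvIf Request_URI "\.png$" dontlog
#
# This catch-all log is not filtered by dontlog, so it records every request
# that reaches the default server.
CustomLog /log/nohost_access.log combined

# Keep the server version off generated error pages.
ServerSignature Off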

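# Icons used by mod_autoindex directory listings.
Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    # "Indexes" removed: a browsable listing of /icons/ is harmless in itself,
    # but it advertises a stock Apache install and is exactly what PCI and
    # vulnerability scanners flag. The document roots already use -Indexes.
    Options MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# IndexOptions: appearance of server-generated directory listings (only
# relevant for directories that still have Options Indexes).
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

# Files prepended/appended to a listing, and names hidden from it.
ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t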

# Content negotiation: map filename suffixes to language tags so
# index.html.de, index.html.fr ... can be selected by Accept-Language.
AddLanguage ca .ca

AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

# Tie-break order when several variants match equally well ...
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

# ... and use it both to pick one of several acceptable variants (Prefer) and
# when nothing matches the client's preference at all (Fallback).
ForceLanguagePriority Prefer Fallback

# Declare the charset on text responses so browsers do not guess (charset
# sniffing has been a vector for encoding-based XSS).
AddDefaultCharset UTF-8

AddType application/x-compress .Z

AddType application/x-gzip .gz .tgz

# Type maps (*.var) for explicit content negotiation.
AddHandler type-map var

#
# Server-side includes for .shtml. The INCLUDES filter only runs where the
# directory also has Options Includes / IncludesNoExec.
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

# Multi-language error documents shipped with Apache.
Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>

<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        # IncludesNoExec: server-side includes are allowed but "#exec" is
        # not, so these templates can never run commands.
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>

</IfModule>

</IfModule>

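# Workarounds for old user agents that mishandle keep-alive or HTTP/1.1.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

# WebDAV-style clients that need a "careful" redirect for directory requests.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

# ETag from mtime and size only. The default also includes the inode number,
# which leaks filesystem detail and differs between servers serving the same file.
FileETag MTime Size

# Never act as a forward proxy. The ProxyPass directives in the vhosts do not
# need this; "On" would make this host an open proxy for anyone who can reach
# port 80 or 443.
ProxyRequests Off

# TRACE reflects the request (including cookies) back to the client and has
# been abused for cross-site tracing.
TraceEnable Off

# Name-based virtual hosting on port 80. Note: the example vhost in
# conf/sites/ is declared as <VirtualHost _default_:80>, which is the
# fallback for unmatched addresses rather than a name-based vhost; it works
# only because it is the sole port-80 vhost. Use *:80 for a proper match.
NameVirtualHost *:80

# Restrict the glob to *.conf so editor backups and swap files left in the
# directory (www.sysxperts.com.conf~, .swp) are not parsed as configuration.
Include conf/sites/*.conf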
 
In the conf/sites folder (pulled in by the final Include of httpd.conf above) create one file per virtual host, e.g. www.sysxperts.com.conf:
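<VirtualHost _default_:80>
        # Plain-HTTP front door. Everything except /myapp and /myapp2 is
        # served from the static document root over HTTP; the two applications
        # are redirected to the TLS vhost.
        # NOTE: httpd.conf declares "NameVirtualHost *:80"; a _default_:80
        # vhost is the fallback for unmatched addresses, so this only behaves
        # as intended while it is the sole port-80 vhost. *:80 is the
        # matching form.
        ServerName www.sysxperts.com
        ServerAlias www1-sysxperts www1-sysxperts.sysxperts.com
        ServerAdmin pvalentino@sysxperts.com

        ErrorLog /var/log/httpd/www1-sysxperts-error_log

        # "dontlog" is set in httpd.conf (local health checks, static images).
        CustomLog /var/log/httpd/www1-sysxperts-access_log combined env=!dontlog

        RewriteEngine On

        # Force the applications onto TLS.
        # - The target host is hard-coded. Building it from %{HTTP_HOST}
        #   reflects whatever Host header the client sent (this vhost answers
        #   for every name), i.e. an open redirect. The canonical name also
        #   matches the certificate, which the ServerAlias names do not.
        # - "/myapp" must be a whole path segment. The original pattern
        #   ^/myapp/?(.*)$ also matched /myapp2/..., sending those requests
        #   to https://.../myapp/2/... before the second rule could run.
        # - The original query string is appended automatically.
        RewriteRule ^/myapp(/.*)?$  https://www.sysxperts.com/myapp$1  [R,L]
        RewriteRule ^/myapp2(/.*)?$ https://www.sysxperts.com/myapp2$1 [R,L]

        # Shared rules (TRACE/TRACK block); must come after RewriteEngine On.
        Include conf/all_vhosts.conf

        DocumentRoot /www/www.sysxperts.com

        <Directory "/www/www.sysxperts.com/">
                # IncludesNoExec keeps server-side includes (#include, #echo,
                # ...) but disables "#exec cmd". With plain +Includes anyone
                # able to create or edit an .htm/.html file under this tree
                # gets command execution as the webadmin user. Revert to
                # +Includes only if pages genuinely rely on #exec, and then
                # keep the tree unwritable by the web server account.
                Options +IncludesNoExec -Indexes
                AllowOverride None
                AddOutputFilter INCLUDES .htm
                AddOutputFilter INCLUDES .html
                Order Allow,Deny
                Allow From All
        </Directory>
</VirtualHost>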

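# TLS listener. Binding by host name resolves www.sysxperts.com when httpd
# starts; a DNS change or resolver outage then prevents start-up. Binding
# the IP address (or a plain "Listen 443") is more robust.
Listen www.sysxperts.com:443

<VirtualHost www.sysxperts.com:443>
        ServerName www.sysxperts.com
        # The certificate below is issued for www.sysxperts.com; clients that
        # reach this vhost via an alias over TLS will get a name mismatch.
        ServerAlias www1-sysxperts www1-sysxperts.sysxperts.com
        ServerAdmin pvalentino@sysxperts.com

        ErrorLog /var/log/httpd/www1-sysxperts-error_log

        CustomLog /var/log/httpd/www1-sysxperts-access_log combined env=!dontlog

        RewriteEngine On

        # The site root is deliberately served over plain HTTP by the :80
        # vhost; only the proxied applications live on TLS. The host is
        # hard-coded so a forged Host header cannot turn this into an open
        # redirect. Be aware that this HTTPS->HTTP downgrade makes a
        # Strict-Transport-Security header impossible for this name; serving
        # the root over TLS as well would remove that limitation.
        RewriteRule ^/$ http://www.sysxperts.com/ [R,L]

        SSLEngine On

        # Paths are relative to ServerRoot (/etc/httpd). The private key is
        # read as root before the switch to the webadmin user, so it should
        # be mode 0600 and owned by root. Add SSLCertificateChainFile if the
        # issuer requires intermediates. Protocol and cipher policy live in
        # conf/ssl.conf so every TLS vhost shares one setting.
        SSLCertificateFile    ssl/www.sysxperts.com.crt
        SSLCertificateKeyFile ssl/www.sysxperts.com.key
        Include conf/ssl.conf
        Include conf/all_vhosts.conf

        DocumentRoot /www/www.sysxperts.com

        <Directory "/www/www.sysxperts.com/">
                # IncludesNoExec: server-side includes without "#exec cmd".
                # Plain +Includes would give command execution as webadmin to
                # anyone able to place an .htm/.html file in this tree.
                Options +IncludesNoExec -Indexes
                AllowOverride None
                AddOutputFilter INCLUDES .htm
                AddOutputFilter INCLUDES .html
                Order Allow,Deny
                Allow From All
        </Directory>

        # Tell the back ends that the client connection is TLS: they are
        # reached over plain HTTP and may otherwise generate http:// URLs or
        # cookies without the Secure flag. "set" overwrites any value the
        # client supplied; the application must be configured to trust this
        # header only when it arrives from this proxy.
        RequestHeader set X-Forwarded-Proto "https"

        # Add the trailing slash so relative links inside the app resolve
        # under /myapp/. Anchored: the original "/myapp$" also matched
        # /anything/myapp.
        RewriteRule ^/myapp$ /myapp/ [R,L]

        <Location "/myapp/">
                # The back end is reached over plain HTTP on :8080; acceptable
                # only when proxy and application share a private network segment.
                ProxyPass http://myapp.sysxperts.com:8080/myapp/
                ProxyPassReverse http://myapp.sysxperts.com:8080/myapp/
                # Presumably remaps root-relative Location headers from the
                # application onto this prefix — confirm against the app's
                # actual redirects.
                ProxyPassReverse /
        </Location>

        RewriteRule ^/myapp2$ /myapp2/ [R,L]

        <Location "/myapp2/">
                ProxyPass http://myapp2.sysxperts.com:8080/myapp2/
                ProxyPassReverse http://myapp2.sysxperts.com:8080/myapp2/
                ProxyPassReverse /
        </Location>
</VirtualHost>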
 
The include file conf/all_vhosts.conf holds directives common to every virtual host, e.g.:
# Rewrite engine must be turned on prior to including this config file
# Refuse TRACE (and the IIS-only TRACK) with 403 Forbidden; [F] implies [L].
# Belt and braces: httpd.conf already has "TraceEnable Off", which rejects
# TRACE in the core before mod_rewrite runs. This copy covers vhosts that
# are ever loaded with a core configuration lacking that setting.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
The include file conf/ssl.conf holds directives common to every SSL virtual host, e.g.:
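# Protocols. The original "-ALL +SSLv3 +TLSv1" offered SSLv3, which is
# broken (POODLE); offer TLS only. TLS 1.0 and 1.1 are deprecated as well:
# add "-TLSv1 -TLSv1.1" once the installed Apache/OpenSSL build supports
# TLS 1.2 and every client that must connect can negotiate it.
SSLProtocol all -SSLv2 -SSLv3

# Ciphers. The original list accepted RC4 ("RC4+RSA"), 3DES and the MEDIUM
# group; keep only strong authenticated suites. MD5-MAC suites are excluded
# explicitly. Anonymous (aNULL), null-encryption (eNULL), export and LOW
# suites stay excluded as before.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4:!3DES

# Let the server's preference order win instead of the client's, so a client
# advertising a weak-but-allowed suite first does not get it.
SSLHonorCipherOrder On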
 
PCI scanners flag server-generated directory listings. If the Apache manual is published from /var/www/manual, either add an .htaccess file containing `Options -Indexes` to /var/www/manual/images (this only takes effect if AllowOverride permits Options for that directory) or, more simply, disable the manual altogether — a production server has no reason to serve it.
 
