In this guide we will see how to configure apache2 to use its built-in modules as a reverse proxy and serve some services from our client. In addition we will see how to set up SSL encryption for these sites, and we will create a template to use for them.
I did all of this on an installation of Debian 12 bookworm, virtualized on Proxmox.
This should work on all Debian-based distros, but this can change, so always check that your system and package manager support these packages.
We will need the following packages: apache2, certbot and python3-certbot-apache.
This command installs the required packages:
apt-get install apache2 certbot python3-certbot-apache
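This enables the apache2 modules we need for the reverse proxy. Besides the proxy modules, the template used later in this guide also needs ssl (the HTTPS virtual host), headers (RequestHeader), rewrite (RewriteEngine), proxy_wstunnel (the ws:// backend) and http2 (Protocols h2):
a2enmod proxy proxy_http proxy_wstunnel proxy_balancer lbmethod_byrequests ssl headers rewrite http2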
Now we should configure apache2. All config files are located under the /etc/apache2 directory.
The directory structure should be something similar to this:
.
└── etc/
    └── apache2/
        ├── apache2.conf
        ├── conf-available
        ├── conf-enabled
        ├── envvars
        ├── magic
        ├── mods-available
        ├── mods-enabled
        ├── ports.conf
        ├── sites-available
        └── sites-enabled
Now we need to create the new folders: two for the proxies (proxy-available and proxy-enabled) and one for storing our templates (templates), following the structure already present.
The command to create the folders:
mkdir /etc/apache2/proxy-available /etc/apache2/proxy-enabled /etc/apache2/templates
After creating these 3 folders the folder structure should look something similar to this:
.
└── etc/
    └── apache2/
        ├── apache2.conf
        ├── conf-available
        ├── conf-enabled
        ├── envvars
        ├── magic
        ├── mods-available
        ├── mods-enabled
        ├── ports.conf
        ├── sites-available
        ├── sites-enabled
        ├── proxy-available
        ├── proxy-enabled
        └── templates
Now we should edit the apache2.conf file, which is located in the root of the /etc/apache2 directory. Let's open it with a text editor, in this case I will use nano:
nano apache2.conf
Now we should go to the bottom of the file, where the last lines should look something similar to this:
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
Now we must add an option at the end to include the directory with the proxy configurations, so at the end of the file we add the following lines:
# Include custom configurations for the proxies
IncludeOptional proxy-enabled/*.conf
This tells apache2 to include all the files with the .conf extension under the proxy-enabled folder.
Now it is time to create our template for the proxy. We will create it in the previously created templates folder, as proxy-template.conf (the name used by the Include line later in this guide). I will leave here the configuration file that I use; you can customize it for your own requirements:
# Variable definition
# domain - The domain from where to listen
# local_proxy - The local ip with the port to where apache should redirect
<VirtualHost *:80>
    ServerName ${domain}
    # Comment to prevent HTTP to HTTPS redirect
    Redirect permanent / https://${domain}/
    ErrorLog /var/log/apache2/${domain}-error.log
    CustomLog /var/log/apache2/${domain}-access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =${domain}
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName ${domain}
    # This folder exists just for certbot
    DocumentRoot /var/www/html/${domain}/public_html
    ProxyPreserveHost On
    # Letsencrypt's certbot will place a file in this folder when updating/verifying certs
    ProxyPass "/.well-known/" "!"
    # Tell to forward requests that came from TLS connections
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    ProxyPass "/socket" "ws://${local_proxy}/socket"
    ProxyPassReverse "/socket" "ws://${local_proxy}/socket"
    ProxyPass "/" "http://${local_proxy}/"
    ProxyPassReverse "/" "http://${local_proxy}/"
    SSLEngine on
    Protocols h2 http/1.1
    # Enable only strong encryption ciphers and prefer versions with Forward Secrecy
    # (RC4 is explicitly excluded: it is not a strong cipher)
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    # Disable insecure SSL and TLS versions
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    ErrorLog /var/log/apache2/${domain}-error.log
    CustomLog /var/log/apache2/${domain}-access.log combined
    SSLCertificateFile /etc/letsencrypt/live/${domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${domain}/privkey.pem
</VirtualHost>
</IfModule>
Now we need to go to the proxy-available folder, where we should create a file and put some lines in it. Let's call it test.conf
Define domain subdomain.domain.com
Define local_proxy 192.168.1.1:8080
Include /etc/apache2/templates/proxy-template.conf
This should be the result. Instead of 192.168.1.1 put your local IP; if the port is not a standard one like 80 or 443 you must specify it. For the domain put your own; it makes no difference whether it is a 3rd, 4th or 5th level domain, it will follow standard apache2 rules.
Now we need to activate the config. We must go to the proxy-enabled folder and run this command from there:
ln -s ../proxy-available/test.conf
This command will create a soft link to the file we created before. If we now try to start or restart apache2 it will throw an error, because we are missing the SSL certificate.
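The two steps above (writing the Define file and linking it into proxy-enabled), as an added example that is not part of the original guide: a POSIX shell helper that validates the domain and the backend before writing them, since the template substitutes both values straight into Apache directives. The function names and the APACHE_DIR override are assumptions of this example.

```shell
#!/bin/sh
# Added example: create and enable a proxy site file for the template,
# refusing values that could smuggle extra directives into the config.
# APACHE_DIR is an assumption of this example, so it can be tried in a scratch dir.
APACHE_DIR="${APACHE_DIR:-/etc/apache2}"
OCTET='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'

valid_domain() {
    # Character allowlist first: rejects spaces, quotes, "$", "/" and newlines,
    # which grep alone would miss because it matches line by line.
    case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

valid_backend() {
    # IPv4 address with an optional port, as in "192.168.1.1:8080".
    case "$1" in ''|*[!0-9.:]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "^($OCTET\.){3}$OCTET(:[0-9]{1,5})?\$" || return 1
    case "$1" in
        *:*) vb_port=${1##*:}
             [ "$vb_port" -ge 1 ] && [ "$vb_port" -le 65535 ] ;;
    esac
}

add_proxy_site() {
    # $1 = file name without .conf, $2 = domain, $3 = backend ip[:port]
    # The name allowlist also blocks path traversal such as "../x".
    case "$1" in ''|*[!A-Za-z0-9_-]*) echo "bad site name" >&2; return 1 ;; esac
    valid_domain "$2"  || { echo "bad domain: $2" >&2; return 1; }
    valid_backend "$3" || { echo "bad backend: $3" >&2; return 1; }
    aps_conf="$APACHE_DIR/proxy-available/$1.conf"
    [ ! -e "$aps_conf" ] || { echo "$aps_conf already exists" >&2; return 1; }
    printf 'Define domain %s\nDefine local_proxy %s\nInclude %s\n' \
        "$2" "$3" "$APACHE_DIR/templates/proxy-template.conf" > "$aps_conf" || return 1
    # Relative link, same as running "ln -s ../proxy-available/<name>.conf"
    # from inside proxy-enabled.
    ln -s "../proxy-available/$1.conf" "$APACHE_DIR/proxy-enabled/$1.conf"
}

# Stand-alone use: sh add-proxy-site.sh test subdomain.domain.com 192.168.1.1:8080
if [ "$#" -eq 3 ]; then add_proxy_site "$@"; fi
```

Once the certificate from the next step exists, apache2ctl configtest checks the resulting configuration before apache2 is started.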
Now it is time to request our SSL certificate. For this you must be sure that apache2 is turned off with systemctl stop apache2, then run the following command:
certbot certonly -d subdomain.domain.com
This will start a procedure with certbot for getting a certificate for the domain subdomain.domain.com. It will offer us 3 options; we choose the second one:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):
We choose the second because it is the easiest and fastest. When we select it, certbot automatically brings up a temporary webserver to verify that our domain is pointing to this server; if everything is successful it will show a message.
Since the certificate is present we can try to turn on apache2:
systemctl start apache2
If no message is shown, this means that our webserver has no configuration errors and everything is where we told apache it is. We can try to open our domain from a browser and see if the server responds correctly.