3.1 update reverse proxypass (apache)

Discussion in 'Developers' Forum' started by Rein van 't Veer, Jun 10, 2016.

  1. Hi,

    I'm using the following Apache directives to give my clients the control panel over https (port 443) instead of 9999:

    Code:
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass / https://127.0.0.1:9999/
    ProxyPassReverse / https://127.0.0.1:9999/
    The SSL checks are just to bypass a false certificate ;-).

    My firewall is blocking port 9999, so it's not less secure imo.

    But: something goes wrong with the loading of the page.

    Chrome adds /login/ (as expected; otherwise a session would already exist),
    BUT: other URLs also end up under /login/:

    Code:
    jquery.min.js:4 GET https://control.ichtushosting.com/login/nav.php?nav=side 404 (Not Found)send @ jquery.min.js:4ajax @ jquery.min.js:4loadMenus @ ispconfig.min.js:1loadInitContent @ ispconfig.min.js:1(anonymous function) @ ispconfig.min.js:1dispatch @ jquery.min.js:3r.handle @ jquery.min.js:3trigger @ jquery.min.js:3triggerHandler @ jquery.min.js:3ready @ jquery.min.js:2I @ jquery.min.js:2
    jquery.min.js:4 GET https://control.ichtushosting.com/login/dashboard/dashboard.php 404 (Not Found)send @ jquery.min.js:4ajax @ jquery.min.js:4loadInitContent @ ispconfig.min.js:1(anonymous function) @ ispconfig.min.js:1dispatch @ jquery.min.js:3r.handle @ jquery.min.js:3trigger @ jquery.min.js:3triggerHandler @ jquery.min.js:3ready @ jquery.min.js:2I @ jquery.min.js:2
    jquery.min.js:4 GET https://control.ichtushosting.com/login/keepalive.php 404 (Not Found)send @ jquery.min.js:4ajax @ jquery.min.js:4keepalive @ ispconfig.min.js:1loadInitContent @ ispconfig.min.js:1(anonymous function) @ ispconfig.min.js:1dispatch @ jquery.min.js:3r.handle @ jquery.min.js:3trigger @ jquery.min.js:3triggerHandler @ jquery.min.js:3ready @ jquery.min.js:2I @ jquery.min.js:2
    jquery.min.js:4 GET https://control.ichtushosting.com/login/nav.php?nav=top 404 (Not Found)send @ jquery.min.js:4ajax @ jquery.min.js:4loadMenus @ ispconfig.min.js:1loadInitContent @ ispconfig.min.js:1(anonymous function) @ ispconfig.min.js:1dispatch @ jquery.min.js:3r.handle @ jquery.min.js:3trigger @ jquery.min.js:3triggerHandler @ jquery.min.js:3ready @ jquery.min.js:2I @ jquery.min.js:2
    This should be:
    Code:
    https://control.ichtushosting.com/dashboard/dashboard.php
    https://control.ichtushosting.com/nav.php?nav=top
    https://control.ichtushosting.com/keepalive.php
    
    Right?
     
  2. Jesse Norell

    Jesse Norell Active Member

    I just set this up earlier this week. What I have, which seems to work fine (haven't seen any session issues), using port 8080 is:
    Code:
    # cat /etc/apache2/conf-enabled/local.conf
    # local (to this server) config snippets
    
    Alias /webmail /var/lib/roundcube
    
    <IfModule mod_proxy.c>
        ProxyRequests Off
    </IfModule>
    
    Code:
    # cat /etc/apache2/sites-enabled/000-default.conf
    <VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName default
    
        ServerAdmin [email protected]
        DocumentRoot /var/www/html
    
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
    </VirtualHost>
    
    <VirtualHost *:80>
        ServerName controlpanel.domain.com
        ServerAdmin [email protected]
    
        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
            RewriteRule ^ - [END]
            RewriteCond %{HTTPS} off
            RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        </IfModule>
    
        DocumentRoot /var/www/html
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    Code:
    # cat /etc/apache2/sites-enabled/000-default-ssl.conf
    <IfModule mod_ssl.c>
        ## This is the default *:443 host, displaying a placeholder page
        <VirtualHost *:443>
            ServerName default
            ServerAdmin [email protected]
    
            ServerSignature Off
    
            SSLEngine on
            SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
            SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
            #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
            SSLProtocol All -SSLv3
    
            SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder On
    
            DocumentRoot /var/www/html
    
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>
    
            BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
            BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    
            <IfModule mod_headers.c>
              Header always add Strict-Transport-Security "max-age=15768000"
            </IfModule>
    
        </VirtualHost>
    
        ## This is the default controlpanel.domain.com for https (port 443),
        ## proxy to the real control panel on port 8080
        <VirtualHost *:443>
            ServerName controlpanel.domain.com
            ServerAdmin [email protected]
    
            ServerSignature Off
    
            SSLEngine on
            SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
            SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
            #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
            SSLProtocol All -SSLv3
    
            SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder On
    
            DocumentRoot /var/www/html
    
            SSLProxyEngine on
            <IfModule mod_proxy.c>
                ProxyRequests Off
                ProxyPreserveHost On
                ProxyPass /webmail "!"
                ProxyPass /roundcube "!"
                ProxyPass /squirrelmail "!"
                ProxyPass /phpmyadmin "!"
                ProxyPass / https://127.0.0.1:8080/
                ProxyPassReverse / https://127.0.0.1:8080/
            </IfModule>
    
            BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
            BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    
            <IfModule mod_headers.c>
              Header always add Strict-Transport-Security "max-age=15768000"
            </IfModule>
    
        </VirtualHost>
    </IfModule>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    
    I had to enable the proxy and proxy_http Apache modules.

    The 000-default-ssl.conf contents are mostly from 000-ispconfig.vhost (I'd love it if the SSL settings were in a common file included by both 000-ispconfig.vhost and 000-default-ssl.conf, so I don't have to try to manually track SSLCipherSuite changes and such).

    I think Let's Encrypt is still working with this (need to test more), but webmail and other things are fine so far. If you're running 3.1, you can easily set up Let's Encrypt for your control panel as well, and get rid of the certificate errors.
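The two configurations above differ in exactly the settings a reviewer would check on a reverse-proxied control panel: whether backend certificate verification is switched off (first post), whether the backend is loopback-only, and whether `ProxyRequests` is off so the vhost cannot double as a forward proxy (second post). The following linter is an added example written for this thread, not code from either poster or from ISPConfig; it parses plain directives out of an httpd config fragment and reports those points, using the first post's directives as a constructed sample.

```python
from urllib.parse import urlparse

# Constructed sample: the directives from the first post of this thread.
SAMPLE_CONF = """
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://127.0.0.1:9999/
ProxyPassReverse / https://127.0.0.1:9999/
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_directives(conf):
    """Yield (name, args) for plain directives; comments and <Section> tags are skipped."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def audit_proxy(conf):
    """Return the proxy settings found plus the findings a reviewer should weigh."""
    directives = list(parse_directives(conf))
    verify_off = any(n == "sslproxyverify" and a.lower() == "none" for n, a in directives)
    peer_off = sorted(n for n, a in directives
                      if n.startswith("sslproxycheckpeer") and a.lower() == "off")
    backends = []
    for n, a in directives:
        parts = a.split()
        # ProxyPass <path> <url|!>; a "!" excludes the path from proxying
        if n == "proxypass" and len(parts) >= 2 and parts[1].strip('"') != "!":
            backends.append(parts[1])
    findings = []
    if any(n == "proxyrequests" and a.lower() == "on" for n, a in directives):
        findings.append("ProxyRequests On: vhost also acts as a forward proxy")
    for url in backends:
        parsed = urlparse(url)
        if parsed.scheme == "https" and (verify_off or peer_off):
            where = "loopback" if parsed.hostname in LOOPBACK else "non-loopback"
            findings.append(f"{url}: backend certificate checks disabled on a {where} backend")
    return {"backends": backends, "verify_off": verify_off,
            "peer_checks_off": peer_off, "findings": findings}


if __name__ == "__main__":
    for finding in audit_proxy(SAMPLE_CONF)["findings"]:
        print(finding)
```

Run it against a full vhost file to get the same report; `<IfModule>` and `<VirtualHost>` wrappers are ignored, so nesting does not matter for the check.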
     
  3. It was a bit more complicated for my setup, but I made it work :).

    Control panel = https://control.domain.com
    not listening on port 9999 anywhere
    Uses the default 000-ispconfig.vhost
    At the moment uses Let's encrypt certificates

    Todo: configure Let's Encrypt to auto-renew these certificates.
     
