Setting Up httpd (2.2) as ReverseProxy (OLD)

December 2 2015

#httpd2.2 #setup #sysadmin

httpd can be configured as a frontend load balancing proxyfier. There are better tools in the market for doing this exact thing, and nginx and haproxy have shown a much better performance in real world and benchmarks with a lower RAM footprint but like all servers httpd can also be configured with mod_proxy to act as a http proxy engine.

Setup Notes

Point all your DNS to your httpd node. And setup virtual hosts as listed below. Be sure to install mod_proxy on your httpd node.

<VirtualHost *:80>                                                                     
  ServerAdmin jp@iiit.ac.in                                                          
  ServerName ithelp.iiit.ac.in                                                                 
  ErrorLog logs/ithelp.iiit.ac.in-error_log                                                 
  CustomLog logs/ithelp.iiit.ac.in-access_log combined                                       
  <Location />                                                                             
    ProxyPass http://ithelp.iiit.ac.in/                                                        
  </Location>                                                                               
</VirtualHost>

For serving https content be sure to install mod_ssl as well.

<VirtualHost *:443>
  ServerAdmin jp@iiit.ac.in
  ServerName ithelp.iiit.ac.in
  ErrorLog logs/ithelp.iiit.ac.in-error_log
  CustomLog logs/ithelp.iiit.ac.in-access_log combined
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerExpire off
  <Location />
    ProxyPass https://ithelp.iiit.ac.in/
  </Location>
</VirtualHost>

In addition, if you want to enable appropriate SSL, be sure to add the additional config into the *:443 VHost

  SSLProtocol All -SSLv2 -SSLv3
  SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
  SSLHonorCipherOrder On
  SSLCertificateFile /path/to/certificate
  SSLCertificateKeyFile /path/to/key/file
  Header always set Strict-Transport-Security "max-age=63072000"

SNI (Server Name Indication)

Since it is mighty difficult for hostname to be detected from a https:// connection the folks out there making browsers have implemented SNI.

What SNI does is that it indicates what hostname is being accessed to the server so that the connections can be made without the additional headache of passing the proxy.

To test a SNI site, you need to dish in your server name as follows

openssl s_client -servername <name> -host <name> -port <port>

This is already implemented in most browsers, so unless you are using cURL for a primary browser role, you would not even notice this.

Setting the SSLCertificate would automatically handle it so you should not have any issues doing this.

Parth Kolekar

ANSI Sequences in Output Without a TTY

#ansi #bundler #colors #sysadmin

ANSI Sequences or ansi escape codes are special formatting characters used to inform a receiving terminal about special colors and formatting to use when displaying text. These sequences still remain in use to this day, with a lot of utilities supporting...

...

offlineimap setup

#offlineimap #setup #sysadmin

OfflineIMAP is a GPLv2 software to dispose your mailbox(es) as a local Maildir(s). What it allows you to do is to make a complete sync of your email over the IMAP protocol and in essence keep local copies of email. This is a GUI-less alternative...

...