
PackageDrone/HowTo/ReverseProxy

This page describes a few ways to put a reverse proxy (such as Apache or NGINX) in front of Package Drone, so that the initial HTTP request is served by another HTTP server and then forwarded to Package Drone.

Using a reverse proxy has pros and cons. If you want one, this page describes how to set it up.

Ubuntu

Ubuntu 14.04 LTS

  • Enable "proxy" and "deflate". Run as root:
a2enmod proxy
a2enmod proxy_http
a2enmod deflate
  • Create a new file: /etc/apache2/sites-available/pdrone.conf with the content of pdrone.conf (see below).
  • Activate site. Run as root:
a2ensite pdrone
/etc/init.d/apache2 reload

RHEL / CentOS

RHEL 7 / CentOS 7

yum install httpd mod_ssl

Create a new file: /etc/httpd/conf.d/pdrone.conf with the content of pdrone.conf (see below).

If you have SELinux enabled, you might run into the following error message:

Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed

Execute the following command to allow the httpd server to make connections:

setsebool -P httpd_can_network_connect 1
systemctl restart httpd

OpenSUSE

OpenSUSE 13 & Apache

SUSE probably has two ways of doing this. I am not a SUSE-guy, so there may be an easier way ;-)

  • Install Apache 2 -> zypper install apache2
  • Start YAST and
    • Enable Apache 2
    • Enable modules: proxy, mod_proxy_http and optionally deflate and filter
  • Create a new file: /etc/apache2/vhosts.d/pdrone.conf (content see below)
  • Add ProxyRequests Off to /etc/apache2/default-server.conf

Files

pdrone.conf

<VirtualHost *:80>

    ServerName your.server.name

    # Reverse proxy only: never act as a forward (open) proxy
    ProxyRequests Off
    # Apache 2.2-style access directives; on Apache 2.4 they need mod_access_compat
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Forward all requests to Package Drone on its local port
    ProxyPass / http://localhost:8080/ disablereuse=on
    ProxyPassReverse / http://localhost:8080/
    ProxyTimeout 300

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    DefaultType None

    # Compress text responses when mod_filter and mod_deflate are both loaded
    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            FilterDeclare gzip CONTENT_SET

            FilterProtocol gzip change=yes;byteranges=no

            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/html'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/plain'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/xml'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/css'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/javascript'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'application/javascript'"

            FilterChain gzip
        </IfModule>
    </IfModule>

</VirtualHost>

Securing Package Drone

Localhost only

Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080.

Edit the file /etc/default/package-drone-server and add -Dorg.ops4j.pax.web.listening.addresses=localhost to the JAVA_OPTS variable.
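
One way to confirm the setting took effect after restarting Package Drone, as an added example that is not part of the original page: the function below reads `ss -ltn` output and lists any listener on port 8080 that is not bound to a loopback address. The function name exposed_listeners is hypothetical and the two socket listings are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): check that the backend port
# is reachable only through the reverse proxy.

# Read `ss -ltn` output on stdin and print every listener on port $1 that is
# NOT bound to a loopback address. No output means the port is local-only.
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }              # skip the header line
        {
            addr = $4                        # Local Address:Port column
            n = split(addr, part, ":")
            if (part[n] != port) next
            host = substr(addr, 1, length(addr) - length(part[n]) - 1)
            gsub(/^\[|\]$/, "", host)        # [::1] -> ::1
            sub(/%.*$/, "", host)            # drop interface scope (%lo)
            if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
            print addr
        }'
}

# Constructed sample: Package Drone before the change (wildcard bind) ...
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80       0.0.0.0:*
LISTEN 0      50     *:8080           *:*'

# ... and after adding the listening.addresses=localhost option.
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80       0.0.0.0:*
LISTEN 0      50     127.0.0.1:8080   0.0.0.0:*
LISTEN 0      50     [::1]:8080       [::]:*'

for name in BEFORE AFTER; do
    eval "data=\$SAMPLE_$name"
    found=$(printf '%s\n' "$data" | exposed_listeners 8080)
    if [ -n "$found" ]; then
        echo "$name: port 8080 exposed on: $found"
    else
        echo "$name: port 8080 is loopback-only"
    fi
done

# On a live host: ss -ltn | exposed_listeners 8080
```

Any address it prints is an interface on which port 8080 can still be reached without going through the proxy.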

RHEL 7 / CentOS 7

Allow HTTP traffic through the firewall (the firewalld service is named http, not httpd):

firewall-cmd --permanent --zone public --add-service http
firewall-cmd --reload

Let's Encrypt

To add a free TLS certificate from Let's Encrypt, you need to install the Let's Encrypt client and modify the pdrone.conf file so that requests for /.well-known are served from the local file system instead of being proxied.

DocumentRoot /var/www/html

…

ProxyPass /.well-known !
ProxyPass / http://localhost:8080/ disablereuse=on

This excludes /.well-known from proxying, so requests for it are served from /var/www/html/.well-known. Let's Encrypt can then be used with the webroot module on /var/www/html.