Difference between revisions of "PackageDrone/HowTo/ReverseProxy"
(add section for ubuntu) |
m (→RHEL 7 / CentOS 7) |
||
(7 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
=== Ubuntu 14.04 LTS === | === Ubuntu 14.04 LTS === | ||
+ | |||
+ | * Enable "proxy" and "deflate". Run as root:/ | ||
+ | <pre> | ||
+ | a2enmod proxy | ||
+ | a2enmod proxy_http | ||
+ | a2enmod deflate | ||
+ | </pre> | ||
* Create a new file: <code>/etc/apache2/sites-available/pdrone.conf</code> with the content of <tt>pdrone.conf</tt> (see below). | * Create a new file: <code>/etc/apache2/sites-available/pdrone.conf</code> with the content of <tt>pdrone.conf</tt> (see below). | ||
− | * | + | * Activate site. Run as root: |
− | + | <pre> | |
+ | a2ensite pdrone | ||
+ | /etc/init.d/apache2 reload | ||
+ | </pre> | ||
+ | |||
+ | == RHEL / CentOS == | ||
+ | |||
+ | === RHEL 7 / CentOS 7 === | ||
+ | |||
+ | yum install httpd mod_ssl | ||
+ | |||
+ | Create a new file - <code>/etc/httpd/conf.d/pdrone.conf</code> with the content of <tt>pdrone.conf</tt> (see below). | ||
+ | |||
+ | If you have SElinux enabled you might run into the following error message: | ||
+ | |||
+ | Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed | ||
+ | |||
+ | Execute the following command to allow the httpd server to make connections: | ||
+ | |||
+ | setsebool -P httpd_can_network_connect 1 | ||
+ | systemctl restart httpd | ||
== OpenSUSE == | == OpenSUSE == | ||
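Review bot: In the new RHEL 7 / CentOS 7 block, "setsebool -P httpd_can_network_connect 1" allows httpd to open outbound connections to any host and port, which is far wider than the single 127.0.0.1:8080 target named in the quoted AH00957 error; add a sentence next to the command saying what the boolean grants, so readers know they are relaxing policy for every proxy target. Two smaller points in the same hunk: the Ubuntu step reads "Run as root:/" with a stray slash, and the yum and setsebool commands are space-indented while the Ubuntu commands sit in <pre> blocks, so the page now mixes two code styles.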
Line 19: | Line 46: | ||
* Install Apache 2 -> <code>zypper install apache2</code> | * Install Apache 2 -> <code>zypper install apache2</code> | ||
* Start YAST and | * Start YAST and | ||
− | + | ** Enable Apache 2 | |
− | + | ** Enable modules: <code>proxy</code>, <code>mod_proxy_http</code> and optionally <code>deflate</code> and <code>filter</code> | |
− | * Create a new file: <code>/etc/apache2/vhosts.d/pdrone.conf</code> (see below) | + | * Create a new file: <code>/etc/apache2/vhosts.d/pdrone.conf</code> (content see below) |
* Add <code>ProxyRequests Off</code> to <code>/etc/apache2/default-server.conf</code> | * Add <code>ProxyRequests Off</code> to <code>/etc/apache2/default-server.conf</code> | ||
Line 29: | Line 56: | ||
<pre> | <pre> | ||
− | |||
<VirtualHost *:80> | <VirtualHost *:80> | ||
Line 70: | Line 96: | ||
</VirtualHost> | </VirtualHost> | ||
</pre> | </pre> | ||
+ | |||
+ | == Securing Package Drone == | ||
+ | |||
+ | === Localhost only === | ||
+ | |||
+ | Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080. | ||
+ | |||
+ | Edit the file <code>/etc/default/package-drone-server</code> and add <code>-Dorg.ops4j.pax.web.listening.addresses=localhost</code> to the <code>JAVA_OPTS</code> variable. | ||
+ | |||
+ | === RHEL 7 / CentOS 7 === | ||
+ | |||
+ | Enable <code>httpd</code> for the firewall: | ||
+ | |||
+ | firewall-cmd --permanent --zone public --add-service httpd | ||
+ | firewall-cmd --reload | ||
+ | |||
+ | === Let's encrypt === | ||
+ | |||
+ | In order to add a free TLS certificate from [https://letsencrypt.org Let's encrypt] you will need to install the Let's encrypt client and modify the <code>pdrone.conf</code> file to allow requests for <code>/.well-known</code> to the local file system. | ||
+ | |||
+ | DocumentRoot /var/www/html | ||
+ | |||
+ | … | ||
+ | |||
+ | ProxyPass /.well-known ! | ||
+ | ProxyPass / http://localhost:8080/ disablereuse=on | ||
+ | |||
+ | This will forward all requests for <code>/.well-known</code> to <code>/var/www/html/.well-known</code>. So Let's encrypt can be used with the webroot module on <code>/var/www/html</code>. |
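Review bot: "firewall-cmd --permanent --zone public --add-service httpd" in the new firewall step names a service firewalld does not ship; the predefined service for port 80 is "http", so the command should end in "--add-service http". The same section installs mod_ssl earlier and goes on to request a Let's encrypt certificate, yet nothing here opens "https" or shows a port 443 virtual host, so that step needs a line as well. The added "=== RHEL 7 / CentOS 7 ===" heading under "Securing Package Drone" also duplicates the heading introduced earlier in this revision, which makes section links ambiguous; a title such as "Firewall (RHEL 7 / CentOS 7)" would avoid that.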
Latest revision as of 06:00, 29 February 2016
This page describes a few ways to put a reverse proxy (such as Apache or NGINX) in front of Package Drone, so that the initial HTTP request is served by another HTTP server and then forwarded to Package Drone.
There are a few pros and cons for using a reverse proxy. If you want a reverse proxy, this is the page which describes how to do it.
Ubuntu
Ubuntu 14.04 LTS
- Enable "proxy" and "deflate". Run as root:

    a2enmod proxy
    a2enmod proxy_http
    a2enmod deflate

- Create a new file: /etc/apache2/sites-available/pdrone.conf with the content of pdrone.conf (see below).
- Activate site. Run as root:

    a2ensite pdrone
    /etc/init.d/apache2 reload

RHEL / CentOS
RHEL 7 / CentOS 7
    yum install httpd mod_ssl

Create a new file, /etc/httpd/conf.d/pdrone.conf, with the content of pdrone.conf (see below).

If you have SELinux enabled you might run into the following error message:

    Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed

Execute the following commands to allow the httpd server to make connections:

    setsebool -P httpd_can_network_connect 1
    systemctl restart httpd

OpenSUSE
OpenSuse 13 & Apache
SUSE has probably two ways of doing this. I am not a SUSE-guy, so there may be an easier way ;-)
- Install Apache 2 -> zypper install apache2
- Start YAST and
  - Enable Apache 2
  - Enable modules: proxy, mod_proxy_http and optionally deflate and filter
- Create a new file: /etc/apache2/vhosts.d/pdrone.conf (content see below)
- Add ProxyRequests Off to /etc/apache2/default-server.conf
Files
pdrone.conf
    <VirtualHost *:80>
        ServerName your.server.name

        ProxyRequests Off

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        ProxyPass / http://localhost:8080/ disablereuse=on
        ProxyPassReverse / http://localhost:8080/
        ProxyTimeout 300

        <Location />
            Order allow,deny
            Allow from all
        </Location>

        DefaultType None

        <IfModule mod_filter.c>
            <IfModule mod_deflate.c>
                FilterDeclare gzip CONTENT_SET
                FilterProtocol gzip change=yes;byteranges=no
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/html'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/plain'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/xml'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/css'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/javascript'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'application/javascript'"
                FilterChain gzip
            </IfModule>
        </IfModule>
    </VirtualHost>

Securing Package Drone
Localhost only
Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080.
Edit the file /etc/default/package-drone-server and add -Dorg.ops4j.pax.web.listening.addresses=localhost to the JAVA_OPTS variable.
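To confirm that the setting took effect after a restart, check which addresses port 8080 is bound to. The script below is an added example, not part of the original page: the function name exposed_listeners and the sample socket listings are constructed for illustration, and it expects input in the column layout of ss -ltn (local address in column 4).

```shell
#!/bin/sh
# Added example: flag non-loopback listeners on the Package Drone port.

# exposed_listeners PORT   (hypothetical helper name)
#   stdin : output of `ss -ltn` or `ss -ltnH` (column 4 = local address:port)
#   stdout: each non-loopback address bound to PORT
#   status: 0 if only loopback listeners were seen, 1 otherwise
exposed_listeners() {
    awk -v port="$1" '
        {
            n = match($4, /:[0-9]+$/)          # last colon separates the port
            if (n == 0) next                   # header or malformed line
            addr = substr($4, 1, n - 1)
            if (substr($4, n + 1) != port) next
            gsub(/^\[|\]$/, "", addr)          # strip IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: before the JAVA_OPTS change (wildcard bind) ...
SS_BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:8080 *:*
LISTEN 0 128 *:80 *:*'
# ... and after it (loopback only).
SS_AFTER='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 [::ffff:127.0.0.1]:8080 *:*
LISTEN 0 128 *:80 *:*'

for sample in "$SS_BEFORE" "$SS_AFTER"; do
    if hits=$(printf '%s\n' "$sample" | exposed_listeners 8080); then
        echo "8080: loopback only"
    else
        echo "8080: reachable on: $hits"
    fi
done
# On a live host: ss -ltn | exposed_listeners 8080
```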
RHEL 7 / CentOS 7
Enable httpd for the firewall:

    # firewalld's predefined service for port 80 is named "http"
    firewall-cmd --permanent --zone public --add-service http
    firewall-cmd --reload

Let's encrypt
In order to add a free TLS certificate from Let's encrypt you will need to install the Let's encrypt client and modify the pdrone.conf file to allow requests for /.well-known to the local file system.

    DocumentRoot /var/www/html

    …

    ProxyPass /.well-known !
    ProxyPass / http://localhost:8080/ disablereuse=on

This will forward all requests for /.well-known to /var/www/html/.well-known, so Let's encrypt can be used with the webroot module on /var/www/html.
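The order of the two ProxyPass lines matters: Apache tries ProxyPass rules in configuration order and the first match wins, so the "!" exclusion has to come before the catch-all rule. The check below is an added example, not part of the original page; acme_route and the three sample configurations are constructed for illustration, and the matching is a simplified prefix model of ProxyPass.

```shell
#!/bin/sh
# Added example: which ProxyPass rule wins for an ACME challenge request?

# acme_route (hypothetical helper): reads an Apache vhost config on stdin, prints
#   "local"   if /.well-known/acme-challenge/ is served from DocumentRoot
#   "proxied" if it is forwarded to the backend.
# Simplified model: ProxyPass rules are tried in file order, the first path
# prefix that matches wins, and "!" as the target means "do not proxy".
acme_route() {
    awk -v req="/.well-known/acme-challenge/token" '
        /^[ \t]*#/ { next }                        # skip comments
        tolower($1) == "proxypass" && index(req, $2) == 1 {
            print ($3 == "!" ? "local" : "proxied")
            decided = 1
            exit
        }
        END { if (!decided) print "local" }        # no rule matched
    '
}

# Constructed samples. GOOD is the order shown on this page.
CONF_GOOD='DocumentRoot /var/www/html
ProxyPass /.well-known !
ProxyPass / http://localhost:8080/ disablereuse=on'

# Same directives, exclusion placed after the catch-all rule.
CONF_SWAPPED='DocumentRoot /var/www/html
ProxyPass / http://localhost:8080/ disablereuse=on
ProxyPass /.well-known !'

# The unmodified pdrone.conf rules, with no exclusion at all.
CONF_ORIGINAL='ProxyPass / http://localhost:8080/ disablereuse=on
ProxyPassReverse / http://localhost:8080/'

for name in GOOD SWAPPED ORIGINAL; do
    eval "conf=\$CONF_$name"
    printf '%-9s %s\n' "$name" "$(printf '%s\n' "$conf" | acme_route)"
done
```

With the swapped or original configuration, the challenge request reaches Package Drone instead of /var/www/html, and webroot validation fails.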