Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "PackageDrone/HowTo/ReverseProxy"
(add section for ubuntu) |
m (→RHEL 7 / CentOS 7) |
||
| (7 intermediate revisions by the same user not shown) | |||
| Line 6: | Line 6: | ||
=== Ubuntu 14.04 LTS === | === Ubuntu 14.04 LTS === | ||
| + | |||
| + | * Enable "proxy" and "deflate". Run as root:/ | ||
| + | <pre> | ||
| + | a2enmod proxy | ||
| + | a2enmod proxy_http | ||
| + | a2enmod deflate | ||
| + | </pre> | ||
* Create a new file: <code>/etc/apache2/sites-available/pdrone.conf</code> with the content of <tt>pdrone.conf</tt> (see below). | * Create a new file: <code>/etc/apache2/sites-available/pdrone.conf</code> with the content of <tt>pdrone.conf</tt> (see below). | ||
| − | * | + | * Activate site. Run as root: |
| − | + | <pre> | |
| + | a2ensite pdrone | ||
| + | /etc/init.d/apache2 reload | ||
| + | </pre> | ||
| + | |||
| + | == RHEL / CentOS == | ||
| + | |||
| + | === RHEL 7 / CentOS 7 === | ||
| + | |||
| + | yum install httpd mod_ssl | ||
| + | |||
| + | Create a new file - <code>/etc/httpd/conf.d/pdrone.conf</code> with the content of <tt>pdrone.conf</tt> (see below). | ||
| + | |||
| + | If you have SElinux enabled you might run into the following error message: | ||
| + | |||
| + | Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed | ||
| + | |||
| + | Execute the following command to allow the httpd server to make connections: | ||
| + | |||
| + | setsebool -P httpd_can_network_connect 1 | ||
| + | systemctl restart httpd | ||
== OpenSUSE == | == OpenSUSE == | ||
| Line 19: | Line 46: | ||
* Install Apache 2 -> <code>zypper install apache2</code> | * Install Apache 2 -> <code>zypper install apache2</code> | ||
* Start YAST and | * Start YAST and | ||
| − | + | ** Enable Apache 2 | |
| − | + | ** Enable modules: <code>proxy</code>, <code>mod_proxy_http</code> and optionally <code>deflate</code> and <code>filter</code> | |
| − | * Create a new file: <code>/etc/apache2/vhosts.d/pdrone.conf</code> (see below) | + | * Create a new file: <code>/etc/apache2/vhosts.d/pdrone.conf</code> (content see below) |
* Add <code>ProxyRequests Off</code> to <code>/etc/apache2/default-server.conf</code> | * Add <code>ProxyRequests Off</code> to <code>/etc/apache2/default-server.conf</code> | ||
| Line 29: | Line 56: | ||
<pre> | <pre> | ||
| − | |||
<VirtualHost *:80> | <VirtualHost *:80> | ||
| Line 70: | Line 96: | ||
</VirtualHost> | </VirtualHost> | ||
</pre> | </pre> | ||
| + | |||
| + | == Securing Package Drone == | ||
| + | |||
| + | === Localhost only === | ||
| + | |||
| + | Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080. | ||
| + | |||
| + | Edit the file <code>/etc/default/package-drone-server</code> and add <code>-Dorg.ops4j.pax.web.listening.addresses=localhost</code> to the <code>JAVA_OPTS</code> variable. | ||
| + | |||
| + | === RHEL 7 / CentOS 7 === | ||
| + | |||
| + | Enable <code>httpd</code> for the firewall: | ||
| + | |||
| + | firewall-cmd --permanent --zone public --add-service httpd | ||
| + | firewall-cmd --reload | ||
| + | |||
| + | === Let's encrypt === | ||
| + | |||
| + | In order to add a free TLS certificate from [https://letsencrypt.org Let's encrypt] you will need to install the Let's encrypt client and modify the <code>pdrone.conf</code> file to allow requests for <code>/.well-known</code> to the local file system. | ||
| + | |||
| + | DocumentRoot /var/www/html | ||
| + | |||
| + | … | ||
| + | |||
| + | ProxyPass /.well-known ! | ||
| + | ProxyPass / http://localhost:8080/ disablereuse=on | ||
| + | |||
| + | This will forward all requests for <code>/.well-known</code> to <code>/var/www/html/.well-known</code>. So Let's encrypt can be used with the webroot module on <code>/var/www/html</code>. | ||
Latest revision as of 06:00, 29 February 2016
This page describes a few ways on how to put a reverse proxy (like Apache, NGINX) in front of Package Drone so that the initial HTTP request is served by another HTTP server and then forwarded to Package Drone.
There are a few pros and cons for using a reverse proxy. If you want a reverse proxy, this is the page which describes how to do it.
Contents
Ubuntu
Ubuntu 14.04 LTS
- Enable "proxy" and "deflate". Run as root:/
a2enmod proxy a2enmod proxy_http a2enmod deflate
- Create a new file:
/etc/apache2/sites-available/pdrone.confwith the content of pdrone.conf (see below). - Activate site. Run as root:
a2ensite pdrone /etc/init.d/apache2 reload
RHEL / CentOS
RHEL 7 / CentOS 7
yum install httpd mod_ssl
Create a new file - /etc/httpd/conf.d/pdrone.conf with the content of pdrone.conf (see below).
If you have SElinux enabled you might run into the following error message:
Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed
Execute the following command to allow the httpd server to make connections:
setsebool -P httpd_can_network_connect 1 systemctl restart httpd
OpenSUSE
OpenSuse 13 & Apache
SUSE has probably two ways of doing this. I am not a SUSE-guy, so there may be an easier way ;-)
- Install Apache 2 ->
zypper install apache2 - Start YAST and
- Enable Apache 2
- Enable modules:
proxy,mod_proxy_httpand optionallydeflateandfilter
- Create a new file:
/etc/apache2/vhosts.d/pdrone.conf(content see below) - Add
ProxyRequests Offto/etc/apache2/default-server.conf
Files
pdrone.conf
<VirtualHost *:80>
ServerName your.server.name
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ disablereuse=on
ProxyPassReverse / http://localhost:8080/
ProxyTimeout 300
<Location />
Order allow,deny
Allow from all
</Location>
DefaultType None
<IfModule mod_filter.c>
<IfModule mod_deflate.c>
FilterDeclare gzip CONTENT_SET
FilterProtocol gzip change=yes;byteranges=no
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/html'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/plain'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/xml'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/css'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/javascript'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'application/javascript'"
FilterChain gzip
</IfModule>
</IfModule>
</VirtualHost>
Securing Package Drone
Localhost only
Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080.
Edit the file /etc/default/package-drone-server and add -Dorg.ops4j.pax.web.listening.addresses=localhost to the JAVA_OPTS variable.
RHEL 7 / CentOS 7
Enable httpd for the firewall:
firewall-cmd --permanent --zone public --add-service httpd firewall-cmd --reload
Let's encrypt
In order to add a free TLS certificate from Let's encrypt you will need to install the Let's encrypt client and modify the pdrone.conf file to allow requests for /.well-known to the local file system.
DocumentRoot /var/www/html … ProxyPass /.well-known ! ProxyPass / http://localhost:8080/ disablereuse=on
This will forward all requests for /.well-known to /var/www/html/.well-known. So Let's encrypt can be used with the webroot module on /var/www/html.