Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Difference between revisions of "PackageDrone/HowTo/ReverseProxy"
| Line 20: | Line 20: | ||
/etc/init.d/apache2 reload | /etc/init.d/apache2 reload | ||
</pre> | </pre> | ||
| + | |||
| + | == RHEL / CentOS == | ||
| + | |||
| + | === RHEL 7 / CentOS 7 === | ||
| + | |||
| + | |||
== OpenSUSE == | == OpenSUSE == | ||
| Line 80: | Line 86: | ||
</VirtualHost> | </VirtualHost> | ||
</pre> | </pre> | ||
| + | |||
| + | == Securing Package Drone == | ||
| + | |||
| + | === Localhost only === | ||
| + | |||
| + | Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080. | ||
| + | |||
| + | Edit the file <code>/etc/default/package-drone-server</code> and add <code>-Dorg.ops4j.pax.web.listening.addresses=localhost</code> to the <code>JAVA_OPTS</code> variable. | ||
| + | |||
| + | === RHEL 7 / CentOS 7 === | ||
| + | |||
| + | Enable <code>httpd</code> for the firewall: | ||
| + | |||
| + | firewall-cmd --permanent --zone public --add-service httpd | ||
| + | firewall-cmd --reload | ||
| + | |||
| + | === Let's encrypt === | ||
| + | |||
| + | In order to add a free TLS certificate from [https://letsencrypt.org Let's encrypt] you will need to install the Let's encrypt client and modify the <code>pdrone.conf</code> file to allow requests for <code>/.well-known</code> to the local file system. | ||
| + | |||
| + | DocumentRoot /var/www/html | ||
| + | |||
| + | … | ||
| + | |||
| + | ProxyPass /.well-known ! | ||
| + | ProxyPass / http://localhost:8080/ disablereuse=on | ||
| + | |||
| + | This will forward all requests for <code>/.well-known</code> to <code>/var/www/html/.well-known</code>. So Let's encrypt can be used with the webroot module on <code>/var/www/html</code>. | ||
Revision as of 07:46, 27 January 2016
This page describes a few ways on how to put a reverse proxy (like Apache, NGINX) in front of Package Drone so that the initial HTTP request is served by another HTTP server and then forwarded to Package Drone.
There are a few pros and cons for using a reverse proxy. If you want a reverse proxy, this is the page which describes how to do it.
Contents
Ubuntu
Ubuntu 14.04 LTS
- Enable "proxy" and "deflate". Run as root:/
a2enmod proxy a2enmod proxy_http a2enmod deflate
- Create a new file:
/etc/apache2/sites-available/pdrone.confwith the content of pdrone.conf (see below). - Activate site. Run as root:
a2ensite pdrone /etc/init.d/apache2 reload
RHEL / CentOS
RHEL 7 / CentOS 7
OpenSUSE
OpenSuse 13 & Apache
SUSE has probably two ways of doing this. I am not a SUSE-guy, so there may be an easier way ;-)
- Install Apache 2 ->
zypper install apache2 - Start YAST and
- Enable Apache 2
- Enable modules:
proxy,mod_proxy_httpand optionallydeflateandfilter
- Create a new file:
/etc/apache2/vhosts.d/pdrone.conf(content see below) - Add
ProxyRequests Offto/etc/apache2/default-server.conf
Files
pdrone.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName your.server.name
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ disablereuse=on
ProxyPassReverse / http://localhost:8080/
ProxyTimeout 300
<Location />
Order allow,deny
Allow from all
</Location>
DefaultType None
<IfModule mod_filter.c>
<IfModule mod_deflate.c>
FilterDeclare gzip CONTENT_SET
FilterProtocol gzip change=yes;byteranges=no
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/html'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/plain'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/xml'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/css'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'text/javascript'"
FilterProvider gzip DEFLATE "%{Content_Type} = 'application/javascript'"
FilterChain gzip
</IfModule>
</IfModule>
</VirtualHost>
Securing Package Drone
Localhost only
Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080.
Edit the file /etc/default/package-drone-server and add -Dorg.ops4j.pax.web.listening.addresses=localhost to the JAVA_OPTS variable.
RHEL 7 / CentOS 7
Enable httpd for the firewall:
firewall-cmd --permanent --zone public --add-service httpd firewall-cmd --reload
Let's encrypt
In order to add a free TLS certificate from Let's encrypt you will need to install the Let's encrypt client and modify the pdrone.conf file to allow requests for /.well-known to the local file system.
DocumentRoot /var/www/html … ProxyPass /.well-known ! ProxyPass / http://localhost:8080/ disablereuse=on
This will forward all requests for /.well-known to /var/www/html/.well-known. So Let's encrypt can be used with the webroot module on /var/www/html.