Difference between revisions of "PackageDrone/HowTo/ReverseProxy"
Line 20: | Line 20: | ||
/etc/init.d/apache2 reload | /etc/init.d/apache2 reload | ||
</pre> | </pre> | ||
+ | |||
+ | == RHEL / CentOS == | ||
+ | |||
+ | === RHEL 7 / CentOS 7 === | ||
+ | |||
+ | |||
== OpenSUSE == | == OpenSUSE == | ||
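Review bot: The new "RHEL / CentOS" and "RHEL 7 / CentOS 7" headings are added with nothing under them, so a reader on those systems lands on an empty section between Ubuntu and OpenSUSE. Either add the Apache install and module steps for RHEL 7 / CentOS 7 in this revision, or hold the headings back until that content exists.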
Line 80: | Line 86: | ||
</VirtualHost> | </VirtualHost> | ||
</pre> | </pre> | ||
+ | |||
+ | == Securing Package Drone == | ||
+ | |||
+ | === Localhost only === | ||
+ | |||
+ | Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080. | ||
+ | |||
+ | Edit the file <code>/etc/default/package-drone-server</code> and add <code>-Dorg.ops4j.pax.web.listening.addresses=localhost</code> to the <code>JAVA_OPTS</code> variable. | ||
+ | |||
+ | === RHEL 7 / CentOS 7 === | ||
+ | |||
+ | Enable <code>httpd</code> for the firewall: | ||
+ | |||
+ | firewall-cmd --permanent --zone public --add-service httpd | ||
+ | firewall-cmd --reload | ||
+ | |||
+ | === Let's encrypt === | ||
+ | |||
+ | In order to add a free TLS certificate from [https://letsencrypt.org Let's encrypt] you will need to install the Let's encrypt client and modify the <code>pdrone.conf</code> file to allow requests for <code>/.well-known</code> to the local file system. | ||
+ | |||
+ | DocumentRoot /var/www/html | ||
+ | |||
+ | … | ||
+ | |||
+ | ProxyPass /.well-known ! | ||
+ | ProxyPass / http://localhost:8080/ disablereuse=on | ||
+ | |||
+ | This will forward all requests for <code>/.well-known</code> to <code>/var/www/html/.well-known</code>. So Let's encrypt can be used with the webroot module on <code>/var/www/html</code>. |
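Review bot: In the RHEL 7 / CentOS 7 firewall step, `--add-service httpd` names the Apache daemon rather than a firewalld service; firewalld's predefined service for port 80 is `http`, so the line should read `firewall-cmd --permanent --zone public --add-service http`. In the Let's encrypt part, the closing sentence says requests for `/.well-known` are forwarded, but `ProxyPass /.well-known !` excludes that path from proxying so Apache serves it from the DocumentRoot; rewording it that way would also make clear why the exclusion has to stay above `ProxyPass /`.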
Revision as of 07:46, 27 January 2016
This page describes a few ways to put a reverse proxy (such as Apache or NGINX) in front of Package Drone, so that the initial HTTP request is served by another HTTP server and then forwarded to Package Drone.
There are a few pros and cons for using a reverse proxy. If you want a reverse proxy, this is the page which describes how to do it.
Ubuntu
Ubuntu 14.04 LTS
- Enable "proxy" and "deflate". Run as root:
    a2enmod proxy
    a2enmod proxy_http
    a2enmod deflate
- Create a new file /etc/apache2/sites-available/pdrone.conf with the content of pdrone.conf (see below).
- Activate site. Run as root:
    a2ensite pdrone
    /etc/init.d/apache2 reload
RHEL / CentOS
RHEL 7 / CentOS 7
OpenSUSE
OpenSuse 13 & Apache
SUSE has probably two ways of doing this. I am not a SUSE-guy, so there may be an easier way ;-)
- Install Apache 2:
    zypper install apache2
- Start YAST and
  - Enable Apache 2
  - Enable modules: proxy, mod_proxy_http and optionally deflate and filter
- Create a new file /etc/apache2/vhosts.d/pdrone.conf (content see below)
- Add ProxyRequests Off to /etc/apache2/default-server.conf
Files
pdrone.conf
    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerName your.server.name

        # Reverse proxy only: never act as a forward proxy
        ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        # Forward every request to Package Drone on local port 8080
        ProxyPass / http://localhost:8080/ disablereuse=on
        ProxyPassReverse / http://localhost:8080/
        ProxyTimeout 300

        <Location />
            Order allow,deny
            Allow from all
        </Location>

        DefaultType None

        # Compress text responses when mod_filter and mod_deflate are loaded
        <IfModule mod_filter.c>
            <IfModule mod_deflate.c>
                FilterDeclare gzip CONTENT_SET
                FilterProtocol gzip change=yes;byteranges=no
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/html'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/plain'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/xml'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/css'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'text/javascript'"
                FilterProvider gzip DEFLATE "%{Content_Type} = 'application/javascript'"
                FilterChain gzip
            </IfModule>
        </IfModule>
    </VirtualHost>
Securing Package Drone
Localhost only
Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080.
Edit the file /etc/default/package-drone-server and add -Dorg.ops4j.pax.web.listening.addresses=localhost to the JAVA_OPTS variable.
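To confirm the setting took effect after a restart, check which addresses port 8080 is bound to. The following is an added example, not part of the original page: a shell function (the name check_loopback_only is hypothetical) that reads `ss -ltn` output and flags any listener on the port that is not on a loopback address. It assumes `ss` from iproute2 on the live host; the sample listings are constructed.

```shell
#!/bin/sh
# Added example: verify that a port is bound to loopback addresses only.
# Reads `ss -ltn` output on stdin; column 4 is "Local Address:Port".
# Exit status: 0 = loopback only, 1 = reachable on another address,
#              2 = nothing is listening on the port.
check_loopback_only() {
    awk -v port="$1" '
        {
            la = $4
            n = split(la, parts, ":")
            if (parts[n] != port) next            # other port, or header line
            addr = substr(la, 1, length(la) - length(port) - 1)
            sub(/%.*$/, "", addr)                 # drop interface scope (%lo)
            gsub(/^\[|\]$/, "", addr)             # drop IPv6 brackets
            seen = 1
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print "exposed: " la
            bad = 1
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: Package Drone bound with listening.addresses=localhost.
sample_localhost() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      50     127.0.0.1:8080     0.0.0.0:*
LISTEN 0      50     [::1]:8080         [::]:*
EOF
}

# Constructed sample: default binding, port 8080 open on every interface.
sample_exposed() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      50     *:8080             *:*
EOF
}

# On a live host: ss -ltn | check_loopback_only 8080
sample_exposed | check_loopback_only 8080 || echo "8080 is not loopback-only"
```

A status of 2 usually means Package Drone is not running, so treat it as "not verified" rather than as a pass.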
RHEL 7 / CentOS 7
Enable httpd for the firewall (the firewalld service for port 80 is named http):
    firewall-cmd --permanent --zone public --add-service http
    firewall-cmd --reload
Let's encrypt
In order to add a free TLS certificate from Let's encrypt (https://letsencrypt.org) you will need to install the Let's encrypt client and modify the pdrone.conf file to allow requests for /.well-known to the local file system.
    DocumentRoot /var/www/html
    …
    ProxyPass /.well-known !
    ProxyPass / http://localhost:8080/ disablereuse=on
This excludes /.well-known from proxying, so requests for it are served from /var/www/html/.well-known instead of being forwarded to Package Drone. Let's encrypt can then be used with the webroot module on /var/www/html.