tech_documents:apache_reverse_proxy_centos8

Reverse Proxy using Apache on CentOS 8

This will install a Apache on CentOS 8 and use virtual hosts for reverse proxying. It includes fail2ban, SSH security, letsencrypt and auto updates.

Install CentOS 8 minimal with 2 CPU, 512MB+ RAM, 10GB+ storage, set FQDN, set static IP, enable NTP.

3.) After install if finished reboot → login → perform a “dnf update”.

Create limited user account and add to wheel group for sudo
useradd example_user && passwd example_user
usermod -aG wheel example_user
Install dependencies and vim
dnf install unzip wget vim

Logout of root and login using sudo user

Disallow root login over SSH
sudo vim /etc/ssh/sshd_config

then set 

PermitRootLogin no
Generate SSH key for sudo user on client computer (not the webserver)

To help keep things organized we'll create a keypair that is specific to the user and the remote sudo user+host.
https://www.ssh.com/ssh/keygen/ 

ssh-keygen -C "your_email@example.com" -f ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname -t ed25519

Record the private and public keys in a secure document for the webserver.
Copy the public key to the remote webserver. 

ssh-copy-id -i ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname.pub sudo_username@remote_hostname
sudo vim /etc/ssh/sshd_config

then set 

PasswordAuthentication no

Restart sshd 

sudo systemctl restart sshd

Login using SSH key 

ssh -i deployment_key.txt demo@192.237.248.66

https://www.tecmint.com/install-lamp-on-centos-8/ https://linuxize.com/post/how-to-install-php-on-centos-8/ https://www.linode.com/docs/web-servers/lamp/how-to-install-a-lamp-stack-on-centos-8/ https://www.linode.com/docs/web-servers/apache/how-to-install-and-configure-fastcgi-and-php-fpm-on-centos-8/ https://www.digitalocean.com/community/tutorials/how-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-ubuntu-18-04 https://certbot.eff.org/lets-encrypt/centosrhel8-apache.html

Install Apache

Configure hosts
sudo vim /etc/hosts

Add a line for your FQDN 

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.30  websrv01.domainname.com websrv01
sudo dnf install httpd httpd-tools mod_ssl
sudo systemctl enable httpd
sudo systemctl start httpd
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

Create Virtual Hosts

https://www.gonscak.sk/?p=401
https://ip-life.net/configuring-an-apache-reverse-proxy-for-multiple-domains/
https://stackoverflow.com/questions/25107654/how-to-configure-apache-server-to-talk-to-https-backend-server
Create a virtual host for each web domain that is going to sit behind this proxy.

Setup virtual host config files
sudo vim /etc/httpd/conf.d/site1.your_domain.conf

Add the following content. 

<VirtualHost *:80>
    ServerName subdomain.domain.com
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass / http://subdomain.domain.com/
    ProxyPassReverse / http://subdomain.domain.com/
</VirtualHost>

If you're back end servers have SSL/TLS setup already then change http to https. Make sure your proxy server trusts the SSL/TLS certificates.

Save and close the file when you are finished. Then check the Apache configuration file for any syntax errors: 

sudo httpd -t

You’ll see the following output: 

Output
Syntax OK
Disable Exposing Apache Server Info

https://www.if-not-true-then-false.com/2009/howto-hide-and-modify-apache-server-information-serversignature-and-servertokens-and-hide-php-version-x-powered-by/
This will help to prevent being the target of a an attack if you're running an out of date or vunerable release 

sudo vim /etc/httpd/httpd.conf

Add the following: 

ServerSignature Off
ServerTokens Prod

Finally, restart the Apache service to implement your changes: 

sudo systemctl restart httpd

delete the welconf.conf to disable the default apache welcome page. 

sudo rm /etc/httpd/conf.d/welcome.conf
Remove Default Access from httpd.conf

This is important as it would allow access to the /var/www/html path via HTTP. 

sudo vim /etc/httpd/conf/httpd.conf

Comment out the following: 

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>

<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
AllowOverride None
</Directory>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

Enable HTTPD to access network (SELinux) 

sudo setsebool -P httpd_can_network_connect on

Restart Apache 

sudo systemctl restart httpd

Target Host Modification

https://stackoverflow.com/questions/760283/apache-proxypass-how-to-preserve-original-ip-address/30784225#30784225
In the logs on the target web server it will show the IP of the proxy server making the request, not the IP of the original client. To fix this you need to add a setting to Apache on the TARGET WEB SERVERS, not the proxy server.

On CentOS 7 and 8 the remote_ip module is loaded by default. You'll need to add the option to httpd.conf 

sudo vim /etc/httpd/conf/httpd.conf

Add the following: 

RemoteIPHeader X-Forwarded-For

Restart Apache 

sudo systemctl restart httpd

Now the IP of the original client should show up in the application logs.

Letsencrypt

Install certbot
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

Generate local certificates 

sudo /usr/libexec/httpd-ssl-gencerts

Request and install certificates for virtual hosts 

sudo /usr/local/bin/certbot-auto --apache

When prompted enabled Redirect so all requests go over https

Enable autorenew via crontab 

echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null

OR... Certificate manually via CA

Enable SSL Apache

https://www.thesslstore.com/knowledgebase/ssl-generate/generate-csr-apache-web-server-using-openssl-v-2/ https://forums.centos.org/viewtopic.php?t=43230 https://www.getpagespeed.com/server-setup/ssl-directory

Install Mod SSL 

sudo dnf install mod_ssl
Create Private Key and CSR
openssl req -new -newkey rsa:4096 -nodes -keyout clientdata.haddentech.com.key -out clientdata.haddentech.com.csr

Move the files to your PKI folder 

sudo mv clientdata.haddentech.com.* /etc/pki/tls/private/

Set permissions on private key 

sudo chown root:root /etc/pki/tls/private/clientdata.haddentech.com.key
sudo chmod 600 /etc/pki/tls/private/clientdata.haddentech.com.key
sudo restorecon -RvF /etc/pki/tls/private/

Submit the CSR to your CA (public or private)

Copy the BASE64 certificate from your CA to your cert folder 

sudo vim /etc/pki/tls/certs/clientdata.haddentech.com.crt

Create the CA bundle associated with your certificate 

vim /etc/pki/tls/certs/clientdata.haddentech.com.ca-bundle

Paste the subordinate followed by the root BASE64 certificates

Edit the conf file for you website and change 

<VirtualHost *:443>
    ServerName clientdata.haddentech.com
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/clientdata.haddentech.com.crt
        SSLCertificateKeyFile /etc/pki/tls/private/clientdata.haddentech.com.key
        SSLCertificateChainFile /etc/pki/tls/certs/clientdata.haddentech.com.ca-bundle
        ....
        ....
        ....
    </VirtualHost>

Restart Apache 

sudo systemctl restart httpd

Note: if you are using your own internal CA you'll need to import the root and any intermediate certificates into your browsers/etc.

Automatic Updates for CentOS

https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/ 

sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf

Set: 

upgrade_type = security
download_updates = yes
system_name = (your system name)
emit_via = motd

Enable the auto-update timer 

sudo systemctl enable --now dnf-automatic.timer

fail2ban

https://idroot.us/install-fail2ban-centos-8/ https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04 

sudo dnf install fail2ban
Create a Jail for SSHd
sudo vim /etc/fail2ban/jail.d/sshd.local

Add the following: 

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled  = true
port     = ssh
logpath  = %(auditd_log)s
Create a Jail for Apache
sudo vim /etc/fail2ban/jail.d/apache.local

Add the following: 

[apache-auth]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s

[apache-badbots]
enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

[apache-noscript]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s

[apache-overflows]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2

[apache-nohome]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2

[apache-botsearch]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2

[apache-fakegooglebot]
enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>

[apache-modsecurity]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2

[apache-shellshock]
enabled = true
port    = http,https
logpath = %(apache_error_log)s
maxretry = 1
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status sshd
  • tech_documents/apache_reverse_proxy_centos8.txt
  • Last modified: 2022/01/12 06:12
  • by jacob.hydeman