Set up a reverse proxy in Linux

Setting up an Apache HTTP reverse proxy server in Linux requires the Apache 2.4 software and edits to some configuration file.

These instructions are only one example of how to set up a reverse proxy. You should consult your IT security department about the required protocols and security settings.

This procedure assumes the IXIASOFT CCMS Web Server was installed in /opt/ixiasoft/ccms. Apache version 2.4.x is installed with default installation paths, so configuration files are in the /etc/httpd/ folder.

  1. Make sure you have set the REVERSE_PROXY_SETUP parameter as true in the properties.txt file when installing IXIASOFT CCMS Web.
  2. Edit the configuration file for the Tomcat server /opt/ixiasoft/ccms/apache-tomcat-9.0.43/conf/catalina.properties.
  3. Add the following line at the end of the file if it doesn't exist:
    org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
  4. Edit the Tomcat server configuration file /opt/ixiasoft/ccms/apache-tomcat-9.0.43/conf/server.xml.
  5. Make sure <Connector> sections are set to listen only on the localhost (127.0.0.1) interface:
    <Connector port="8080" protocol="HTTP/1.1"
    address="127.0.0.1"
    ......other settings......
    connectionTimeout="20000"
    redirectPort="8443" />
  6. Restart the Tomcat service to apply the changes:
    # systemctl restart tomcat-ccms
  7. Download the required files:
    1. Go to the standard CentOS yum repository at # yum install httpd mod_ssl.
    2. Download the latest Apache 2.4 httpd and the required SSL module.
  8. Create a new file in the /etc/httpd/conf.d/ folder called reverse-proxy.conf with the following content, replacing webserver.acme.com with your server's FQDN address:
    ProxyRequests Off
    ProxyPreserveHost On
    RewriteEngine On
    RedirectMatch ^/$ https://webserver.acme.com/ixiasoft-ccms
    RewriteRule "^/oxygen-webapp/app/admin.html" - [R=403]
    ProxyPass "/ixiasoft-ccms" "http://127.0.0.1:8080/ixiasoft-ccms"
    ProxyPassReverse "/ixiasoft-ccms" "https://webserver.acme.com/ixiasoft-ccms"
    ProxyPass "/oxygen-webapp" "http://127.0.0.1:8080/oxygen-webapp"
    ProxyPassReverse "/oxygen-webapp" "https://webserver.acme.com/oxygen-webapp"
  9. Copy your server's SSL certificate files to the appropriate location on the server.
    For example, copy the certificates to /etc/pki/tls/certs/ and the key file in /etc/pki/tls/private/.
  10. Edit the /etc/httpd/conf.d/ssl.conf configuration file and make the following changes:
    1. Configure paths and proper names for your SSL certificates in the properties: SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile, if applicable.
    2. Replace the lines (near line #52 and #83) beginning with SSLCipherSuite, SSLProxyCipherSuite, SSLProtocol, and SSLProxyProtocol with the following:
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      
      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
      SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
    3. Uncomment the following line:
      SSLHonorCipherOrder on
    4. Add the following lines after the previous line:
      SSLCompression off 
      SSLSessionTickets off
    5. Add the following lines just before the <Virtualhost _default_:443> section:
      SSLUseStapling on
      SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
      In a large deployments, the 32868 value might need to be higher. Contact IXIASOFT for more information.
    6. Add the following line in the end of the file just before the </VirtualHost> line:
      Include conf.d/reverse-proxy.conf
  11. Restart the Apache httpd service to apply changes:
    # systemctl restart httpd