Set up a reverse proxy in Linux
Setting up an Apache HTTP reverse proxy server in Linux requires the Apache 2.4 software and edits to some configuration file.
These instructions are only one example of how to set up a reverse proxy. You should consult your IT security department about the required protocols and security settings.
This procedure assumes the IXIASOFT CCMS Web Server was installed in /opt/ixiasoft/ccms. Apache version 2.4.x is installed with default installation paths, so configuration files are in the /etc/httpd/ folder.
-
Make sure you have set the
REVERSE_PROXY_SETUP
parameter astrue
in the properties.txt file when installing IXIASOFT CCMS Web. - Edit the configuration file for the Tomcat server /opt/ixiasoft/ccms/apache-tomcat-9.0.67/conf/catalina.properties.
-
Add the following line at the end of the file if it doesn't
exist:
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
- Edit the Tomcat server configuration file /opt/ixiasoft/ccms/apache-tomcat-9.0.67/conf/server.xml.
-
Make sure
<Connector>
sections are set to listen only on thelocalhost (127.0.0.1)
interface:<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1" ......other settings...... connectionTimeout="20000" redirectPort="8443" />
-
Restart the Tomcat service to apply the changes:
# systemctl restart tomcat-ccms
-
Download the required files:
-
Go to the standard CentOS yum repository at
# yum install httpd mod_ssl
. - Download the latest Apache 2.4 httpd and the required SSL module.
-
Go to the standard CentOS yum repository at
-
Create a new file in the /etc/httpd/conf.d/ folder called reverse-proxy.conf with the following content, replacing
webserver.acme.com with your server's
FQDN address:
ProxyRequests Off ProxyPreserveHost On RewriteEngine On RedirectMatch ^/$ https://webserver.acme.com/ixiasoft-ccms RewriteRule "^/oxygen-webapp/app/admin.html" - [R=403] ProxyPass "/ixiasoft-ccms" "http://127.0.0.1:8080/ixiasoft-ccms" ProxyPassReverse "/ixiasoft-ccms" "https://webserver.acme.com/ixiasoft-ccms" ProxyPass "/oxygen-webapp" "http://127.0.0.1:8080/oxygen-webapp" ProxyPassReverse "/oxygen-webapp" "https://webserver.acme.com/oxygen-webapp"
-
Copy your server's SSL certificate files to the appropriate
location on the server.
For example, copy the certificates to /etc/pki/tls/certs/ and the key file in /etc/pki/tls/private/.
-
Edit the /etc/httpd/conf.d/ssl.conf configuration file and make the
following changes:
-
Configure paths and proper names for your SSL
certificates in the properties:
SSLCertificateFile
,SSLCertificateKeyFile
andSSLCertificateChainFile
, if applicable. -
Replace the lines (near line #52 and #83) beginning
with
SSLCipherSuite
,SSLProxyCipherSuite
,SSLProtocol
, andSSLProxyProtocol
with the following:SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
-
Uncomment the following line:
SSLHonorCipherOrder on
-
Add the following lines after the previous line:
SSLCompression off SSLSessionTickets off
-
Add the following lines just before the
<Virtualhost _default_:443>
section:SSLUseStapling on SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
In a large deployments, the 32868 value might need to be higher. Contact IXIASOFT for more information. -
Add the following line in the end of the file just
before the
</VirtualHost>
line:Include conf.d/reverse-proxy.conf
-
Configure paths and proper names for your SSL
certificates in the properties:
-
Restart the Apache httpd service to apply changes:
# systemctl restart httpd