Set up a reverse proxy in Linux

Setting up an Apache HTTP reverse proxy server in Linux requires the Apache 2.4 software and edits to some configuration file.

About this task

These instructions are only one example of how to set up a reverse proxy. You should consult your IT security department about the required protocols and security settings.

This procedure assumes the IXIA CCMS Web Server was installed in /opt/ixiasoft/ccms. Apache version 2.4.x is installed with default installation paths, so configuration files are in the /etc/httpd/ folder.

To set up a reverse proxy in Linux:

Procedure

  1. Confirm you have set the REVERSE_PROXY_SETUP parameter as true in the properties.txt file when installing IXIA CCMS Web.
  2. Edit the configuration file for the Tomcat server /opt/ixiasoft/ccms/apache-tomcat-9.0.89/conf/catalina.properties.
  3. Add the following line at the end of the file if it doesn't exist:
    org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
  4. Edit the Tomcat server configuration file /opt/ixiasoft/ccms/apache-tomcat-9.0.89/conf/server.xml.
  5. Confirm <Connector> sections are set to listen only on the localhost (127.0.0.1) interface:
    <Connector port="8080" protocol="HTTP/1.1"
    address="127.0.0.1"
    ......other settings......
    connectionTimeout="20000"
    redirectPort="8443" />
  6. Restart the Tomcat service to apply the changes:
    # systemctl restart tomcat-ccms
  7. Download the required files:
    1. Go to the standard CentOS yum repository at # yum install httpd mod_ssl.
    2. Download the latest Apache 2.4 httpd and the required SSL module.
  8. Create a new file in the /etc/httpd/conf.d/ folder called reverse-proxy.conf with the following content, replacing webserver.acme.com with your server's FQDN address:
    ProxyRequests Off
    ProxyPreserveHost On
    RewriteEngine On
    RedirectMatch ^/$ https://webserver.acme.com/ixiasoft-ccms
    RewriteRule "^/oxygen-webapp/app/admin.html" - [R=403]
    ProxyPass "/ixiasoft-ccms" "http://127.0.0.1:8080/ixiasoft-ccms"
    ProxyPassReverse "/ixiasoft-ccms" "https://webserver.acme.com/ixiasoft-ccms"
    ProxyPass "/oxygen-webapp" "http://127.0.0.1:8080/oxygen-webapp"
    ProxyPassReverse "/oxygen-webapp" "https://webserver.acme.com/oxygen-webapp"
  9. Copy your server's SSL certificate files to the appropriate location on the server.
    For example, copy certificates to /etc/pki/tls/certs/ and key file in /etc/pki/tls/private/.
  10. Edit the /etc/httpd/conf.d/ssl.conf configuration file and make the following changes:
    1. Configure paths and proper names for your SSL certificates in the properties: SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile, if applicable.
    2. Replace the lines (near line #52 and #83) beginning with SSLCipherSuite, SSLProxyCipherSuite, SSLProtocol, and SSLProxyProtocol with the following:
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      
      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
      SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
    3. Uncomment the following line:
      SSLHonorCipherOrder on
    4. Add the following lines after the previous line:
      SSLCompression off 
      SSLSessionTickets off
    5. Add the following lines just before the <Virtualhost _default_:443> section:
      SSLUseStapling on
      SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
      In a large deployments, the 32868 value might need to be higher. Contact MadCap Software for more information.
    6. Add the following line at the end of the file just before the </VirtualHost> line:
      Include conf.d/reverse-proxy.conf
  11. Restart the Apache httpd service to apply changes:
    # systemctl restart httpd