DigitalOcean Reverse Proxy: Difference between revisions

From Chorke Wiki
Jump to navigation Jump to search
Line 140: Line 140:


== Check Reverse Proxy ==
== Check Reverse Proxy ==
All configuration done! Right now need to check either your are able access <code>http://dev.chorke.org/init/</code> or not, instead of <code>http://dev.chorke.org:8304/init</code>. Then you should prevent direct access to <code>http://dev.chorke.org:8304/init</code>.
All configuration done! Right now need to check either your are able access <code>http://dev.chorke.org/init/</code> or not, instead of <code>http://dev.chorke.org:8304/init</code>. Then you should prevent direct access to <code>http://dev.chorke.org:8304/init</code>. All of the HTTP Port should be start with 83 and integration port 13.
 
<source lang="bash">
#http port prefix with 83
8300 for amqp web console
8301 for mqtt web console
8302 for ebis web console
8303 for fhir web console
8304 for init web console
</source>
 
<source lang="bash">
#mllp port prefix with 13
1300 for amqp web service
1301 for mqtt web service
1302 for ebis web service
1303 for fhir web service
1304 for init web service
</source>


== References ==
== References ==

Revision as of 20:14, 29 January 2019

Why Reverse Proxy

A reverse proxy is a type of proxy server that takes HTTP(S) requests and transparently distributes them to one or more backend servers. Reverse proxies are useful because many modern web applications process incoming HTTP requests using backend application servers which aren't meant to be accessed by users directly and often only support rudimentary HTTP features. You can use a reverse proxy to prevent these underlying application servers from being directly accessed. They can also be used to distribute the load from incoming requests to several different application servers, increasing performance at scale and providing fail-safeness. They can fill in the gaps with features the application servers don't offer, such as caching, compression, or SSL encryption too.

Prerequisites

  1. CentOS 7 Droplet with root/sudo access
  2. Apache 2 installed on your CentOS 7
  3. Optionally, the nano/vim text editor
yum install httpd
apachectl restart
systemctl status httpd
apachectl -t

Required Modules

The modules that are needed to use Apache as a reverse proxy include mod_proxy itself and several of its add-on modules, which extend its functionality to support different network protocols. Specifically, we will be using:

  1. mod_proxy, the main proxy module Apache module for redirecting connections; it allows Apache to act as a gateway to the underlying application servers.
  2. mod_proxy_http, which adds support for proxying HTTP connections.
  3. mod_proxy_balancer and mod_lbmethod_byrequests, which add load balancing features for multiple backend servers.


The command output will list all enabled Apache modules. The four lines you're looking for are the aforementioned module names:

httpd -M
# console output 
proxy_module (shared)
.... more ....
lbmethod_byrequests_module (shared)
.... more ....
proxy_balancer_module (shared)
proxy_http_module (shared)
.... more ....

In case the modules are not enabled, you can enable them by opening the /etc/httpd/conf.modules.d/00-proxy.conf with vi, vim or nano

Config Reverse Proxy

# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests Off
    AllowEncodedSlashes Off
    ServerName dev.chorke.org
    ServerAlias uat.chorke.org

    # proxy for amqp
    ProxyPass /amqp http://127.0.0.1:8300/amqp nocanon
    ProxyPassReverse /amqp http://127.0.0.1:8300/amqp

    # proxy for mqtt
    ProxyPass /mqtt http://127.0.0.1:8301/mqtt nocanon
    ProxyPassReverse /mqtt http://127.0.0.1:8301/mqtt

    # proxy for ebis
    ProxyPass /ebis http://127.0.0.1:8302/ebis nocanon
    ProxyPassReverse /ebis http://127.0.0.1:8302/ebis

    # proxy for fhir
    ProxyPass /fhir http://127.0.0.1:8303/fhir nocanon
    ProxyPassReverse /fhir http://127.0.0.1:8303/fhir

    # proxy for init
    ProxyPass /init http://127.0.0.1:8304/init nocanon
    ProxyPassReverse /init http://127.0.0.1:8304/init
</VirtualHost>

Restrict Reverse Proxy

# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests Off
    AllowEncodedSlashes Off
    ServerName dev.chorke.org
    ServerAlias uat.chorke.org

    <Proxy *>
        Order Deny,Allow
        Deny from all
        Allow from ::1
        Allow from 100.43.0
        Allow from 127.0.0.1
        Allow from 192.168.0
    </Proxy>

    # proxy for ebis
    ProxyPass /ebis http://127.0.0.1:8302/ebis nocanon
    ProxyPassReverse /ebis http://127.0.0.1:8302/ebis

    # proxy for fhir
    ProxyPass /fhir http://127.0.0.1:8303/fhir nocanon
    ProxyPassReverse /fhir http://127.0.0.1:8303/fhir

    # proxy for init
    ProxyPass /init http://127.0.0.1:8304/init nocanon
    ProxyPassReverse /init http://127.0.0.1:8304/init
</VirtualHost>

Restrict Proxy Location

# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests Off
    AllowEncodedSlashes Off
    ServerName dev.chorke.org
    ServerAlias uat.chorke.org

    # proxy for amqp
    ProxyPass /amqp http://127.0.0.1:8300/amqp nocanon
    ProxyPassReverse /amqp http://127.0.0.1:8300/amqp

    # proxy for mqtt
    ProxyPass /mqtt http://127.0.0.1:8301/mqtt nocanon
    ProxyPassReverse /mqtt http://127.0.0.1:8301/mqtt

    # proxy for ebis
    <Location /ebis>
        Order Deny,Allow
        Deny from all
        Allow from ::1
        Allow from 100.43.0
        Allow from 127.0.0.1
        Allow from 192.168.0
        ProxyPass http://127.0.0.1:8302/ebis nocanon
        ProxyPassReverse http://127.0.0.1:8302/ebis
    </Location>
</VirtualHost>

Check Apache Config

apachectl -t
# apachectl restart
systemctl restart httpd
# grant network connection to apache 
setsebool -P httpd_can_network_connect on

Check Reverse Proxy

All configuration done! Right now need to check either your are able access http://dev.chorke.org/init/ or not, instead of http://dev.chorke.org:8304/init. Then you should prevent direct access to http://dev.chorke.org:8304/init. All of the HTTP Port should be start with 83 and integration port 13.

 #http port prefix with 83
 8300 for amqp web console
 8301 for mqtt web console
 8302 for ebis web console
 8303 for fhir web console
 8304 for init web console
 #mllp port prefix with 13
 1300 for amqp web service
 1301 for mqtt web service
 1302 for ebis web service
 1303 for fhir web service
 1304 for init web service

References