John,

On 5/24/19 07:19, John Welsby wrote:
> Hi everyone, I am looking for some help configuring Apache Web
> Server as a reverse proxy.
>
> A little background: I have a Debian 9 (stretch) server at my
> home, running Nextcloud on Apache2. I have a static IP from my ISP,
> and a domain I own is pointed to it. I have forwarded ports 80 and
> 443 on my router to the LAN IP of my Debian server. Everything is
> configured and working, and I can access my Nextcloud instance at
> https://mydomain.com
>
> What I would like – and tell me if I'm barking up the wrong tree
> here – is a secure way of accessing different services on my home
> network from the internet. According to the material I have found,
> a reverse proxy is a good way of doing this.
>
> Put simply, I would like to be able to access my Nextcloud server
> at https://nextcloud.mydomain.com and the ability to add other
> services (on the same or different machines), such as
> https://email.mydomain.com or https://bittorrent.mydomain.com
>
> Can someone help me with the configuration required to do this?
> Also, does it defeat the purpose if the reverse proxy and the
> services I want to access are on the same machine?
>
> I have checked the documentation at
> https://httpd.apache.org/docs/2.4/vhosts/examples.html and there is
> a brief section on using virtual_host and mod_proxy together, but
> not enough detail for me to create my own configs.
>
> Here is my current Nextcloud configuration:
>
> <IfModule mod_ssl.c>
>   <VirtualHost _default_:443>
>     DocumentRoot /var/www/nextcloud
>     CustomLog /var/log/apache2/nc-access.log combined
>     ErrorLog /var/log/apache2/nc-error.log
>     SSLEngine on
>     #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
>     SSLCertificateFile /home/john/ssl/certificate.crt
>     #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
>     SSLCertificateKeyFile /home/john/ssl/private.key
>     <IfModule mod_rewrite.c>
>       RewriteEngine On
>       #RewriteBase /
>       RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
>       RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
>     </IfModule>
>   </VirtualHost>
>   <Directory /var/www/nextcloud/>
>     Options +FollowSymlinks
>     AllowOverride All
>     <IfModule mod_dav.c>
>       Dav off
>     </IfModule>
>     LimitRequestBody 0
>     SSLRenegBufferSize 10486000
>   </Directory>
> </IfModule>
>
> Any help is much appreciated.

It isn't clear whether you need proxying at all. What are the other
"services" and where are they running? For example, if you are running
your email service from httpd, then you don't need a proxy, just a
VirtualHost will get the job done.

Proxying local services is a completely legitimate use-case.

In general, using mod_proxy is the way to go for proxying HTTP(S).
Have a look at the documentation for mod_proxy which can do both
forward- and reverse-proxying using a number of protocols. You are
probably interested in mod_proxy_http which proxies (you guessed it)
HTTP. mod_proxy is a kind of "parent module" which also requires that
you enable a protocol-specific module as well, so you'd need to enable
both mod_proxy *and* mod_proxy_http for example.

Most mod_proxy configurations start with something simple like this:

  <VirtualHost *:443>
    ServerName email.mydomain.com
    SSLEngine on
    # (Other TLS configuration)

    ProxyPass / http://localhost:8888/
    ProxyPassReverse / http://localhost:8888/
  </VirtualHost>

The above would be appropriate if your email were hosted locally (to
the httpd server) over cleartext HTTP on port 8888.
If it's elsewhere on your network, then:

  ProxyPass / http://ip-or-local-hostname:port/
  ProxyPassReverse / http://ip-or-local-hostname:port/

If you want to use HTTPS on your local network segment (which I would
highly recommend), then you'll need to use https:// URLs and probably
configure some certificate trust using e.g. directives like
SSLProxyCACertificateFile in mod_ssl.

To get DNS working, you'll need to register email.mydomain.com,
nextcloud.mydomain.com, bittorrent.mydomain.com, etc. all as pointing
to the IP address of your router (probably) and then port-forward from
the router to the main http reverse-proxy, as you have things, now.

Remember to set a ServerName for each of your VirtualHosts and the
appropriate TLS key and certificate material for each one.

Hope that helps,
-chris
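
The layout discussed in this thread as one configuration, added here as an example (not part of the original message): Nextcloud stays a plain name-based VirtualHost, and the webmail host is reverse-proxied over HTTPS with the backend certificate verified. The backend name mail.lan.example, port 8443 and every certificate path are placeholders.

```apache
# Added example. Hostnames follow the thread; the backend address, port and
# all certificate paths are placeholders (assumptions).
# Needs mod_ssl, mod_proxy and mod_proxy_http
# (on Debian: a2enmod ssl proxy proxy_http).

# Reverse proxy only: keep forward proxying off so the server cannot be
# used as an open proxy.
ProxyRequests Off

# Nextcloud is served by this httpd itself, so no proxy is involved:
# a name-based VirtualHost with its own ServerName is enough.
<VirtualHost *:443>
    ServerName nextcloud.mydomain.com
    DocumentRoot /var/www/nextcloud

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/nextcloud.mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/example/nextcloud.mydomain.com.key
</VirtualHost>

# Webmail runs on another LAN host and is reached over HTTPS.
<VirtualHost *:443>
    ServerName email.mydomain.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/email.mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/example/email.mydomain.com.key

    # TLS from httpd to the backend.
    SSLProxyEngine on
    # CA that issued the backend's certificate.
    SSLProxyCACertificateFile /etc/ssl/example/lan-ca.pem
    # SSLProxyVerify defaults to "none"; without "require" the CA file
    # above is not enforced and any backend certificate is accepted.
    SSLProxyVerify require
    # Reject a certificate that does not match the name in the ProxyPass
    # URL, or that has expired.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass        / https://mail.lan.example:8443/
    ProxyPassReverse / https://mail.lan.example:8443/
</VirtualHost>
```

With both VirtualHosts on *:443, httpd selects one by the requested host name; a request for any other name falls through to whichever VirtualHost is defined first.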