Apache use ssl virtual host to reverse proxy to http

Documenting this partly for myself, but also for anyone else who wants to keep maintaining a single plain http virtual host and still offer it over ssl, by having the ssl vhost reverse proxy to the http one.

You need some basic ssl settings, which I tend to put in a separate file so all virtual hosts can share them.

tf=/etc/httpd/conf.d/all-ssl.cnf
touch "${tf}" ; chmod 0644 "${tf}" ; chown root:root "${tf}" ;
# quoting 'EOF' keeps the shell from expanding anything inside the heredoc
cat <<'EOF' > "${tf}"
SSLEngine on
# This only disables SSLv2/SSLv3, so TLSv1 and TLSv1.1 stay enabled.
# On a current httpd/openssl prefer:  SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# the !RC4 near the end already removes the EECDH+aRSA+RC4 entry listed earlier
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
</Directory>

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# SSLCertificateChainFile is deprecated since httpd 2.4.8; on newer builds the
# intermediates can simply be appended to the SSLCertificateFile instead.
SSLCertificateChainFile /etc/pki/tls/certs/chain-localhost.crt

SetEnvIf User-Agent ".*MSIE 4\.0b2.*"                 nokeepalive ssl-unclean-shutdown                 downgrade-1.0 force-response-1.0

LogLevel warn
ErrorLog logs/ssl_error_log
# combinedvhost is a custom LogFormat: define it with a LogFormat line (the Plex
# vhost further down this page has one) or use the stock "combined" format.
CustomLog logs/ssl_access_log combinedvhost

<Directory "/var/www/html/notfound/">
        AllowOverride None
        # httpd 2.2 syntax, still accepted on 2.4 through mod_access_compat;
        # the 2.4 form is:  Require all granted
        Order allow,deny
        Allow from all
</Directory>

# END OF FILE all-ssl.cnf
EOF

And the vhost file itself, which pulls the shared settings in with Include:

tf=/etc/httpd/conf.d/repo.conf
touch "${tf}" ; chmod 0644 "${tf}" ; chown root:root "${tf}" ;
cat <<'EOF' > "${tf}"
# reference:
# https://bgstack15.wordpress.com/2016/03/24/adding-adfs-integration-to-apache/
# ssl act as proxy: https://httpd.apache.org/docs/2.4/rewrite/proxy.html

#Listen 80 # not needed here in base C7 because this is provided in /etc/httpd/conf/httpd.conf
#Listen 443
<VirtualHost *:80>
ServerName repo1.int.example.com
# The trailing * makes this the catch-all for any Host header. The https vhost
# below relies on that, because ProxyPreserveHost passes the client's Host
# header through to this vhost unchanged.
ServerAlias *.int.example.com *
UseCanonicalName Off

DocumentRoot /var/www/html
Options +Indexes
IndexOptions IgnoreCase FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=*
</VirtualHost>

<VirtualHost *:443>

ServerName repo1.int.example.com:443
ServerAlias *.int.example.com

Include conf.d/all-ssl.cnf
# try the <proxy> stuff from https://bgstack15.wordpress.com/2017/10/12/adding-reverse-proxy-for-plex-to-apache-vhost/

# Who may use the proxy. This is only safe together with ProxyRequests Off
# below; with ProxyRequests On it would be an open forward proxy.
<Proxy *>
Order deny,allow
Allow from all
</Proxy>

# only needed when the backend URL is https://, harmless for http://
SSLProxyEngine On
# reverse proxy only: never act as a forward proxy for clients
ProxyRequests Off
ProxyPreserveHost On
# Loops back to this same server's port 80 vhost over plain http. The backend
# cannot tell the client used TLS unless it is told (needs mod_headers):
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / http://repo1.int.example.com/
ProxyPassReverse / http://repo1.int.example.com/

</VirtualHost>
EOF
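As an added example that is not part of the original post, here is a small Python 3 linter for the three settings above that decide whether this setup is safe: it parses vhost definitions and reports ProxyRequests On (an open forward proxy for whoever the <Proxy> block admits), an SSLProtocol that still allows SSLv3, TLSv1 or TLSv1.1, and a TLS vhost that proxies to http:// without setting X-Forwarded-Proto. It does not follow Include lines, so the constructed sample merges the all-ssl.cnf settings into each vhost; the "hardened" vhost and its port are made up for contrast.

```python
"""Added example (not code from the post): lint the security-relevant directives in
Apache vhost definitions like the ones above. Includes are not followed, so the
constructed sample below merges the shared SSL settings into each vhost."""
import re
import shlex

OPEN_TAG, CLOSE_TAG = re.compile(r"^<(\w+)\s*(.*?)>$"), re.compile(r"^</(\w+)>$")
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")  # what "all" means on a 2.4 build
CANON = {p.lower(): p for p in ("SSLv2",) + ALL}           # httpd matches names case-insensitively
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
F_OPEN_PROXY = "ProxyRequests On: forward proxy for whoever the <Proxy> block admits"
F_NO_PROTO = "TLS vhost proxies to http:// without RequestHeader set X-Forwarded-Proto"

def parse_vhosts(text):
    """Return [(vhost_args, [(directive, args), ...])]; directives inside nested
    <Proxy>/<Directory>/<Location> blocks are folded into the enclosing vhost."""
    stack, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_TAG.match(line)
        if m:
            stack.append(m.group(1).lower())
            if stack[-1] == "virtualhost":
                current = (m.group(2).strip(), [])
                vhosts.append(current)
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if not stack or stack.pop() != m.group(1).lower():
                raise ValueError("unbalanced " + line)
            if m.group(1).lower() == "virtualhost":
                current = None
            continue
        parts = shlex.split(line)            # honours "quoted args"
        if current is not None:
            current[1].append((parts[0].lower(), parts[1:]))
    if stack:
        raise ValueError("unclosed <%s>" % stack[-1])
    return vhosts

def enabled_protocols(tokens):
    """SSLProtocol semantics: 'all', then +name/-name applied in order (bare name = +name)."""
    enabled = set()
    for tok in tokens:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        for n in (ALL if name.lower() == "all" else (CANON.get(name.lower(), name),)):
            (enabled.add if op == "+" else enabled.discard)(n)
    return enabled

def audit_vhost(directives):
    """Findings for one vhost's flattened directive list."""
    args_of = lambda name: [a for n, a in directives if n == name]
    is_on = lambda name: any(a and a[0].lower() == "on" for a in args_of(name))
    findings = [F_OPEN_PROXY] if is_on("proxyrequests") else []
    for a in args_of("sslprotocol"):
        bad = sorted(enabled_protocols(a) & LEGACY)
        if bad:
            findings.append("SSLProtocol still allows " + ", ".join(bad))
    plain = any(len(a) > 1 and a[1].lower().startswith("http://") for a in args_of("proxypass"))
    told = any(len(a) > 2 and (a[0].lower(), a[1].lower()) == ("set", "x-forwarded-proto")
               for a in args_of("requestheader"))
    if is_on("sslengine") and plain and not told:
        findings.append(F_NO_PROTO)
    return findings

def audit(text):
    """[(label, findings)] per vhost; label is ServerName when set, else the <VirtualHost> args."""
    out = []
    for args, directives in parse_vhosts(text):
        names = [a[0] for n, a in directives if n == "servername" and a]
        out.append((names[0] if names else args, audit_vhost(directives)))
    return out

# Constructed sample: the repo vhost from this post with all-ssl.cnf merged in,
# plus a made-up hardened variant. Hostnames are the post's example names.
SAMPLE = """
<VirtualHost *:443>
  ServerName repo1.int.example.com:443
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  <Proxy *>
    Require all granted
  </Proxy>
  ProxyRequests Off
  ProxyPass / http://repo1.int.example.com/
</VirtualHost>
<VirtualHost *:9443>
  ServerName hardened.int.example.com
  SSLEngine on
  SSLProtocol -all +TLSv1.2 +TLSv1.3
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / http://repo1.int.example.com/
</VirtualHost>
"""

if __name__ == "__main__":
    for label, findings in audit(SAMPLE):
        print(label, "->", "; ".join(findings) or "no findings")
```

Run against the sample, the repo vhost gets two findings (TLSv1/TLSv1.1 still enabled, backend not told about TLS) and the hardened one gets none; feeding it a vhost with ProxyRequests On adds the open-proxy finding. Point it at a real file only after merging whatever the vhost Includes, or it will miss the SSLProtocol line.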

Ansible find first accessible proxy and use it

If a play needs an http proxy and several candidates exist, a short python script can discover the first reachable one, and the play can hand it to the process through the http_proxy environment variable. Two Ansible details shape the play below: a task skipped by its `when` never evaluates `failed_when`, so the "no proxy found" check is its own `fail` task; and `default(omit)` only omits a value when it is the whole value, not when it is embedded in a longer string, so the environment line is built only after http_proxy is known to exist.

https://gitlab.com/bgstack15/former-gists/tree/master/get_first_open_port.py

vars:
  http_proxies:
  - 192.168.1.5:3128
  - proxy5.internal.example.com:3128

tasks:

  - name: learn which proxy to use
    script: get_first_open_port.py {{ http_proxies | join( " " ) }}
    changed_when: false
    register: open_ports

  - name: stop when no proxy answered
    fail:
      msg: "none of {{ http_proxies | join(', ') }} accepted a connection"
    when: "open_ports.stdout | length == 0"

  - set_fact:
      http_proxy: "{{ open_ports.stdout_lines[0] }}"

  - name: use http_proxy environment variable
    script: script_needing_internet.sh -i {{ inputvar }}
    environment:
      http_proxy: "http://{{ http_proxy }}"

The script's only output is the first host:port that accepted a TCP connection; when none does it prints nothing and still exits 0, which is why the play tests stdout rather than the return code. A bare connect test only proves that something is listening on that port, not that it is a working proxy.

#!/usr/bin/python2
# Filename: get_first_open_port.py
# Location: /etc/ansible/roles/install_sccm/files/
# Author: bgstack15
# Startdate: 2018-10-02 10:13
# Title: Script that Gets the First Open Port
# Purpose: Return to standard output the first valid host and port to use as a http proxy
# Project: projects derived from ansible role certreq
# History:
# Usage:
#    in ansible
# Reference:
#    https://stackoverflow.com/questions/19196105/python-how-to-check-if-a-network-port-is-open-on-linux
#    string split https://stackoverflow.com/questions/6670290/split-string-into-different-variables-instead-of-array-in-python
# Improve:
# Documentation:
from __future__ import print_function   # same source runs under python2 and python3

import socket, sys
from contextlib import closing

GFOP_VERSION="2018-10-02a"

def check_socket(host, port):
   """Print host:port and return True if a TCP connect succeeds within 2 seconds.
   Only proves something is listening there, not that it is an http proxy."""
   with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
      sock.settimeout(2)
      try:
         if sock.connect_ex((host,port)) == 0:
            print(host + ":" + str(port))
            return True
      except socket.error:
         # connect_ex only returns codes for connect() failures; an unresolvable
         # hostname raises instead, and must not abort the whole search
         pass
   return False

# show version
if "--version" in sys.argv[1:] or "-V" in sys.argv[1:]:
   print(sys.argv[0]+" "+GFOP_VERSION)
   sys.exit(0)

# sys.argv[1:] skips the script $0 name itself
for myarg in sys.argv[1:]:
   # split on the last colon, so "host:port" still parses if the host part contains colons
   host, port = myarg.rsplit(":", 1)
   # short-circuit upon first successful one
   if check_socket(host, int(port)):
      sys.exit(0)
# nothing answered: print nothing and exit 0, so the caller decides from stdout
sys.exit(0)
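As an added Python 3 example (not the post's script), here is a stricter probe that picks the first candidate that actually answers an HTTP request in proxy form, rather than the first port that merely accepts a TCP connection; a stale daemon or a firewall that accepts and drops would satisfy connect_ex() and then break every download routed through it. The fake listeners and the refused port are constructed stand-ins so the block runs offline; the candidate names are made up.

```python
"""Added example, not the post's script: pick the first candidate that answers
HTTP to a proxy-form request, instead of the first open TCP port. The listeners
below are constructed stand-ins so this runs without a real squid."""
import socket
import threading
from contextlib import closing

# Proxy-form request line (absolute URL): what a client honouring http_proxy sends.
PROBE = (b"HEAD http://example.invalid/ HTTP/1.1\r\n"
         b"Host: example.invalid\r\nConnection: close\r\n\r\n")


def split_hostport(spec):
    """'host:port' -> (host, port). Splitting on the last colon keeps entries
    like '[::1]:3128' parseable, which split(':') would break."""
    host, sep, port = spec.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("expected host:port, got %r" % (spec,))
    return host.strip("[]"), int(port)


def answers_http(host, port, timeout=2.0):
    """True if the endpoint accepts the connection AND replies with an HTTP status
    line. Unresolvable names, refused connections and silence all count as 'no'
    rather than raising into the caller."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)) as sock:
            sock.sendall(PROBE)
            reply = sock.recv(64)
    except OSError:     # socket.timeout and socket.gaierror are OSError subclasses
        return False
    return reply.startswith(b"HTTP/1.")


def first_working_proxy(candidates, timeout=2.0):
    """Return the first 'host:port' that answers, in the order given, else None.
    Order is trust order: whichever candidate wins sees every request that the
    play later routes through it."""
    for spec in candidates:
        host, port = split_hostport(spec)
        if answers_http(host, port, timeout):
            return spec
    return None


# --- constructed stand-ins for testing offline ------------------------------

def fake_listener(reply):
    """One-shot listener on 127.0.0.1; reply=None models a port that accepts the
    connection and then hangs up without speaking HTTP. Returns 'host:port'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        with closing(srv):
            conn, _ = srv.accept()
            with closing(conn):
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)
                    if reply is not None:
                        conn.sendall(reply)
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return "127.0.0.1:%d" % port


def refused_port():
    """Bind without listen(): connects are refused while the socket is alive.
    Returns (socket, 'host:port'); keep the socket referenced until done."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, "127.0.0.1:%d" % s.getsockname()[1]


def demo():
    """Candidates in the order an inventory might list them: dead, half-dead, live.
    Returns (chose_the_live_one, chosen_spec)."""
    keep, dead = refused_port()
    silent = fake_listener(None)
    live = fake_listener(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
    chosen = first_working_proxy([dead, silent, live])
    keep.close()
    return chosen == live, chosen


if __name__ == "__main__":
    print(demo())
```

Any HTTP status counts as an answer, including 403 or 502 for the unreachable example.invalid host: the point is that the endpoint speaks HTTP at all, which the connect test cannot tell you. Dropped into the play above, the script would print the chosen spec and otherwise nothing, exactly as the original does.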

Quick script to purge URL from squid proxy

If squid.conf grants you permission, a quick script is all it takes to purge URLs. I use this for flushing local files I am developing and downloading to clients over http.

tf=/usr/local/bin/purge
touch "${tf}" ; chmod 0755 "${tf}"
# cat, not echo: echo ignores its stdin and would leave the file empty.
# 'EOF' is quoted so "$@" survives into the script instead of expanding now.
cat <<'EOF' > "${tf}"
#!/bin/sh
# Ask the local squid to drop each URL given on the command line from its cache.
for word in "$@" ;
do
   squidclient -h localhost -r -p 3128 -m PURGE "${word}"
done
EOF

For squid, I am using a few lines to allow purging. They go before the general http_access rules, because squid applies the first rule that matches, and the explicit deny keeps anyone other than localhost from evicting entries from your cache:

acl PURGE method PURGE
http_access allow PURGE localhost
http_access deny PURGE

Then you can call it:

purge http://example.com/url1 http://example.com/url2 http://example.com/url3

Install openssl-1.1.0 on CentOS7

I really wanted the -proxy flag on the openssl s_client command. It is not available in the openssl package CentOS 7 provides (the 1.0.x series), but it is in 1.1.0, which is now the base package in Fedora. Enterprise Linux users need to do a little bit of work to get it.

Download a pre-compiled package

You could just download the package from my copr. Save the contents of the .repo file [copr.fedorainfracloud.org] or use them from here.

[bgstack15-stackrpms]
name=Copr repo for stackrpms owned by bgstack15
baseurl=https://copr-be.cloud.fedoraproject.org/results/bgstack15/stackrpms/epel-7-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/bgstack15/stackrpms/pubkey.gpg
repo_gpgcheck=0
enabled=1
enabled_metadata=1

Install with:

yum install openssl110

The binary is installed under the name openssl110, so it does not shadow the system openssl.

Download and compile the source

wget https://www.openssl.org/source/openssl-1.1.0i.tar.gz
# openssl.org publishes openssl-1.1.0i.tar.gz.sha256 and .asc beside the tarball;
# check the download against them before compiling and installing it as root
tar -zxf openssl-1.1.0i.tar.gz
cd openssl-1.1.0i
./config
make
sudo make install
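The step the procedure above skips is verifying the tarball before it is built and installed as root. As an added Python 3 example (not from the original post), this checks a download against the digest file published next to it; the stronger check is `gpg --verify` on the .asc signature, which this does not replace. The tarball contents, the digest file and the temporary directory in the demo are constructed so the block runs offline.

```python
"""Added example (not from the original post): verify a downloaded tarball against
the .sha256 file published beside it before running ./config && make."""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 rather than reading a whole tarball into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_digest_file(text):
    """Accept a bare hex digest (openssl.org style) or sha256sum's 'digest  filename'."""
    fields = text.strip().split()
    if not fields:
        raise ValueError("empty digest file")
    digest = fields[0].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest: %r" % (digest,))
    return digest


def verify_tarball(tarball_path, digest_path):
    """True only when the tarball's digest equals the published one; the
    constant-time compare is a habit worth keeping for any digest check."""
    with open(digest_path) as fh:
        expected = parse_digest_file(fh.read())
    return hmac.compare_digest(sha256_of_file(tarball_path), expected)


def demo():
    """Constructed tarball + digest in a temp dir; returns (intact_ok, tampered_ok)."""
    d = tempfile.mkdtemp()
    tarball = os.path.join(d, "openssl-1.1.0i.tar.gz")   # name only, contents are made up
    with open(tarball, "wb") as fh:
        fh.write(b"not a real tarball, constructed for the example\n" * 100)
    digest = tarball + ".sha256"
    with open(digest, "w") as fh:
        fh.write(sha256_of_file(tarball) + "\n")
    intact = verify_tarball(tarball, digest)
    with open(tarball, "ab") as fh:      # tamper after the digest was "published"
        fh.write(b"\x00")
    tampered = verify_tarball(tarball, digest)
    return intact, tampered


if __name__ == "__main__":
    print("intact: %s, tampered: %s" % demo())
```

For the real download, fetch both files from the same site and call verify_tarball on them; only untar on True.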

To prevent an error that resembles:

/usr/local/bin/openssl version
/usr/local/bin/openssl: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory

You have to provide the library files in a directory that the dynamic linker is looking in. There are multiple ways to tackle this.

Option 1: update library path

Add the directory containing libcrypto.so.1.1 and libssl.so.1.1 to the LD_LIBRARY_PATH environment variable. This lasts only for the current shell and whatever inherits the variable from it.

export LD_LIBRARY_PATH=/usr/local/lib64:${LD_LIBRARY_PATH}

Option 2: move library files to lib directory

Or move the two shared objects into the main library directory. On an x86_64 system, that would be:

cd /usr/local/lib64
mv libcrypto.so.1.1 libssl.so.1.1 /usr/lib64/

Files moved this way are unknown to rpm and no longer under /usr/local, so this is the least tidy of the options; the usual alternative is a one-line file under /etc/ld.so.conf.d naming /usr/local/lib64, followed by ldconfig, which makes Option 1 permanent without touching /usr/lib64.

References

Weblinks

Internet search openssl s_client http proxy [duckduckgo.com]
openssl s_client using a proxy [stackoverflow.com]
How to update openssl 1.1.0 in Centos 6.9/7.0 [linuxscriptshub.com]

Adding Reverse Proxy for Plex to Apache vhost

Introduction

It is easy to find apache vhost definitions for reverse proxying plex traffic.
What this post shows is how to include the parts needed to reverse proxy to plex in an existing vhost. Why would you need this? I don’t know. I did, and it was as easy as adding a few bits to represent the web address.

Adding reverse proxy for plex to Apache vhost

So in your vhost, add these lines:

        # ProxyRequests Off keeps this a reverse proxy, so the permissive <Proxy *>
        # does not turn the vhost into an open forward proxy for anyone who finds it.
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ProxyRequests Off
        ProxyPass               /web/   http://www.ipa.example.com:32400/web/
        ProxyPassReverse        /web/   http://www.ipa.example.com:32400/web/
        <LocationMatch '^/web\/.*$'>
                # only truthful when clients really reach this vhost over https
                RequestHeader set Front-End-Https "On"
        </LocationMatch>
        # Send browsers (anything not identifying itself as a Plex client) from / to /web/.
        # These lines belong outside the /web/ LocationMatch: inside it the
        # REQUEST_URI !^/web condition can never be true, so the rule never fires.
        RewriteEngine On
        RewriteCond     %{REQUEST_URI}          !^/web
        RewriteCond     %{HTTP:X-Plex-Device}   ^$
        RewriteCond     %{REQUEST_METHOD}       !^(OPTIONS)$
        RewriteRule     ^/$     /web/   [R,L]

So the difference between this snippet and a separate vhost definition is that you ProxyPass only the /web/ location over to your Plex media server; everything else in the vhost keeps being served as before.

<VirtualHost 192.168.1.14:180>

	ServerName	example.no-ip.biz:80
	ServerAlias	example.no-ip.biz example www www.ipa.example.com
	ServerAdmin	bgstack15@gmail.com

	DocumentRoot	/var/www

	Options +Indexes
	IndexOptions IgnoreCase FancyIndexing FoldersFirst NameWidth=* DescriptionWidth=*
	IndexIgnore FOOTER.html repodata favicon.ico favicon.png
	ReadmeName FOOTER.html
	DirectoryIndex index.php index.html index.htm
	ServerSignature Off

	SetEnvIf Request_URI "ignoredfile.html" dontlog
	LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedvhost
	CustomLog logs/access_log combinedvhost env=!dontlog

	# Useful additions for a mirror server
	AddIcon /icons/rpm.png          .rpm
	AddIcon /icons/deb.png          .deb
	AddIcon /icons/repo.png         .repo
	AddType application/octet-stream .iso

	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
	BrowserMatch ^Mozilla/4 gzip-only-text/html
	BrowserMatch ^Mozilla/4\.0[678] no-gzip
	BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

	TraceEnable off
	<FilesMatch "\.acl$">
		Deny from All
	</FilesMatch>
	<Directory "/var/www/example">
		AllowOverride None
		Order allow,deny
		Allow from all
		Options Indexes FollowSymLinks
	</Directory>
 
       # Allows "centos.example.no-ip.biz" redirection to "example.no-ip.biz/centos" behavior
# RewriteEngine On
# RewriteCond %{HTTP_HOST} ^([^.]*)\.example\.no-ip\.biz$
# RewriteRule /(.*) http://example.no-ip.biz/%1/$1 [R,L]

	# reference: welcome.conf, reverseproxyforplex.conf
	# reference: http://matt.coneybeare.me/how-to-map-plex-media-server-to-your-home-domain/
	# Only /web/ is proxied to Plex; ProxyRequests Off keeps this a reverse proxy,
	# so the permissive <Proxy *> does not make the vhost an open forward proxy.
	<Proxy *>
		Order deny,allow
		Allow from all
	</Proxy>
	ProxyRequests Off
	ProxyPass		/web/	http://www.ipa.example.com:32400/web/
	ProxyPassReverse	/web/	http://www.ipa.example.com:32400/web/
	<LocationMatch '^/web\/.*$'>
		# only truthful when clients really reach this vhost over https
		RequestHeader set Front-End-Https "On"
	</LocationMatch>
	# Send browsers (anything not identifying itself as a Plex client) from / to /web/.
	# Kept outside the /web/ LocationMatch: inside it the REQUEST_URI !^/web
	# condition could never be true and the rule would never fire.
	RewriteEngine On
	RewriteCond	%{REQUEST_URI}		!^/web
	RewriteCond	%{HTTP:X-Plex-Device}	^$
	RewriteCond	%{REQUEST_METHOD}	!^(OPTIONS)$
	RewriteRule	^/$	/web/	[R,L]

</VirtualHost>

References

Weblinks

  1. http://matt.coneybeare.me/how-to-map-plex-media-server-to-your-home-domain/