Set up a reverse proxy in Linux

Setting up an Apache HTTP reverse proxy server in Linux requires the Apache 2.4 software and edits to several configuration files.

These instructions are only one example of how to set up a reverse proxy. You should consult your IT security department about the required protocols and security settings.

This procedure assumes the IXIASOFT CCMS Web Server was installed in /opt/ixiasoft/ccms. Apache version 2.4.x is installed with default installation paths, so configuration files are in the /etc/httpd/ folder.

  1. Download the required files:
    1. Use the standard CentOS yum repository:
      # yum install httpd mod_ssl
    2. Download the latest Apache 2.4 httpd and the required SSL module.
  2. Make sure that mod_proxy and mod_proxy_http are enabled in the Apache configuration file: /etc/httpd/conf.modules.d/00-proxy.conf
  3. Create a new file in the /etc/httpd/conf.d/ folder called reverse-proxy.conf with the following content, replacing webserver.acme.com with your server's FQDN address:
    ProxyRequests Off
    ProxyPreserveHost On
    RewriteEngine On
    RedirectMatch ^/$ https://webserver.acme.com/ixiasoft-ccms
    RewriteRule "^/oxygen-webapp/app/admin.html" - [R=403]
    ProxyPass "/ixiasoft-ccms" "http://127.0.0.1:8080/ixiasoft-ccms"
    ProxyPassReverse "/ixiasoft-ccms" "https://webserver.acme.com/ixiasoft-ccms"
    ProxyPass "/oxygen-webapp" "http://127.0.0.1:8080/oxygen-webapp"
    ProxyPassReverse "/oxygen-webapp" "https://webserver.acme.com/oxygen-webapp"
    ProxyPass "/license-servlet" "http://127.0.0.1:8080/license-servlet" 
    ProxyPassReverse "/license-servlet" "https://webserver.acme.com/license-servlet"
    Header add X-Frame-Options "SAMEORIGIN"
    Header add X-XSS-Protection "1; mode=block"
  4. Copy your server's SSL certificate files to the appropriate location on the server.
    For example, copy the certificates to /etc/pki/tls/certs/ and the key file to /etc/pki/tls/private/.
  5. Edit the /etc/httpd/conf.d/ssl.conf configuration file and make the following changes:
    1. Install SSL certificates in the place where httpd can access them.
      For example, put certificates in /etc/pki/tls/certs/ and the key file in /etc/pki/tls/private/.
    2. Configure paths and proper names for your SSL certificates in the properties: SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile, if applicable.
    3. Replace the lines (near line #52 and #83) beginning with SSLCipherSuite, SSLProxyCipherSuite, SSLProtocol, and SSLProxyProtocol with the following:
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      
      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
      SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
    4. Uncomment the following line:
      SSLHonorCipherOrder on
    5. Add the following lines after the previous line:
      SSLCompression off 
      SSLSessionTickets off
    6. Add the following lines just before the <Virtualhost _default_:443> section:
      SSLUseStapling on
      SSLStaplingCache "shmcb:/run/httpd/ssl_stapling(32768)"
      In a large environment the 32768 value might need to be higher. Contact IXIASOFT for more information.
    7. Add the following line at the end of the file just before the </VirtualHost> line:
      Include conf.d/reverse-proxy.conf
  6. Restart the Apache httpd service to apply changes:
    # systemctl restart httpd
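
The ssl.conf edits from step 5 can be checked before httpd is restarted. The script below is an added example, not part of the original procedure: the function names and the sample file are constructed for illustration, and it recognises only the "all -X" form of SSLProtocol used above.

```bash
#!/usr/bin/env bash
# Added example: audit ssl.conf for the directives set in step 5 of this procedure.

# Value of the last uncommented occurrence of directive $2 in file $1.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# Print one FAIL line per finding; return 0 only if there are none.
audit_ssl_conf() {
    local conf=$1 rc=0 d p v want
    for d in SSLProtocol SSLProxyProtocol; do
        v=$(directive_value "$conf" "$d")
        for p in SSLv3 TLSv1 TLSv1.1; do
            # Only the "all -X" form used on this page is recognised.
            case " $v " in *" -$p "*) ;; *) echo "FAIL: $d does not disable $p"; rc=1 ;; esac
        done
    done
    for d in SSLCipherSuite SSLProxyCipherSuite; do
        v=$(directive_value "$conf" "$d")
        # A list that was wrapped when pasted is empty, has spaces, or ends in - or :
        case "$v" in ""|*" "*|*-|*:) echo "FAIL: $d is missing or wrapped"; rc=1 ;; esac
    done
    for want in SSLHonorCipherOrder=on SSLCompression=off SSLSessionTickets=off SSLUseStapling=on; do
        d=${want%%=*}
        v=$(directive_value "$conf" "$d" | tr 'A-Z' 'a-z')
        [ "$v" = "${want#*=}" ] || { echo "FAIL: $d should be ${want#*=}"; rc=1; }
    done
    grep -Eq '^[[:space:]]*Include[[:space:]]+conf\.d/reverse-proxy\.conf' "$conf" ||
        { echo "FAIL: reverse-proxy.conf is not included"; rc=1; }
    return $rc
}

# Constructed sample: honor-order still commented out, cipher list wrapped mid-name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-
AES128-GCM-SHA256
SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384
#SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
EOF
audit_ssl_conf "$sample" || true
rm -f "$sample"
```

To audit the real file, replace "$sample" in the audit_ssl_conf call with /etc/httpd/conf.d/ssl.conf.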