Apache Reverse Proxy Vhost Examples

For certain projects I use Nginx or Apache as a reverse proxy in front of back-end web servers. Nginx is lighter and faster, but Apache is the Swiss Army knife of web servers and has just about every feature you could need.

Here are a couple of examples of Apache reverse proxy vhosts.

TLS on the front, TLS to the back-end origin:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    # allow mod_proxy to open TLS connections to an https:// origin
    SSLProxyEngine on
    # pass the client's Host header through; WordPress and friends build URLs from it
    ProxyPreserveHost On
    ProxyPass / https://192.10.2.11:443/
    ProxyPassReverse / https://192.10.2.11:443/

    ErrorLog ${APACHE_LOG_DIR}/yourdomainerror.log
    CustomLog ${APACHE_LOG_DIR}/yourdomainaccess.log combined

    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

One caveat: SSLProxyEngine on by itself does not verify the origin's certificate, because SSLProxyVerify defaults to none. That is acceptable when 192.10.2.11 is on a segment only the proxy can reach, but if the back-end hop crosses a network you don't control, set SSLProxyVerify require and SSLProxyCheckPeerName on, and point SSLProxyCACertificateFile at the CA that issued the origin's certificate, or the TLS to the origin protects against nothing but passive sniffing.

Plaintext HTTP back-end origin, with HTTP forced to HTTPS:

Keep the port-80 vhost redirect-only. In VirtualHost context mod_proxy evaluates ProxyPass before mod_rewrite gets to run, so a ProxyPass / sitting next to this RewriteRule wins: the plaintext origin gets served over HTTP and the redirect never fires. The ProxyPass / http://192.10.2.11:80/ and matching ProxyPassReverse lines go in the port-443 vhost from the first example, in place of the https:// origin (SSLProxyEngine is not needed for an http:// target). The proxy-to-origin hop is then unencrypted, so keep 192.10.2.11 on a segment that only the proxy can reach.

<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    ErrorLog ${APACHE_LOG_DIR}/yourdomainerror.log
    CustomLog ${APACHE_LOG_DIR}/yourdomainaccess.log combined

    # send every request on these names to https://, keeping the path
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =yourdomain.com [OR]
    RewriteCond %{SERVER_NAME} =www.yourdomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

I’ll do a write-up in the future on the benefits of reverse proxy configurations.

Enabling X-Forwarded-For Logging In Apache 2.4

When Apache sits behind a proxy or load balancer, %h in the default combined format records the proxy's address, not the visitor's. To see who is really hitting the site you have to log the X-Forwarded-For header that the proxy adds.

To enable this in your Apache vhost configuration, add the following logging options:

# default format, used when no X-Forwarded-For header is present
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# same format with the X-Forwarded-For value in place of the peer address
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
# set the "forwarded" variable when the header contains something dotted
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog "/var/log/httpd/youraccess.log" combined env=!forwarded
CustomLog "/var/log/httpd/youraccess.log" proxy env=forwarded

This gets real addresses into the log, with one caveat: X-Forwarded-For is just a request header, and the SetEnvIf pattern only checks that it contains three dots. Anyone who can reach the origin directly, or who sends the header through the proxy (which appends the real peer but keeps the supplied value), can put whatever they like in it, and the proxy-format line will log it as the client. Firewall the origin so only the proxy can connect to it, and prefer mod_remoteip over raw header logging: RemoteIPHeader X-Forwarded-For plus RemoteIPInternalProxy <proxy address> makes Apache substitute the client address only for connections that really arrive from the proxy, after which %a in the LogFormat is the visitor (%{c}a is still the peer) and Require ip checks apply to the visitor as well.

Simple .htaccess rules to protect wp-login.php and xmlrpc.php

Most junk traffic against WordPress targets wp-login.php with password brute-forcing and xmlrpc.php for pingback abuse and DoS amplification.
A simple solution? Enforce IP-based ACLs at the web server.

Apache 2.4 .htaccess example (needs AllowOverride AuthConfig, or All, on the document root):

<Files wp-login.php>
    # several Require lines without a container act as RequireAny:
    # everyone is denied unless the client address matches the Require ip below
    Require all denied
    # your IP below
    Require ip xxx.xxx.xxx.xxx
</Files>

<Files xmlrpc.php>
    Require all denied
    # your IP below; leave this line out to disable xmlrpc.php entirely if nothing you use needs it
    Require ip xxx.xxx.xxx.xxx
</Files>

One thing to check before relying on this: Require ip tests the address of the TCP peer. On an origin behind the reverse proxies above, the peer is the proxy, so the rule would lock everyone out, the admin included. Either configure mod_remoteip on the origin (RemoteIPHeader X-Forwarded-For with RemoteIPInternalProxy for the proxy address), which makes Require ip evaluate the forwarded client address, or apply the restriction on the proxy itself with a <Location "/wp-login.php"> block rather than <Files>, since the proxy serves no local file by that name.
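The two points above, that X-Forwarded-For is spoofable unless you only believe it from a known proxy, and that an IP allow-list must be evaluated against the resolved client rather than the raw header, are easier to see in code. The following is an added example, not code from the original post: it implements the right-to-left, trusted-proxy walk that mod_remoteip performs, compares it with the "trust the header whenever it is present" behaviour of the logging recipe, and applies the wp-login.php allow-list to the result. All addresses are constructed: 192.10.2.0/24 is assumed to be the proxy segment (the post's origin lives at 192.10.2.11), 203.0.113.7 stands in for "your IP" from the .htaccess rule, and 198.51.100.9 is an attacker.

```python
"""Resolve the real client IP from X-Forwarded-For the way mod_remoteip does,
then apply the wp-login.php allow-list to that address.

Added example, not part of the original post. Assumed/constructed values:
192.10.2.0/24 is the reverse-proxy segment, 203.0.113.7 is the admin
("your IP" in the .htaccess rule) and 198.51.100.9 is an attacker.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed: only hosts on the proxy segment may set X-Forwarded-For (RemoteIPInternalProxy).
TRUSTED_PROXIES = [ipaddress.ip_network("192.10.2.0/24")]
# Assumed: the single admin address the .htaccess Require ip line would carry.
WP_LOGIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.7/32")]


def _in_any(ip, networks) -> bool:
    return any(ip in net for net in networks)


def naive_client_ip(peer: str, xff: Optional[str]) -> str:
    """What logging %{X-Forwarded-For}i whenever the header is present amounts to:
    the header is believed as-is and its leftmost entry is taken as the client.
    Anyone who can reach the server can write that header, so it is spoofable."""
    if xff and xff.strip():
        return xff.split(",")[0].strip()
    return peer


def client_ip(peer: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """mod_remoteip semantics: start from the TCP peer; only if the peer is a
    trusted proxy consult X-Forwarded-For, walking it right to left (each proxy
    appends the address it talked to), and stop at the first untrusted hop."""
    current = ipaddress.ip_address(peer)
    if not _in_any(current, trusted) or not xff:
        return str(current)            # header came from an untrusted source: ignore it
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    while hops:
        try:
            hop = ipaddress.ip_address(hops.pop())
        except ValueError:
            break                      # unparseable entry: keep what is established so far
        current = hop
        if not _in_any(hop, trusted):
            break                      # first hop not under our control is the client
    return str(current)


def append_xff(existing: Optional[str], peer: str) -> str:
    """What a well-behaved proxy (Apache's mod_proxy does this by default) sends
    upstream: the inbound header, if any, with the peer it talked to appended.
    A spoofed value survives but is pushed left, where the walk above ignores it."""
    return f"{existing}, {peer}" if existing else peer


def wp_login_allowed(peer: str, xff: Optional[str], allowlist=WP_LOGIN_ALLOWLIST) -> bool:
    """Require ip evaluated against the resolved client, not the raw header."""
    return _in_any(ipaddress.ip_address(client_ip(peer, xff)), allowlist)


# Constructed requests as they arrive at the origin: (description, peer, X-Forwarded-For).
SAMPLE_REQUESTS: List[Tuple[str, str, Optional[str]]] = [
    ("admin through the proxy", "192.10.2.10", append_xff(None, "203.0.113.7")),
    ("attacker through the proxy, spoofing the admin address",
     "192.10.2.10", append_xff("203.0.113.7", "198.51.100.9")),
    ("attacker hitting the origin directly, spoofing the header",
     "198.51.100.9", "203.0.113.7"),
    ("admin through two chained trusted proxies", "192.10.2.10", "203.0.113.7, 192.10.2.12"),
    ("no header at all (direct connection from the proxy host)", "192.10.2.10", None),
]


def evaluate(samples=SAMPLE_REQUESTS) -> List[Tuple[str, str, str, bool]]:
    """For each sample: (description, naive IP, resolved IP, wp-login allowed?)."""
    return [(d, naive_client_ip(p, x), client_ip(p, x), wp_login_allowed(p, x))
            for d, p, x in samples]


if __name__ == "__main__":
    for desc, naive, real, allowed in evaluate():
        verdict = "ALLOW" if allowed else "deny"
        print(f"{desc:58s} naive={naive:13s} resolved={real:13s} wp-login {verdict}")
```

Running it shows the naive column attributing three of the five requests to the admin address while the resolved column credits only the two that really came from it; the attacker who sends X-Forwarded-For through the proxy ends up as the rightmost, untrusted hop and is denied, as is the attacker who bypasses the proxy, whose header is never consulted at all.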

How to enable IPv6 and DHCPv6 on a FortiGate firewall with FortiOS 5.2

Example environment:
Upstream (wan1) subnet: xxxx:xxxx:0:106::/64, with the provider's gateway at ::1 and the FortiGate taking ::2
Internal (LAN) subnet: xxxx:xxxx:0:cccc::/64, with the FortiGate at ::1 handing out ::1000 through ::6000 over DHCPv6

Step 1. Configure the external interface and set options:

config system interface
    edit "wan1"
        set alias "External"
        config ipv6
            set ip6-address xxxx:xxxx:0:106::2/64
            # only ping is reachable on this address from the outside
            set ip6-allowaccess ping
            # router-advertisement flags; inert on wan1, which does not send RAs
            set ip6-manage-flag enable
            set ip6-other-flag enable
        end
    next
end

Step 2. Configure IPv6 routes:

config router static6
    edit 1
        # no dst set, so this is the default route ::/0 via the provider gateway
        set device "wan1"
        set gateway xxxx:xxxx:0:106::1
    next
end

Step 3. Configure the internal interface:

The interface name is case-sensitive and must be the name of the existing LAN interface ("internal" on most FortiGate models); the same name is used for the DHCPv6 server in Step 4. With router advertisements enabled and the managed and other flags set, clients are told to obtain both addresses and DNS from DHCPv6; no prefix list is advertised, so they do not autoconfigure addresses via SLAAC.

config system interface
    edit "internal"
        config ipv6
            set ip6-mode static
            set ip6-address xxxx:xxxx:0:cccc::1/64
            set ip6-allowaccess ping
            # send router advertisements with M and O flags set
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            set ip6-max-interval 600
            set ip6-min-interval 198
            set ip6-link-mtu 0
            set ip6-reachable-time 0
            set ip6-retrans-time 3000
            set ip6-default-life 1800
            set ip6-hop-limit 0
            set autoconf disable
            set dhcp6-relay-service disable
        end
    next
end

Step 4. Configure the DHCPv6 server and options:

config system dhcp6 server
    edit 1
        set dns-service specify
        set status enable
        # must match the interface name used in Step 3 exactly
        set interface "internal"
        config ip-range
            edit 1
                set start-ip xxxx:xxxx:0:cccc::1000
                set end-ip xxxx:xxxx:0:cccc::6000
            next
        end
        set lease-time 10800
        set option1 0
        set option2 0
        set option3 0
        set rapid-commit disable
        set subnet xxxx:xxxx:0:cccc::/64
        # Google Public DNS over IPv6
        set dns-server1 2001:4860:4860::8888
        set dns-server2 2001:4860:4860::8844
        set dns-server3 ::
    next
end

Two things still stand between this and working IPv6. The FortiGate denies traffic by default, so nothing passes until an IPv6 firewall policy (config firewall policy6 on FortiOS 5.2) from internal to wan1 permits it. And don't blanket-block ICMPv6 on the way in or out: neighbor discovery, router advertisements and path MTU discovery all depend on it, and DHCPv6 clients never see the M flag if RAs are dropped.