Proxied redirect using Mod Proxy in Apache 2.4

Last Modified: 27 Nov 2018
User Level: Administrator

This guide outlines the use of a virtual host file to create an AJP proxied redirect to your TERMINALFOUR installation over port 8009. It is written from the point of view of a fresh installation of Apache 2.4 on CentOS. Most generic installations of Apache will be the same, but there are subtle differences which you may need to take into account if you are not using CentOS.

Assumptions

  • Apache 2.4 has been installed such that it's located at /etc/httpd/
  • Your web server is set to run on port 443
  • Your application server is running on port 8009
  • Your TERMINALFOUR context defined within your application server is called 'terminalfour'
  • You wish to have your website publish to:
  • You have signed SSL certs for your CMS Domain
  • Your server has been secured. Do not enable any of the following without ensuring this.

If any of the above is untrue please carefully read the settings below and alter them where appropriate.

Create VirtualHost for Website and Context

We will create a VirtualHost definition in /etc/httpd/conf.d/terminalfour.YOURDOMAIN.com.conf.  This website performs two functions:

  1. Act as a web front-end for the site at /web/terminalfour.YOURDOMAIN.com/htdocs
  2. Act as a proxy server to forward requests to the /terminalfour context on port 8009

Save the following into a file called "terminalfour.YOURDOMAIN.com.conf" at  /etc/httpd/conf.d/:

<VirtualHost *:443>
        ServerAdmin sysadmin@YOURDOMAIN.com
        ServerName cms.YOURDOMAIN.com

        DocumentRoot /web/terminalfour/htdocs/

        # SSL Config
        SSLEngine on
        SSLOptions +StrictRequire
        SSLHonorCipherOrder On

        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

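        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them unless legacy clients must connect
        SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
        # The trailing !RC4 removes the RC4 terms listed earlier in the string
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"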

        SSLCertificateFile /etc/httpd/sslcerts/cms.YOURDOMAIN.com/cms.YOURDOMAIN.com.cer
        SSLCertificateKeyFile /etc/httpd/sslcerts/cms.YOURDOMAIN.com/cms.YOURDOMAIN.com.key
        SSLCertificateChainFile /etc/httpd/sslcerts/cms.YOURDOMAIN.com/cms.YOURDOMAIN.com.interm.cer

        SSLVerifyClient none
        SSLProxyEngine off

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        <Directory /web/terminalfour/htdocs/>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride None
                Require all granted
        </Directory>

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^TRACE
        RewriteRule .* - [F]

        # Logging Configuration
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
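        # X-Forwarded-For is supplied by the client (or an upstream proxy); when it is present,
        # the "proxy" format logs that value in place of the connecting address (%h)
        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded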
        LogLevel warn
        ErrorLog /web/terminalfour/logs/ssl_error_log
        CustomLog /web/terminalfour/logs/ssl_access_log combined env=!forwarded
        CustomLog /web/terminalfour/logs/ssl_access_log proxy env=forwarded

        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/xml
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/x-javascript
        AddOutputFilterByType DEFLATE text/json
        AddOutputFilterByType DEFLATE application/json
        AddOutputFilterByType DEFLATE text/javascript
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        Header append Vary User-Agent

        ProxyRequests Off
        ProxyPreserveHost On
        ProxyTimeout 300

        <Location /terminalfour>
            ProxyPass ajp://localhost:8009/terminalfour
            ProxyPassReverse ajp://localhost:8009/terminalfour
        </Location>
</VirtualHost>

Checking Configuration and Restart

Once your file has been saved check the configuration for Apache to ensure everything is okay:

apachectl -t

And if this returns "Syntax OK" restart your Apache server:

apachectl graceful
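
"Syntax OK" only confirms that the file parses, so the script below also checks the security-relevant settings of the virtual host before the restart: legacy protocol versions enabled by SSLProtocol, ProxyRequests left on, and ajp:// targets that are not on the loopback interface. It is an added example, not part of the original guide or of TERMINALFOUR; lint_vhost is a hypothetical helper and both sample configurations (including the address 192.0.2.10) are constructed.

```shell
#!/bin/sh
# Added example: lint_vhost is a hypothetical helper, not an Apache or TERMINALFOUR tool.
# Usage: lint_vhost /etc/httpd/conf.d/terminalfour.YOURDOMAIN.com.conf
# Prints one finding per line and returns 1 if anything was flagged.
lint_vhost() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                 # skip blank lines and comments
    { d = tolower($1) }                           # directive names are case-insensitive
    d == "sslprotocol" {                          # legacy protocol versions still enabled
        for (i = 2; i <= NF; i++) {
            q = $i; sub(/^\+/, "", q); p = tolower(q)
            if (p == "sslv3" || p == "tlsv1" || p == "tlsv1.1") { print "WEAK_PROTOCOL " q; bad = 1 }
        }
    }
    d == "proxyrequests" && tolower($2) != "off" { print "FORWARD_PROXY_ENABLED"; bad = 1 }
    d == "proxypass" {                            # AJP has no TLS of its own
        for (i = 2; i <= NF; i++) if ($i ~ /^ajp:\/\//) {
            h = $i; sub(/^ajp:\/\//, "", h); sub(/\/.*/, "", h)      # keep host[:port]
            if (h ~ /^\[/) { sub(/\].*/, "]", h) } else { sub(/:.*/, "", h) }
            if (h != "localhost" && h != "[::1]" && h !~ /^127\./) { print "AJP_NOT_LOOPBACK " h; bad = 1 }
        }
    }
    END { exit bad + 0 }' "$@"
}

sample_weak_conf() {    # constructed input: legacy TLS, forward proxy on, remote AJP target
    cat <<'EOF'
# SSLProtocol +SSLv3
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
ProxyRequests On
<Location /terminalfour>
    ProxyPass ajp://192.0.2.10:8009/terminalfour
    ProxyPassReverse ajp://192.0.2.10:8009/terminalfour
</Location>
EOF
}

sample_ok_conf() {      # constructed input: the layout from this guide with TLS 1.2 only
    cat <<'EOF'
SSLProtocol -all +TLSv1.2
ProxyRequests Off
<Location /terminalfour>
    ProxyPass ajp://localhost:8009/terminalfour
</Location>
EOF
}

sample_weak_conf | lint_vhost || echo "resolve the findings above before running apachectl graceful"
```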

Hints for Other Systems

ModProxy Not Enabled:
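Some Apache configurations will not have the necessary modules enabled by default. Ensure that both of these modules are available and enabled:

  • proxy_module        (mod_proxy.so)
  • proxy_http_module    (mod_proxy_http.so)

The ajp:// targets used in the ProxyPass lines above are handled by proxy_ajp_module (mod_proxy_ajp.so), so that module must be loaded as well.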

Proxies Disabled System Wide:
Some Apache installations will have proxies disabled by default. This is usually set in a file titled 'proxy.conf'. To alter this, edit the file and change the line "Deny from all" to read "Allow from all".