How to Configure Apache HTTPS Reverse Proxy on CentOS Linux

What is a reverse proxy?

A reverse proxy accepts connections and then routes them to an appropriate backend. For example, if we have a Ruby application running on port 3000, we can configure a reverse proxy to accept connections on HTTP or HTTPS and transparently proxy those requests to the Ruby backend.

What are reverse proxies used for?

  • Backend routing logic/transparent routing
  • Network ACLs
  • Logging
  • URL rewriting
  • Virtualhost configuration
  • Easy SSL configuration

Configure Apache reverse proxy on CentOS Linux

In this tutorial, we will learn how to configure a reverse proxy with HTTPS in Apache on CentOS Linux. We will not cover obtaining SSL certificates in this particular tutorial, but you can follow this tutorial on obtaining free SSL certificates on CentOS Linux with Let’s Encrypt.

We’ll use an example application running on 127.0.0.1:3000 as the backend service that we want to reverse proxy requests to.

1. Firstly, ensure that Apache is installed

yum install httpd mod_ssl -y

2. Define Apache reverse proxy configuration

For this config, we’ll use the example virtualhost myapp.centosblog.com

vim /etc/httpd/conf.d/app.centosblog.com.conf
# HTTP
<VirtualHost *:80>

  ServerName myapp.centosblog.com

  # Redirect any HTTP request to HTTPS
  RewriteEngine On
  RewriteCond %{HTTPS} off
  # ^/? drops the leading slash of the request path so the target is not https://host//path
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

  # Logging
  LogLevel warn
  ErrorLog logs/myapp.centosblog.com-error_log
  CustomLog logs/myapp.centosblog.com-access_log combined

</VirtualHost>

# HTTPS
<VirtualHost *:443>

  ServerName myapp.centosblog.com

  # Logging
  LogLevel warn
  ErrorLog logs/myapp.centosblog.com-error_log
  CustomLog logs/myapp.centosblog.com-access_log combined

  # SSL Configuration - uses strong cipher list - these might need to be downgraded if you need to support older browsers/devices
  SSLEngine on
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder On
  SSLCertificateFile /path/to/your/certificate.crt
  SSLCertificateKeyFile /path/to/your/certificate.private_key
  SSLCertificateChainFile /path/to/your/certificate/chainfile.crt

  # HSTS (optional)
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
  # Remove this if you need to use frames or iframes
  Header always set X-Frame-Options DENY
  # Prevent MIME based attacks
  Header set X-Content-Type-Options "nosniff"

  # Reverse proxy configuration
  <Location />
    ProxyPass http://localhost:3000/
    ProxyPassReverse http://localhost:3000/
  </Location>

</VirtualHost>

3. Enable and start the Apache service

systemctl enable httpd && systemctl start httpd
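
To confirm that the redirect and the security headers from step 2 are actually being served, the response headers can be checked with a small script. This is an added example, not part of the original tutorial; the function names and the sample responses are constructed for illustration.

```shell
# Print the value of header $1 (case-insensitive) from response headers on stdin.
header_value() {
  tr -d '\r' | awk -v want="$1" 'BEGIN { want = tolower(want) }
    { i = index($0, ":")
      if (i > 0 && tolower(substr($0, 1, i - 1)) == want) {
        v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# Check the three headers the HTTPS vhost sets. Reads headers from stdin,
# prints each problem found and returns 1 if there was any.
check_https_headers() {
  resp=$(cat); rc=0
  hsts=$(printf '%s\n' "$resp" | header_value Strict-Transport-Security)
  case "$hsts" in
    *max-age=63072000*) ;;
    *) echo "HSTS missing or unexpected: '$hsts'"; rc=1 ;;
  esac
  [ "$(printf '%s\n' "$resp" | header_value X-Frame-Options)" = "DENY" ] ||
    { echo "X-Frame-Options is not DENY"; rc=1; }
  [ "$(printf '%s\n' "$resp" | header_value X-Content-Type-Options)" = "nosniff" ] ||
    { echo "X-Content-Type-Options is not nosniff"; rc=1; }
  return $rc
}

# Check that the port 80 vhost redirects to exactly https://<host $1><path $2>.
# Reads headers from stdin. An exact match also reports a doubled slash.
check_redirect() {
  resp=$(cat)
  code=$(printf '%s\n' "$resp" | tr -d '\r' | awk 'NR == 1 { print $2 }')
  loc=$(printf '%s\n' "$resp" | header_value Location)
  case "$code" in
    301|302|307|308) ;;
    *) echo "status '$code' is not a redirect"; return 1 ;;
  esac
  [ "$loc" = "https://$1$2" ] || { echo "unexpected Location: $loc"; return 1; }
}

# Constructed sample responses (not captured from a real server).
sample_https() { printf '%s\r\n' 'HTTP/1.1 200 OK' \
  'Strict-Transport-Security: max-age=63072000; includeSubdomains;' \
  'X-Frame-Options: DENY' 'X-Content-Type-Options: nosniff' ''; }
sample_http() { printf '%s\r\n' 'HTTP/1.1 302 Found' \
  'Location: https://myapp.centosblog.com/login' ''; }

sample_https | check_https_headers && echo "HTTPS headers OK"
sample_http | check_redirect myapp.centosblog.com /login && echo "redirect OK"
```

Against the live server, replace the samples with `curl -sI https://myapp.centosblog.com/ | check_https_headers` and `curl -sI http://myapp.centosblog.com/login | check_redirect myapp.centosblog.com /login`.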

Final Notes

Your Apache reverse proxy should now be running! You can now access your application via https://myapp.centosblog.com/

This config demonstrates the simplest form of using Apache as a reverse proxy – a single backend service. The Apache reverse proxy module is quite powerful, and supports configuring multiple backends, clusters and load balancing algorithms. You can find out more about Apache’s reverse proxy configuration module from Apache’s Reverse Proxy Guide.


About Author: Curtis K

Hi! My name is Curtis, and I am the author of CentOS Blog. Please feel free to comment with any suggestions, feedback or questions!