
Configuring Reverse Proxy Apache (Debian 8) with automatic issue of Let's Encrypt

Organizations often have many sites and few public IP addresses, so a reverse proxy is needed. For my purposes Microsoft TMG has always filled this role before, and it has its advantages as well as drawbacks. One of the main drawbacks is that TMG requires you to import the certificate of each published resource, which is rather inconvenient with Let's Encrypt, since those certificates are renewed every 90 days.

The solution: set up a reverse proxy on Apache with automatic issuance of Let's Encrypt certificates, then simply publish it on the firewall, with requests redirected from HTTP to HTTPS.

We assume a clean Debian GNU/Linux 8 (jessie). Details under the cut.

Well then, let's go. First install the packages:
 aptitude install -y build-essential
 aptitude install -y libapache2-mod-proxy-html libxml2-dev
 aptitude install -y apache2

Then we activate the following modules:

 a2enmod proxy
 a2enmod proxy_http
 a2enmod proxy_ajp
 a2enmod rewrite
 a2enmod deflate
 a2enmod headers
 a2enmod proxy_balancer
 a2enmod proxy_html
 a2enmod proxy_ftp
 a2enmod proxy_connect
 a2enmod ssl

and restart Apache:

 service apache2 restart 

Here the first failure awaits us: Apache lacks the mod_xml2enc module it needs for proper operation, BUT in Jessie this module does not work, so we need to run the following commands in order to build it from source:

 aptitude install apache2-prefork-dev libxml2 libxml2-dev apache2-dev
 mkdir ~/modbuild/ && cd ~/modbuild/
 wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.c
 wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.h
 apxs2 -aic -I/usr/include/libxml2 ./mod_xml2enc.c
 cd ~
 rm -rfd ~/modbuild/
 service apache2 restart

After that everything is fine: the module is installed. Moving on.

Since we want to publish an HTTPS site, and Let's Encrypt is not set up yet, we first need a self-signed certificate for our site; enter the commands:

 mkdir /etc/apache2/ssl
 cd /etc/apache2/ssl
 openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

We need to create a configuration file and name it with a friendly name:

 touch /etc/apache2/sites-available/sambi4.conf 

And fill the file with something like this:

 <VirtualHost *:80>
     ServerName sambi4.ru
     # send all plain HTTP traffic to HTTPS
     Redirect permanent / https://sambi4.ru/
 </VirtualHost>

 <VirtualHost *:443>
     SSLEngine On
     # the backend itself speaks HTTPS
     SSLProxyEngine On
     # reverse proxy only, never an open forward proxy
     ProxyRequests Off
     ProxyPreserveHost On
     ProxyVia full
     # self-signed certificate for now; certbot will replace these later
     SSLCertificateFile /etc/apache2/ssl/server.crt
     SSLCertificateKeyFile /etc/apache2/ssl/server.key
     ProxyHTMLInterp On
     ProxyHTMLExtended On
     <Proxy *>
         Order deny,allow
         Allow from all
     </Proxy>
     # IP address of the internal server being published
     ProxyPass / https://192.168.199.78/
     ProxyPassReverse / https://192.168.199.78/
     ServerName sambi4.ru
     # your email
     ServerAdmin sambi4@sambi4.ru
     # placeholder only; everything is proxied, nothing is served from here
     DocumentRoot "/var/www/html"
 </VirtualHost>

After creating the file, do not forget to enable our site:

 a2ensite sambi4.conf

and restart Apache:

 service apache2 restart 

After all these steps we have a working reverse proxy on Apache2, and we can proceed to setting up Let's Encrypt.

Of all the free certificate providers only Let's Encrypt is still alive, but its peculiarity is that a certificate is issued for only 3 months.

We need to obtain a certificate and arrange automatic renewal when the validity period ends. First add the jessie-backports repository:

 echo 'deb http://ftp.debian.org/debian jessie-backports main' | tee /etc/apt/sources.list.d/backports.list 

then:

 aptitude update 

Now install Let's Encrypt's certbot:

 aptitude install -y python-certbot-apache -t jessie-backports 

Wait for the installation to finish, then try to issue a certificate:

 certbot --apache 

And here failure awaits us:
ERROR: letsencrypt_apache.configurator: No vhost exists with servername or alias of: sambi4.ru. No vhost was selected. Please specify servernames in the Apache config

This is because the repositories still carry an old version (0.10.2 at the time of writing) whose Python scripts contain bugs. The solution, as usual, is simple:
Download the latest version of certbot:

 git clone https://github.com/certbot/certbot.git 

After that, go to the directory:

  cd /usr/lib/python2.7/dist-packages 

Delete the following folders (better back them up first):

acme
certbot
certbot_apache
And copy the files from the new release:

 cp -r /root/certbot/certbot /usr/lib/python2.7/dist-packages/
 cp -r /root/certbot/acme/acme/ /usr/lib/python2.7/dist-packages/
 cp -r /root/certbot/certbot-apache/certbot_apache/ /usr/lib/python2.7/dist-packages/

Now you can start issuing the certificate with peace of mind:

 certbot --apache 

Answer the questions and that's it!

Congratulations, the certificate is issued. Now we need to add the auto-renewal job, because Let's Encrypt issues certificates for only 90 days (remember that).

It's simple. We need to add this line to cron:

 30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log 

That is, type:

 crontab -e 

and add our line (be sure to end it with a newline, otherwise it will not be saved).
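The cron line only appends to a log file, so a renewal that fails quietly goes unnoticed until the certificate expires. As an added example (not code from the original post), here is a small shell script that checks a certificate's remaining validity, built around the same openssl call the post uses for the self-signed certificate; the host name sambi4.ru and the file paths are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: report how long a certificate is
# still valid so a silently failing "certbot renew" job is caught early.
# Assumes openssl is on PATH; cert_days_left also needs GNU date.

# Generate a throwaway self-signed certificate into directory $1 as constructed
# input: the post's openssl command, made non-interactive with -subj.
make_test_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=sambi4.ru" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Print the number of whole days until the certificate in $1 expires.
cert_days_left() {
    # openssl prints e.g. "notAfter=Jun  1 12:00:00 2025 GMT"
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Print "yes" if the certificate in $1 expires within $2 days, otherwise "no".
# openssl's -checkend exits 0 when the certificate is still valid that far ahead.
cert_expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo no
    else
        echo yes
    fi
}

# Save the certificate that the proxy actually serves for host $1 into file $2,
# so the check covers what clients see, not only what certbot wrote to disk
# (a renewed file does nothing until Apache is reloaded). Needs network access,
# so it is not exercised below.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$2"
}
```

Run cert_expires_within_days against /etc/letsencrypt/live/<site>/cert.pem with a 30-day threshold from a second cron job and alert on "yes"; certbot normally renews at 30 days before expiry, so that answer means renewal is not happening.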

That's all; repeat as many times as you like for your other resources.

Good luck, admins!

Source: https://habr.com/ru/post/330670/
