Apache 2 Config
1 Force SSL on specific domain
## Force HTTPS for the .COM domain.
## Every RewriteCond below must match (implicit AND) before the rule fires.

## Host is www.example.com or bare example.com (case-insensitive).
## This condition is also what makes it safe to echo %{HTTP_HOST} into the
## redirect target: without it the Location header would follow whatever
## Host value the client sent.
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$ [NC]

## The request did not reach this Apache over TLS directly
RewriteCond %{HTTPS} off

## X-Forwarded-Proto does not contain "https", i.e. no load balancer or
## nginx proxy in front has already terminated TLS for this request.
## NOTE(review): this header is client-controllable unless the front proxy
## overwrites it; confirm the proxy sets it on every request and that
## clients cannot reach this Apache without going through the proxy.
RewriteCond %{HTTP:X-Forwarded-Proto} !https

## Permanent redirect to the same host and URI over HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Note: consecutive RewriteCond directives are combined with an implicit AND. To combine a condition with the following one using OR instead, add the [OR] flag at the end of that RewriteCond.
2 Remote IP Header
/etc/apache2/sites-available/test.example.com.conf
#http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader
# Take the client address from X-Forwarded-For, but only on connections that
# arrive from the proxy address listed in RemoteIPInternalProxy.
# Keep that list as narrow as the real proxy: any peer listed there can choose
# the address that ends up in the logs and in REMOTE_ADDR-based access rules.
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 172.17.0.1/32

## Custom Log to correctly print the remote IP when behind a proxy
ErrorLog ${APACHE_LOG_DIR}/www.example.com.error.log
#CustomLog ${APACHE_LOG_DIR}/www.example.com.access.log combined
# http://httpd.apache.org/docs/current/mod/mod_remoteip.html#remoteipheader
# %a     = client address of the request (the forwarded one once mod_remoteip applies)
# %{c}a  = address of the underlying peer connection (the proxy itself)
# Logging both keeps the proxy hop visible when reviewing access logs.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" forwarded
CustomLog ${APACHE_LOG_DIR}/www.example.com.access.log forwarded
3 Ask for password, but allow a specific IP (Apache 2.4)
# Require HTTP Basic authentication from every client except one address.
# The section only applies when REMOTE_ADDR differs from the listed IP, so
# requests from that IP skip the password prompt entirely.
# NOTE(review): when mod_remoteip is active, REMOTE_ADDR is the forwarded
# address, so this exemption is only as trustworthy as the proxy list that
# mod_remoteip accepts X-Forwarded-For from - confirm before relying on it.
# NOTE(review): Basic auth sends the password base64-encoded, not encrypted;
# serve this location over HTTPS only.
<If "%{REMOTE_ADDR} != '54.243.219.253'">
    AuthType Basic
    AuthName "Protected Login"
    # Password file; it sits outside any DocumentRoot shown on this page
    AuthUserFile /home/vhosts/htpasswdMage
    Require valid-user
</If>
4 Apache proxy to Docker container - SSL to SSL
at the command prompt:
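# a2enmod proxy_http
# a2enmod proxy_html
# a2enmod ssl        # needed for SSLEngine / SSLProxyEngine in the :443 vhost
# a2enmod headers    # needed for the RequestHeader directives
To activate the new configuration, you need to run:
  systemctl restart apache2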
/etc/apache2/sites-available/test.example.com.conf
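# Plain-HTTP front end: proxies to the container over HTTP.
# NOTE(review): this vhost serves the site in cleartext. If HTTPS should be
# mandatory, enable the commented-out Redirect below instead of proxying.
<VirtualHost *:80>
    ServerName test.example.com
    #ServerAlias test2.example.com
    ServerAdmin ti@example.com

    # Proxy to Docker container
    # ProxyRequests Off keeps this a reverse proxy only (no open forward proxy).
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass "/" "http://172.17.0.2/"
    ProxyPassReverse "/" "http://172.17.0.2/"

    # Overwrite whatever the client sent, so a request arriving on port 80
    # cannot claim to the backend that it came in over HTTPS.
    RequestHeader set X-Forwarded-Proto "http"
    RequestHeader set X-Forwarded-Port "80"

    # Turn off mod_pagespeed
    ModPagespeed off

    # Redirect / https://test.example.com/

    # DocumentRoot /home/vhosts/test.example.com/public
    # <Directory /home/vhosts/test.example.com/public>
    #     Options Indexes FollowSymLinks MultiViews
    #     AllowOverride All
    #     Require all granted
    # </Directory>

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/test.example.com.error.log
    CustomLog ${APACHE_LOG_DIR}/test.example.com.access.log combined
</VirtualHost>

# HTTPS front end: terminates TLS and re-encrypts to the container.
<VirtualHost *:443>
    ServerName test.example.com
    #ServerAlias test2.example.com
    ServerAdmin ti@example.com

    ########################################
    # Proxy to Docker container
    ########################################
    # Allows SSL to SSL
    # NOTE(review): how the backend certificate is checked depends on
    # SSLProxyVerify / SSLProxyCheckPeerName, which are not set here - confirm
    # their effective values; encryption alone does not authenticate the backend.
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass "/" "https://172.17.0.2/"
    ProxyPassReverse "/" "https://172.17.0.2/"
    # "set" replaces any client-supplied value, so the backend sees the real scheme/port
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    # Turn off mod_pagespeed
    ModPagespeed off

    # DocumentRoot /home/vhosts/test.example.com/public
    # <Directory /home/vhosts/test.example.com/public>
    #     Options Indexes FollowSymLinks MultiViews
    #     AllowOverride All
    #     Require all granted
    # </Directory>

    ErrorLog ${APACHE_LOG_DIR}/test.example.com.error.log
    CustomLog ${APACHE_LOG_DIR}/test.example.com.access.log combined

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # The private key should be readable by root only.
    SSLCertificateKeyFile /etc/apache2/ssl/test.example.com/test.example.com.2048.key
    SSLCertificateFile /etc/apache2/ssl/test.example.com/test_example_com.crt
    SSLCACertificateFile /etc/apache2/ssl/test.example.com/pushmaze_example_com.ca-bundle

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are disabled here along
    # with SSLv2/SSLv3. Remove the last two exclusions only if a legacy client
    # that cannot speak TLS 1.2 must still be served.
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    # Original cipher list kept; the trailing !3DES removes the DES-CBC3 suites
    # it names explicitly (64-bit block cipher, Sweet32).
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet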