Raspberry secure proxy with SHA2 SSL and client cert

Today I will explain how I set up a secure proxy on my Raspberry Pi server. The goal is to allow external access to my Raspberry Pi over the Internet, but only over an SSL-encrypted connection and only from fully trusted clients.

To do this I will use certificates signed with SHA-2 (SHA-1 signatures are no longer accepted by most browsers after 2016). We will also use client certificates, and all certificates will be signed by my own certificate authority. This gives a fully valid SSL setup for free, plus full trust in my own certificates.

First you need to follow this post: SHA 2 SSL certificate with trusted Apache web server. It explains how to create the different certificates and how to use them with your browser. You can also have a look at the faster method: Simple SHA2 SSL certificate with client cert for free.

Once done, you have a fully secured web service. But sometimes you want to reach several web services from the Internet, which would mean opening several ports on your firewall/router (most of the time the firewall/router is your ADSL box).

To avoid this you can configure what is called a "reverse proxy" with Apache and open only port 443 (HTTPS) on your box. Then, in the reverse proxy configuration, you decide which of your local web services should be reachable from the Internet.


Reverse proxy configuration on Raspberry PI with Apache and SSL

OK, but how?

If you successfully followed the post linked above, the config file "/etc/apache2/sites-available/default" now contains a section with:

<VirtualHost *:443>

some lines, and

</VirtualHost>

We will now add the proxy configuration between these lines: just before the </VirtualHost> tag, put the following lines:

#################################
# Proxy config with authentication required
#################################
<Proxy *>
#   From the Internet only HTTPS + strong cipher + password,
#   or the alternative HTTPS + strong cipher + client certificate.
#   If HTTPS is used, make sure a strong cipher is used.
#   Additionally allow client certs as an alternative to basic auth.
#   These settings have to be set both for the web server and for the proxy.

    #   A client certificate is accepted but not mandatory: without one the
    #   request falls back to the HTTP basic auth below. Use "require" here
    #   to refuse password logins entirely.
    SSLVerifyClient      optional
    SSLVerifyDepth       1
    #   FakeBasicAuth turns the certificate's subject DN into the basic-auth
    #   user name; StrictRequire makes an SSLRequire denial final even with
    #   "Satisfy any".
    SSLOptions           +FakeBasicAuth +StrictRequire
    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
    #   "all" means every access constraint must hold; with no Allow/Deny
    #   directives in this block, only the Require line below applies.
    Satisfy              all

    #   HTTP Basic Authentication
    AuthType             basic
    AuthName             "Protected Intranet Proxy"
    AuthBasicProvider    file
    AuthUserFile         "/path/to/htpasswd/.htpasswd"
    Require              valid-user
</Proxy>

##############################
# ProxyPass/ProxyPassReverse
##############################

ProxyPreserveHost On
# "off" keeps this a reverse proxy only; "on" would turn the Pi into an open
# forward proxy anyone on the Internet could relay through.
ProxyRequests off

  # redirect 1: /domo/ to the Domoticz web service
  ProxyPass /domo/ http://192.168.1.32:8080/ retry=0
  ProxyPassReverse /domo/ http://192.168.1.32:8080/

  # redirect 2: /RPi-Monitor1/ to RPi-Monitor no. 1
  # (the reverse line must use the same path and backend as the ProxyPass line,
  # otherwise redirects sent by the backend leak its internal address)
  ProxyPass /RPi-Monitor1/ http://192.168.1.32:8888/ retry=0
  ProxyPassReverse /RPi-Monitor1/ http://192.168.1.32:8888/

You can add as many ProxyPass/ProxyPassReverse pairs as you need, depending on the number of web services you want to expose.

In this example we assume the Raspberry Pi uses the IP 192.168.1.32, but of course you have to adapt it to your own IP. AuthUserFile also has to be changed to match your own file. Keep in mind how FakeBasicAuth uses that file: the certificate's subject DN (as printed by "openssl x509 -noout -subject") becomes the user name, and mod_ssl checks it against the fixed password "password", so every DN entry in the file must carry the hash of that word (xxj31ZMTZzkVA in crypt form). The flip side is that anyone who knows a valid DN can then log in through basic auth with "password" and no certificate at all; if that is not acceptable, use SSLVerifyClient require and drop the password fallback.

You then need to enable the Apache proxy modules and finally restart Apache:

sudo a2enmod proxy

sudo a2enmod proxy_http

sudo /etc/init.d/apache2 restart

Then try to access your web services using:

https://your-external-url.net/domo/
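Two small helpers for the setup above, as an added example (shell, not code from the original post or from Apache): one builds the .htpasswd line that FakeBasicAuth expects for a given client certificate, the other lints a vhost file for the two mistakes that are easy to make in the ProxyPass section (a ProxyPassReverse that does not match its ProxyPass, and ProxyRequests left on). It assumes the openssl command-line tool is installed for reading a certificate, and the lint only understands plain ProxyPass/ProxyPassReverse/ProxyRequests lines like the ones shown above (no ProxyPassMatch, no Include). The hash xxj31ZMTZzkVA is the crypt() form of "password" that the mod_ssl documentation gives for FakeBasicAuth entries.

```shell
#!/bin/sh
# Added helpers for the reverse-proxy setup above (example code, not from the
# original post or from Apache). Assumes the openssl CLI for reading a
# certificate; the hash below is the crypt() of "password" that mod_ssl
# documents for FakeBasicAuth entries.

FAKE_BASIC_AUTH_HASH='xxj31ZMTZzkVA'

# Subject DN of a PEM certificate in the one-line "/C=../O=../CN=.." form that
# mod_ssl uses as the FakeBasicAuth user name. "-nameopt compat" forces that
# legacy layout on OpenSSL 1.1 and later; the sed strips the "subject=" label
# (old releases print "subject= /C=...", newer ones "subject=/C=...").
cert_subject_dn() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | sed 's/^subject= *//'
}

# Print the .htpasswd line for one client certificate.
# Usage: fake_basic_auth_entry client.crt
#    or: fake_basic_auth_entry -d '/C=FR/O=Home/CN=alice'   (DN given directly)
fake_basic_auth_entry() {
    if [ "$1" = "-d" ]; then
        dn=$2
    else
        dn=$(cert_subject_dn "$1")
    fi
    [ -n "$dn" ] || return 1
    printf '%s:%s\n' "$dn" "$FAKE_BASIC_AUTH_HASH"
}

# Sanity check on a vhost file: every ProxyPass needs a ProxyPassReverse for the
# same path pointing at the same backend (otherwise redirects from the backend
# leak the internal address), and ProxyRequests must not be on, or the host
# becomes an open forward proxy. Absent ProxyRequests counts as Apache's default
# (off). Prints each problem; exit status 1 if any were found.
lint_proxy_config() {
    awk '
        BEGIN { requests = "off" }
        /^[ \t]*ProxyPass[ \t]/        { pass[$2] = $3 }
        /^[ \t]*ProxyPassReverse[ \t]/ { rev[$2]  = $3 }
        /^[ \t]*ProxyRequests[ \t]/    { requests = tolower($2) }
        END {
            bad = 0
            if (requests != "off") {
                print "ProxyRequests is not off: open forward proxy"; bad = 1
            }
            for (p in pass) {
                if (!(p in rev)) {
                    print "ProxyPass " p " has no ProxyPassReverse"; bad = 1
                } else if (rev[p] != pass[p]) {
                    print "ProxyPassReverse " p " -> " rev[p] " but ProxyPass -> " pass[p]; bad = 1
                }
            }
            exit bad
        }' "$1"
}
```

Run `lint_proxy_config /etc/apache2/sites-available/default` after editing the vhost; on the configuration as first written above it reports the /RPi-Monitor1/ pair, because the reverse line used a different path and port. Append the output of `fake_basic_auth_entry client.crt` to the AuthUserFile for each client certificate you issue, keeping in mind the fixed-password caveat from the previous section.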

I hope this will help 🙂 At least it helped me to understand how proxy/Apache/SSL work!

Thanks to all the people who helped on this topic with very interesting docs; my main references were: magdiblog.fr and blog.héry.com and of course the Apache doc.

Leave a comment if you have any concern or if you like this post 🙂
