Today I will explain how I have set up a secure proxy on my Raspberry Pi server. The target is to allow external access to my Raspberry Pi over the Internet, but only over an SSL-encrypted connection and only from a fully trusted client.
To do this I will use SHA-2 signed certificates (SHA-1 is no longer supported by most browsers after 2016). We will also use client certificates, and all certificates will be signed by my own certificate authority. This gives a fully free, valid SSL certificate, plus full trust in my certificates.
First you need to follow this post: SHA 2 SSL certificate with trusted Apache web server. It explains how to create the different certificates and how to use them with your browser. You can also have a look at the fast method here: Simple SHA2 SSL certificate with client cert for free.
Once done, you have a fully secured web service. But sometimes you want to access several web services from the Internet, and you would have to open several ports on your firewall/router (most of the time the firewall/router is your ADSL box).
To avoid this you can configure what is called a "reverse proxy" using Apache and open only port 443 (HTTPS) on your box. Then, from the reverse proxy configuration, you decide which of your local web services should be reachable from the Internet.
OK but how !!?
If you successfully followed the link listed above, you now have in the config file "/etc/apache2/sites-available/default" one section with:

```apache
<VirtualHost *:443>
    # some lines and
</VirtualHost>
```

We will now add the proxy configuration between these lines: just before the </VirtualHost> tag, put the following lines:
```apache
#################################
# Proxy config with authentication required
#################################
<Proxy *>
    # From the Internet only HTTPS + Strong-Cipher + Password
    # or the alternative HTTPS + Strong-Cipher + Client-Certificate
    # If HTTPS is used, make sure a strong cipher is used.
    # Additionally allow client certs as alternative to basic auth.
    # This setting has to be put for the web server + for the proxy conf
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +FakeBasicAuth +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    # Allow Network Access and/or Basic Auth
    Satisfy all
    # HTTP Basic Authentication
    AuthType basic
    AuthName "Protected Intranet Proxy"
    AuthBasicProvider file
    AuthUserFile "/path/to/htpasswd/.htpasswd"
    Require valid-user
</Proxy>
##############################
# ProxyPass/Reverse
##############################
ProxyPreserveHost On
ProxyRequests off
# redirect 1 : /domo/ to domoticz web service
ProxyPass /domo/ http://192.168.1.32:8080/ retry=0
ProxyPassReverse /domo/ http://192.168.1.32:8080/
# redirect 2 : /RPi-Monitor1/ to RPi-Monitor n°1
# (the ProxyPassReverse path and backend must match the ProxyPass line)
ProxyPass /RPi-Monitor1/ http://192.168.1.32:8888/ retry=0
ProxyPassReverse /RPi-Monitor1/ http://192.168.1.32:8888/
```
You can add as many ProxyPass/ProxyPassReverse pairs as you need, depending on the number of web services you want to expose.
In this example we assume the Raspberry Pi uses the IP 192.168.1.32, but of course you have to adapt it to your own IP. AuthUserFile also has to be changed to match the correct path.
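A mistake that is easy to make with several ProxyPass/ProxyPassReverse pairs is a reverse rule whose path or backend does not match its ProxyPass, which breaks redirects from the backend. As an added check that is not part of the original post, here is a small Python lint for these pairs (it also flags ProxyRequests On, which would turn the server into an open forward proxy); the sample configuration is constructed for the example and deliberately contains a mismatched pair.

```python
import re

# Constructed sample: two proxied services, the second with a
# ProxyPassReverse whose path and port do not match its ProxyPass.
SAMPLE_CONFIG = """
ProxyPreserveHost On
ProxyRequests off
# redirect 1 : /domo/ to domoticz web service
ProxyPass /domo/ http://192.168.1.32:8080/ retry=0
ProxyPassReverse /domo/ http://192.168.1.32:8080/
ProxyPass /RPi-Monitor1/ http://192.168.1.32:8888/ retry=0
ProxyPassReverse /RPi-Monitor/ http://192.168.1.32:8081/
"""

DIRECTIVE = re.compile(
    r"^\s*(ProxyPassReverse|ProxyPass|ProxyRequests)\s+(\S+)(?:\s+(\S+))?", re.I)

def parse_proxy_rules(config):
    """Collect ProxyPass and ProxyPassReverse rules (path -> backend)."""
    passes, reverses, requests_on = {}, {}, False
    for line in config.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        name, path, backend = m.group(1).lower(), m.group(2), m.group(3)
        if name == "proxyrequests":
            requests_on = path.lower() == "on"
        elif name == "proxypass":
            passes[path] = backend
        else:
            reverses[path] = backend
    return passes, reverses, requests_on

def lint_proxy_config(config):
    """Return a list of findings; an empty list means the pairs are consistent."""
    passes, reverses, requests_on = parse_proxy_rules(config)
    findings = []
    if requests_on:
        findings.append("ProxyRequests On turns the server into an open forward proxy")
    for path, backend in passes.items():
        rev = reverses.get(path)
        if rev is None:
            findings.append(f"{path}: no ProxyPassReverse; backend redirects will expose {backend}")
        elif rev != backend:
            findings.append(f"{path}: ProxyPassReverse points to {rev}, ProxyPass to {backend}")
    for path in reverses:
        if path not in passes:
            findings.append(f"{path}: ProxyPassReverse without matching ProxyPass")
    return findings
```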
You then need to enable the Apache proxy modules and finally restart Apache (on Debian/Raspbian the init script is apache2):

```shell
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo /etc/init.d/apache2 restart
```
Then try to access your web services using:

```
https://your-external-url.net/domo/
```
I hope this will help 🙂 At least it helped me to understand how proxy/Apache/SSL work!
Thanks to all the people who helped on this topic with very interesting docs; my main useful references were magdiblog.fr and blog.héry.com and, of course, the Apache doc.
Leave a comment if you have any concern or if you like this post 🙂