Reverse Proxy
lunedì, 27 Maggio 2013
Configurazione tipo per un reverse proxy SSL basato su Gentoo Linux e apache2
TimeOut 30 SetOutputFilter DEFLATE AddOutputFilterByType INCLUDES application/pdf AddEncoding x-gzip .gz AddType application/x-javascript .gz AddType application/javascript .gz BrowserMatch Firefox/1\.0\.[0-9] no-gzip # Netscape 4.x has some problems... BrowserMatch ^Mozilla/4 gzip-only-text/html # Netscape 4.06-4.08 have some more problems BrowserMatch ^Mozilla/4\.0[678] no-gzip # MSIE masquerades as Netscape, but it is fine BrowserMatch \bMSIE !no-gzip !gzip-only-text/html BrowserMatch "MSIE 6" no-gzip gzip-only-text/html SetEnvIfNoCase Request_URI \.(gif|jpg|jpeg|png)$ no-gzip dont-vary SetEnvIfNoCase Request_URI \.(htm|html|js|jsp|asp|php|do)$ !no-gzip SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary SetEnvIfNoCase Request_URI \.(gif|jpg|jpeg|png)$ no-gzip dont-vary SetEnvIfNoCase Request_URI \.(htm|html|js|jsp|asp|php|do)$ !no-gzip SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary Header append Vary User-Agent env=!dont-vary #SetEnvIfNoCase Request_URI \.* no-gzip dont-vary #SetEnvIfNoCase Request_URI \.jsp$ !no-gzip !dont-vary #SetEnvIfNoCase Request_URI \.htm$ !no-gzip !dont-vary #SetEnvIfNoCase Request_URI \.html$ !no-gzip !dont-vary #SetEnvIfNoCase Request_URI \.asp$ !no-gzip !dont-vary DeflateFilterNote Input instream DeflateFilterNote Output outstream DeflateFilterNote Ratio ratio DeflateWindowSize 15 DeflateMemLevel 9 DeflateCompressionLevel 9 ServerName nome_server LoadModule proxy_module modules/mod_proxy.so LoadModule ssl_module modules/mod_ssl.so SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown SSLSessionCache shm:/var/cache/apache2/ssl_scache(4096000) SSLSessionCacheTimeout 600 LogLevel error ErrorLog /var/log/apache2/ssl_error_log Listen 80 Options -All -Multiviews AllowOverride None Order allow,deny Allow from all DocumentRoot /home/domini-web/locale/www # ServerName nome_server # ServerAlias alias_server DirectoryIndex index.shtml index.php index.php3 index.html ScriptAlias /cgi-bin/ /home/domini-web/locale/cgi-bin/ CustomLog /var/log/apache2/access_log combined AddHandler server-parsed shtml Options +Includes Options -Indexes -All -Multiviews +Includes AllowOverride None Order allow,deny Allow from all Include /etc/apache2/conf/*.conf
/etc/apache2/conf/server_A.conf
Listen 400 # RewriteEngine on #RewriteCond %{REQUEST_URI} !^/galileo/public/ #RewriteCond %{REQUEST_URI} !^/galileo/ #RewriteRule / /galileo/public/menu.faces [R,L] # direttive proxypass ------------------------------------------ ProxyPass / http://X.X.X.X:8888/ retry=0 ttl=120 timeout=120 ProxyPassReverse / http://X.X.X.X:8888/ # autenticazione server ------------------------------------------ SSLEngine On #128bit SSLCipherSuite RC4-SHA:RC4-MD5:HIGH:MEDIUM:!ADH:!DSS:!SSLv2:+3DES SSLHonorCipherOrder on # 40 bit #SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW SSLCertificateFile /etc/apache2/ssl/server.crt #SSLCertificateChainFile /etc/apache2/ssl/cert-new.verisign.pem #SSLCertificateChainFile /etc/apache2/ssl/cert.verisign.pem SSLCertificateChainFile /etc/apache2/ssl/intermediate_good.crt SSLCertificateKeyFile /etc/apache2/ssl/server.nopassword.key # autenticazione client ------------------------------------------ # accesso permesso solo in presenza di comunicazione almeno a 128bit ErrorDocument 403 http://www.tuo_sito.it/ ErrorDocument 404 http://www.tuo_sito.it/ #SSLCACertificateFile /etc/apache2/ssl/client/CAcert.chain #SSLCARevocationFile /etc/apache2/ssl/crl.pem #SSLVerifyClient none #SSLVerifyDepth 10 #SSLOptions +StdEnvVars ServerName www.tuo_sito.it #ServerAlias Y.Y.Y.Y ProxyRequests on ProxyVia on AddOutputFilterByType SUBSTITUTE text/html #Eventuale sostituzione del testo proxato #Substitute "s|test_da_sostituire|vuoto|i" # eventuale log verso syslog esterno #CustomLog "|/usr/bin/logger -t reverseproxy -n syslog " combined
Ulteriori personalizzazioni possono essere inserite riguardi a questi tre moduli:
mod_evasive
mod_cband
mod_security
- Pubblicato il Sistemistica, Tips & Tricks
Non ci sono commenti