Reverse Proxy

Configurazione tipo per un reverse proxy SSL basato su Gentoo Linux e apache2

TimeOut 30
SetOutputFilter DEFLATE
AddOutputFilterByType INCLUDES application/pdf
AddEncoding x-gzip .gz
AddType application/x-javascript .gz
AddType application/javascript .gz
BrowserMatch Firefox/1\.0\.[0-9] no-gzip
# Netscape 4.x has some problems...
BrowserMatch ^Mozilla/4 gzip-only-text/html
# Netscape 4.06-4.08 have some more problems
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# MSIE masquerades as Netscape, but it is fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
BrowserMatch "MSIE 6" no-gzip gzip-only-text/html
SetEnvIfNoCase Request_URI \.(gif|jpg|jpeg|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(htm|html|js|jsp|asp|php|do)$ !no-gzip
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(gif|jpg|jpeg|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(htm|html|js|jsp|asp|php|do)$ !no-gzip
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
#SetEnvIfNoCase Request_URI \.* no-gzip dont-vary
#SetEnvIfNoCase Request_URI \.jsp$ !no-gzip !dont-vary
#SetEnvIfNoCase Request_URI \.htm$ !no-gzip !dont-vary
#SetEnvIfNoCase Request_URI \.html$ !no-gzip !dont-vary
#SetEnvIfNoCase Request_URI \.asp$ !no-gzip !dont-vary
DeflateFilterNote Input instream
DeflateFilterNote Output outstream
DeflateFilterNote Ratio ratio
DeflateWindowSize 15
DeflateMemLevel 9
DeflateCompressionLevel 9
ServerName nome_server
LoadModule proxy_module modules/mod_proxy.so
LoadModule ssl_module modules/mod_ssl.so
SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
SSLSessionCache shm:/var/cache/apache2/ssl_scache(4096000)
SSLSessionCacheTimeout 600
LogLevel error
ErrorLog /var/log/apache2/ssl_error_log
Listen 80
Options -All -Multiviews
AllowOverride None
Order allow,deny
Allow from all
DocumentRoot /home/domini-web/locale/www
# ServerName nome_server
# ServerAlias alias_server
DirectoryIndex index.shtml index.php index.php3 index.html
ScriptAlias /cgi-bin/ /home/domini-web/locale/cgi-bin/
CustomLog /var/log/apache2/access_log combined
AddHandler server-parsed shtml
Options +Includes
Options -Indexes -All -Multiviews +Includes
AllowOverride None
Order allow,deny
Allow from all
Include /etc/apache2/conf/*.conf

/etc/apache2/conf/server_A.conf

Listen 400
#
RewriteEngine on
#RewriteCond %{REQUEST_URI} !^/galileo/public/
#RewriteCond %{REQUEST_URI} !^/galileo/
#RewriteRule / /galileo/public/menu.faces [R,L]
# direttive proxypass ------------------------------------------
ProxyPass / http://X.X.X.X:8888/ retry=0 ttl=120 timeout=120
ProxyPassReverse / http://X.X.X.X:8888/
# autenticazione server ------------------------------------------
SSLEngine On
#128bit
SSLCipherSuite RC4-SHA:RC4-MD5:HIGH:MEDIUM:!ADH:!DSS:!SSLv2:+3DES
SSLHonorCipherOrder on
# 40 bit
#SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
SSLCertificateFile /etc/apache2/ssl/server.crt
#SSLCertificateChainFile /etc/apache2/ssl/cert-new.verisign.pem
#SSLCertificateChainFile /etc/apache2/ssl/cert.verisign.pem
SSLCertificateChainFile /etc/apache2/ssl/intermediate_good.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.nopassword.key
# autenticazione client ------------------------------------------
# accesso permesso solo in presenza di comunicazione almeno a 128bit
ErrorDocument 403 http://www.tuo_sito.it/
ErrorDocument 404 http://www.tuo_sito.it/
#SSLCACertificateFile /etc/apache2/ssl/client/CAcert.chain
#SSLCARevocationFile /etc/apache2/ssl/crl.pem
#SSLVerifyClient none
#SSLVerifyDepth 10
#SSLOptions +StdEnvVars
 
ServerName www.tuo_sito.it
#ServerAlias Y.Y.Y.Y
ProxyRequests on
ProxyVia on
AddOutputFilterByType SUBSTITUTE text/html
#Eventuale sostituzione del testo proxato
#Substitute "s|test_da_sostituire|vuoto|i"
# eventuale log verso syslog esterno
#CustomLog "|/usr/bin/logger -t reverseproxy -n syslog " combined
 

 

Ulteriori personalizzazioni possono essere inserite riguardi a questi tre moduli:

mod_evasive

mod_cband

mod_security