[SOLVED] How do I set up reverse proxy in Apache on a Slackware 14.2 Server?
Zabbix is accessed through the link myu.com/zabbix, and is restricted by LDAP authentication. Now I want Grafana to be accessed at myu.com/grafana, and since Grafana runs on a server itself, on port 3000, I need the reverse proxy so that it goes through LDAP authentication as well.
In /etc/httpd/httpd.conf I enabled the following modules:
.mod_proxy;
.mod_proxy_http;
.mod_proxy_balancer (you may not even need to);
.mod_lbmethod_byrequests;
.mod_slotmem_shm;
I also had to uncomment the line:
#Include /etc/httpd/extra/httpd-vhosts.conf
And in /etc/httpd/extra/httpd_vhosts.conf I left it like this:
However, when trying to access any website after that, the message appears:
ssl_error_rx_record_too_long
I just comment out "#Include /etc/httpd/extra/httpd-vhosts.conf" again and the error goes away, but then I am left without grafana.myu.com in the hopeless way.
What can be wrong with these settings for reverse proxy?
Quote:
However, when trying to access any website after that, the message appears:
ssl_error_rx_record_too_long
Your server is not SSL enabled, because you're not using a certificate/key.
Get an SSL certificate and add the following directives in the vhost configuration:
You are right, and I also had to put "SSLProxyEngine on". But now another problem has appeared, when loading the page only a json appears saying: '{"message": "Invalid username or password"}'
And I am also still able to access grafana through myu.com:3000 without going through LDAP authentication.
Does the error come from the backend application (grafana)?
I know almost nothing about grafana, but let's try to remove SSLRequireSSL and move "ProxyPreserveHost On" inside the Location stanza, like a default reverse proxy configuration:
I left it as suggested, but I still manage to access the link below without going through LDAP authentication, that is, the reverse proxy does not seem to be working.
And when I put the URL myu.com/grafana, the message "You don't have permission to access this resource." appears.
In Grafana it is configured like this:
Code:
#################################### Server ####################################
[server]
# Protocol (http, https, h2, socket)
protocol = https
# The ip address to bind to, empty will bind to all interfaces
http_addr = 192.168.6.3
# The http port to use
http_port = 3000
# The public facing domain name used to access grafana from a browser
domain = myu.com
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/
# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
serve_from_sub_path = true
# Log web requests
;router_logging = false
# the path relative working path
static_root_path = public
I asked about this problem on the Grafana forum, but after seeing other posts, it seems that the interaction between users there is very small.
Quote:
I left it as suggested, but I still manage to access the link below without going through LDAP authentication, that is, the reverse proxy does not seem to be working.
You should either close port 3000 from your firewall, or make grafana listen only on the local loopback interface (127.0.0.1).
The reverse proxy is used to forward requests to the backend server resources that aren't (shouldn't be) accessible directly.
Quote:
And when I put the URL myu.com/grafana, the message "You don't have permission to access this resource." appears.
Check the apache error_log, to see why it's complaining.
What happens if you visit https://myu.com/grafana?
Btw, add a trailing slash at the Location definition since you use it in ProxyPass and ProxyPassReverse directives. Also since you're using https protocol in grafana config, use the same in the proxied URL:
I don't know how I would access it if I left it in loopback. As for https, I already fixed it at the beginning, but the problem persists. Apache in Slackware seems to have its modules divided into several files in the extra folder, and I had a question, if I put all the configuration in httpd-vhosts.conf or part of it, without <virtualhost>, in proxy-html.conf.
Quote:
I don't know how I would access it if I left it in loopback.
According to your grafana configuration, it listens on 192.168.6.3. That means that it's running on the same server as the apache reverse proxy.
So it's better to make grafana listen on the local loopback interface and use apache to connect to it from the public IP. Or else you don't need a reverse proxy if you want/can connect to grafana directly.
Quote:
As for https, I already fixed it at the beginning, but the problem persists.
What problem? Please post the exact error you get and the relevant apache logs.
Quote:
Apache in Slackware seems to have its modules divided into several files in the extra folder, and I had a question, if I put all the configuration in httpd-vhosts.conf or part of it, without <virtualhost>, in proxy-html.conf.
Depends if the host myu.com that you want to use to access grafana backend is a vhost or not. In the former case all the reverse proxy stuff should go into the vhost definition.
AFAIK proxy-html.conf is used by the proxy_html module, that I guess is not the case here.
The intention is just not to access it directly, it is the business rule of the sector to go through LDAP authentication before any access to internal sites.
Despite the delay in answering this post, as I had to solve other priorities, the problem of grafana with reverse proxy still persists.
Another detail, when I try to access the link 'https://myu.com/grafana' it says that the URL was not found.
Quote:
The intention is just not to access it directly, it is the business rule of the sector to go through LDAP authentication before any access to internal sites.
Despite the delay in answering this post, as I had to solve other priorities, the problem of grafana with reverse proxy still persists.
If you mean that you can access grafana directly using https://myu.com:3000/grafana/login, I already told you to either close port 3000, or since grafana runs on the same box as the apache reverse proxy make grafana listen just on the local loopback interface, so only apache can access it.
Quote:
Originally Posted by cesarsj
Another detail, when I try to access the link 'https://myu.com/grafana' it says that the URL was not found.
Could you please post your current reverse proxy configuration?
The file /etc/httpd/extra/httpd-ssl.conf looks like this:
Code:
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/srv/httpd/htdocs"
ServerName myu.com:443
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
<Location /grafana/>
ProxyPreserveHost On
ProxyPass https://127.0.0.1:3000/
SSLRequireSSL
AuthType basic
AuthBasicProvider ldap
AuthName "Restrict Access"
AuthLDAPBindDN cn=apacheldap,ou=DSA,dc=myu,dc=com
AuthLDAPBindPassword <password>
AuthLDAPURL ldap://ldap.myu.com:389/ou=people,dc=myu,dc=com?uid?one TLS
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=restrictintranet,ou=groups,dc=myu,dc=com
</Location>
ProxyPassReverse /grafana/ https://127.0.0.1:3000/
And in Grafana, in defaults.ini I left it like this:
Code:
[server]
# Protocol (http, https, h2, socket)
protocol = https
# The ip address to bind to, empty will bind to all interfaces
http_addr = 127.0.0.1
# The http port to use
http_port = 3000
# The public facing domain name used to access grafana from a browser
domain = myu.com
# Redirect to correct domain if host header does not match domain
# Prevents DNS rebinding attacks
;enforce_domain = false
# The full public facing url you use in browser, used for redirects and emails
# If you use reverse proxy and sub path specify full url (with sub path)
root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/
# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
serve_from_sub_path = true
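One configuration consistent with the advice in this thread, as an added example that is not taken from any poster: TLS terminates at Apache and Grafana is assumed to speak plain HTTP on loopback only, so port 3000 cannot be used to skip the LDAP check. The certificate paths are placeholders, and the `RequestHeader unset Authorization` line assumes the "Invalid username or password" JSON came from Grafana receiving the LDAP Basic credentials.

```apache
# Grafana side ([server] section), assumed for this example:
#   protocol = http
#   http_addr = 127.0.0.1      (loopback only; direct access to :3000 is gone)
#   http_port = 3000
#   domain = myu.com
#   root_url = https://myu.com/grafana/      (public URL, without :3000)
#   serve_from_sub_path = true

# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_alias,
# mod_ldap and mod_authnz_ldap loaded in httpd.conf.
<VirtualHost _default_:443>
    ServerName myu.com:443
    SSLEngine on
    # Placeholder paths: point these at the real certificate and key.
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"

    # <Location /grafana/> does not match "/grafana" without the slash,
    # so redirect that form instead of returning "not found".
    RedirectMatch ^/grafana$ /grafana/

    <Location /grafana/>
        # LDAP gate, with the directives posted in the thread.
        AuthType basic
        AuthBasicProvider ldap
        AuthName "Restrict Access"
        AuthLDAPBindDN cn=apacheldap,ou=DSA,dc=myu,dc=com
        AuthLDAPBindPassword <password>
        AuthLDAPURL ldap://ldap.myu.com:389/ou=people,dc=myu,dc=com?uid?one TLS
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        Require ldap-group cn=restrictintranet,ou=groups,dc=myu,dc=com

        # Apache has already verified the credentials. Do not forward them,
        # or Grafana treats them as a login attempt against its own users.
        RequestHeader unset Authorization

        # Backend is plain HTTP on loopback, so SSLProxyEngine is not needed.
        # The sub path is kept because serve_from_sub_path = true.
        ProxyPreserveHost On
        ProxyPass        http://127.0.0.1:3000/grafana/
        ProxyPassReverse http://127.0.0.1:3000/grafana/
    </Location>
</VirtualHost>
```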