Skip to content

Instantly share code, notes, and snippets.

@ravibhure

ravibhure/Apache Reverse Proxy

Last active January 5, 2018 06:21
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ravibhure/c04bc45e1fea29727bea to your computer and use it in GitHub Desktop.
Save ravibhure/c04bc45e1fea29727bea to your computer and use it in GitHub Desktop.
Download ZIP
Reverse Proxy - Apache & Nginx
Raw
Apache Reverse Proxy
# Make sure mod_ssl, mod_rewrite, mod_headers, mod_proxy,
# mod_proxy_http and mod_proxy_balancer are enabled
# Advanced Apache reverse proxy - Rails
# Oh so cleverly adapted from this https://gist.github.com/MrZYX/719014
<VirtualHost *:80>
ServerName www.example11.com
RedirectPermanent / https://www.example11.com/
</VirtualHost>
<VirtualHost *:443>
ServerName www.example11.com
DocumentRoot /path/to/example11/public
RewriteEngine On
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L]
<Proxy balancer://upstream>
BalancerMember http://127.0.0.1:3000
</Proxy>
ProxyRequests Off
ProxyVia On
ProxyPreserveHost On
RequestHeader set X_FORWARDED_PROTO https
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
<Directory /path/to/example11/public>
Allow from all
AllowOverride all
Options -MultiViews
</Directory>
SSLEngine On
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/private_key
# maybe not needed, need for example for startssl to point to a local
# copy of http://www.startssl.com/certs/sub.class1.server.ca.pem
SSLCertificateChainFile /path/to/chain_file
</VirtualHost>
Raw
Nginx Reverse Proxy
# Nginx Passenger reverse proxy
# This is not a complete Nginx configuration! It only shows the relevant parts for integrating Example11.
# [...]
http {
# Your standard server configuration goes here
# [...]
# This vhost just redirects to HTTPS
server {
# If your host is not IPv6 ready use listen 80; here.
# Add ipv6only=off to your listen directive that has default_server.
# Or this one if this is your only vhost. Do not add it to both!
listen [::]:80;
server_name www.example11.com www.www.example11.com;
rewrite ^/(.*) https://www.example11.com/$1 permanent;
}
server {
listen [::]:443 ssl spdy; # Same rules as for listen [::]:80 apply.
server_name www.www.example11.com;
rewrite ^/(.*) https://www.example11.com/$1 permanent;
# SSL setup
# This file should also include any necessary intermediate certificates
# For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
ssl_certificate /path/to/certificate.crt;
ssl_certificate_key /path/to/private_key.key;
# Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# You might want to make these global
# generate with openssl dhparam 2048 > /path/to/dhparam.pem
ssl_dhparam /path/to/dhparam.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
}
# Actual proxy
server {
listen [::]:443 ssl spdy; # Same rules as for listen [::]:80 apply.
server_name www.example11.com;
root /path/to/example11/public;
# Configure maximum picture size
# Note that Example11 has a client side check set at 4M
client_max_body_size 5M;
# SSL setup
# This file should also include any necessary intermediate certificates
# For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
ssl_certificate /path/to/certificate.crt;
ssl_certificate_key /path/to/private_key.key;
# Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
# You might want to make these global
# generate with openssl dhparam 2048 > /path/to/dhparam.pem
ssl_dhparam /path/to/dhparam.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
# Proxy if requested file not found
try_files $uri @example11;
location @example11 {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_pass http://example11_server;
}
}
# Proxy destination
# Add as many server directives as you want
# Also takes a socket, like unix:/path/to/some/socket.sock
upstream example11_server {
server 127.0.0.1:3000;
}
}
# [...]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment