Apache2 Https Proxy

  

Apache

This page contains information about hosting your own registry using the open source Docker Registry. For information about Docker Hub, which offers a hosted registry with additional features such as teams, organizations, webhooks, automated builds, etc., see Docker Hub.

The strategy is to use Apache for the SSL, and proxy using AJP on the OFBiz side. First, disable ordinary http access for our site, since we are only using a proxy to AJP. Disable http, https in OFBiz. Apache is a very popular HTTP server and can be configured as a proxy to redirect HTTP traffic similar to nginx. In this guide, we will learn how to set up Apache on CentOS 7 and use it as a reverse proxy to welcome incoming connections and redirect them to the ASP.NET Core application running on Kestrel. Tell Apache to load the mod_proxy and mod_proxy_http modules, if it has not already. In SuSE this is accomplished by adding 'proxy proxy_http' to APACHE_MODULES in /etc/sysconfig/apache2 and restarting Apache.

Use-case

People already relying on an apache proxy to authenticate their users to other services might want to leverage it and have Registry communications tunneled through the same pipeline.

Usually, that includes enterprise setups using LDAP/AD on the backend and an SSO mechanism fronting their internal http portal.

Alternatives

If you just want authentication for your registry, and are happy maintaining user access separately, you should really consider sticking with the native basic auth registry feature.

Solution

With the method presented here, you implement basic authentication for docker engines in a reverse proxy that sits in front of your registry.

While we use a simple htpasswd file as an example, any other apache authentication backend should be fairly easy to implement once you are done with the example.

We also implement push restriction (to a limited user group) for the sake of the example. Again, you should modify this to fit your needs.

Gotchas

While this model gives you the ability to use whatever authentication backend you want through the secondary authentication mechanism implemented inside your proxy, it also requires that you move TLS termination from the Registry to the proxy itself.

Furthermore, introducing an extra http layer in your communication pipeline adds complexity when deploying, maintaining, and debugging.
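The following virtual host is an added example of the arrangement described above (basic auth in the proxy, TLS terminated at the proxy, pushes limited to one group); it is not the page's own script nor the Docker project's reference config. The hostname, certificate paths, the registry listening on 127.0.0.1:5000, the htpasswd and group file locations, and the group name "pusher" are all assumptions; the "Docker-Distribution-Api-Version" header and the /v2 prefix are what Docker clients expect from a v2 registry.

```apache
# Added example: Apache 2.4 reverse proxy in front of a Docker Registry.
# Not the page's or Docker's own config. Assumed values are marked below.
# Modules needed (Debian-style): a2enmod ssl proxy proxy_http headers authz_groupfile
#
# Assumed credential files, created outside this file:
#   htpasswd -Bc /etc/apache2/registry/htpasswd testuser
#   htpasswd -B  /etc/apache2/registry/htpasswd testuserpush
#   echo "pusher: testuserpush" > /etc/apache2/registry/groups

<VirtualHost *:443>
    ServerName registry.example.com                       # assumed hostname

    # TLS terminates here, not in the registry (the "gotcha" from the text)
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/registry.example.com/fullchain.pem  # placeholder path
    SSLCertificateKeyFile /etc/letsencrypt/live/registry.example.com/privkey.pem    # placeholder path
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Docker clients require this header to treat the endpoint as a v2 registry;
    # the registry itself needs to know the original scheme for redirects.
    Header always set "Docker-Distribution-Api-Version" "registry/2.0"
    RequestHeader set X-Forwarded-Proto "https"

    ProxyRequests off                                     # never act as a forward proxy
    ProxyPreserveHost on
    ProxyPass        /v2 http://127.0.0.1:5000/v2         # assumed registry address
    ProxyPassReverse /v2 http://127.0.0.1:5000/v2

    <Location /v2>
        AuthName "Registry Authentication"
        AuthType basic
        AuthUserFile  "/etc/apache2/registry/htpasswd"    # assumed path
        AuthGroupFile "/etc/apache2/registry/groups"      # assumed path

        # Pulls (GET/HEAD): any valid user
        <Limit GET HEAD>
            Require valid-user
        </Limit>

        # Every other method (POST, PUT, PATCH, DELETE, ...): members of "pusher" only.
        # LimitExcept, rather than a second Limit, leaves no method without a Require.
        <LimitExcept GET HEAD>
            Require group pusher
        </LimitExcept>
    </Location>
</VirtualHost>
```

The two method-scoped sections are deliberate: a bare `Require valid-user` next to a `<Limit POST ...>` block would be combined with OR semantics in Apache 2.4 and let any authenticated user push. Check the result with `apachectl configtest`, then confirm that `docker push` as the pull-only user fails with an HTTP 403 while `docker pull` succeeds.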

Setting things up

Read again the requirements.

Ready?


Run the following script:


Starting and stopping

Now, start your stack:

Log in with a “push” authorized user (using testuserpush and testpasswordpush), then tag and push your first image:

Now, log in with a “pull-only” user (using testuser and testpassword), then pull back the image:

Verify that the “pull-only” user can NOT push:


Installing OFBiz with MariaDB as the back end, behind an Apache httpd server, with SSL.

Step-by-step guide for Debian based Distributions

Get the Right Java

Install Java 8 (somehow; it is not the current version for your distro). I used adoptjdk (https://adoptopenjdk.net/). Set it as the default.

BTW: I selected the openj9 implementation (https://www.royvanrijn.com/blog/2018/05/openj9-jvm-shootout/), because its memory use profile is superior.

If you have other software that needs some other version of Java, you will need to set up the Java environment to suit, using JAVA_HOME and similar settings appropriately.

Then the Latest OFBiz

Download the latest stable OFBiz from Apache (https://ofbiz.apache.org/download.html). At the time of writing it was 17.12.04.

Unzip the OFBiz into somewhere like /var/www. cd into that directory.

Build and Configure

Setup for SQL

I chose mariadb, mostly because it was required for other services I was already running on the server. Postgresql would be fine (or better), and I am sure the built-in Derby is also fine for small installations.


I installed the client driver and copied the relevant piece into the gradle build system as follows:

Edit the config to use mariadb, change driver references from com.mysql to org.mariadb.
Make sure the users and passwords match what you are going to put in the database below.


Change default delegators from using localderby to localmysql. Make your passwords in the localmysql, localmysqlolap and localmysqltenant sections match those in the mysql sql code that creates the databases below.



Set up your mariadb tables.

Seed the database


Then run gradle to seed the database. It is recommended to use the demo data, as there are lots of dependencies in various tables on having at least one record in some other seemingly unrelated table.

If you want the demo data, simply run

Here is the invocation to avoid having the demo data but still have an admin login:

Launch the server

Because I set this up on a cloud VM, I changed host-headers-allowed to match my domain so I could log in remotely.


Configuration


Now you can start the service in the systemd way:


You will also want to enable the service on reboot:

Connect and Test Login

You should be able to log in as admin at this point (default password is ofbiz): http://example.ca:8443/accounting.

This is using a self-signed certificate that came with OFBiz, so you will need to accept it in your browser to proceed, but not to worry, in a bit we will be setting up a proper Let's Encrypt certificate.

Secure with SSL

We need to change a few things here. The strategy is to use apache for the SSL, and proxy using ajp on the ofbiz side.
First, disable ordinary http access for our site, since we are only using a proxy to ajp.

Disable http, https in OFBiz.

Enable Proxy service:

Here I create a regular (port 80) configuration, because I can then use certbot to create a modified version, and add redirection code to this, but you can skip this phase if you wish.

Now we need to enable SSL:

Get a certificate from Let's Encrypt.

Then we can redirect non-SSL (port 80) to SSL (port 443):

Enabling SSL with LetsEncrypt certificates

Proxy

And finally proxy port 443 to the ajp(8009) port:

Then enable the secure site with:


Lastly, we can enable redirects from our http port 80 site to the SSL side:


Now a connection looks like:

https://example.ca/webtools

Static Content

Have apache serve up static content directly, by not proxying it through Tomcat.
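The steps from "Secure with SSL" through "Static Content" fit in two virtual hosts. What follows is an added example of that layout, not the page author's actual site files nor anything shipped with OFBiz: the domain example.ca is taken from the page, while the AJP connector on 127.0.0.1:8009, the Let's Encrypt certificate paths, and the static-content directory /var/www/ofbiz-static are assumptions.

```apache
# Added example: Apache fronting OFBiz over TLS, proxying to AJP and
# serving static files itself. Not the page's or OFBiz's own config.
# Modules needed: a2enmod ssl proxy proxy_ajp headers
# Enable with: a2ensite <file> && apachectl configtest && systemctl reload apache2

# Plain http (port 80): nothing is served here, everything is sent to https.
<VirtualHost *:80>
    ServerName example.ca                                  # domain from the page
    Redirect permanent / https://example.ca/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.ca

    # Let's Encrypt certificate (paths are the usual certbot layout; placeholders)
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.ca/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.ca/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000"

    ProxyRequests Off                                      # reverse proxy only, never a forward proxy
    ProxyPreserveHost On                                   # OFBiz sees example.ca, matching host-headers-allowed

    # Static content served by Apache directly. The "!" rule must come
    # before the catch-all ProxyPass, because the first matching rule wins.
    Alias /images /var/www/ofbiz-static/images             # assumed export of OFBiz's static files
    ProxyPass /images !
    <Directory /var/www/ofbiz-static>
        Options -Indexes
        Require all granted
    </Directory>

    # Everything else goes to Tomcat's AJP connector on loopback.
    # OFBiz's own http/https ports stay disabled, so this is the only way in.
    # If the AJP connector is configured with a shared secret (Tomcat 9.0.31+),
    # append "secret=<value>" to the ProxyPass line (mod_proxy_ajp, httpd 2.4.42+).
    ProxyPass        / ajp://127.0.0.1:8009/
    ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>
```

Keeping the AJP connector bound to 127.0.0.1 matters as much as the Apache side: AJP carries no transport security of its own, so it should never be reachable from outside the host. After reloading, a request to http://example.ca/webtools should answer with a 301 to https://example.ca/webtools, and the login page should arrive over the Let's Encrypt certificate rather than the self-signed one.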

Ready for Business