[Ubuntu] Secure your Apache 2 Reverse Proxy

We have an Apache 2 working as a reverse proxy in front of some Docker instances (we won't talk about nginx vs Apache here, for the same reasons we won't talk about vi vs emacs vs xyz ;)) - and at some point we realized that our apps are a little too sensitive to allow access from any IP.

First, we want to enable the needed modules. Normally that should not be necessary, but for the sake of completeness:

# a2enmod takes the module name without the mod_ prefix
sudo a2enmod authz_core
sudo a2enmod authz_host

Secondly, we want to allow access only from trusted IPs. We forward requests to the Docker instances via ProxyPass, but we need to create a Location / "catcher" - otherwise we could not use mod_authz to deny other IPs :).

<VirtualHost *:80>
    ServerAdmin johndoe@example.com
    ServerName hex.example.com
    ServerAlias hex

    RedirectMatch ^/$ https://example.com

    # Catch every path so the authorization rules cover all proxied requests
    <Location / >
        <RequireAll>
            # Several networks on one "Require ip" line: a match on any of them grants access
            Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
        </RequireAll>
    </Location>

    ProxyPass "/" "http://127.0.0.1:8020/"
    ProxyPassReverse "/" "http://127.0.0.1:8020/"

</VirtualHost>

<VirtualHost *:443>
    ServerAdmin johndoe@example.com
    ServerName hex.example.com
    ServerAlias hex

    # Same allowlist as on port 80
    <Location / >
        <RequireAll>
            Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
        </RequireAll>
    </Location>

    ProxyPass "/" "http://127.0.0.1:8020/"
    ProxyPassReverse "/" "http://127.0.0.1:8020/"

    # Alias /static /srv/example_sw/sw/public_html/

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/hex.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/hex.example.com.key
    # Deprecated since Apache 2.4.8; the chain can be appended to SSLCertificateFile instead
    SSLCertificateChainFile /etc/ssl/chains/example-ca-chain.pem

</VirtualHost>

That way, hosts from subnets other than 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 won't be able to access the proxy and therefore our app :)!
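
One way to check that the restriction is really in effect is to audit the access log for requests from outside the three subnets that were answered instead of refused. The script below is an added example, not part of the original post; it assumes Apache's default common/combined log format, and the log lines in it are constructed.

```python
import ipaddress
import re

# Allowlist copied from the "Require ip" line in the vhosts above.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]

# Leading fields of the common/combined format: client ident user [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def is_trusted(client):
    """True if client is an IP literal inside one of the trusted subnets."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostname or garbage in the client field
    return any(addr in net for net in TRUSTED)  # IPv6 vs IPv4 net is always False

def audit(lines):
    """Return (answered, denied) for untrusted clients: requests that got a
    status below 400, and the number of requests refused with 403."""
    answered, denied = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        if is_trusted(client):
            continue
        if status == 403:
            denied += 1
        elif status < 400:
            answered.append((client, request, status))
    return answered, denied

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '192.168.1.17 - - [10/Mar/2024:09:12:01 +0100] "GET /dashboard HTTP/1.1" 200 5120',
    '192.168.4.9 - - [10/Mar/2024:09:12:05 +0100] "GET /dashboard HTTP/1.1" 403 199',
    '203.0.113.50 - - [10/Mar/2024:09:13:40 +0100] "GET /api/status HTTP/1.1" 200 88',
    '2001:db8::7 - - [10/Mar/2024:09:14:02 +0100] "GET / HTTP/1.1" 403 199',
    '192.168.3.254 - - [10/Mar/2024:09:15:30 +0100] "POST /login HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    answered, denied = audit(SAMPLE_LOG)
    print(f"refused with 403: {denied}")
    for client, request, status in answered:
        print(f"REVIEW: {client} got {status} for {request!r}")
```

Any line reported under REVIEW means a client outside the allowlist received a response, for example because a vhost is missing the Location block.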
