[Ubuntu] Secure your Apache 2 Reverse Proxy

We have an Apache 2 working as a reverse proxy in front of some Docker instances (we won't go into the nginx vs Apache debate here, for the same reasons we won't talk about vi vs emacs vs xyz ;)) - and at some point we realized that our apps are a little too sensitive to be reachable from any IP.

First, we want to activate the needed modules. Normally that should not be necessary (both are enabled by default on Ubuntu's Apache 2.4), but for the sake of completeness; note that a2enmod takes the module name without the mod_ prefix:

sudo a2enmod authz_core
sudo a2enmod authz_host

Secondly, we want to allow them only from trusted IPs. We do forward requests to the Docker instances via ProxyPass - but we also need a <Location /> "catcher" block, otherwise there is nothing for mod_authz to attach the IP restriction to and we could not deny the other IPs :).

<VirtualHost *:80>
    ServerAdmin johndoe@example.com
    ServerName hex.example.com
    ServerAlias hex

    RedirectMatch ^/$ https://example.com

    <Location />
        <RequireAll>
            Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
        </RequireAll>
    </Location>

    ProxyPass "/" "http://127.0.0.1:8020/"
    ProxyPassReverse "/" "http://127.0.0.1:8020/"
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin johndoe@example.com
    ServerName hex.example.com
    ServerAlias hex

    <Location />
        <RequireAll>
            Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
        </RequireAll>
    </Location>

    ProxyPass "/" "http://127.0.0.1:8020/"
    ProxyPassReverse "/" "http://127.0.0.1:8020/"

    # Alias /static /srv/example_sw/sw/public_html/

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/hex.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/hex.example.com.key
    SSLCertificateChainFile /etc/ssl/chains/example-ca-chain.pem
</VirtualHost>

That way, hosts outside the 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 subnets can't get through the proxy and therefore can't reach our app :)!
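As an added check (not part of the original post), the following Python script reads the Require ip list out of the vhost block above, evaluates client addresses against it with the stdlib ipaddress module, and audits some constructed access-log lines for untrusted peers that were not answered with 403. Keep in mind that Require ip matches the TCP peer address: if another proxy or load balancer sits in front of this Apache, every client would appear with that device's address and mod_remoteip would have to be configured first.

```python
import ipaddress
import re

# Constructed sample input: the <Location /> block from the vhost above.
VHOST_SNIPPET = """
<Location />
<RequireAll>
Require ip 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24
</RequireAll>
</Location>
"""

# Constructed access-log lines (common log format prefix); not taken from a real server.
SAMPLE_LOG = [
    '192.168.1.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app HTTP/1.1" 200 1234',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /app HTTP/1.1" 403 199',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /app/api HTTP/1.1" 200 555',
]

REQUIRE_IP_RE = re.compile(r"^\s*Require\s+ip\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})')

def parse_require_ip(config_text):
    """Networks from every 'Require ip' line; CIDR and dotted-netmask forms are accepted and
    a bare address becomes a single-host network (Apache's partial forms like 192.168 are not)."""
    nets = []
    for m in REQUIRE_IP_RE.finditer(config_text):
        for token in m.group(1).split():
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets

def is_allowed(client_ip, nets):
    """True if the TCP peer address lies inside any trusted network (v4 and v6 never mix)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in n for n in nets)

def audit_access_log(lines, nets):
    """Requests from untrusted peers that were NOT answered 403: any hit means the
    allow list is not covering that path (e.g. a Location block that does not match)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and not is_allowed(m.group(1), nets) and int(m.group(2)) != 403:
            findings.append((m.group(1), int(m.group(2)), line))
    return findings

if __name__ == "__main__":
    trusted = parse_require_ip(VHOST_SNIPPET)
    for ip in ("192.168.2.17", "10.0.0.5"):
        print(ip, "allowed" if is_allowed(ip, trusted) else "denied")
    for ip, status, _ in audit_access_log(SAMPLE_LOG, trusted):
        print(f"untrusted peer {ip} got HTTP {status}")
```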

[Ubuntu] Letsencrypt with Apache and Freeradius

This little tutorial describes how to use Letsencrypt with Apache and Freeradius, including auto-renewal of the certificates.

#Install Letsencrypt
sudo apt-get update
sudo apt-get install git
cd /opt
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt

#Become root
sudo su

#"Order" certificates (replace SERVERDOMAIN.COM with the DNS of your Server!)
./letsencrypt-auto --apache -d SERVERDOMAIN.COM --rsa-key-size 4096
Enter Contact Mail: mail@SERVERDOMAIN.COM
Configuration Type: Secure #is best, as it does redirect insecure http to https)

#Read PATH variable
echo $PATH

#Cronjob for certificate renewal
#You should under all circumstances replace the string following PATH= with your own, as read with the command above.
#Separate it with ; from the rest of the command, as shown in the example.
crontab -e

#letsencrypt
30 2 * * 1 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games;/opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/freeradius restart
35 2 * * 1 /etc/init.d/apache2 restart

#Configure Freeradius
cp -r /etc/freeradius/certs/ /etc/freeradius/certs_bkp
rm /etc/freeradius/certs/*.pem
cp /etc/freeradius/eap.conf /etc/freeradius/eap.conf_bkp

vi /etc/freeradius/eap.conf

#certdir = ${confdir}/certs
#cadir = ${confdir}/certs
certdir = /etc/letsencrypt/live/SERVERDOMAIN.COM
cadir = /etc/letsencrypt/live/SERVERDOMAIN.COM
#dh_file = ${certdir}/dh
dh_file = ${confdir}/certs/dh
#private_key_password = whatever
private_key_file = ${certdir}/privkey.pem
certificate_file = ${certdir}/cert.pem
CA_file = ${cadir}/fullchain.pem

#Configure access rights on /etc/letsencrypt
cd /etc/letsencrypt/
chgrp -R ssl-cert archive csr keys live options-ssl-apache.conf renewal # set group of cert/key dirs to ssl-cert
find . -type d -exec chmod g+xs {} \; # directories executable and setgid (new files/dirs inherit group ssl-cert)
find . -type f -exec chmod g+r {} \; # files readable

#Restart Freeradius
service freeradius stop
service freeradius start

Additional info: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
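The renew job only rewrites the files under /etc/letsencrypt; the separate restart entries five minutes later are what make Apache and Freeradius pick the new certificate up. The following Python script is an added check (not from the original tutorial) for exactly that: it fingerprints the leaf certificate in cert.pem or fullchain.pem, compares it with what the running HTTPS server presents, and verifies the group-readability the chgrp/chmod steps set up; the embedded PEM strings are constructed placeholders, not real certificates, and the cert path and host name are passed as arguments.

```python
import grp
import hashlib
import os
import socket
import ssl
import stat
import sys

# Constructed sample PEMs for offline use: base64 of short byte strings, NOT real certificates.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\naW50ZXI=\n-----END CERTIFICATE-----\n"
FULLCHAIN_PEM = LEAF_PEM + INTERMEDIATE_PEM   # same layout as fullchain.pem: leaf first

def first_cert_block(pem_text):
    """Return only the first BEGIN/END CERTIFICATE block, so fullchain.pem yields the leaf."""
    start = pem_text.index("-----BEGIN CERTIFICATE-----")
    end = pem_text.index("-----END CERTIFICATE-----", start) + len("-----END CERTIFICATE-----")
    return pem_text[start:end]

def fingerprint_pem(pem_text):
    """SHA-256 fingerprint (hex) of the leaf certificate in a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(first_cert_block(pem_text))
    return hashlib.sha256(der).hexdigest()

def fingerprint_served(host, port=443, timeout=5):
    """Fingerprint of the leaf certificate the running HTTPS server actually presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # we compare fingerprints, not names
    ctx.verify_mode = ssl.CERT_NONE  # the point is to see what is served, not to validate it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def readable_by_group(path, group="ssl-cert"):
    """True if the file belongs to `group` and is group-readable (what the chgrp/chmod steps set up)."""
    st = os.stat(path)
    try:
        owner_group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        return False
    return owner_group == group and bool(st.st_mode & stat.S_IRGRP)

if __name__ == "__main__":
    # usage: check_renewal.py /etc/letsencrypt/live/SERVERDOMAIN.COM/cert.pem SERVERDOMAIN.COM
    cert_path, host = sys.argv[1], sys.argv[2]
    with open(cert_path) as f:
        on_disk = fingerprint_pem(f.read())
    stale = on_disk != fingerprint_served(host)
    print("STALE: restart apache2" if stale else "apache serves the renewed cert")
    print("group-readable for freeradius:", readable_by_group(cert_path))
```

Freeradius serves its certificate over EAP-TLS rather than HTTPS, so for it only the readability check applies here; a stale RADIUS cert shows up as a failed EAP handshake on the clients.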

[WinXP/Vista/7] Port 80 Blocked

Developing websites with XAMPP is always neat and nice: a compact package, everything you need is there - and even carrying it around on a USB stick (in a TrueCrypt file ;)) gets you up and running on every Windows PC, wherever you are, in no time. But the problem with this solution comes with the "host PC": there are a lot of tools nowadays that hijack and use port 80 (your most beloved web server / Apache standard port) for their own needs, and so you quickly end up with "Apache terminated" in your XAMPP window because of the blocked port. Finding out which program is blocking / using that port is easy, as XAMPP comes with a "Port-Check" tool that can be started from the XAMPP Control Panel. Other than that, here is the TOP 4 of the most annoying port-blocking apps:

4.) TeamViewer (as commented by Teufelsauge)
A remote desktop tool that can be configured to run as a background service, listening on ports 80 and 443.

3.) Apache
Yeah, that's right. Some people have an old Apache setup running - set up years ago and forgotten in the background. Sounds stupid, but like most errors, this is one of the nastiest. So check your memory before jumping to wrong conclusions.

2.) Microsoft SQL Server
It is an SQL server! Not a web server! Why the heck would... Yeah, right: it DOES block port 80. Open services.msc from the "Run As" dialog and look for "SQL Server Reporting Services (MSSQLSERVER)". Set it to disabled and stop it. Port 80 freed, hurray!

1.) Skype
To bypass corporate security standards and firewalls, Skype can use port 80 and even port 443 (SSL) as a workaround - and it does so by default. To disable that, start Skype and go to Tools -> Options -> Advanced -> Connection and untick "Use port 80 and 443 as alternatives for incoming connections".