Recently I set out to add a reverse proxy to my Oracle website setup, to increase security and also to add some flexibility. This turned out to be relatively easy, as long as you limit this to http. Adding https was quite a struggle however, so I thought I'd let you in on how I finally got this to work...

In the example below, the following setup is used:

• Website URL: https://tedstruik-oracle.nl/ords/f?p=25384
• Existing Database/ORDS/Tomcat server: 192.168.2.104 (CentOS 6.8, Oracle XE 11g database, ORDS 3.0.9 running on port 8090, Tomcat 8.0.41)
• New Proxy server: 192.168.2.22 (CentOS 7, Apache 2.4, http on port 80, https on port 443)
• Certbot and Let's Encrypt handle the SSL certificate

Note that the instructions are for CentOS 7 (and therefore Apache 2.4); other CentOS/Apache versions will need slightly different commands.

Info: https://oracle-base.com/articles/misc/apache-reverse-proxy-configuration

As root: yum install httpd

Info: https://www.digitalocean.com/community/tutorials/how-to-use-apache-as-a-reverse-proxy-with-mod_proxy-on-centos-7

As root: cd /etc/httpd/conf.d vi default-site.conf Add this text: ProxyRequests Off <VirtualHost *:80> ServerName tedstruik-oracle.nl ServerAlias tedstruik-oracle ErrorLog /var/log/httpd/tedstruik-oracle-error_log TransferLog /var/log/httpd/tedstruik-oracle-access_log ProxyPass / http://192.168.2.104:8090/ ProxyPassReverse / http://192.168.2.104:8090/ ProxyPreserveHost On RequestHeader unset Origin </VirtualHost>
Note: The last 2 lines are absolutely vital: ProxyPreserveHost On RequestHeader unset Origin Without those lines, you will get this kind of 403 error in Chrome when posting pages: ORACLE REST DATA SERVICES 403 Forbidden The request cannot be processed because this resource does not support Cross Origin Sharing requests, or the request Origin is not authorized to access this resource. If ords is being reverse proxied ensure the front end server is propagating the host name, for mod_proxy ensure ProxyPreserveHost is set to On". The "ProxyPreserveHost On" line is always needed.
The "RequestHeader unset Origin" is needed for ORDS > 3.0.2. Finding that solution took way too long... The problem is hinted at (but not solved) here and here. Maybe the answer is given here but my Russian is not good enough to say for sure...

Note: Spescha Gian Branko kindly remarked that for this configuration to work, you need to make sure that headers_module is loaded in Apache, using something like this: LoadModule headers_module modules/mod_headers.so When I installed all this, this module was already loaded by default in ./conf.modules.d/00-base.conf so I didn't have to do that myself. But that may depend on your specific versions, Linux distribution, etc.
More info on loading Apache modules can be found at https://nitstorm.github.io/blog/enabling-disabling-modules-sites-apache/.

Info: http://sysadminsjourney.com/content/2010/02/01/apache-modproxy-error-13permission-denied-error-rhel/

Tell SELinux to allow httpd to access the rest of the world, as root: setsebool httpd_can_network_connect 1 setsebool -P httpd_can_network_connect 1
Restart httpd and set it to start automatically at system boot, as root: systemctl restart httpd systemctl enable httpd.service
Create/verify that NAT rules exist for TCP ports 80 and 443, on both the database server firewall and/or your internet firewall.

Info: https://certbot.eff.org/#centosrhel7-apache

As root: yum install epel-release yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional yum install python-certbot-apache certbot --apache Here's the output of "certbot -- apache" from my setup: [root@dmz-proxy-02 ~]# certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org Which names would you like to activate HTTPS for? ------------------------------------------------------------------------ 1: tedstruik-oracle.nl ------------------------------------------------------------------------ Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): Obtaining a new certificate Performing the following challenges: tls-sni-01 challenge for tedstruik-oracle.nl Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/httpd/conf.d/default-site-le-ssl.conf Deploying Certificate for tedstruik-oracle.nl to VirtualHost /etc/httpd/conf.d/default-site-le-ssl.conf Please choose whether HTTPS access is required or optional. ------------------------------------------------------------------------ 1: Easy - Allow both HTTP and HTTPS access to these sites 2: Secure - Make all requests redirect to secure HTTPS access ------------------------------------------------------------------------ Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Redirecting vhost in /etc/httpd/conf.d/default-site.conf to ssl vhost in /etc/httpd/conf.d/default-site-le-ssl.conf ------------------------------------------------------------------------ Congratulations! You have successfully enabled https://tedstruik-oracle.nl You should test your configuration at: https://www.ssllabs.com/ssltest/analyze.html?d=tedstruik-oracle.nl ------------------------------------------------------------------------ IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/tedstruik-oracle.nl/fullchain.pem. Your cert will expire on 2017-09-27. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
Test certificate renewal, as root: certbot renew --dry-run bash -c "certbot renew >> /var/log/certbot_renew.log" Verify the content of the log file.

Schedule certificate renewal.
Info: https://stackoverflow.com/questions/41535546/how-do-i-schedule-the-lets-encrypt-certbot-to-automatically-renew-my-certificat
Add a line to crontab (making sure to choose a random hour and minute), as root: crontab -e 17 02 * * * certbot renew >> /var/log/certbot_renew.log
Restart httpd, as root: systemctl restart httpd
And that should do it.

I received an email from Let's Encrypt: That page didn't provide any info on updating Certbot however, just on installing it.
It turned out to be easy enough; the simplest option is to just let yum update all packages:

As root: certbot --version || /path/to/certbot-auto --version certbot 0.21.1 yum update certbot --version || /path/to/certbot-auto --version certbot 0.29.1
If you don't want to let yum update everything, you can try this (more info here: https://community.letsencrypt.org/t/certbot-upgrade-not-working/84224/8):
As root: yum update certbot python-certbot-apache python2-certbot python2-acme
After that you can proceed with the instructions to "Remove any explicit references to tls-sni-01 in your renewal configuration" and "Do a full renewal dry run".