
Reverse Proxy Configuration using Apache

Recently I set out to add a reverse proxy to my Oracle website setup, to increase security and also to add some flexibility. This turned out to be relatively easy, as long as you limit this to http. Adding https was quite a struggle however, so I thought I'd let you in on how I finally got this to work...

In the example below, the following setup is used:
  • Website URL: https://tedstruik-oracle.nl/ords/f?p=25384
  • Existing Database/ORDS/Tomcat server: 192.168.2.104 (CentOS 6.8, Oracle XE 11g database, ORDS 3.0.9 running on port 8090, Tomcat 8.0.41)
  • New Proxy server: 192.168.2.22 (CentOS 7, Apache 2.4, http on port 80, https on port 443)
  • Certbot and Let's Encrypt handle the SSL certificate
Note that the instructions are for CentOS 7 (and therefore Apache 2.4); other CentOS/Apache versions will need slightly different commands.

Httpd Installation

Httpd Configuration

Info: https://www.digitalocean.com/community/tutorials/how-to-use-apache-as-a-reverse-proxy-with-mod_proxy-on-centos-7

As root, add this text:
Note: the last two lines are absolutely vital. Without them you will get a 403 error in Chrome when posting pages. The "ProxyPreserveHost On" line is always needed; the "RequestHeader unset Origin" line is needed for ORDS > 3.0.2. Finding that solution took way too long... The problem is hinted at (but not solved) here and here. Maybe the answer is given here, but my Russian is not good enough to say for sure...

Note: Spescha Gian Branko kindly remarked that for this configuration to work, you need to make sure that headers_module is loaded in Apache, using something like this: When I installed all this, this module was already loaded by default in ./conf.modules.d/00-base.conf so I didn't have to do that myself. But that may depend on your specific versions, Linux distribution, etc.
More info on loading Apache modules can be found at https://nitstorm.github.io/blog/enabling-disabling-modules-sites-apache/.
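To make the two "vital" directives concrete, here is an added example of the reverse-proxy virtual host as I would write it for the setup listed at the top; it is not the configuration file from the original post. Hostname, backend IP, port and the /ords path come from the setup list, and the log file names are assumptions.

```apache
# Added example, not the post's own config. Hostname, backend IP/port and the
# /ords path are taken from the setup list; log file names are assumptions.
# Needs mod_proxy, mod_proxy_http and mod_headers. On CentOS 7 these are
# normally loaded from conf.modules.d/00-base.conf; the guard below only loads
# headers_module if that has not already happened.
<IfModule !mod_headers.c>
    LoadModule headers_module modules/mod_headers.so
</IfModule>

<VirtualHost *:80>
    ServerName tedstruik-oracle.nl

    # Never act as a forward (open) proxy: only the explicit ProxyPass
    # rules below may be used to reach other hosts.
    ProxyRequests Off

    # Always needed: hand the browser's Host header to ORDS/Tomcat
    # instead of the backend's own address.
    ProxyPreserveHost On

    # Needed for ORDS > 3.0.2: with the Origin header present, POSTs
    # (APEX page submits) come back as 403. Because this removes a header
    # the backend evidently checks, keep port 8090 on 192.168.2.104
    # reachable from the proxy only, so the check is not bypassed elsewhere.
    RequestHeader unset Origin

    # Only /ords is exposed; everything else on this host is not proxied.
    ProxyPass        /ords http://192.168.2.104:8090/ords
    ProxyPassReverse /ords http://192.168.2.104:8090/ords

    ErrorLog  /var/log/httpd/ords-proxy-error.log
    CustomLog /var/log/httpd/ords-proxy-access.log combined
</VirtualHost>

# "certbot --apache" later clones this vhost into a *:443 one and adds the
# SSLCertificateFile/SSLCertificateKeyFile lines itself; the proxy directives
# above are carried over unchanged.
```

Check the result with `apachectl configtest` before restarting, and confirm from a client that a direct request to 192.168.2.104:8090 is refused while the same page through the proxy works.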

Httpd Final Steps

Info: http://sysadminsjourney.com/content/2010/02/01/apache-modproxy-error-13permission-denied-error-rhel/

Tell SELinux to allow httpd to access the rest of the world, as root:
Restart httpd and set it to start automatically at system boot, as root:
Create/verify that NAT rules exist for TCP ports 80 and 443 on the database server firewall and/or your internet firewall.

Https - Certbot and Let's Encrypt

Info: https://certbot.eff.org/#centosrhel7-apache

As root: here's the output of "certbot --apache" from my setup:
Test certificate renewal, as root:
Verify the content of the log file.

Schedule certificate renewal.
Info: https://stackoverflow.com/questions/41535546/how-do-i-schedule-the-lets-encrypt-certbot-to-automatically-renew-my-certificat
Add a line to crontab (making sure to choose a random hour and minute), as root:
Restart httpd, as root:
And that should do it.

Let's Encrypt TLS-SNI-01 validation

I received an email from Let's Encrypt:
TLS-SNI-01 validation is reaching end-of-life. It will stop working temporarily on February 13th, 2019, and permanently on March 13th, 2019. Any certificates issued before then will continue to work for 90 days after their issuance date.
You need to update your ACME client to use an alternative validation method (HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals will break and existing certificates will start to expire.
[...]
If you're a Certbot user, you can find more information here: https://community.letsencrypt.org/t/how-to-stop-using-tls-sni-01-with-certbot/83210
That page didn't provide any info on updating Certbot however, just on installing it.
It turned out to be easy enough; the simplest option is to just let yum update all packages:

As root:
If you don't want to let yum update everything, you can try this (more info here: https://community.letsencrypt.org/t/certbot-upgrade-not-working/84224/8):
As root:
After that you can proceed with the instructions to "Remove any explicit references to tls-sni-01 in your renewal configuration" and "Do a full renewal dry run".