Mod-security and mod-proxy: a secure reverse proxy with Linux
Start from CentOS 6.6 (at the time of writing the latest 6.x release) and install it as a “basic server”.
Set up disk volumes and partitions as you prefer, keeping in mind that the logs need adequate space.
After installing CentOS, disable SELinux enforcement: edit “/etc/selinux/config” and change
From:
SELINUX=enforcing
To:
SELINUX=permissive
This policy takes effect at the next boot; to avoid a reboot, use the command:
Upgrade the system with the latest fixes using:
Now install Apache, the modules and the “Core ModSecurity Rule Set ver. 2.2.6”:
rpm -ivh http://fedora.mirror.uber.com.au/epel/6/i386/epel-release-6-8.noarch.rpm
yum install mod_security mod_security_crs mod_ssl
Activate the security module: edit the ModSecurity configuration file
/etc/httpd/conf.d/mod_security.conf
and look for the SecRuleEngine directive in that file, then set it to the desired value:
On – rules are activated
Off – rules are deactivated
DetectionOnly – transactions are only intercepted and logged, not blocked
For the first period, use DetectionOnly, to avoid problems with the web server caused by a security level that is too high.
Then restart the Apache service.
The Apache configuration file can be left with its default configuration.
You must create in
folder a file named WhatYouWant.conf, for example ReverseProxy.conf; whatever you put in this file is loaded when the httpd daemon restarts.
Here you can find the configuration that I tried, with some comments to help you adjust it for your own web sites.
I configured two web sites, “elearning.mydomain.it” and “spc-it.mydomain.com”: the first on http connections only, the second on both http and https (secure) connections.
We assume that:
1) Connections (clients) from outside can/must arrive at the reverse proxy machine on its private address (for example 10.238.3.10 on its network), coming from the firewall.
2) The reverse proxy is able to reach the right ports, on the right LAN, of the right machines.
3) DNS may not be configured on the reverse proxy; a few entries in the /etc/hosts file may be more secure.
4) Optionally, a local firewall such as iptables can make the network a bit more secure: permit input only from the firewall, permit output only to the web services, deny forwarding, and so on.
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    # URL of the server
    ServerName elearning.mydomain.it
    <Proxy *>
        Order Deny,Allow
        # IP address from which I receive the internet traffic
        Allow from My_Firewall_IP_Address
    </Proxy>
    ProxyPreserveHost On
    # URL of the server (the trailing "/" is mandatory, see the note below)
    ProxyPass / http://elearning.mydomain.it/
    ProxyPassReverse / http://elearning.mydomain.it/
</VirtualHost>

<VirtualHost *:80>
    # URL of the server
    ServerName spc-it.mydomain.com
    <Proxy *>
        Order Deny,Allow
        # IP address from which I receive the internet traffic
        Allow from My_Firewall_IP_Address
    </Proxy>
    ProxyPreserveHost On
    # URL of the server (the trailing "/" is mandatory, see the note below)
    ProxyPass / http://spc-it.mydomain.com/
    ProxyPassReverse / http://spc-it.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    # URL of the server
    ServerName spc-it.mydomain.com
    <Proxy *>
        Order Deny,Allow
        # IP address from which I receive the internet traffic
        Allow from My_Firewall_IP_Address
    </Proxy>
    SSLProxyEngine On
    SSLEngine on
    # certificate, private key and intermediate chain
    SSLCertificateFile /certs/spc-it.cert.pem
    SSLCertificateKeyFile /certs/spc-it.key
    SSLCertificateChainFile /certs/spc-it-intermediate.crt
    ProxyPreserveHost On
    # URL of the server (the trailing "/" is mandatory, see the note below)
    ProxyPass / https://spc-it.mydomain.com:443/
    ProxyPassReverse / https://spc-it.mydomain.com:443/
</VirtualHost>
IMPORTANT NOTE: in the ProxyPass and ProxyPassReverse statements, the “/” at the end of the URL
http://elearning.mydomain.it/ <- this “/”
is ABSOLUTELY MANDATORY; without it the reverse proxy does not work.
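As an added example (not part of the original post), a small POSIX sh lint that checks the two things this walkthrough says to verify before restarting httpd: that every ProxyPass/ProxyPassReverse target ends with the mandatory “/”, and which SecRuleEngine mode is actually in effect. The file paths are hypothetical and the two sample configs are constructed inline.

```sh
#!/bin/sh
# Added example, not from the original post: lint the vhost file and
# mod_security.conf before restarting httpd. Paths and samples are constructed.

# Print each ProxyPass/ProxyPassReverse whose target URL lacks the trailing "/"
# the post calls mandatory; comments and "!" exclusions are skipped. Exit 1 if
# any line is reported, 0 otherwise.
check_proxypass_slashes() {
    awk 'BEGIN { bad = 0 }
         /^[[:space:]]*#/ { next }
         $1 == "ProxyPass" || $1 == "ProxyPassReverse" {
             if ($3 != "!" && $3 !~ /\/$/) {
                 printf "%s:%d: %s target %s lacks trailing /\n", FILENAME, NR, $1, $3
                 bad = 1
             }
         }
         END { exit bad }' "$1"
}

# Print the effective SecRuleEngine value: the last uncommented occurrence wins,
# as with any repeated httpd directive.
secrule_engine_mode() {
    awk '/^[[:space:]]*SecRuleEngine[[:space:]]/ { mode = $2 } END { print mode }' "$1"
}

# Constructed sample vhost: site one is correct, site two lacks the "/" on its
# ProxyPass target; the commented-out line must not be reported.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName elearning.mydomain.it
    ProxyPass / http://elearning.mydomain.it/
    ProxyPassReverse / http://elearning.mydomain.it/
</VirtualHost>
<VirtualHost *:80>
    ServerName spc-it.mydomain.com
    # ProxyPass / http://spc-it.mydomain.com
    ProxyPass / http://spc-it.mydomain.com
    ProxyPassReverse / http://spc-it.mydomain.com/
</VirtualHost>
EOF

# Constructed sample mod_security.conf in the DetectionOnly mode the post
# recommends for the first period.
SAMPLE_MODSEC=$(mktemp)
printf '# SecRuleEngine On\nSecRuleEngine DetectionOnly\n' >"$SAMPLE_MODSEC"

echo "ModSecurity mode: $(secrule_engine_mode "$SAMPLE_MODSEC")"
check_proxypass_slashes "$SAMPLE_CONF" || echo "fix the lines above before restarting httpd"
```

Run it against your real ReverseProxy.conf and mod_security.conf instead of the samples; a non-zero exit from check_proxypass_slashes means httpd should not be restarted yet.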