Amin El-Zein

asked on

apache as a reverse proxy

Hello,
I installed Apache on Ubuntu Linux 18.4 with mod_security + mod_proxy.
For example, I have the domain name test.com that points to the above server.
When I request test.com, I want it to go to another server, for example IP 1.1.1.1, that is on the internet.
In short, I want to create something like a Cloudflare.
Could you please give me the correct configuration?
Please note that the client should not know about the 1.1.1.1 server.
thanks.
noci

Possibly nginx, but definitely haproxy are better suited to be used as reverse proxy.
(haproxy will not do modsecurity functionality though).

ASKER

I am using HAProxy for SSL offloading on my pfSense firewall,
but I want to have mod_security as a web firewall.
nginx does not support NTLM.
thanks
+1 for HAProxy.

Normally only people who've never used mod_security think about using mod_security.

If you use this module, you'll have to train it + then once you move out of training mode to live mode, you'll always end up with traffic patterns which will cause false positives + lots of real traffic blocked incorrectly.

Maybe this is acceptable.

If you're going to run a public service like CloudFlare, having massive traffic dropped due to mod_security false positives will likely be unacceptable for paying customers.

Better to use fail2ban for security, as fail2ban blocks traffic at the kernel, so it is a near zero resource drain for bad traffic.

Using mod_security means every single request (real traffic + attack traffic) has to process through Apache.

When machines come under attack, blocking traffic at the kernel level is, many times, the only way machines can survive.

The way I handle this is simple.

Apache + fail2ban + nothing else between to slow down real traffic.

Keep in mind every tech you go through, NGINX, HAProxy, whatever, will roughly drop request throughput by 50%.

Again, maybe acceptable for a personal site with very little traffic. Completely unacceptable for high traffic sites.
This would be useful - the most common way of proxying requests is based on the ProxyPass directive, particularly ProxyPassReverse:
Redirect responses from the backend are fully qualified in http-compliant form. Such as https://backend.example.com/service1, for example. The address is however not accessible by the client. For this reason, the reverse proxy has to rewrite the backend’s location header, backend.example.com, replacing it with its own name and thus mapping it back to its own namespace.

ProxyPassReverse, with such a great name, only has a simple search and replace feature touching the location headers.
https://www.netnea.com/cms/apache-tutorial-9_setting-up-a-reverse-proxy/
SecRuleEngine is what enables ModSecurity in the first place. We then enable access to the request body and set two limits: by default only the header lines of the request are examined. This is like looking only at the envelope of a letter. Inspecting the body and thus the content of the request of course involves more work and takes more time, but a large number of attacks are not detectable from outside, which is why we are enabling this.
https://www.netnea.com/cms/apache-tutorial-6_embedding-modsecurity/
Hello,
I did it and it works fine right now.
My problem now is to hide the server type.
For example, when I request example.com the request is forwarded to HAProxy, then to my Apache RP, then to the original server.
I want to hide the original server's server type, or change it, or make it show the RP Apache.
thanks.
mod_headers comes to mind..., but I am not an Apache user.
Indeed mod_headers - please see the "Removing the HTTP Proxy Header with Apache" section. Mainly it is to add this:
RequestHeader unset Proxy early
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-httpoxy-vulnerability
Hello,
I did it on my reverse proxy, but I still get Server: Apache.
thanks.
RequestHeader unset Proxy - for request header

Header unset Proxy - for response header

Note the bolded one should be your server name; in the example below it is "Server":
curl -I https://x.y.z.
HTTP/1.1 200 OK
Date: Fri, 13 Jan 2017 09:19:02 GMT
Server: Apache24 (or even something else)
Content-Type: text/html
Content-Length: 1220
Last-Modified: Tue, 17 Aug 2018 11:15:29....

What this will do is remove the server header returned by the "backend" and show you the one from the reverse proxy.

The default is late mode, not early mode:
http://httpd.apache.org/docs/current/mod/mod_headers.html#early

If by any chance you want to remove or change this header even from the response of the reverse proxy itself, you will have to have mod_security installed, or something else:
SecServerSignature " "
http://sysadminstepbystep.com/how-to-remove-server-information-from-http-header-in-apache-2-4/

Also do restart Apache server.
Hello,
I set SecServerSignature " " as in the article you posted, but nothing changes; it still returns Server: Apache.
My structure is: WAN -- HAProxy SSL offloading --- Ubuntu (Apache + mod_security + mod_proxy) --- backend server (Apache)

my ubuntu server vhost config is:

<VirtualHost *:80>
ServerName site.com
SecRuleEngine On
ProxyPreserveHost On
ProxyRequests Off
KeepAlive On
ProxyPass / http://1.1.1.1/
ProxyPassReverse / http://1.1.1.1/
</VirtualHost>

thanks.
I tried, as a test, to change the reverse proxy signature to on to see which server header is sent.
The header sent is from the original …. How can I make it come from the reverse proxy?
thanks.
The server ID/token header is controlled by "ServerTokens" directive (provided by mod_core). I am thinking to simplify and with the mod_security approach, you can disable all of the module's directives/functions in the modsecurity.conf file, and leverage only the server header ID directive. Once you get mod_security installed, you only need a few directives:

<IfModule security2_module>
SecRuleEngine on
ServerTokens Full
SecServerSignature "Microsoft-IIS/6.0"
</IfModule>

That's for mod_security 2.7.7. Do restart Apache server.
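Two checks for the setup discussed in this thread, written as an added example (not code from the thread or from the Apache project): a small linter for the proxy vhost that flags a malformed ProxyPass/ProxyPassReverse target URL and a missing `Header unset Server`, and a parser for `curl -I` style output that lists which response headers still reveal the backend's software. Both samples are constructed; the vhost deliberately keeps the `http:/1.1.1.1/` typo as it appeared in the original post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample vhost, modelled on the one posted in the thread,
# including the malformed "http:/" ProxyPassReverse target.
SAMPLE_VHOST = """\
<VirtualHost *:80>
ServerName site.com
SecRuleEngine On
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://1.1.1.1/
ProxyPassReverse / http:/1.1.1.1/
</VirtualHost>
"""

# Constructed sample of a `curl -I` response seen through the proxy chain.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Fri, 13 Jan 2017 09:19:02 GMT
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2
Content-Type: text/html
"""

# Response headers that commonly disclose backend software.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

def lint_vhost(config):
    """Return a list of problems found in a mod_proxy vhost snippet."""
    problems = []
    pattern = r"^\s*(ProxyPass(?:Reverse)?)\s+(\S+)\s+(\S+)"
    for m in re.finditer(pattern, config, re.M):
        directive, _path, target = m.groups()
        url = urlsplit(target)
        # "http:/1.1.1.1/" parses with an empty netloc, so it is caught here.
        if url.scheme not in ("http", "https") or not url.netloc:
            problems.append(f"{directive}: malformed backend URL {target!r}")
    if not re.search(r"^\s*Header\s+(always\s+)?unset\s+Server\b", config, re.M | re.I):
        problems.append("no 'Header unset Server': backend banner passes through")
    return problems

def banner_leaks(raw_response):
    """Return {header: value} for response headers that reveal server software."""
    leaks = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() in BANNER_HEADERS:
            leaks[name.strip()] = value.strip()
    return leaks
```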
ASKER CERTIFIED SOLUTION
Amin El-Zein
