Tutorial: Apache 2.4 as reverse proxy

This post explains how to configure Apache 2.4 (the version that comes with Ubuntu 14.04) as a fully transparent reverse proxy. If you have a single website that has multiple paths that are actually run by different web applications then this tutorial may be for you.

The proxy will serve both web applications from their own virtual host configuration. These may be on the same machine as shown below using the loop-back addresses 127.0.0.1 and 127.0.0.2 or on different machines if you use their (internal) IP addresses.

Site: http://www.yourwebsite.com/
App1: http://www.yourwebsite.com/app1 = http://127.0.0.1/app1
App2: http://www.yourwebsite.com/app2 = http://127.0.0.2/app2

This is the directory structure in which I want to load the various web apps:

maurits@nuc:/var/www/html$ ll
total 28
drwxr-xr-x 4 root root  4096 Dec  1 21:43 ./
drwxr-xr-x 3 root root  4096 Apr 21  2014 ../
-rw-r--r-- 1 root root 11510 Apr 21  2014 index.html
drwxr-xr-x 2 root root  4096 Dec  1 21:45 app1/
drwxr-xr-x 2 root root  4096 Dec  1 21:45 app2/

In this tutorial we run the web applications on the same paths as on the proxy. This means that the web apps run in a subdirectory, even on the machines behind the proxy. This avoids the need for rewriting and thus keeps this setup simple and easy to debug.

Setting up the reverse proxy in Apache 2.4

What we are going to do is set up a reverse proxy. First we load the “proxy_http” module in Apache 2.4 using:

sudo a2enmod proxy_http
sudo service apache2 restart

Let’s set up the reverse proxy virtual host configuration in “/etc/apache2/sites-available/yourwebsite-proxy.conf” like this:

<VirtualHost *:80>
ServerName www.yourwebsite.com
DocumentRoot /var/www/html
ProxyPreserveHost On
ProxyPass /app1 http://127.0.0.1/app1
ProxyPass /app2 http://127.0.0.2/app2
</VirtualHost>

The virtual host configuration of app1 in “/etc/apache2/sites-available/yourwebsite-app1.conf” looks like this:

<VirtualHost 127.0.0.1:80>
ServerName www.yourwebsite.com
DocumentRoot /var/www/html
...
</VirtualHost>

And the virtual host configuration of app2 in “/etc/apache2/sites-available/yourwebsite-app2.conf” looks like this:

<VirtualHost 127.0.0.2:80>
ServerName www.yourwebsite.com
DocumentRoot /var/www/html
...
</VirtualHost>

Let’s enable all sites and reload Apache using:

sudo a2ensite yourwebsite-proxy yourwebsite-app1 yourwebsite-app2
sudo service apache2 reload

Note that this works because virtual host configurations with a specific IP address are matched before the wildcard one. “ProxyPreserveHost” makes sure the “Host” header in the request is not rewritten. The lack of a “ProxyPassReverse” makes sure that no rewriting is done on the response.

Showing the correct remote IP address

It is important to understand that in the above setup, the proxied web application will only see a different “REMOTE_ADDR” environment variable, since there is absolutely no rewriting going on. The real visitor address is passed along in the “X-Forwarded-For” header. This is a comma-separated list and the last entry holds the real client IP address.

If you are on Apache 2.4, like in Ubuntu 14.04, you can correct the reported remote address by loading the “remoteip” module like this:

sudo a2enmod remoteip
sudo service apache2 restart

Add the “RemoteIPHeader” and “RemoteIPInternalProxy” directives to the virtual host configurations:

<VirtualHost 127.0.0.1:80>
ServerName www.yourwebsite.com
DocumentRoot /var/www/html
RemoteIPHeader X-Forwarded-For
RemoteIPInternalProxy 127.0.0.0/8
...
</VirtualHost>

Note that in “RemoteIPInternalProxy” you must specify the internal IP address (or range) of the proxy. To test whether you did it right, run a PHP script that calls “phpinfo()”. If you see that the “REMOTE_ADDR” value is not set to the proxy address, it is working.
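A client can send its own “X-Forwarded-For” header, so only the entry appended by a trusted proxy may be believed. The following added example (not code from the original post) shows in outline how mod_remoteip resolves the client address under “RemoteIPHeader X-Forwarded-For” and “RemoteIPInternalProxy 127.0.0.0/8”: the list is walked from the right and trusted proxy addresses are popped off until a non-proxy address is found. The sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the client address the
# way mod_remoteip does. Only entries appended by trusted proxies can be
# believed; anything the client put in the header itself ends up further left.

# Trusted proxy test; matching 127.* stands in for the 127.0.0.0/8 range
# used in the RemoteIPInternalProxy directive above.
is_internal_proxy() {
    case $1 in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# resolve_client_ip PEER_ADDR XFF_VALUE
#   PEER_ADDR is the TCP peer the application sees (REMOTE_ADDR without
#   mod_remoteip); XFF_VALUE is the raw X-Forwarded-For header value.
#   If the peer is not a trusted proxy, the header is ignored entirely.
resolve_client_ip() {
    client=$1
    rest=$(printf '%s' "$2" | tr -d ' ')
    while is_internal_proxy "$client" && [ -n "$rest" ]; do
        client=${rest##*,}                  # take the right-most entry
        case $rest in
            *,*) rest=${rest%,*} ;;          # drop it from the list
            *)   rest='' ;;
        esac
    done
    printf '%s\n' "$client"
}

# Constructed sample: proxy on 127.0.0.1, visitor 203.0.113.9 who tried to
# spoof 10.0.0.1; the spoofed entry is ignored and 203.0.113.9 is reported.
resolve_client_ip 127.0.0.1 '10.0.0.1, 203.0.113.9'
```

A direct connection that bypasses the proxy (peer not in 127.0.0.0/8) keeps the peer address whatever the header says, which is exactly why the internal proxy range must be listed and not left open.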

Adding headers to the upstream request

We want Apache 2.4 to add headers to the upstream request, and therefore we need to load the “headers” module using:

sudo a2enmod headers
sudo service apache2 restart

Next, we have to adjust the reverse proxy virtual host configuration in “/etc/apache2/sites-available/yourwebsite-proxy.conf” like this:

<VirtualHost *:80>
ServerName www.yourwebsite.com
DocumentRoot /var/www/html
ProxyPreserveHost On
# RewriteRule with the [P] flag also needs mod_rewrite: sudo a2enmod rewrite
RewriteEngine On
RequestHeader add X-SSL off
RewriteRule ^/app1/(.*) http://127.0.0.1/app1/$1 [P,L]
RewriteRule ^/app2/(.*) http://127.0.0.2/app2/$1 [P,L]
</VirtualHost>

In this example we add an “X-SSL” header with the value “off” to the proxied request. If you want to add headers to the response, use the “Header” directive.

If you have any questions, please use the comments below.

Fix Ubuntu SSLv3 POODLE issue in Nginx and Apache

Are you running an HTTPS website on Ubuntu (or any other Linux) with Nginx or Apache? You may be at risk: a man-in-the-middle attack may be effective. This was explained yesterday by Google in their publication about the POODLE attack. POODLE is an acronym for “Padding Oracle On Downgraded Legacy Encryption”. The attack uses a fall-back to the 18-year-old “SSLv3” protocol. The security researchers propose that the easiest “fix” is to disable this legacy SSL variant. Fortunately only a small part of your visitors will be impacted:

All modern browsers and API clients will support TLSv1 and later. Disabling SSLv3 will inconvenience Windows XP users who browse using Internet Explorer 6 – nginx blog

The attack is registered as CVE-2014-3566. Now let’s quickly look at the commands we need to execute:

Disable SSLv3 on Apache

1) We need to edit the file that holds the Apache SSL configuration:

sudo nano /etc/apache2/mods-enabled/ssl.conf

2) Find the following line:

SSLProtocol all -SSLv2

3) Add the option “-SSLv3” so that the line will look like this:

SSLProtocol all -SSLv2 -SSLv3

4) Now restart Apache to make the change effective:

sudo service apache2 restart

Disable SSLv3 on Nginx

1) We need to search all virtual host configuration files for the use of the “ssl_protocols” directive:

maurits@nuc:~$ grep -R ssl_protocols /etc/nginx/sites-*
/etc/nginx/sites-available/default:    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

2) We need to edit each file that holds the “ssl_protocols” directive:

sudo nano /etc/nginx/sites-available/default

3) Find the following line:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

4) Remove the option “SSLv3” so that the line will look like this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

5) Now reload Nginx to make the change effective:

sudo service nginx reload

Bonus: Disable SSLv3 on HAProxy

1) Edit the “/etc/haproxy.cfg” file and find your “bind” line. Append “no-sslv3”. For example:

bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3

2) Now reload HAProxy to make the change effective:

sudo service haproxy reload

IMAP/POP3/SMTP

You should disable SSLv3 on all applications you run, so also on your IMAP/POP3/SMTP daemons. Think about Courier-imap, Dovecot, Sendmail and Postfix. For more information read this post on AskUbuntu.

Testing your server

A server that does not support SSLv3 will give the following output when you try to force an SSLv3 connection:

maurits@nuc:~$ openssl s_client -connect www.nginx.com:443 -ssl3 < /dev/null 2>&1 | grep New
New, (NONE), Cipher is (NONE)

A server that still supports SSLv3 (and may thus be vulnerable) will give the following output:

maurits@nuc:~$ openssl s_client -connect www.google.com:443 -ssl3 < /dev/null 2>&1 | grep New
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA

NB: You can also test other services with this command, but then you need to change 443 to the appropriate port number.
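To check all of your services (HTTPS, IMAP, POP3 and SMTP) in one go, the following added example (not code from the original post) wraps the openssl command above. It classifies the “New, …” line the same way the two outputs above do and handles the case where the openssl build has no -ssl3 option left, which cannot test this at all. The host name is the placeholder from this tutorial and the service list is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: probe a list of services for
# SSLv3 support with `openssl s_client -ssl3`, as in the test shown above.

# sslv3_verdict LINE
#   Classify the "New, ..." line printed by openssl s_client:
#   "disabled" when no SSLv3 session was negotiated, "ENABLED" when one was,
#   "unknown" when no such line exists (e.g. openssl built without SSLv3
#   support, which then rejects the -ssl3 option and tests nothing).
sslv3_verdict() {
    case $1 in
        *'Cipher is (NONE)'*) echo disabled ;;
        'New, '*)             echo ENABLED ;;
        *)                    echo unknown ;;
    esac
}

# probe_sslv3 HOST PORT [STARTTLS]
#   STARTTLS is smtp, imap or pop3 for daemons that upgrade a plain
#   connection; omit it for HTTPS and implicit-TLS ports (443, 993, 995).
probe_sslv3() {
    host=$1; port=$2; starttls=${3:-}
    if [ -n "$starttls" ]; then
        line=$(openssl s_client -connect "$host:$port" -ssl3 -starttls "$starttls" \
               </dev/null 2>&1 | grep '^New' || true)
    else
        line=$(openssl s_client -connect "$host:$port" -ssl3 \
               </dev/null 2>&1 | grep '^New' || true)
    fi
    printf '%s:%s %s\n' "$host" "$port" "$(sslv3_verdict "$line")"
}

# probe_all_services HOST: the usual web and mail ports of one host
# (constructed list; adjust to the daemons you actually run).
probe_all_services() {
    for svc in 443 993 995 '25 smtp' '143 imap' '110 pop3'; do
        probe_sslv3 "$1" $svc    # $svc unquoted on purpose: splits "25 smtp"
    done
}

# probe_all_services www.yourwebsite.com
```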

Gaming on Ubuntu with Steam for Linux

Is gaming what Linux needs to win the hearts of kids now, and thus of the IT managers of the future? I sure hope so.

Many people say that the Linux desktop is not getting popular because Linux can’t play popular game titles. If there is one company that is doing everything to change that, it is “Valve Software”. With their Steam platform they explicitly target Ubuntu Linux. They even released an Ubuntu based Linux distribution called “SteamOS”. They are also working with hardware vendors on SteamBox concept: a game PC with SteamOS pre-installed. With this box they hope to win the most important screen of the house: the TV.

Steam has lots of great commercial (non-free) games for Ubuntu Linux. These games all work flawlessly and perform just as well as the Windows versions. I will alphabetically list 10 popular titles from their library of over 700 games:

Counter-Strike: Global Offensive (FPS)
Counter-Strike: Source (FPS)
Dota 2 (RPG)
Europa Universalis IV (Strategy)
Football Manager 2014 (Strategy)
Portal 2 (FPS)
Sid Meier’s Civilization® V (Strategy)
Team Fortress 2 (FPS)
The Book of Unwritten Tales 2 (Adventure)
Tropico 5 (Strategy)

Play anytime and anywhere

On the Steam platform you can buy games and all bought games can be downloaded anytime and anywhere. The games are also automatically updated over the Internet. There are people that criticize this system, because the games are bound to an account and you cannot trade the games you have bought on Steam. I think this complaint is understandable, but I feel that the cloud based game storage is extremely convenient and works like a charm so I can live with that flaw.

PHP 5.3 is now officially end-of-life (EOL)

PHP 5.3’s last regular release (5.3.27) was done in July 2013; back then we read the following statement in the release notes:

Please Note: This will be the last regular release of the PHP 5.3 series. All users of PHP are encouraged to upgrade to PHP 5.4 or PHP 5.5. The PHP 5.3 series will receive only security fixes for the next year. – php.net

So, back then it was not a big deal, since security fixes would be released for one more year (and a year seems very long). But last week PHP 5.3.29 was released, and since that year has passed, PHP 5.3 is now officially end-of-life (EOL). This means there are no further updates, not even security fixes, as you can read in the release notes:

This release marks the end of life of the PHP 5.3 series. Future releases of this series are not planned. All PHP 5.3 users are encouraged to upgrade to the current stable version of PHP 5.5 or previous stable version of PHP 5.4, which are supported till at least 2016 and 2015 respectively. – php.net

Ubuntu Linux users who run the still supported (and popular) 12.04 LTS release on their web server should not be worried too much: Ubuntu maintainers will backport security fixes until 2017. But running PHP 5.3 might be cumbersome, especially if you want to develop using the latest PHP frameworks or libraries. These often contain “array short syntax” and thus require PHP version 5.4 or higher. The simplest option is to upgrade your Ubuntu 12.04 LTS to 14.04 LTS, since that comes with PHP 5.5. If you decide to stay at 12.04 for a while, you will be stuck with 5.3.10 from the repo, unless you…

Upgrade PHP from 5.3 to 5.4 in Ubuntu 12.04 LTS

This is more or less the only option you have. Since it is not officially supported you have to install a PPA. I normally do not recommend this, since you could mess up your system badly and/or severely endanger the security of your machine. But I must admit that Ondřej Surý’s PPA is a very famous and widely used one, which would make it a bit more trusted. So, I will include the instructions, but you have been warned:

sudo apt-get install python-software-properties
sudo add-apt-repository ppa:ondrej/php5-oldstable
sudo apt-get update
sudo apt-get dist-upgrade

Why you should not upgrade PHP to 5.5 in Ubuntu 12.04 LTS

PHP 5.5 and its dependencies are provided by the “ppa:ondrej/php5” repo. And even though PHP 5.5 is supported longer and is more powerful than PHP 5.4, you should probably stick to PHP 5.4. The reason for this is that PHP 5.5 requires Apache 2.4, whereas Ubuntu 12.04 comes bundled with Apache 2.2 by default. This means that when you upgrade PHP 5.3 to PHP 5.5 you also have to upgrade Apache 2.2 to Apache 2.4 (as a dependency). This could break many things, but it will (most certainly) break your virtual host configuration. So this is something I can’t recommend unless you are really sure what you are doing. Do not upgrade PHP to version 5.5 without having a tested upgrade plan. I’m serious… be very very careful!

Running Plex on your Linux HTPC

Plex.tv (check out their beautiful website) is a media solution for your home that has support for many devices. It is a solution that consists of 2 components: a media server and a media player. Both are available for a wide variety of devices. This compatibility makes Plex an unparalleled media solution. Also, Plex is very good looking. So, in my opinion the top 3 reasons to choose Plex as your home media server are:

  1. Device compatibility
  2. Easy to use (it just works)
  3. Wow.. what a beautiful GUI

Plex device support

No shortage here! The media server can be installed on a server or on a NAS device, and there are media players for your TV, for your mobile devices and for your PC.

Installing plexmediaserver (server) on Ubuntu Linux

Go to https://plex.tv/downloads, or install from the command line by executing:

wget http://downloads.plexapp.com/plex-media-server/0.9.9.12.504-3e7f93c/plexmediaserver_0.9.9.12.504-3e7f93c_amd64.deb
sudo dpkg -i plexmediaserver_0.9.9.12.504-3e7f93c_amd64.deb

Now go to http://localhost:32400/web/ to access the built-in HTML5 media player of the server. In this interface, you can also update the server and configure the media folders you want to watch for content.

Install plexhometheater (player) on Ubuntu Linux

If you have a Linux HTPC and your TV is connected as a display, then you can install the plex home theater (player) software. In that case, you would install it on the same machine as where you install the server (plexmediaserver) software. The following commands install the plexhometheater on Ubuntu Linux:

sudo add-apt-repository ppa:plexapp/plexht
sudo add-apt-repository ppa:pulse-eight/libcec
sudo apt-get update
sudo apt-get install plexhometheater

Is Plex media server free?

Plex Media Center’s source code was initially forked from XBMC Media Center on May 21, 2008; this fork is still used today as a front-end media player on Linux for Plex’s media server back-end media host component. – Wikipedia

Plex Media Server, unlike the open source plexhometheater, is proprietary software. Still, you can enjoy most of its features without buying the monthly subscription or a paid app. Enjoy a revolutionary TV experience!