I have an API service with an embedded Tomcat listening on port 8080 on a CentOS server. I don't want to expose it directly: I want to reach the API over HTTPS (port 443) only, and have any access on 'classic' HTTP (port 80) redirected there.
A simple solution is to deploy an Apache httpd server on the CentOS box and use it as a reverse proxy in front of Tomcat.
Step 1 : install Apache httpd server
yum install httpd
yum install mod_ssl
httpd.conf lives at /etc/httpd/conf/httpd.conf (not /etc/https/...). You only need to add a Listen 443 directive after Listen 80 if nothing else already provides one: on CentOS the mod_ssl package drops /etc/httpd/conf.d/ssl.conf, which already contains "Listen 443 https", and a second Listen 443 makes httpd fail to start with "Address already in use". Check before adding one:
grep -r '^Listen' /etc/httpd/
Step 2 : Install your certificate files
First of all, install your certificate by copying your three files to a directory of your choice. For me, it's /etc/ssl, like this:
000000000 4 -rw-r--r--. 1 root root 1674 9 janv. 18:20 intermediate-CA.key
000000000 4 -rw-r--r--. 1 root root 1708 9 janv. 18:20 private.key
000000000 4 -rw-r--r--. 1 root root 2248 9 janv. 18:20 public.key
All three are PEM files (base64-encoded X.509 material). Despite the .key extension, only private.key is actually a key; the other two are certificates:
- private.key is the private key you generated. It must never be shared with anyone; you use it to generate the CSR (Certificate Signing Request) that you send to your certificate provider to obtain your certificate.
- intermediate-CA.key is, despite its name, the intermediate CA certificate of your provider (GoDaddy, DigiCert, etc.) that signed your certificate. Clients need it to build the chain up to a trusted root.
- public.key is the certificate your provider issued in return for your CSR.
If httpd cannot read one of these files, it refuses to start, and journalctl -u httpd (or error_log) shows an error like:
"SSLCertificateFile: file '/etc/ssl/mycert.pem' does not exist or is empty"
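Added example, not from the original post: a throwaway version of the three-file layout above, built with openssl so you can see where each file comes from (private key, CSR, certificate signed by the provider's intermediate), followed by the two checks worth running before you point httpd at /etc/ssl: the certificate really belongs to private.key, and it chains to the intermediate you were given. The "Demo Intermediate CA", its ca.key and the paths under $WORK are constructed for this example; with a real provider you never hold the intermediate's private key.

```sh
#!/bin/sh
# Added example (not the post's own code). Everything under $WORK is constructed:
# a throwaway CA plays the certificate provider so the checks can run offline.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Provider side (simulated): a self-signed "intermediate" CA. With a real provider
# you only ever receive intermediate-CA.key (the certificate), never ca.key.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/ca.key" -out "$WORK/intermediate-CA.key" >/dev/null 2>&1
}

# Your side: private.key stays on the server; only the CSR goes to the provider.
make_key_and_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=srvapir1" \
    -keyout "$WORK/private.key" -out "$WORK/srvapir1.csr" >/dev/null 2>&1
}

# Provider side: sign the CSR; the result is what the post calls public.key.
sign_csr() {
  openssl x509 -req -sha256 -days 2 -in "$WORK/srvapir1.csr" \
    -CA "$WORK/intermediate-CA.key" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/public.key" >/dev/null 2>&1
}

# The PEM label tells you what a file really is, whatever its extension says.
pem_label() {  # pem_label FILE
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Does the certificate belong to this private key? Compare the two public keys
# (works for RSA and EC alike) instead of eyeballing moduli.
cert_matches_key() {  # cert_matches_key CERT KEY
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate chain to the intermediate you were given?
chain_verifies() {  # chain_verifies CERT INTERMEDIATE
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

build_demo() { make_demo_ca && make_key_and_csr && sign_csr; }

build_demo
for f in private.key intermediate-CA.key public.key; do
  printf '%-20s %s\n' "$f" "$(pem_label "$WORK/$f")"
done
cert_matches_key "$WORK/public.key" "$WORK/private.key" && echo "public.key matches private.key"
cert_matches_key "$WORK/public.key" "$WORK/ca.key" || echo "public.key does not match ca.key (expected)"
chain_verifies "$WORK/public.key" "$WORK/intermediate-CA.key" && echo "public.key chains to intermediate-CA.key"
```

On a real server, run cert_matches_key and chain_verifies against the files in /etc/ssl before restarting httpd; a mismatched key is the other common reason httpd refuses to start, and a certificate that does not verify against the intermediate means you were sent the wrong intermediate.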
Step 3 : Configure your Reverse proxy
Once that is done, prepare the Apache config file. I use a VirtualHost, so this config file has to be declared (Include'd) in httpd.conf; on CentOS, dropping it into /etc/httpd/conf.d/ as a .conf file works too, because httpd.conf already includes conf.d/*.conf.
<VirtualHost *:80>
    ServerName srvapir1
    DocumentRoot "/var/www/html"
    ErrorLog "logs/error_log"
    # Plain HTTP exists only to send clients to HTTPS.
    <IfModule mod_rewrite.c>
        RewriteEngine on
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>
</VirtualHost>

<VirtualHost *:443>
    ServerName srvapir1
    DocumentRoot "/var/www/html"
    ErrorLog "logs/error_log"

    SSLEngine on
    SSLVerifyClient None
    SSLCertificateFile /etc/ssl/public.key
    SSLCertificateKeyFile /etc/ssl/private.key
    # The intermediate must be sent to clients as part of the chain.
    # SSLCACertificateFile only configures *client* certificate verification and
    # does not do that: use SSLCertificateChainFile (httpd 2.4.6 on CentOS 7), or
    # append the intermediate to the SSLCertificateFile on httpd 2.4.8 and later.
    SSLCertificateChainFile /etc/ssl/intermediate-CA.key

    # SSLv2 is long gone; SSLv3, TLS 1.0 and TLS 1.1 have to go too.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Exclude 3DES and RC4 outright instead of merely demoting 3DES with +3DES.
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4
    SSLHonorCipherOrder on
    # Tell browsers to stay on HTTPS after the first redirect (mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy to the embedded Tomcat. ProxyRequests Off is what keeps this
    # from becoming an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost Off
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    # Let Tomcat know the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # httpd 2.4 access control; the 2.2 form "Order deny,allow / Allow from all"
    # only works with mod_access_compat loaded.
    <Proxy *>
        Require all granted
    </Proxy>
</VirtualHost>
You can test your Apache configuration with the shell command (the subcommand is configtest, or equivalently httpd -t):
apachectl configtest
Then restart apache :
systemctl restart httpd
Step 4 : Update CentOS conf to avoid HTTP 503 errors
Important: if you get an HTTP 503 and error_log shows "(13)Permission denied" on "AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed", it is SELinux, not Tomcat: by default the httpd domain is not allowed to open outbound network connections, even to localhost. Check the boolean first:
getsebool httpd_can_network_connect
Then enable it. Only for testing (the change is lost at reboot):
/usr/sbin/setsebool httpd_can_network_connect 1
Permanently:
/usr/sbin/setsebool -P httpd_can_network_connect 1
A narrower alternative is httpd_can_network_relay, which only lets httpd connect to the ports SELinux labels as web or proxy ports (8080 is among them) instead of to anything at all. If the 503 persists, look at the actual denials with ausearch -m avc -ts recent.
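Added example, not part of the original post: a small read-only pre-flight script for Steps 1, 3 and 4. It counts Listen 443 lines across a config tree, audits a vhost file for the problems discussed above (missing certificate files, the intermediate configured with SSLCACertificateFile instead of SSLCertificateChainFile, SSLv3 or TLS 1.0/1.1 still enabled, 3DES not excluded) and reports the SELinux booleans. The config tree, certificate placeholders and the two vhost files under $WORK are constructed for the demo; the weak one is the Step 3 config as it originally stood.

```sh
#!/bin/sh
# Added example (not the post's own code). Read-only pre-flight checks for the
# reverse-proxy setup; every file under $WORK is constructed for the demo.
set -u
WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/httpd/conf.d" "$WORK/ssl"

# Constructed config tree: Listen 443 added to httpd.conf without noticing that
# mod_ssl's ssl.conf already has one.
printf 'Listen 80\nListen 443\n' > "$WORK/httpd/httpd.conf"
printf 'Listen 443 https\n' > "$WORK/httpd/conf.d/ssl.conf"

# Constructed certificate placeholders; intermediate-CA.key is deliberately absent.
echo placeholder > "$WORK/ssl/public.key"
echo placeholder > "$WORK/ssl/private.key"
echo placeholder > "$WORK/ssl/chain.pem"

# The Step 3 vhost as originally written, and a hardened version.
cat > "$WORK/weak.conf" <<EOF
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile $WORK/ssl/public.key
SSLCACertificateFile $WORK/ssl/intermediate-CA.key
SSLCertificateKeyFile $WORK/ssl/private.key
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
ProxyPass / http://localhost:8080/
</VirtualHost>
EOF
cat > "$WORK/hardened.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile "$WORK/ssl/public.key"
    SSLCertificateKeyFile "$WORK/ssl/private.key"
    SSLCertificateChainFile "$WORK/ssl/chain.pem"
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4
    ProxyPass / http://localhost:8080/
</VirtualHost>
EOF

# Value of a directive (first occurrence), without surrounding quotes.
directive() {  # directive NAME FILE
  awk -v d="$1" '$1==d { sub(/^[ \t]+/,""); sub(/^[^ \t]+[ \t]+/,"");
                         gsub(/"/,""); sub(/[ \t]+$/,""); print; exit }' "$2"
}

# One finding per line; the return value is the number of findings (0 = clean).
audit_vhost() {  # audit_vhost FILE
  f="$1"; n=0
  # 1. Every file httpd is told to open must exist and be non-empty.
  for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile SSLCACertificateFile; do
    p=$(directive "$d" "$f")
    if [ -n "$p" ] && [ ! -s "$p" ]; then echo "$d: $p does not exist or is empty"; n=$((n+1)); fi
  done
  # 2. SSLCACertificateFile is for client-cert verification; it does not send the chain.
  if [ -n "$(directive SSLCACertificateFile "$f")" ] && [ -z "$(directive SSLCertificateChainFile "$f")" ]; then
    echo "intermediate set via SSLCACertificateFile, no SSLCertificateChainFile: incomplete chain for clients"; n=$((n+1))
  fi
  # 3. Protocol versions that must be switched off explicitly.
  proto=$(directive SSLProtocol "$f")
  for old in SSLv3 TLSv1 TLSv1.1; do
    case " $proto " in *" -$old "*) ;; *) echo "SSLProtocol still allows $old"; n=$((n+1)) ;; esac
  done
  # 4. 3DES should be excluded, not merely demoted with +3DES.
  case "$(directive SSLCipherSuite "$f")" in *"!3DES"*) ;; *) echo "SSLCipherSuite does not exclude 3DES"; n=$((n+1)) ;; esac
  return "$n"
}
finding_count() { audit_vhost "$1" | wc -l | tr -d ' '; }

# Listen directives for port 443 across a config tree (there should be exactly one).
listen_443_count() {  # listen_443_count DIR
  grep -rhE '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Step 4: can httpd open the backend socket? Returns 0 if a boolean is on, or if
# there is no SELinux tooling at all on this machine.
selinux_allows_proxy() {
  command -v getsebool >/dev/null 2>&1 || { echo "getsebool not found: no SELinux here"; return 0; }
  out=$(getsebool httpd_can_network_connect httpd_can_network_relay 2>&1); echo "$out"
  echo "$out" | grep -q -- '--> on'
}

echo "Listen 443 directives under $WORK/httpd: $(listen_443_count "$WORK/httpd") (expect 1)"
echo "--- audit of the original vhost"; audit_vhost "$WORK/weak.conf"
echo "--- audit of the hardened vhost: $(finding_count "$WORK/hardened.conf") finding(s)"
selinux_allows_proxy || echo "httpd cannot reach Tomcat until a boolean is set (Step 4)"
```

On the real server, point listen_443_count at /etc/httpd and audit_vhost at your vhost file; the audit is deliberately line-oriented and only knows the directives discussed in this post, so treat a clean result as "the known mistakes are absent", not as a full TLS review.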