-
-
Notifications
You must be signed in to change notification settings - Fork 64
03. Reverse Proxy Setup
This is a basic setup to get ReactMap running with Nginx. It is highly recommended you enable SSL (https) for production systems for both security and "locate me" feature. That is beyond the scope of this documentation and there are many ways to solve this.
sudo apt-get updatesudo apt-get install nginxsudo nano /etc/nginx/conf.d/default.conf- Copy and paste the below into the file
server {
listen 80;
listen [::]:80;
server_name your_map_url.com;
location / {
proxy_pass http://127.0.0.1:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_request_buffering off;
proxy_buffering off;
proxy_set_header Connection keep-alive;
}
}- Uncomment the nginx section in the
docker-compose.example.ymlfile - Create your config file -
touch server/src/configs/nginx.conf - Copy and paste the below into the file
server {
listen 80;
listen [::]:80;
server_name your_map_url.com;
location / {
proxy_pass http://reactmap:8080/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_request_buffering off;
proxy_buffering off;
proxy_set_header Connection keep-alive;
}
}Credit to: M3G4THEKING
sudo apt-get updatesudo apt install apache2-
sudo ufw app list-sudo ufw allow 'Apache' -sudo ufw status` -
sudo systemctl status apache2-http://your_server_ip
-sudo mkdir /var/www/your_domain
-sudo chown -R $USER:$USER /var/www/your_domain
-sudo chmod -R 755 /var/www/your_domain
-It’s necessary to create a virtual host file with the correct directives, make a new one at /etc/apache2/sites-available/your_domain.conf
-sudo nano /etc/apache2/sites-available/your_domain.conf
- Copy and paste the below into the file
-<VirtualHost *:80>
`ServerAdmin webmaster@localhost`
`ServerName your_domain`
`ServerAlias www.your_domain`
`DocumentRoot /var/www/your_domain`
`ErrorLog ${APACHE_LOG_DIR}/error.log`
`CustomLog ${APACHE_LOG_DIR}/access.log combined`
</VirtualHost>
-sudo a2ensite your_domain.conf
-Disable the default site defined in 000-default.conf
-sudo a2dissite 000-default.conf
-sudo apache2ctl configtest
-sudo systemctl restart apache2
-Apache should now serve your domain name. You can test this by navigating to http://your_domain
-sudo a2enmod proxy proxy_http proxy_balancer lbmethod_byrequests
-sudo systemctl restart apache2
-Modifying the Default Configuration to Enable Reverse Proxy Only for ReactMap
-sudo nano /etc/apache2/sites-available/your_domain.conf
-<VirtualHost *:8080>
ServerAdmin webmaster@your_domain
ServerAlias your_domain
DocumentRoot /var/www/your_domain/
ProxyPreserveHost On
ProxyPass / http://your_ip:8080/
ProxyPassReverse / http://your_ip:8080/
RewriteCond %{HTTP_HOST} !^^reactmap\.your_domain\.net$ [NC]
RewriteRule ^/$ http://%{HTTP_HOST}/ [L,R=301]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
-sudo systemctl restart apache2
-Now you know how to set up Apache as a reverse proxy
-sudo apt install certbot python3-certbot-apache
-sudo apache2ctl configtest
-sudo systemctl reload apache2
-
Allowing HTTPS Through the Firewall
-
To verify what kind of traffic is currently allowed on your server, you can use:
-sudo ufw status
-sudo ufw allow 'Apache Full
-sudo ufw delete allow 'Apache
-Obtaining an SSL Certificate
-sudo certbot --apache
- First, it will ask you for a valid e-mail address.
-Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): you@your_domain After providing a valid e-mail address, hit ENTER to proceed to the next step. You will then be prompted to confirm if you agree to Let’s Encrypt terms of service. You can confirm by pressing A and then ENTER:
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v02.api.letsencrypt.org/directory
-(A)gree/(C)ancel: A
Next, you’ll be asked if you would like to share your email with the Electronic Frontier Foundation to receive news and other information.
If you do not want to subscribe to their content, type N. Otherwise, type Y. Then, hit ENTER to proceed to the next step.
Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom.
-(Y)es/(N)o: N
The next step will prompt you to inform Certbot of which domains you’d like to activate HTTPS for.
The listed domain names are automatically obtained from your Apache virtual host configuration,
that’s why it’s important to make sure you have the correct ServerName and ServerAlias settings configured in your virtual host.
If you’d like to enable HTTPS for all listed domain names (recommended), you can leave the prompt blank and hit ENTER to proceed.
Otherwise, select the domains you want to enable HTTPS for by listing each appropriate number, separated by commas and/ or spaces, then hit ENTER.
Which names would you like to activate HTTPS for?
-1: your_domain
-2: www.your_domain
Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): You’ll see output like this:
Obtaining a new certificate Performing the following challenges: http-01 challenge for your_domain http-01 challenge for www.your_domain Enabled Apache rewrite module Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/your_domain-le-ssl.conf Enabled Apache socache_shmcb module Enabled Apache ssl module Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf Enabling available site: /etc/apache2/sites-available/your_domain-le-ssl.conf Deploying Certificate to VirtualHost /etc/apache2/sites-available/your_domain-le-ssl.conf Next, you’ll be prompted to select whether or not you want HTTP traffic redirected to HTTPS. In practice, that means when someone visits your website through unencrypted channels (HTTP), they will be automatically redirected to the HTTPS address of your website. Choose 2 to enable the redirection, or 1 if you want to keep both HTTP and HTTPS as separate methods of accessing your website.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-1: No redirect - Make no further changes to the webserver configuration.
-2: Redirect - Make all requests redirect to secure HTTPS access.
-Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
After this step, Certbot’s configuration is finished, and you will be presented with the final remarks about your new certificate, where to locate the generated files, and how to test your configuration using an external tool that analyzes your certificate’s authenticity:
-Congratulations! You have successfully enabled https://your_domain and https://www.your_domain
You should test your configuration at:
-https://www.ssllabs.com/ssltest/analyze.html?d=your_domain
-https://www.ssllabs.com/ssltest/analyze.html?d=www.your_domain
IMPORTANT NOTES:
-
Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/your_domain/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/your_domain/privkey.pem Your cert will expire on 2023-07-27. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew all of your certificates, run "certbot renew"
-
Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
-
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Your certificate is now installed and loaded into Apache’s configuration. Try reloading your website using https:// and notice your browser’s security indicator. It should point out that your site is properly secured, typically by including a lock icon in the address bar.
You can use the SSL Labs Server Test to verify your certificate’s grade and obtain detailed information about it, from the perspective of an external service.
In the next and final step, we’ll test the auto-renewal feature of Certbot, which guarantees that your certificate will be renewed automatically before the expiration date.
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process, as well as to ensure that misused certificates or stolen keys will expire sooner rather than later.
The certbot package we installed takes care of renewals by including a renew script to /etc/cron.d, which is managed by a systemctl service called certbot.timer. This script runs twice a day and will automatically renew any certificate that’s within thirty days of expiration.
To check the status of this service and make sure it’s active and running, you can use:
-sudo systemctl status certbot.timer
-sudo certbot renew --dry-run