Context Navigation

← Previous Changeset
Next Changeset →

Changeset 25237 in main

Timestamp:

05/13/22 18:10:46 (7 months ago)

Author:

Paul Leo

Message:

Updating Production proxy httpd configuration files, prior to changes for going live

Location:

adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy

Files:

: 4 edited

extra/httpd-mpm.conf (modified) (1 diff)
extra/httpd-ssl.conf (modified) (2 diffs)
extra/httpd-vhosts.conf (modified) (1 diff)
httpd.conf (modified) (12 diffs)

Legend:

: Unmodified
: Added
: Removed

adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-mpm.conf

-                      r24586
+                      r25237
 # MaxConnectionsPerChild: maximum number of connections a server process serves
 <IfModule mpm_winnt_module>
+    ThreadsPerChild        150
+    MaxConnectionsPerChild   0
+#   ThreadsPerChild        150
+    ThreadsPerChild        1024
+    MaxConnectionsPerChild   8192
 </IfModule>

adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-ssl.conf

-                      r24586
+                      r25237
 #####SSLCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES
 #####SSLProxyCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES
 SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 …
 ######### what I have been using  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
 ######### what I have been using  SSLProxyProtocol +TLSv1.2
 SSLProtocol all -SSLv3
 SSLProxyProtocol all -SSLv3
+SSLProtocol +TLSv1.2 +TLSv1.3
+SSLProxyProtocol +TLSv1.2 +TLSv1.3
 #   Pass Phrase Dialog:

adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-vhosts.conf

-                      r24586
+                      r25237
 # configuration.
+###
+### VirtualHost example:
+### Almost any Apache directive may go into a VirtualHost container.
+### The first VirtualHost section is used for all requests that do not
+### match a ServerName or ServerAlias in any <VirtualHost> block.
+###
+###<VirtualHost *:80>
+###    ServerAdmin webmaster@dummy-host.example.com
+###    DocumentRoot "${SRVROOT}/docs/dummy-host.example.com"
+###    ServerName dummy-host.example.com
+###    ServerAlias www.dummy-host.example.com
+###    ErrorLog "logs/dummy-host.example.com-error.log"
+###    CustomLog "logs/dummy-host.example.com-access.log" common
+###</VirtualHost>
+###
+###### VirtualHost ibis.health.state.nm.us  #######
+###### redirecting of old DNS name to new DNS name (ibis.doh.nm.gov) ######
+##### VirtualHost ibisnew.health.state.nm.us #####
+        <VirtualHost 10.100.2.16:443>
+                ServerName ibis.health.state.nm.us
+                #### use http2, and permit acme to just use 443
+                #### Protocols h2 http/1.1
+                Protocols h2 http/1.1 acme-tls/1
+                SSLEngine on
+                ErrorLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_ibis_error.log 86400"
+                CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_ibis_access.log 86400" combined
+                ######## This server is listening for ibis.health.state.nm.us It should redirect to ibis.doh.nm.gov/Alert.html
+                RewriteEngine  on
+                RewriteCond "%{HTTP_HOST}" "=ibis.health.state.nm.us"
+                RewriteRule  ".*" "https://ibis.doh.nm.gov/Alert.html"
+                Redirect / https://ibis.doh.nm.gov/Alert.html
+        </VirtualHost>
+###### VirtualHost ibis.doh.nm.gov ######
+####### CHANGE ServerName BELOW #######
         <VirtualHost 10.100.2.15:443>
+          ServerName ibisnew.health.state.nm.us
+          #### use http2, and permit acme to just use 443
+          #### Protocols h2 http/1.1
+          Protocols h2 http/1.1 acme-tls/1
+          SSLEngine on
+          # For use of rotatelogs, see https://httpd.apache.org/docs/2.4/programs/rotatelogs.html
+          # am using rotate every day and keep 7 days, could keep more.
+          # you could also rotate at midnight and create a log with date, but keeping only x logs will not work with that
+          ### NOTE: -c not permitted in windows, may be other options also not permitted, see explanation in next section log_conf_module
+          # -v is verbose output for debugging, BUT...
+          # try first with access, if you try with Errorlog, and you have something wrong, no log will be produced.
+          # note daily is 86400, testing is 60 (every minute)
+          # Next line is for testing log rotation every 20 seconds, keep 7 files, verbose output
+          # ErrorLog "|bin/rotatelogs.exe -l -v -n 7 logs/error.log 20"
+          # Next line is for production, rotate every day, keep 14 logs
+          ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/ibisnew_error.log 86400"
+          CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/ibisnew_access.log 86400" combined
+                ServerName ibisnew.health.state.nm.us
+                ######## ServerName ibis.doh.nm.gov
+                #### use http2, and permit acme to just use 443
+                #### Protocols h2 http/1.1
+                Protocols h2 http/1.1 acme-tls/1
+                SSLEngine on
+                SSLProxyEngine on
+                SSLProxyVerify require
+                SSLProxyVerifyDepth 8
+                SSLProxyCACertificateFile "/SSL/dohr2simnmibis2/dohr2simnmibis2.pem"
+                SSLProxyCheckPeerCN on
+                SSLProxyCheckPeerExpire on
+                SSLProxyCheckPeerName on
+                # For use of rotatelogs, see https://httpd.apache.org/docs/2.4/programs/rotatelogs.html
+                # am using rotate every day and keep 7 days, could keep more.
+                # you could also rotate at midnight and create a log with date, but keeping only x logs will not work with that
+                ### NOTE: -c not permitted in windows, may be other options also not permitted, see explanation in next section log_conf_module
+                # -v is verbose output for debugging, BUT...
+                # try first with access, if you try with Errorlog, and you have something wrong, no log will be produced.
+                # note daily is 86400, testing is 60 (every minute)
+                # Next line is for testing log rotation every 20 seconds, keep 7 files, verbose output
+                # ErrorLog "|bin/rotatelogs.exe -l -v -n 7 logs/error.log 20"
+                # Next line is for production, rotate every day, keep 14 logs
+                ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/ibis_error.log 86400"
+                CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/ibis_access.log 86400" combined
                 # Reverse proxy for this virtual host
+                        ProxyPreserveHost on
+                        ProxyRequests off
+                        <Proxy *>
+                                Require all granted
+                        </Proxy>
+                ProxyPreserveHost on
+                ProxyRequests off
+                ProxyTimeout 300
+                <Proxy *>
+                        Require all granted
+                </Proxy>
                 #### do not proxy the following, but let httpd respond, these directories are Apache httpd related
                 #### they are also restricted to certain hosts at bottom of http.conf file
+                        ProxyPass "/server-status" "!"
+                        ProxyPass "/md-status" "!"
+                        ProxyPass "/.svn" "!"
+                        ProxyPass / http://dohr2simnmibis2/nmibis-view/
+                        ProxyPassReverse / http://dohr2simnmibis2/nmibis-view/
+                        ProxyPassReverseCookiePath "/" "/nmibis-view"
+                ####Once secure has been set up
+                ####    ProxyPass / https://dohr2simnmibis2/nmibis-view/
+                ####    ProxyPassReverse / https://dohr2simnmibis2/nmibis-view/
+                ####    ProxyPassReverseCookiePath "/"  "/nmibis-view"
+                ProxyPass "/server-status" "!"
+                ProxyPass "/md-status" "!"
+                ProxyPass "/.svn" "!"
+                ProxyPass "/nmibis-admin" "!"
+                #### Next line will eath the /nmibis-view I think, it fixes ibis.doh.nm.gov/nmibis-view/nmibis-view/Login.html error
+                ProxyPass /nmibis-view/ https://dohr2simnmibis2/nmibis-view/
+                ProxyPass / https://dohr2simnmibis2/nmibis-view/
+                ProxyPassReverse / https://dohr2simnmibis2/nmibis-view/
+        ########Uncomment next line and delete 2nd line below prior to going live
+                ####ProxyPassReverseCookieDomain dohr2simnmibis2/nmibis-view/ ibis.doh.nm.gov
+                ProxyPassReverseCookieDomain dohr2simnmibis2/nmibis-view/ ibisnew.health.state.nm.us
+                ProxyPassReverseCookiePath / /
         </VirtualHost>
+############### VirtualHost nmtracknew.nmtracking.org #####
+###### VirtualHost nmtracking.org  #######
+###### redirecting of old DNS name to new DNS name (nmtracking.doh.nm.gov) ######
+        <VirtualHost 10.100.2.17:443>
+                ServerName nmtracking.org
+                #### use http2, and permit acme to just use 443
+                #### Protocols h2 http/1.1
+                Protocols h2 http/1.1 acme-tls/1
+                SSLEngine on
+                ErrorLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_nmtracking_error.log 86400"
+                CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_nmtracking_access.log 86400" combined
+                ######## This server is listening for nmtracking.org It should redirect to nmtracking.doh.nm.gov/Alert.html
+                RewriteEngine  on
+                RewriteCond "%{HTTP_HOST}" "=nmtracking.org"
+                RewriteRule  "environment/air/FireAndSmoke.html" "https://nmtracking.doh.nm.gov/environment/air/FireAndSmoke.html"
+                RewriteRule  "/environment/air/FireAndSmoke.html" "https://nmtracking.doh.nm.gov/environment/air/FireAndSmoke.html"
+                RewriteRule  ".*" "https://nmtracking.doh.nm.gov/Alert.html"
+                Redirect / https://nmtracking.doh.nm.gov/Alert.html
+        </VirtualHost>
+<VirtualHost 10.100.2.17:443>
+          ServerName nmtracknew.nmtracking.org
+          #### use http2, and permit acme to just use 443
+          ##### turn offf acme Protocols h2 http/1.1 acme-tls/1
+          ##### Protocols h2 http/1.1
+          Protocols h2 http/1.1 acme-tls/1
+          SSLEngine on
+          LogLevel debug
+          ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/nmtrackingnew_error.log 86400"
+          CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/nmtrackingnew_access.log 86400" combined
+############### VirtualHost nmtracknew.nmtracking.org #####
+####### CHANGE ServerName BELOW #######
+        #### Reverse proxy for this virtual host ####
+        <VirtualHost 10.100.2.17:443>
+                ServerName nmtracknew.nmtracking.org
+                ######### ServerName nmtracking.doh.nm.gov
+                #### use http2, and permit acme to just use 443
+                ##### turn offf acme Protocols h2 http/1.1 acme-tls/1
+                ##### Protocols h2 http/1.1
+                Protocols h2 http/1.1 acme-tls/1
+                        ProxyPreserveHost on
+                        ProxyRequests off
+                        ##### Password Protect NMEPHT (in this case staging.ibis.dataphilesconsulting.com)
+                        <Proxy *>
+                                ####Require all granted
+                                AuthType Basic
+                                AuthName "Staging, enter username and password for access"
+                                AuthBasicProvider file
+                                AuthUserFile "C:\Apache-2.4.52\conf\nmtrackuser.txt"
+                                Require user nmtracking
+                        </Proxy>
+                SSLEngine on
+                SSLProxyEngine on
+                SSLProxyVerify require
+                SSLProxyVerifyDepth 8
+                SSLProxyCACertificateFile "/SSL/dohr2simnmibis2/dohr2simnmibis2.pem"
+                SSLProxyCheckPeerCN on
+                SSLProxyCheckPeerExpire on
+                SSLProxyCheckPeerName on
+                ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/nmtracking_error.log 86400"
+                CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/nmtracking_access.log 86400" combined
+                #### Reverse proxy for this virtual host ####
+                ProxyPreserveHost on
+                ProxyRequests off
+                ProxyTimeout 300
+###########Remove any Auth*, etc and uncomment Require  ##### Password Protect NMEPHT (in this case staging.ibis.dataphilesconsulting.com)
+                <Proxy *>
+                        ####Require all granted
+                        AuthType Basic
+                        AuthName "Staging, enter username and password for access"
+                        AuthBasicProvider file
+                        AuthUserFile "C:\Apache-2.4.52\conf\nmtrackuser.txt"
+                        Require user nmtracking
+                </Proxy>
                 #### do not proxy the following, but let httpd respond, these directories are Apache httpd related
                 #### they are also restricted to certain hosts at bottom of http.conf file
+                        ProxyPass "/server-status" "!"
+                        ProxyPass "/md-status" "!"
+                        ProxyPass "/.svn" "!"
+                ProxyPass "/server-status" "!"
+                ProxyPass "/md-status" "!"
+                ProxyPass "/.svn" "!"
+                ProxyPass "/nmibis-admin" "!"
+                        ProxyPass / http://dohr2simnmibis2/nmepht-view/
+                        ProxyPassReverse / http://dohr2simnmibis2/nmepht-view/
+                        ####ProxyPassReverseCookiePath "/" "/nmepht-view"
+                ### WildFireSmoke
+        ProxyPass /WildFireSmoke https://dohr2simnmibis2/WildFireSmoke
+        ProxyPassReverse /WildFireSmoke https://dohr2simnmibis2/WildFireSmoke
+        ########Uncomment next line and delete 2nd line below prior to going live
+                ####ProxyPassReverseCookieDomain dohr2simnmibis2/WildFireSmoke/ nmtracking.doh.nm.gov/
+                ProxyPassReverseCookieDomain dohr2simnmibis2/WildFireSmoke/ nmtracknew.nmtracking.org/
+                ProxyPassReverseCookiePath / /
+        ### NMEPHT-View
+                #### Next line will eath the /nmepht-view I think, it fixes nmtrackingnew.nmtracking.org/nmepht-view/nmepht-view/Login.html error
+                ProxyPass /nmepht-view/ https://dohr2simnmibis2/nmepht-view/
+                ProxyPass / https://dohr2simnmibis2/nmepht-view/
+                ProxyPassReverse / https://dohr2simnmibis2/nmepht-view/
+        ########Uncomment next line and delete 2nd line below prior to going live
+                #####ProxyPassReverseCookieDomain dohr2simnmibis2/nmepht-view/ nmtracking.doh.nm.gov/
+                ProxyPassReverseCookieDomain dohr2simnmibis2/nmepht-view/ nmtracknew.nmtracking.org/
+                ProxyPassReverseCookiePath / /
         </VirtualHost>

adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/httpd.conf

-                      r24586
+                      r25237
 ##### Settings in httpd-vhosts.conf
 #Listen 12.34.56.78:80
 ######## Listen 443 is already set in extra/httpd-ssl ######
+######## Listen 443 is already set in extra/httpd-ssl ###########
 ##### If Let's Encrypt will not use port 443, uncomment next line
 Listen 80
+#########Listen 80
+#
 …
 #LoadModule proxy_html_module modules/mod_proxy_html.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
 #LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
 #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
 #LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
 …
 #LoadModule request_module modules/mod_request.so
 #LoadModule reqtimeout_module modules/mod_reqtimeout.so
 #LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule rewrite_module modules/mod_rewrite.so
 #LoadModule sed_module modules/mod_sed.so
 #LoadModule session_module modules/mod_session.so
 …
 ######LogLevel info md:trace2 ssl:trace2 proxy:trace2
 ############LogLevel debug md:trace2 ssl:trace2 proxy:trace5
+############LogLevel debug md:trace5 ssl:trace5 proxy:trace5
 ####LogLevel warn proxy:trace5
 #####LogLevel warn proxy:debug
 LogLevel debug md:trace5 ssl:trace5 proxy:trace5
+#####LogLevel ssl:trace5 proxy:trace5
+LogLevel warn
 <IfModule log_config_module>
 …
 #EnableSendfile on
 # Supplemental configuration
+#####  Supplemental configuration #####
+#
 # The configuration files in the conf/extra/ directory can be
 …
 # Server-pool management (MPM specific)
 #Include conf/extra/httpd-mpm.conf
+Include conf/extra/httpd-mpm.conf
 # Multi-language error messages
 …
 </IfModule>
+### Virtual hosts  Where mod_md for specific hosts is configured ###
+Include conf/extra/httpd-vhosts.conf
 #### The following locations are limited to localhost and Paul's home machine
 #### They give the status of the Let's Encrypt Certs (both server-status and md-status have entries
 …
 #### Server Status
 ####### Could add internal DOH addresses here as well ########
+##### for some reason Pauls office comes through as 10.138.1.2 #####
 <Location "/server-status">
   SetHandler server-status
 …
         Require ip ::1
         Require ip 96.77.28.246
+        Require ip 10.138.1.2
 </Location>
 …
         Require ip ::1
         Require ip 96.77.28.246
+        Require ip 10.138.1.2
 </Location>
+##### This will restict the proxied nmibis-admin to specific IP Addresses #####
+##### <Location "/nmibis-admin/">
+#####   Require ip 73.63.119.119
+#####   Require ip 96.77.28.246
+#####   Require ip 10.138.1.2
+##### </Location>
 ### Intruder IO suggest turning off TraceEnable
 TraceEnable off
+##############################################
 ###### SET MOD_MD GLOBAL SETTING BELOW #######
+# Virtual hosts
+Include conf/extra/httpd-vhosts.conf
+##############################################
 ###
 …
 ##### GLOBAL SETTINGS, I think they will work here, if not move into individual Virtual Hosts ####
 #### Let's Encrypt testing/staging  URL
 #### the MDCertificateAuthority line sets the URL to Production OR  testing/staging URL ####
+MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
+##### MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
 ####
 #### Let's Encrypt PRODUCTION URL
 #### MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
+MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
 MDCertificateAgreement accepted
+##### Used to inform you about renewals or changed terms of service #####
+MDContactEmail DOH-Certificates@state.nm.us
 ####
 …
 MDPrivateKeys RSA 4096
+<MDomain ibis.doh.nm.gov>
+        #### MDRenewWindow Default - renewsl 36 days before it expires
+        MDRenewWindow 36d
+</MDomain>
+<MDomain ibis.health.state.nm.us>
+        MDRenewWindow 36d
+</MDomain>
+<MDomain nmtracking.doh.nm.gov>
+        MDRenewWindow 36d
+</MDomain>
+<MDomain nmtracking.org>
+        MDRenewWindow 36d
+</MDomain>
+######## Will want to remove these before we go live #######
 <MDomain ibisnew.health.state.nm.us>
+        MDRenewWindow 1d
+        #### MDRenewWindow Default - renewsl 36 days before it expires
+        MDRenewWindow 36d
 </MDomain>
 <MDomain nmtracknew.nmtracking.org>
         MDRenewWindow 1d
+        MDRenewWindow 36d
 </MDomain>

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: