Changeset 25237 in main
- Timestamp: 05/13/22 18:10:46 (5 days ago)
- Location: adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy
- Files: 4 edited
adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-mpm.conf
r24586 r25237 104 104 # MaxConnectionsPerChild: maximum number of connections a server process serves 105 105 <IfModule mpm_winnt_module> 106 ThreadsPerChild 150 107 MaxConnectionsPerChild 0 106 # ThreadsPerChild 150 107 ThreadsPerChild 1024 108 MaxConnectionsPerChild 8192 108 109 </IfModule> 109 110 -
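Review bot: the hunk gives no rationale for raising ThreadsPerChild from 150 to 1024 and MaxConnectionsPerChild from 0 to 8192; add a comment stating the load figure or symptom that motivated the change, and drop the dead `# ThreadsPerChild 150` line rather than leaving a stale value in the live file. On mpm_winnt ThreadsPerChild is capped by ThreadLimit (default 1920), so 1024 fits the default, but a non-zero MaxConnectionsPerChild means the single worker process is recycled every 8192 connections; confirm that periodic recycling is intended for a reverse proxy rather than an attempt to cap concurrency, which ThreadsPerChild already does.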
adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-ssl.conf
r24586 r25237 66 66 #####SSLCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES 67 67 #####SSLProxyCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES 68 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA38468 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256 69 69 70 70 … … 103 103 ######### what I have been using SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3 104 104 ######### what I have been using SSLProxyProtocol +TLSv1.2 105 SSLProtocol all -SSLv3106 SSLProxyProtocol all -SSLv3105 SSLProtocol +TLSv1.2 +TLSv1.3 106 SSLProxyProtocol +TLSv1.2 +TLSv1.3 107 107 108 108 # Pass Phrase Dialog: -
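Review bot: restricting SSLProtocol and SSLProxyProtocol to `+TLSv1.2 +TLSv1.3` is the right move, but SSLProxyCipherSuite on the unchanged line 67 stays commented out, so the outbound leg to the backend (which this changeset switches to HTTPS with SSLProxyVerify require) negotiates with mod_ssl's default cipher list rather than the curated one; set `SSLProxyCipherSuite` to the same list as `SSLCipherSuite`. Two caveats on the reordered SSLCipherSuite: the server's ordering only takes effect when SSLHonorCipherOrder is on (default off), and this list does not govern TLS 1.3 suites, which mod_ssl configures separately with `SSLCipherSuite TLSv1.3 ...`. The `#########` "what I have been using" lines at 103-104 now contradict the live settings (they list -TLSv1.3) and should be removed.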
adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-vhosts.conf
r24586 r25237 15 15 # configuration. 16 16 17 ### 18 ### VirtualHost example: 19 ### Almost any Apache directive may go into a VirtualHost container. 20 ### The first VirtualHost section is used for all requests that do not 21 ### match a ServerName or ServerAlias in any <VirtualHost> block. 22 ### 23 ###<VirtualHost *:80> 24 ### ServerAdmin webmaster@dummy-host.example.com 25 ### DocumentRoot "${SRVROOT}/docs/dummy-host.example.com" 26 ### ServerName dummy-host.example.com 27 ### ServerAlias www.dummy-host.example.com 28 ### ErrorLog "logs/dummy-host.example.com-error.log" 29 ### CustomLog "logs/dummy-host.example.com-access.log" common 30 ###</VirtualHost> 31 ### 17 ###### VirtualHost ibis.health.state.nm.us ####### 18 ###### redirecting of old DNS name to new DNS name (ibis.doh.nm.gov) ###### 32 19 33 ##### VirtualHost ibisnew.health.state.nm.us ##### 20 <VirtualHost 10.100.2.16:443> 21 ServerName ibis.health.state.nm.us 22 #### use http2, and permit acme to just use 443 23 #### Protocols h2 http/1.1 24 Protocols h2 http/1.1 acme-tls/1 25 26 SSLEngine on 27 28 ErrorLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_ibis_error.log 86400" 29 CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_ibis_access.log 86400" combined 30 31 ######## This server is listening for ibis.health.state.nm.us It should redirect to ibis.doh.nm.gov/Alert.html 32 RewriteEngine on 33 RewriteCond "%{HTTP_HOST}" "=ibis.health.state.nm.us" 34 RewriteRule ".*" "https://ibis.doh.nm.gov/Alert.html" 35 36 Redirect / https://ibis.doh.nm.gov/Alert.html 37 38 </VirtualHost> 39 40 ###### VirtualHost ibis.doh.nm.gov ###### 41 42 ####### CHANGE ServerName BELOW ####### 34 43 35 44 <VirtualHost 10.100.2.15:443> 36 ServerName ibisnew.health.state.nm.us 37 #### use http2, and permit acme to just use 443 38 #### Protocols h2 http/1.1 39 Protocols h2 http/1.1 acme-tls/1 40 41 SSLEngine on 42 43 # For use of rotatelogs, see https://httpd.apache.org/docs/2.4/programs/rotatelogs.html 44 # am using rotate 
every day and keep 7 days, could keep more. 45 # you could also rotate at midnight and create a log with date, but keeping only x logs will not work with that 46 ### NOTE: -c not permitted in windows, may be other options also not permitted, see explanation in next section log_conf_module 47 # -v is verbose output for debugging, BUT... 48 # try first with access, if you try with Errorlog, and you have something wrong, no log will be produced. 49 # note daily is 86400, testing is 60 (every minute) 50 # Next line is for testing log rotation every 20 seconds, keep 7 files, verbose output 51 # ErrorLog "|bin/rotatelogs.exe -l -v -n 7 logs/error.log 20" 52 # Next line is for production, rotate every day, keep 14 logs 53 ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/ibisnew_error.log 86400" 54 CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/ibisnew_access.log 86400" combined 45 ServerName ibisnew.health.state.nm.us 46 ######## ServerName ibis.doh.nm.gov 47 #### use http2, and permit acme to just use 443 48 #### Protocols h2 http/1.1 49 Protocols h2 http/1.1 acme-tls/1 50 51 SSLEngine on 52 SSLProxyEngine on 53 SSLProxyVerify require 54 SSLProxyVerifyDepth 8 55 SSLProxyCACertificateFile "/SSL/dohr2simnmibis2/dohr2simnmibis2.pem" 56 SSLProxyCheckPeerCN on 57 SSLProxyCheckPeerExpire on 58 SSLProxyCheckPeerName on 59 60 # For use of rotatelogs, see https://httpd.apache.org/docs/2.4/programs/rotatelogs.html 61 # am using rotate every day and keep 7 days, could keep more. 62 # you could also rotate at midnight and create a log with date, but keeping only x logs will not work with that 63 ### NOTE: -c not permitted in windows, may be other options also not permitted, see explanation in next section log_conf_module 64 # -v is verbose output for debugging, BUT... 65 # try first with access, if you try with Errorlog, and you have something wrong, no log will be produced. 
66 # note daily is 86400, testing is 60 (every minute) 67 # Next line is for testing log rotation every 20 seconds, keep 7 files, verbose output 68 # ErrorLog "|bin/rotatelogs.exe -l -v -n 7 logs/error.log 20" 69 # Next line is for production, rotate every day, keep 14 logs 70 ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/ibis_error.log 86400" 71 CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/ibis_access.log 86400" combined 55 72 56 73 # Reverse proxy for this virtual host 57 74 58 ProxyPreserveHost on 59 ProxyRequests off 60 61 <Proxy *> 62 Require all granted 63 </Proxy> 75 ProxyPreserveHost on 76 ProxyRequests off 77 ProxyTimeout 300 78 79 <Proxy *> 80 Require all granted 81 </Proxy> 64 82 65 83 #### do not proxy the following, but let httpd respond, these directories are Apache httpd related 66 84 #### they are also restricted to certain hosts at bottom of http.conf file 67 85 68 ProxyPass "/server-status" "!" 69 ProxyPass "/md-status" "!" 70 ProxyPass "/.svn" "!" 71 72 ProxyPass / http://dohr2simnmibis2/nmibis-view/ 73 ProxyPassReverse / http://dohr2simnmibis2/nmibis-view/ 74 ProxyPassReverseCookiePath "/" "/nmibis-view" 75 76 ####Once secure has been set up 77 #### ProxyPass / https://dohr2simnmibis2/nmibis-view/ 78 #### ProxyPassReverse / https://dohr2simnmibis2/nmibis-view/ 79 #### ProxyPassReverseCookiePath "/" "/nmibis-view" 86 ProxyPass "/server-status" "!" 87 ProxyPass "/md-status" "!" 88 ProxyPass "/.svn" "!" 89 ProxyPass "/nmibis-admin" "!" 
90 91 #### Next line will eath the /nmibis-view I think, it fixes ibis.doh.nm.gov/nmibis-view/nmibis-view/Login.html error 92 ProxyPass /nmibis-view/ https://dohr2simnmibis2/nmibis-view/ 93 ProxyPass / https://dohr2simnmibis2/nmibis-view/ 94 ProxyPassReverse / https://dohr2simnmibis2/nmibis-view/ 95 ########Uncomment next line and delete 2nd line below prior to going live 96 ####ProxyPassReverseCookieDomain dohr2simnmibis2/nmibis-view/ ibis.doh.nm.gov 97 ProxyPassReverseCookieDomain dohr2simnmibis2/nmibis-view/ ibisnew.health.state.nm.us 98 ProxyPassReverseCookiePath / / 80 99 81 100 </VirtualHost> 82 101 83 ############### VirtualHost nmtracknew.nmtracking.org ##### 102 103 ###### VirtualHost nmtracking.org ####### 104 ###### redirecting of old DNS name to new DNS name (nmtracking.doh.nm.gov) ###### 105 106 <VirtualHost 10.100.2.17:443> 107 ServerName nmtracking.org 108 #### use http2, and permit acme to just use 443 109 #### Protocols h2 http/1.1 110 Protocols h2 http/1.1 acme-tls/1 111 112 SSLEngine on 113 114 ErrorLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_nmtracking_error.log 86400" 115 CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_nmtracking_access.log 86400" combined 116 117 ######## This server is listening for nmtracking.org It should redirect to nmtracking.doh.nm.gov/Alert.html 118 119 RewriteEngine on 120 RewriteCond "%{HTTP_HOST}" "=nmtracking.org" 121 RewriteRule "environment/air/FireAndSmoke.html" "https://nmtracking.doh.nm.gov/environment/air/FireAndSmoke.html" 122 RewriteRule "/environment/air/FireAndSmoke.html" "https://nmtracking.doh.nm.gov/environment/air/FireAndSmoke.html" 123 124 RewriteRule ".*" "https://nmtracking.doh.nm.gov/Alert.html" 125 126 Redirect / https://nmtracking.doh.nm.gov/Alert.html 127 128 </VirtualHost> 84 129 85 130 86 <VirtualHost 10.100.2.17:443> 87 ServerName nmtracknew.nmtracking.org 88 #### use http2, and permit acme to just use 443 89 ##### turn offf acme Protocols h2 http/1.1 acme-tls/1 90 ##### Protocols 
h2 http/1.1 91 Protocols h2 http/1.1 acme-tls/1 92 SSLEngine on 93 LogLevel debug 94 ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/nmtrackingnew_error.log 86400" 95 CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/nmtrackingnew_access.log 86400" combined 131 ############### VirtualHost nmtracknew.nmtracking.org ##### 132 ####### CHANGE ServerName BELOW ####### 96 133 97 #### Reverse proxy for this virtual host #### 134 <VirtualHost 10.100.2.17:443> 135 ServerName nmtracknew.nmtracking.org 136 ######### ServerName nmtracking.doh.nm.gov 137 #### use http2, and permit acme to just use 443 138 ##### turn offf acme Protocols h2 http/1.1 acme-tls/1 139 ##### Protocols h2 http/1.1 140 Protocols h2 http/1.1 acme-tls/1 98 141 99 ProxyPreserveHost on 100 ProxyRequests off 101 102 ##### Password Protect NMEPHT (in this case staging.ibis.dataphilesconsulting.com) 103 104 <Proxy *> 105 ####Require all granted 106 AuthType Basic 107 AuthName "Staging, enter username and password for access" 108 AuthBasicProvider file 109 AuthUserFile "C:\Apache-2.4.52\conf\nmtrackuser.txt" 110 Require user nmtracking 111 </Proxy> 142 SSLEngine on 143 SSLProxyEngine on 144 SSLProxyVerify require 145 SSLProxyVerifyDepth 8 146 SSLProxyCACertificateFile "/SSL/dohr2simnmibis2/dohr2simnmibis2.pem" 147 SSLProxyCheckPeerCN on 148 SSLProxyCheckPeerExpire on 149 SSLProxyCheckPeerName on 150 151 ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/nmtracking_error.log 86400" 152 CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/nmtracking_access.log 86400" combined 153 154 #### Reverse proxy for this virtual host #### 155 156 ProxyPreserveHost on 157 ProxyRequests off 158 ProxyTimeout 300 159 160 ###########Remove any Auth*, etc and uncomment Require ##### Password Protect NMEPHT (in this case staging.ibis.dataphilesconsulting.com) 161 162 <Proxy *> 163 ####Require all granted 164 AuthType Basic 165 AuthName "Staging, enter username and password for access" 166 AuthBasicProvider file 167 AuthUserFile 
"C:\Apache-2.4.52\conf\nmtrackuser.txt" 168 Require user nmtracking 169 </Proxy> 112 170 113 171 #### do not proxy the following, but let httpd respond, these directories are Apache httpd related 114 172 #### they are also restricted to certain hosts at bottom of http.conf file 115 173 116 ProxyPass "/server-status" "!" 117 ProxyPass "/md-status" "!" 118 ProxyPass "/.svn" "!" 174 ProxyPass "/server-status" "!" 175 ProxyPass "/md-status" "!" 176 ProxyPass "/.svn" "!" 177 ProxyPass "/nmibis-admin" "!" 119 178 120 ProxyPass / http://dohr2simnmibis2/nmepht-view/ 121 ProxyPassReverse / http://dohr2simnmibis2/nmepht-view/ 122 ####ProxyPassReverseCookiePath "/" "/nmepht-view" 179 ### WildFireSmoke 180 181 ProxyPass /WildFireSmoke https://dohr2simnmibis2/WildFireSmoke 182 ProxyPassReverse /WildFireSmoke https://dohr2simnmibis2/WildFireSmoke 183 ########Uncomment next line and delete 2nd line below prior to going live 184 ####ProxyPassReverseCookieDomain dohr2simnmibis2/WildFireSmoke/ nmtracking.doh.nm.gov/ 185 ProxyPassReverseCookieDomain dohr2simnmibis2/WildFireSmoke/ nmtracknew.nmtracking.org/ 186 ProxyPassReverseCookiePath / / 187 188 ### NMEPHT-View 189 190 #### Next line will eath the /nmepht-view I think, it fixes nmtrackingnew.nmtracking.org/nmepht-view/nmepht-view/Login.html error 191 ProxyPass /nmepht-view/ https://dohr2simnmibis2/nmepht-view/ 192 ProxyPass / https://dohr2simnmibis2/nmepht-view/ 193 ProxyPassReverse / https://dohr2simnmibis2/nmepht-view/ 194 ########Uncomment next line and delete 2nd line below prior to going live 195 #####ProxyPassReverseCookieDomain dohr2simnmibis2/nmepht-view/ nmtracking.doh.nm.gov/ 196 ProxyPassReverseCookieDomain dohr2simnmibis2/nmepht-view/ nmtracknew.nmtracking.org/ 197 ProxyPassReverseCookiePath / / 123 198 124 199 </VirtualHost> -
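Review bot: in the new ibis.health.state.nm.us vhost the redirect is implemented twice. A RewriteRule whose substitution is an absolute https:// URL already performs an external redirect, so `Redirect / https://ibis.doh.nm.gov/Alert.html` is unreachable, and if it were reached mod_alias Redirect appends the rest of the request path to the target, turning /foo into .../Alert.htmlfoo. Keep one mechanism: either `RewriteRule ".*" "https://ibis.doh.nm.gov/Alert.html" [R=301,L]` or `RedirectMatch "^" "https://ibis.doh.nm.gov/Alert.html"`, and add [NC] to the RewriteCond since the Host header comparison is a case-sensitive lexical match. A 301 rather than the implicit 302 also lets clients and search engines retire the old name.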
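Review bot: the cookie rewriting in the ibis.doh.nm.gov vhost cannot work as written. ProxyPassReverseCookieDomain takes two bare hostnames (internal-domain public-domain); `dohr2simnmibis2/nmibis-view/` contains a path and will never match a backend Set-Cookie Domain attribute, and `ProxyPassReverseCookiePath / /` rewrites nothing. Since the public root maps onto the backend's /nmibis-view/ (`ProxyPass / https://dohr2simnmibis2/nmibis-view/`), the directive that is actually needed is `ProxyPassReverseCookiePath /nmibis-view /`, so that cookies the backend scopes to Path=/nmibis-view are valid at the public root; the Domain rewrite is only needed if the backend emits Domain=dohr2simnmibis2 at all. On the new SSLProxy block: `SSLProxyVerify require` with `SSLProxyCACertificateFile` pointing at the backend's own dohr2simnmibis2.pem is effectively certificate pinning. That works only while the file holds the self-signed certificate or the CA that issued it, the backend certificate must carry dohr2simnmibis2 as CN or SAN for SSLProxyCheckPeerName to pass, and every backend certificate rotation now requires updating this file on the proxy; document that dependency next to the directive.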
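Review bot: in the nmtracking.org redirect vhost the FireAndSmoke.html exception does not take effect. Neither FireAndSmoke RewriteRule carries [L], so after the first one substitutes the absolute URL processing continues, the catch-all `RewriteRule ".*" "https://nmtracking.doh.nm.gov/Alert.html"` matches the already-rewritten URL, and every request ends at Alert.html. Add [R=301,L] to the FireAndSmoke rule (and to the catch-all). The first of the two FireAndSmoke rules is also redundant: the pattern is unanchored, so the version without the leading slash matches exactly the same requests as the one with it. As in the ibis.health.state.nm.us vhost, the trailing `Redirect / ...` duplicates the catch-all and would append the request path to Alert.html if it were ever reached.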
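Review bot: in the nmtracknew.nmtracking.org vhost the Basic-auth gate inside `<Proxy *>` only covers requests that are actually proxied; the paths excluded with `ProxyPass ... "!"` (/server-status, /md-status, /.svn, /nmibis-admin) are answered by httpd itself outside that block. That is fine for the two status handlers, which httpd.conf restricts by IP, but nothing visible here restricts /.svn or /nmibis-admin, so confirm what httpd serves for them. For the go-live removal the `###########Remove any Auth*` comment describes, keep the `Require all granted` form in the same block (it is already there, commented) so the swap is a one-line change, and note that the AuthUserFile path `C:\Apache-2.4.52\conf\nmtrackuser.txt` embeds the httpd version and will silently point at the wrong tree after the next upgrade; `${SRVROOT}`, as the removed example block used, avoids that. The `ProxyPassReverseCookieDomain dohr2simnmibis2/WildFireSmoke/ ...` and `.../nmepht-view/ ...` lines have the same host-plus-path argument problem as the ibis vhost and need bare hostnames or removal.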
adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/httpd.conf
r24586 r25237 59 59 ##### Settings in httpd-vhosts.conf 60 60 #Listen 12.34.56.78:80 61 ######## Listen 443 is already set in extra/httpd-ssl ###### 61 ######## Listen 443 is already set in extra/httpd-ssl ########### 62 62 ##### If Let's Encrypt will not use port 443, uncomment next line 63 Listen 8063 #########Listen 80 64 64 65 65 # … … 154 154 #LoadModule proxy_html_module modules/mod_proxy_html.so 155 155 LoadModule proxy_http_module modules/mod_proxy_http.so 156 #LoadModule proxy_http2_module modules/mod_proxy_http2.so156 LoadModule proxy_http2_module modules/mod_proxy_http2.so 157 157 #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so 158 158 #LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so … … 163 163 #LoadModule request_module modules/mod_request.so 164 164 #LoadModule reqtimeout_module modules/mod_reqtimeout.so 165 #LoadModule rewrite_module modules/mod_rewrite.so165 LoadModule rewrite_module modules/mod_rewrite.so 166 166 #LoadModule sed_module modules/mod_sed.so 167 167 #LoadModule session_module modules/mod_session.so … … 330 330 ######LogLevel info md:trace2 ssl:trace2 proxy:trace2 331 331 ############LogLevel debug md:trace2 ssl:trace2 proxy:trace5 332 ############LogLevel debug md:trace5 ssl:trace5 proxy:trace5 332 333 ####LogLevel warn proxy:trace5 333 334 #####LogLevel warn proxy:debug 334 LogLevel debug md:trace5ssl:trace5 proxy:trace5335 335 #####LogLevel ssl:trace5 proxy:trace5 336 LogLevel warn 336 337 337 338 <IfModule log_config_module> … … 564 565 #EnableSendfile on 565 566 566 # Supplemental configuration567 ##### Supplemental configuration ##### 567 568 # 568 569 # The configuration files in the conf/extra/ directory can be … … 572 573 573 574 # Server-pool management (MPM specific) 574 #Include conf/extra/httpd-mpm.conf575 Include conf/extra/httpd-mpm.conf 575 576 576 577 # Multi-language error messages … … 616 617 </IfModule> 617 618 619 620 ### Virtual hosts Where mod_md for specific hosts is configured ### 621 Include 
conf/extra/httpd-vhosts.conf 622 623 618 624 #### The following locations are limited to localhost and Paul's home machine 619 625 #### They give the status of the Let's Encrypt Certs (both server-status and md-status have entries … … 622 628 #### Server Status 623 629 ####### Could add internal DOH addresses here as well ######## 630 ##### for some reason Pauls office comes through as 10.138.1.2 ##### 624 631 <Location "/server-status"> 625 632 SetHandler server-status … … 627 634 Require ip ::1 628 635 Require ip 96.77.28.246 636 Require ip 10.138.1.2 629 637 </Location> 630 638 … … 636 644 Require ip ::1 637 645 Require ip 96.77.28.246 646 Require ip 10.138.1.2 638 647 </Location> 648 649 650 ##### This will restict the proxied nmibis-admin to specific IP Addresses ##### 651 ##### <Location "/nmibis-admin/"> 652 ##### Require ip 73.63.119.119 653 ##### Require ip 96.77.28.246 654 ##### Require ip 10.138.1.2 655 ##### </Location> 656 639 657 640 658 ### Intruder IO suggest turning off TraceEnable 641 659 TraceEnable off 642 660 661 ############################################## 643 662 ###### SET MOD_MD GLOBAL SETTING BELOW ####### 644 645 # Virtual hosts 646 Include conf/extra/httpd-vhosts.conf 663 ############################################## 647 664 648 665 ### … … 654 671 655 672 ##### GLOBAL SETTINGS, I think they will work here, if not move into individual Virtual Hosts #### 673 656 674 #### Let's Encrypt testing/staging URL 657 675 #### the MDCertificateAuthority line sets the URL to Production OR testing/staging URL #### 658 659 MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory 676 ##### MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory 660 677 661 678 #### 662 679 #### Let's Encrypt PRODUCTION URL 663 ####MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory680 MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory 664 681 665 682 MDCertificateAgreement accepted 683 
684 ##### Used to inform you about renewals or changed terms of service ##### 685 MDContactEmail DOH-Certificates@state.nm.us 666 686 667 687 #### … … 674 694 MDPrivateKeys RSA 4096 675 695 696 <MDomain ibis.doh.nm.gov> 697 #### MDRenewWindow Default - renewsl 36 days before it expires 698 MDRenewWindow 36d 699 </MDomain> 700 701 <MDomain ibis.health.state.nm.us> 702 MDRenewWindow 36d 703 </MDomain> 704 705 <MDomain nmtracking.doh.nm.gov> 706 MDRenewWindow 36d 707 </MDomain> 708 709 <MDomain nmtracking.org> 710 MDRenewWindow 36d 711 </MDomain> 712 713 714 715 ######## Will want to remove these before we go live ####### 716 676 717 <MDomain ibisnew.health.state.nm.us> 677 MDRenewWindow 1d 718 #### MDRenewWindow Default - renewsl 36 days before it expires 719 MDRenewWindow 36d 678 720 </MDomain> 679 721 680 722 <MDomain nmtracknew.nmtracking.org> 681 MDRenewWindow 1d723 MDRenewWindow 36d 682 724 </MDomain>
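Review bot: with `Listen 80` now commented out, plain-HTTP requests to the old names (ibis.health.state.nm.us, nmtracking.org) get a refused connection rather than the redirect the new vhosts in httpd-vhosts.conf were added to provide, since those vhosts only bind :443. If port 80 is deliberately closed at the firewall, say so in the comment; otherwise add a minimal port-80 vhost that redirects everything to https, which also keeps the option of http-01 challenges that the `If Let's Encrypt will not use port 443` comment alludes to.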
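Review bot: loading mod_proxy_http2 is harmless but currently unused: the ProxyPass targets in httpd-vhosts.conf are `https://`, not `h2://`, so the backend leg stays HTTP/1.1. Either switch the targets to h2:// deliberately, after checking the backend supports it, or leave the module commented to keep the loaded surface minimal. Enabling mod_rewrite is required by the new redirect vhosts and is fine.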
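Review bot: replacing `LogLevel debug md:trace5ssl:trace5 proxy:trace5` with `LogLevel warn` is the right production setting; trace5 on ssl and proxy writes handshake and request detail into the error log. Note the removed line was also malformed: the missing space between `md:trace5` and `ssl:trace5` made it a single unknown module token. The file still carries a long tail of commented LogLevel variants; keep one documented debug line and delete the rest so that nobody re-enables trace5 by uncommenting at random.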
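Review bot: the new `Require ip 10.138.1.2` on /server-status and /md-status is justified only by the comment that Paul's office "for some reason" arrives from that address. A 10.x address seen on a DMZ host is most likely a NAT gateway, VPN concentrator or internal proxy, so allowing it admits every client that egresses through that hop, not one workstation; identify the device before merging and, if it is shared infrastructure, prefer the Basic-auth gate already used in httpd-vhosts.conf for these handlers. The commented `<Location "/nmibis-admin/">` block would also not protect the admin path if enabled: the vhosts exclude it with `ProxyPass "/nmibis-admin" "!"` (no trailing slash), so a request for /nmibis-admin itself falls outside the Location, and requests under /nmibis-admin/ are never proxied at all; if the admin UI is meant to be reachable from the allowed addresses, the ProxyPass exclusion and the Location prefix have to agree.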
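Review bot: MDCertificateAuthority now points at the Let's Encrypt production directory and MDomain blocks were added for ibis.doh.nm.gov and nmtracking.doh.nm.gov, but no VirtualHost in httpd-vhosts.conf carries those names yet; both still read ibisnew.health.state.nm.us and nmtracknew.nmtracking.org with the production ServerName commented out. mod_md warns when an MDomain matches no VirtualHost, and the acme-tls/1 challenge these vhosts rely on is only answered for a name a vhost actually serves, so these orders will not complete until the ServerName switch; either add the production names as ServerAlias now or defer the MDomain blocks to the go-live change. With four live names plus the two marked "remove these before we go live" all ordering from production, keep an eye on Let's Encrypt rate limits during testing; the staging directory line commented out in this hunk exists for exactly that purpose.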