Changeset 25237 in main


Timestamp:
05/13/22 18:10:46 (7 months ago)
Author:
Paul Leo
Message:

Updating Production proxy httpd configuration files, prior to changes for going live

Location:
adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy
Files:
4 edited

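--- a/adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-mpm.conf
+++ b/adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-mpm.conf
@@ -104,6 +104,7 @@
 # MaxConnectionsPerChild: maximum number of connections a server process serves
 <IfModule mpm_winnt_module>
-    ThreadsPerChild        150
-    MaxConnectionsPerChild   0
+#   ThreadsPerChild        150
+    ThreadsPerChild        1024
+    MaxConnectionsPerChild   8192
 </IfModule>
 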
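Review bot: The new `MaxConnectionsPerChild 8192` has no rationale next to it, and on mpm_winnt it means the single worker child is replaced every 8192 connections (each replacement re-reads configuration and re-initialises mod_ssl/mod_md state), which is a deliberate trade-off worth writing down since the previous value was the documented default of 0. `ThreadsPerChild 1024` stays under mpm_winnt's default `ThreadLimit` of 1920, so no `ThreadLimit` change is needed, but that is also worth stating. Suggested comment above the two directives: `# 1024 threads sized for the production proxy load; 8192 connections/child recycles the worker to bound leaks — set back to 0 if restarts show up in the error log`.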
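--- a/adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-ssl.conf
+++ b/adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-ssl.conf
@@ -66,5 +66,5 @@
 #####SSLCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES
 #####SSLProxyCipherSuite HIGH:!kRSA:!ADH:!eNULL:!LOW:!EXP:!MD5:!3DES
-SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
 
 
@@ -103,6 +103,6 @@
 ######### what I have been using  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.3
 ######### what I have been using  SSLProxyProtocol +TLSv1.2
-SSLProtocol all -SSLv3
-SSLProxyProtocol all -SSLv3
+SSLProtocol +TLSv1.2 +TLSv1.3
+SSLProxyProtocol +TLSv1.2 +TLSv1.3
 
 #   Pass Phrase Dialog: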
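Review bot: `SSLProxyProtocol` is tightened to TLS 1.2/1.3 but `SSLProxyCipherSuite` is still only present as the commented-out line on 67, so the proxy-to-backend leg (the new `https://dohr2simnmibis2/...` ProxyPass targets) negotiates from mod_ssl's default cipher list rather than the curated one; unless it is set elsewhere in the file, add `SSLProxyCipherSuite` with the same string as `SSLCipherSuite`. The reordering of `SSLCipherSuite` to put AES-256 first only changes anything if `SSLHonorCipherOrder on` is set, which is not visible in this hunk — confirm it, or document that client preference is intended. Note also that this list governs TLS 1.2 only; TLS 1.3 suites are configured separately with `SSLCipherSuite TLSv1.3 ...` (httpd 2.4.36+), and the ECDSA entries are inert while `MDPrivateKeys RSA 4096` is the only key type.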
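--- a/adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-vhosts.conf
+++ b/adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/extra/httpd-vhosts.conf
@@ -15,110 +15,185 @@
 # configuration.
 
-###
-### VirtualHost example:
-### Almost any Apache directive may go into a VirtualHost container.
-### The first VirtualHost section is used for all requests that do not
-### match a ServerName or ServerAlias in any <VirtualHost> block.
-###
-###<VirtualHost *:80>
-###    ServerAdmin webmaster@dummy-host.example.com
-###    DocumentRoot "${SRVROOT}/docs/dummy-host.example.com"
-###    ServerName dummy-host.example.com
-###    ServerAlias www.dummy-host.example.com
-###    ErrorLog "logs/dummy-host.example.com-error.log"
-###    CustomLog "logs/dummy-host.example.com-access.log" common
-###</VirtualHost>
-###
+###### VirtualHost ibis.health.state.nm.us  #######
+###### redirecting of old DNS name to new DNS name (ibis.doh.nm.gov) ######
 
-##### VirtualHost ibisnew.health.state.nm.us #####
+        <VirtualHost 10.100.2.16:443>
+                ServerName ibis.health.state.nm.us
+                #### use http2, and permit acme to just use 443
+                #### Protocols h2 http/1.1
+                Protocols h2 http/1.1 acme-tls/1
+               
+                SSLEngine on
+
+                ErrorLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_ibis_error.log 86400"
+                CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_ibis_access.log 86400" combined
+
+                ######## This server is listening for ibis.health.state.nm.us It should redirect to ibis.doh.nm.gov/Alert.html
+                RewriteEngine  on
+                RewriteCond "%{HTTP_HOST}" "=ibis.health.state.nm.us"
+                RewriteRule  ".*" "https://ibis.doh.nm.gov/Alert.html"
+               
+                Redirect / https://ibis.doh.nm.gov/Alert.html
+               
+        </VirtualHost>
+
+###### VirtualHost ibis.doh.nm.gov ######
+
+####### CHANGE ServerName BELOW #######
 
         <VirtualHost 10.100.2.15:443>
-          ServerName ibisnew.health.state.nm.us
-          #### use http2, and permit acme to just use 443
-          #### Protocols h2 http/1.1
-          Protocols h2 http/1.1 acme-tls/1
-          
-          SSLEngine on
-
-          # For use of rotatelogs, see https://httpd.apache.org/docs/2.4/programs/rotatelogs.html
-          # am using rotate every day and keep 7 days, could keep more.
-          # you could also rotate at midnight and create a log with date, but keeping only x logs will not work with that
-          ### NOTE: -c not permitted in windows, may be other options also not permitted, see explanation in next section log_conf_module
-          # -v is verbose output for debugging, BUT...
-          # try first with access, if you try with Errorlog, and you have something wrong, no log will be produced.
-          # note daily is 86400, testing is 60 (every minute)
-          # Next line is for testing log rotation every 20 seconds, keep 7 files, verbose output
-          # ErrorLog "|bin/rotatelogs.exe -l -v -n 7 logs/error.log 20"
-          # Next line is for production, rotate every day, keep 14 logs
-          ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/ibisnew_error.log 86400"
-          CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/ibisnew_access.log 86400" combined
+                ServerName ibisnew.health.state.nm.us
+                ######## ServerName ibis.doh.nm.gov 
+                #### use http2, and permit acme to just use 443
+                #### Protocols h2 http/1.1
+                Protocols h2 http/1.1 acme-tls/1
+               
+                SSLEngine on
+                SSLProxyEngine on
+                SSLProxyVerify require
+                SSLProxyVerifyDepth 8
+                SSLProxyCACertificateFile "/SSL/dohr2simnmibis2/dohr2simnmibis2.pem"
+                SSLProxyCheckPeerCN on
+                SSLProxyCheckPeerExpire on
+                SSLProxyCheckPeerName on
+       
+                # For use of rotatelogs, see https://httpd.apache.org/docs/2.4/programs/rotatelogs.html
+                # am using rotate every day and keep 7 days, could keep more.
+                # you could also rotate at midnight and create a log with date, but keeping only x logs will not work with that
+                ### NOTE: -c not permitted in windows, may be other options also not permitted, see explanation in next section log_conf_module
+                # -v is verbose output for debugging, BUT...
+                # try first with access, if you try with Errorlog, and you have something wrong, no log will be produced.
+                # note daily is 86400, testing is 60 (every minute)
+                # Next line is for testing log rotation every 20 seconds, keep 7 files, verbose output
+                # ErrorLog "|bin/rotatelogs.exe -l -v -n 7 logs/error.log 20"
+                # Next line is for production, rotate every day, keep 14 logs
+                ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/ibis_error.log 86400"
+                CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/ibis_access.log 86400" combined       
          
                 # Reverse proxy for this virtual host
                        
-                        ProxyPreserveHost on
-                        ProxyRequests off
-                       
-                        <Proxy *>
-                                Require all granted 
-                        </Proxy>
+                ProxyPreserveHost on
+                ProxyRequests off
+                ProxyTimeout 300
+               
+                <Proxy *>
+                        Require all granted 
+                </Proxy>
 
                 #### do not proxy the following, but let httpd respond, these directories are Apache httpd related
                 #### they are also restricted to certain hosts at bottom of http.conf file
               
-                        ProxyPass "/server-status" "!"
-                        ProxyPass "/md-status" "!"
-                        ProxyPass "/.svn" "!"
-                       
-                        ProxyPass / http://dohr2simnmibis2/nmibis-view/
-                        ProxyPassReverse / http://dohr2simnmibis2/nmibis-view/
-                        ProxyPassReverseCookiePath "/" "/nmibis-view"
-                       
-                ####Once secure has been set up
-                ####    ProxyPass / https://dohr2simnmibis2/nmibis-view/
-                ####    ProxyPassReverse / https://dohr2simnmibis2/nmibis-view/
-                ####    ProxyPassReverseCookiePath "/"  "/nmibis-view"
+                ProxyPass "/server-status" "!"
+                ProxyPass "/md-status" "!"
+                ProxyPass "/.svn" "!"
+                ProxyPass "/nmibis-admin" "!"
+               
+                #### Next line will eath the /nmibis-view I think, it fixes ibis.doh.nm.gov/nmibis-view/nmibis-view/Login.html error
+                ProxyPass /nmibis-view/ https://dohr2simnmibis2/nmibis-view/
+                ProxyPass / https://dohr2simnmibis2/nmibis-view/
+                ProxyPassReverse / https://dohr2simnmibis2/nmibis-view/
+        ########Uncomment next line and delete 2nd line below prior to going live
+                ####ProxyPassReverseCookieDomain dohr2simnmibis2/nmibis-view/ ibis.doh.nm.gov
+                ProxyPassReverseCookieDomain dohr2simnmibis2/nmibis-view/ ibisnew.health.state.nm.us
+                ProxyPassReverseCookiePath / /
                        
         </VirtualHost>
 
-############### VirtualHost nmtracknew.nmtracking.org #####
+
+###### VirtualHost nmtracking.org  #######
+###### redirecting of old DNS name to new DNS name (nmtracking.doh.nm.gov) ######
+
+        <VirtualHost 10.100.2.17:443>
+                ServerName nmtracking.org
+                #### use http2, and permit acme to just use 443
+                #### Protocols h2 http/1.1
+                Protocols h2 http/1.1 acme-tls/1
+               
+                SSLEngine on
+
+                ErrorLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_nmtracking_error.log 86400"
+                CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/old_nmtracking_access.log 86400" combined
+
+                ######## This server is listening for nmtracking.org It should redirect to nmtracking.doh.nm.gov/Alert.html
+
+                RewriteEngine  on
+                RewriteCond "%{HTTP_HOST}" "=nmtracking.org"
+                RewriteRule  "environment/air/FireAndSmoke.html" "https://nmtracking.doh.nm.gov/environment/air/FireAndSmoke.html"
+                RewriteRule  "/environment/air/FireAndSmoke.html" "https://nmtracking.doh.nm.gov/environment/air/FireAndSmoke.html"
+               
+                RewriteRule  ".*" "https://nmtracking.doh.nm.gov/Alert.html"
+               
+                Redirect / https://nmtracking.doh.nm.gov/Alert.html
+               
+        </VirtualHost>
 
 
-<VirtualHost 10.100.2.17:443>
-          ServerName nmtracknew.nmtracking.org
-          #### use http2, and permit acme to just use 443
-          ##### turn offf acme Protocols h2 http/1.1 acme-tls/1
-          ##### Protocols h2 http/1.1
-          Protocols h2 http/1.1 acme-tls/1
-          SSLEngine on
-          LogLevel debug
-          ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/nmtrackingnew_error.log 86400"
-          CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/nmtrackingnew_access.log 86400" combined
+############### VirtualHost nmtracknew.nmtracking.org #####
+####### CHANGE ServerName BELOW #######
 
-        #### Reverse proxy for this virtual host ####
+        <VirtualHost 10.100.2.17:443>
+                ServerName nmtracknew.nmtracking.org
+                ######### ServerName nmtracking.doh.nm.gov 
+                #### use http2, and permit acme to just use 443
+                ##### turn offf acme Protocols h2 http/1.1 acme-tls/1
+                ##### Protocols h2 http/1.1
+                Protocols h2 http/1.1 acme-tls/1
                
-                        ProxyPreserveHost on
-                        ProxyRequests off
-                       
-                        ##### Password Protect NMEPHT (in this case staging.ibis.dataphilesconsulting.com)
-                       
-                        <Proxy *>
-                                ####Require all granted
-                                AuthType Basic
-                                AuthName "Staging, enter username and password for access"
-                                AuthBasicProvider file
-                                AuthUserFile "C:\Apache-2.4.52\conf\nmtrackuser.txt"
-                                Require user nmtracking
-                        </Proxy>
+                SSLEngine on
+                SSLProxyEngine on
+                SSLProxyVerify require
+                SSLProxyVerifyDepth 8
+                SSLProxyCACertificateFile "/SSL/dohr2simnmibis2/dohr2simnmibis2.pem"
+                SSLProxyCheckPeerCN on
+                SSLProxyCheckPeerExpire on
+                SSLProxyCheckPeerName on
+       
+                ErrorLog "|bin/rotatelogs.exe -l -v -n 14 logs/nmtracking_error.log 86400"
+                CustomLog "|bin/rotatelogs.exe -l -f -v -n 14 logs/nmtracking_access.log 86400" combined
+
+                #### Reverse proxy for this virtual host ####
+               
+                ProxyPreserveHost on
+                ProxyRequests off
+                ProxyTimeout 300
+               
+###########Remove any Auth*, etc and uncomment Require  ##### Password Protect NMEPHT (in this case staging.ibis.dataphilesconsulting.com)
+               
+                <Proxy *>
+                        ####Require all granted
+                        AuthType Basic
+                        AuthName "Staging, enter username and password for access"
+                        AuthBasicProvider file
+                        AuthUserFile "C:\Apache-2.4.52\conf\nmtrackuser.txt"
+                        Require user nmtracking
+                </Proxy>
                        
                 #### do not proxy the following, but let httpd respond, these directories are Apache httpd related
                 #### they are also restricted to certain hosts at bottom of http.conf file
               
-                        ProxyPass "/server-status" "!"
-                        ProxyPass "/md-status" "!"
-                        ProxyPass "/.svn" "!"
+                ProxyPass "/server-status" "!"
+                ProxyPass "/md-status" "!"
+                ProxyPass "/.svn" "!"
+                ProxyPass "/nmibis-admin" "!"
 
-                        ProxyPass / http://dohr2simnmibis2/nmepht-view/
-                        ProxyPassReverse / http://dohr2simnmibis2/nmepht-view/
-                        ####ProxyPassReverseCookiePath "/" "/nmepht-view"
+                ### WildFireSmoke
+               
+        ProxyPass /WildFireSmoke https://dohr2simnmibis2/WildFireSmoke
+        ProxyPassReverse /WildFireSmoke https://dohr2simnmibis2/WildFireSmoke
+        ########Uncomment next line and delete 2nd line below prior to going live
+                ####ProxyPassReverseCookieDomain dohr2simnmibis2/WildFireSmoke/ nmtracking.doh.nm.gov/
+                ProxyPassReverseCookieDomain dohr2simnmibis2/WildFireSmoke/ nmtracknew.nmtracking.org/
+                ProxyPassReverseCookiePath / /
+                       
+        ### NMEPHT-View
+               
+                #### Next line will eath the /nmepht-view I think, it fixes nmtrackingnew.nmtracking.org/nmepht-view/nmepht-view/Login.html error
+                ProxyPass /nmepht-view/ https://dohr2simnmibis2/nmepht-view/
+                ProxyPass / https://dohr2simnmibis2/nmepht-view/
+                ProxyPassReverse / https://dohr2simnmibis2/nmepht-view/
+        ########Uncomment next line and delete 2nd line below prior to going live       
+                #####ProxyPassReverseCookieDomain dohr2simnmibis2/nmepht-view/ nmtracking.doh.nm.gov/
+                ProxyPassReverseCookieDomain dohr2simnmibis2/nmepht-view/ nmtracknew.nmtracking.org/
+                ProxyPassReverseCookiePath / /
                        
         </VirtualHost>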
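Review bot: In both proxied vhosts `SSLProxyCheckPeerName on` is combined with `ProxyPreserveHost on`; in httpd 2.4 mod_proxy hands the preserved client Host header to mod_ssl as the SNI and peer-name hostname, so the backend certificate verified against `/SSL/dohr2simnmibis2/dohr2simnmibis2.pem` will be checked for `ibisnew.health.state.nm.us` / `nmtracknew.nmtracking.org` (and the `.doh.nm.gov` names after go-live) rather than `dohr2simnmibis2`, which fails closed with a 502 unless those public names are in the certificate's SANs — confirm the SANs before cut-over and record the dependency next to the block, e.g. `# backend cert must carry the public hostnames: with ProxyPreserveHost on, mod_ssl verifies the peer name against the client's Host header`, so that a 502 is not "fixed" by weakening `SSLProxyVerify`. Separately, `ProxyPassReverseCookieDomain` takes an internal and a public domain name, not a URL path, so `dohr2simnmibis2/nmibis-view/` can never match a `Domain=` attribute the backend sets and those four lines are no-ops; the intended form is `ProxyPassReverseCookieDomain dohr2simnmibis2 ibisnew.health.state.nm.us`. In the nmtracking.org redirect vhost the two FireAndSmoke `RewriteRule`s carry no `[L]` flag, so the following `RewriteRule ".*"` rewrites their substituted URL as well and the deep link appears to end up at Alert.html; add `[R=301,L]` to the two FireAndSmoke rules.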
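--- a/adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/httpd.conf
+++ b/adopters/nm/trunk/src/main/serverconfigs/dmzr2nmibis001/apache_httpd_reverse_proxy/httpd.conf
@@ -59,7 +59,7 @@
 ##### Settings in httpd-vhosts.conf
 #Listen 12.34.56.78:80
-######## Listen 443 is already set in extra/httpd-ssl ######
+######## Listen 443 is already set in extra/httpd-ssl ###########
 ##### If Let's Encrypt will not use port 443, uncomment next line
-Listen 80
+#########Listen 80
 
 #
@@ -154,5 +154,5 @@
 #LoadModule proxy_html_module modules/mod_proxy_html.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
-#LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
 #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
 #LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
@@ -163,5 +163,5 @@
 #LoadModule request_module modules/mod_request.so
 #LoadModule reqtimeout_module modules/mod_reqtimeout.so
-#LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule rewrite_module modules/mod_rewrite.so
 #LoadModule sed_module modules/mod_sed.so
 #LoadModule session_module modules/mod_session.so
@@ -330,8 +330,9 @@
 ######LogLevel info md:trace2 ssl:trace2 proxy:trace2
 ############LogLevel debug md:trace2 ssl:trace2 proxy:trace5
+############LogLevel debug md:trace5 ssl:trace5 proxy:trace5
 ####LogLevel warn proxy:trace5
 #####LogLevel warn proxy:debug
-LogLevel debug md:trace5 ssl:trace5 proxy:trace5
-
+#####LogLevel ssl:trace5 proxy:trace5
+LogLevel warn
 
 <IfModule log_config_module>
@@ -564,5 +565,5 @@
 #EnableSendfile on
 
-# Supplemental configuration
+#####  Supplemental configuration #####
 #
 # The configuration files in the conf/extra/ directory can be
@@ -572,5 +573,5 @@
 
 # Server-pool management (MPM specific)
-#Include conf/extra/httpd-mpm.conf
+Include conf/extra/httpd-mpm.conf
 
 # Multi-language error messages
@@ -616,4 +617,9 @@
 </IfModule>
 
+
+### Virtual hosts  Where mod_md for specific hosts is configured ###
+Include conf/extra/httpd-vhosts.conf
+
+
 #### The following locations are limited to localhost and Paul's home machine
 #### They give the status of the Let's Encrypt Certs (both server-status and md-status have entries
@@ -622,4 +628,5 @@
 #### Server Status
 ####### Could add internal DOH addresses here as well ########
+##### for some reason Pauls office comes through as 10.138.1.2 #####
 <Location "/server-status">
   SetHandler server-status
@@ -627,3 +634,4 @@
         Require ip ::1
         Require ip 96.77.28.246
+        Require ip 10.138.1.2
 </Location>
 
@@ -636,13 +644,22 @@
         Require ip ::1
         Require ip 96.77.28.246
+        Require ip 10.138.1.2
 </Location>
+
+
+##### This will restict the proxied nmibis-admin to specific IP Addresses #####
+##### <Location "/nmibis-admin/">
+#####   Require ip 73.63.119.119
+#####   Require ip 96.77.28.246
+#####   Require ip 10.138.1.2
+##### </Location>       
+
 
 ### Intruder IO suggest turning off TraceEnable
 TraceEnable off
 
+##############################################
 ###### SET MOD_MD GLOBAL SETTING BELOW #######
-
-# Virtual hosts
-Include conf/extra/httpd-vhosts.conf
+##############################################
 
 ###
@@ -654,14 +671,17 @@
 
 ##### GLOBAL SETTINGS, I think they will work here, if not move into individual Virtual Hosts ####
+
 #### Let's Encrypt testing/staging  URL
 #### the MDCertificateAuthority line sets the URL to Production OR  testing/staging URL ####
-
-MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
+##### MDCertificateAuthority https://acme-staging-v02.api.letsencrypt.org/directory
 
 ####
 #### Let's Encrypt PRODUCTION URL
-#### MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
+MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
 
 MDCertificateAgreement accepted
+
+##### Used to inform you about renewals or changed terms of service #####
+MDContactEmail DOH-Certificates@state.nm.us
 
 ####
@@ -674,9 +694,31 @@
 MDPrivateKeys RSA 4096
 
+<MDomain ibis.doh.nm.gov>
+        #### MDRenewWindow Default - renewsl 36 days before it expires
+        MDRenewWindow 36d
+</MDomain>
+
+<MDomain ibis.health.state.nm.us>
+        MDRenewWindow 36d
+</MDomain>
+
+<MDomain nmtracking.doh.nm.gov>
+        MDRenewWindow 36d
+</MDomain>
+
+<MDomain nmtracking.org>
+        MDRenewWindow 36d
+</MDomain>
+
+
+
+######## Will want to remove these before we go live #######
+
 <MDomain ibisnew.health.state.nm.us>
-        MDRenewWindow 1d
+        #### MDRenewWindow Default - renewsl 36 days before it expires
+        MDRenewWindow 36d
 </MDomain>
 
 <MDomain nmtracknew.nmtracking.org>
-        MDRenewWindow 1d
+        MDRenewWindow 36d
 </MDomain>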
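Review bot: The `/server-status` and `/md-status` allow-lists on the production DMZ proxy now grant access to two individual external addresses, `96.77.28.246` (described above as a home machine) and `10.138.1.2`, on top of localhost; a residential or office NAT address can be reassigned without anyone touching this file, at which point a stranger can read live request URLs, client IPs and certificate status from `server-status` with `ExtendedStatus`. Prefer restricting these Locations to a management network or VPN range, and document why each entry exists inline, e.g. `# 10.138.1.2 = DOH office egress NAT, 96.77.28.246 = admin remote access; review before go-live`. The commented-out `<Location "/nmibis-admin/">` block also lists a third external address, `73.63.119.119`, with no note of who it belongs to — add one before the block is ever enabled, and note that its trailing-slash path would not cover `/nmibis-admin` itself, which the vhosts currently exclude from proxying with `ProxyPass "/nmibis-admin" "!"`.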