Guide Apache HTTPS to HTTPS reverse proxy with basic auth

Moderator: leecollings

ben53252642
Posts: 543
Joined: Saturday 02 July 2016 5:17
Target OS: Linux
Domoticz version: Beta

Post by ben53252642 »

This is an Apache "Domoticz.conf" file for /etc/apache2/sites-enabled.

The purpose is to reverse proxy from https://domoticz:443 (unsecured, self-signed SSL) to an Apache2 web server with a signed SSL certificate on a different port (444 in this case).

The reverse proxy basic authenticates to Domoticz as a defined user, making access via the reverse proxy transparent, BUT not really, because the configuration adds ANOTHER basic authentication in its place.

The idea is that unless the user basic authenticates via Apache2 on the signed SSL, Domoticz is not open to attack externally (this significantly increases security for external Domoticz access).

I've tried to make it as easy to follow as possible; read the comments in the config below:

    Listen 444
    <VirtualHost *:444>
        ServerName enteryourdomain.com

        # Proxy to the Domoticz backend over HTTPS. Domoticz uses a self-signed
        # certificate, so all checks of the backend certificate are switched off;
        # with these settings Apache accepts any certificate from the backend.
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        ProxyPreserveHost On
        ProxyRequests off

        # Serve the favicon directly from disk instead of proxying it.
        ProxyPass /favicon.ico !
        Alias /favicon.ico "/var/www/domoticz/favicon.ico"
        ProxyPass / https://domoticzipaddress:443/
        ProxyTimeout 5400
        Timeout 5400

        # We need to specify which user in Domoticz the reverse proxy will
        # connect as, and convert it to base64 format using:
        #   echo -n "USERNAME:PASSWORD" | base64
        # It will look something like the sample below:
        RequestHeader set Authorization "Basic T5345mtrk34534tgfdg=="

        <Proxy *>
            Order deny,allow
            Allow from all
            AuthType Basic
            AuthName "Password Required"
            # We need to generate an Apache .htpasswd password file containing a
            # username and password that will be used for the Apache2 basic
            # authentication (note you may need to create the domoticz directory
            # in /var/www), using:
            #   htpasswd -c /var/www/domoticz/.htpasswd USERNAMEYOUWANT
            AuthUserFile /var/www/domoticz/.htpasswd
            Require valid-user
        </Proxy>

        # Certificate and key for the signed, client-facing side.
        SSLEngine on
        SSLCACertificateFile /etc/ssl/domain/domain.ca-bundle
        SSLCertificateFile /etc/ssl/domain/domain.crt
        SSLCertificateKeyFile /etc/ssl/domain/private.key

    </VirtualHost>

Download the favicon from Domoticz (http://domoticzip/favicon.ico) and put it in /var/www/domoticz. The config sets Apache to serve this file directly without authentication. I found that without it the Domoticz icon would not show in Chrome browser tabs.

I've also tested this configuration with the Android Domoticz app and can confirm that it works without issues. :D

Knowledge of Apache is required. I take no responsibility for the security settings used. You will need to assess on your own if they are suitable for your network environment.
Unless otherwise stated, all my code is released under GPL 3 license: https://www.gnu.org/licenses/gpl-3.0.en.html
BazsoDombiAndras
Posts: 56
Joined: Thursday 08 January 2015 9:52
Target OS: Raspberry Pi / ODroid
Domoticz version: v4.10717
Location: Cluj-Napoca, Romania

Re: Guide Apache HTTPS to HTTPS reverse proxy with basic auth

Post by BazsoDombiAndras »

Hi there!

I'm trying to follow this guide to set up Domoticz to work over https behind a reverse proxy.
With this VirtualHost configuration it loads the Domoticz page but it asks for a username and a password over and over again and never logs in. I've tried setting the permissions of the .htpasswd file to 777, doesn't help. The authentication type in the Domoticz settings is set to Basic Auth.

Any idea how to make it work?

Thanks!
ben53252642
Posts: 543
Joined: Saturday 02 July 2016 5:17
Target OS: Linux
Domoticz version: Beta

Re: Guide Apache HTTPS to HTTPS reverse proxy with basic auth

Post by ben53252642 »

It sounds like you haven't properly configured: RequestHeader set Authorization

Follow the instructions on the line above it.
Unless otherwise stated, all my code is released under GPL 3 license: https://www.gnu.org/licenses/gpl-3.0.en.html
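
Added example, not part of the original posts: a shell helper for building and checking the value that goes on the "RequestHeader set Authorization" line discussed above. The function names are hypothetical, and it assumes a POSIX shell with the coreutils base64 command.

```shell
#!/bin/sh
# Added example, not from the original posts; function names are hypothetical.

# Build the value for the 'RequestHeader set Authorization' line.
# $1 = Domoticz username, $2 = Domoticz password
make_basic_value() {
    case "$1" in
        *:*) echo "username must not contain ':'" >&2; return 1 ;;
    esac
    # printf instead of the less portable 'echo -n'; tr removes the line
    # wrap base64 adds after 76 characters, which would break the header.
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Succeed only if $1 is "Basic " plus single-line base64 that decodes
# to USERNAME:PASSWORD.
check_basic_value() {
    case "$1" in
        "Basic "*) b64=${1#"Basic "} ;;
        *) return 1 ;;
    esac
    case "$b64" in
        ""|*[!A-Za-z0-9+/=]*) return 1 ;;   # empty, wrapped or foreign characters
    esac
    [ $(( ${#b64} % 4 )) -eq 0 ] || return 1   # padded base64 is a multiple of 4
    decoded=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || return 1
    case "$decoded" in
        ?*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the value configured in a vhost file. Assumes the directive is
# written on one line, as in the config posted in this thread.
check_conf() {
    value=$(sed -n 's/^[[:space:]]*RequestHeader set Authorization "\(.*\)"[[:space:]]*$/\1/p' "$1" | head -n 1)
    check_basic_value "$value"
}
```

check_basic_value rejects the sample string from the first post, which is a placeholder rather than a real encoded credential, so it has to be replaced with the output of make_basic_value for an existing Domoticz user.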
BazsoDombiAndras
Posts: 56
Joined: Thursday 08 January 2015 9:52
Target OS: Raspberry Pi / ODroid
Domoticz version: v4.10717
Location: Cluj-Napoca, Romania

Re: Guide Apache HTTPS to HTTPS reverse proxy with basic auth

Post by BazsoDombiAndras »

Thanks, I'll check it!
pragma
Posts: 2
Joined: Monday 11 May 2015 11:10
Target OS: Raspberry Pi / ODroid
Domoticz version:

Re: Guide Apache HTTPS to HTTPS reverse proxy with basic auth

Post by pragma »

Wouldn't it be easier and more logical to set the Domoticz SSL port to 443?