Guide Apache HTTPS to HTTPS reverse proxy with basic auth
Posted: Tuesday 14 November 2017 19:58
This is an Apache "Domoticz.conf" file for /etc/apache2/sites-enabled.
The purpose is to reverse proxy from https://domoticz:443 (unsecured, self-signed SSL) to an Apache2 web server with a signed SSL certificate on a different port (444 in this case).
The reverse proxy authenticates to Domoticz with basic auth as a defined user, which would make access via the reverse proxy transparent, BUT not really, because the configuration adds ANOTHER basic authentication in its place.
The idea is that Domoticz is not open to attack externally unless the user has first passed basic authentication on Apache2 over the signed SSL (this significantly increases security for external Domoticz access).
I've tried to make it as easy to follow as possible; read the comments in the config below:
Download the favicon from Domoticz (http://domoticzip/favicon.ico) and put it in /var/www/domoticz. The config sets Apache to serve this file directly without authentication. I found that without it the Domoticz icon would not show in Chrome browser tabs.
I've also tested this configuration with the Android Domoticz app and can confirm that it works without issues.
Knowledge of Apache is required. I take no responsibility for the security settings used. You will need to assess on your own if they are suitable for your network environment.
Listen 444
<VirtualHost *:444>
    ServerName enteryourdomain.com

    # Backend connection to Domoticz: its certificate is self-signed,
    # so all proxy-side certificate checks are switched off here.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPreserveHost On
    ProxyRequests off

    # Serve the favicon locally, without proxying it
    ProxyPass /favicon.ico !
    Alias /favicon.ico "/var/www/domoticz/favicon.ico"

    ProxyPass / https://domoticzipaddress:443/
    ProxyTimeout 5400
    Timeout 5400

    # We need to specify which user in Domoticz the reverse proxy will connect as
    # and convert it to base64 format using:
    #   echo -n "USERNAME:PASSWORD" | base64
    # It will look something like the sample below:
    RequestHeader set Authorization "Basic T5345mtrk34534tgfdg=="

    <Proxy *>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Password Required"
        # We need to generate an Apache password file containing a username and
        # password that will be used for the Apache2 basic authentication
        # (note you may need to create the domoticz directory in /var/www), using:
        #   htpasswd -c /var/www/domoticz/.htpasswd USERNAMEYOUWANT
        AuthUserFile /var/www/domoticz/.htpasswd
        Require valid-user
    </Proxy>

    # Front-end TLS with the signed certificate
    SSLEngine on
    SSLCACertificateFile /etc/ssl/domain/domain.ca-bundle
    SSLCertificateFile /etc/ssl/domain/domain.crt
    SSLCertificateKeyFile /etc/ssl/domain/private.key
</VirtualHost>
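The config above turns off every certificate check on the Apache-to-Domoticz hop. As an added example (not part of the original post), the same backend section can instead trust only the Domoticz self-signed certificate; the file path below is a hypothetical location for a copy of that certificate (public part only) placed on the proxy host.

```apache
# Added example: replaces only the SSLProxy* lines inside <VirtualHost *:444>.
# Everything else in the VirtualHost stays as in the post.

# --- As posted: the proxy accepts any certificate from the backend ---
# SSLProxyVerify none
# SSLProxyCheckPeerCN off
# SSLProxyCheckPeerName off
# SSLProxyCheckPeerExpire off

# --- Pinned alternative ---
SSLProxyEngine on

# Assumption: this file holds a copy of the self-signed certificate that
# Domoticz presents on port 443. The path is a placeholder, not from the post.
SSLProxyCACertificateFile /etc/ssl/domoticz/domoticz-selfsigned.pem

# Refuse the backend connection unless its certificate validates
# against the file above.
SSLProxyVerify require

# Reject the backend certificate once it has expired.
SSLProxyCheckPeerExpire on

# Compare the certificate's CN/subjectAltName with the backend host name.
# Assumption: the self-signed certificate was issued for the name used in
# ProxyPass. If it was not, set this to "off" and keep "SSLProxyVerify require";
# the backend must still present a certificate that validates against the
# pinned file.
SSLProxyCheckPeerName on

ProxyPass / https://domoticzipaddress:443/
```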