
Apache Reverse Proxy Server with Let’s Encrypt on Ubuntu 16.04

  1. Install apache
    apt-get install apache2
  2. Install letsencrypt
    apt-get install letsencrypt
  3. Configure letsencrypt
    • Run letsencrypt once to create the necessary file base
    • vi /etc/letsencrypt/cli.ini
      rsa-key-size = 4096
      email = your@email.com
      domains = server1.contoso.com, server2.contoso.com
    • Stop apache
      service apache2 stop
    • Run letsencrypt to get your certificate(s)
      letsencrypt certonly --standalone
  4. Configure apache
    cd /etc/apache2/sites-enabled/
    I recommend removing the other files in here and creating two files.
    0-httpd.conf
    # Globals
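    # Server-wide settings plus the plain-HTTP vhost, whose only job is to send
    # every request to HTTPS.
    # Modules used by the configuration on this page: mod_rewrite, mod_proxy,
    # mod_proxy_http and mod_ssl. On Debian/Ubuntu they are enabled with
    #   a2enmod rewrite proxy proxy_http ssl
    # If mod_ssl is not loaded, every <IfModule mod_ssl.c> section is skipped
    # without an error and nothing is configured on port 443.
    RewriteEngine   On
    # Pass the client's Host header to the backend unchanged.
    ProxyPreserveHost On
    # Reverse proxy only: forward proxying stays off so the server cannot be
    # used as an open proxy.
    ProxyRequests Off

    # Default http vhost and redirect configuration
    <VirtualHost *:80>
        # mod_rewrite settings are not inherited from server scope by default,
        # so the engine is switched on again inside the vhost.
        RewriteEngine   On
        RewriteCond %{HTTPS} !on
        # R=301 makes the redirect explicit and permanent; L stops rule
        # processing once it has matched.
        # NOTE(review): the redirect target is built from the request's Host
        # header. With a known set of hostnames, one vhost per ServerName and a
        # fixed target keeps the Location header under the server's control.
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>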

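    # Default https vhost configuration
    # Catch-all TLS vhost: answers on 443 for any name that no other vhost
    # claims and serves the static DocumentRoot.
    <IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Baseline setting to Include for SSL sites
        SSLEngine on

        # Intermediate configuration, tweak to your needs
        # TLS 1.0 and 1.1 are deprecated and are excluded along with SSLv2/SSLv3;
        # remove the last two exclusions only if a legacy client truly needs them.
        SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        # NOTE(review): the cipher list on the original page is cut off after
        # "ECDHE-RSA-AES256-GCM-" (the trailing "$" looks like an editor's
        # line-truncation marker). Only the two suites that survived intact are
        # kept here; take the full list from a maintained source such as the
        # Mozilla SSL Configuration Generator instead of copying this line.
        SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256
        SSLHonorCipherOrder     on
        # Keeps TLS-level compression off (CRIME-class attacks).
        SSLCompression          off
        # NOTE(review): certbot names the live/ directory after the first domain
        # on the certificate. With the cli.ini shown earlier that would be
        # server1.contoso.com, not server.contoso.com - verify the path.
        # SSLCertificateChainFile is deprecated since Apache 2.4.8; pointing
        # SSLCertificateFile at fullchain.pem in the same directory replaces both lines.
        SSLCertificateChainFile /etc/letsencrypt/live/server.contoso.com/chain.pem
        SSLCertificateFile      /etc/letsencrypt/live/server.contoso.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/server.contoso.com/privkey.pem
        SSLOptions +StrictRequire

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>

        # The original closed this section with "<Directory>" instead of
        # "</Directory>", which is a syntax error that stops Apache from starting.
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
    </IfModule>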

    1-contoso.com.conf

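    # Name-based reverse-proxy vhosts: each public hostname is mapped to one
    # internal backend.
    # Directives placed inside another <VirtualHost> are not inherited, so each
    # vhost enables TLS and names its certificate itself. The same holds for the
    # SSLProtocol / SSLCipherSuite settings in the default vhost; moving those to
    # server scope (inside <IfModule>, outside any <VirtualHost>) lets every
    # vhost pick them up.
    # NOTE(review): the certificate paths mirror the default vhost; certbot names
    # the live/ directory after the certificate's first domain, so verify them.
    # Traffic between this proxy and the backends is plain HTTP; that is only
    # appropriate on a trusted network segment.
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName server1.contoso.com

        SSLEngine on
        SSLCertificateChainFile /etc/letsencrypt/live/server.contoso.com/chain.pem
        SSLCertificateFile      /etc/letsencrypt/live/server.contoso.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/server.contoso.com/privkey.pem

        ProxyPass / http://internal1.contoso.loc:8080/
        # Rewrites Location headers in backend redirects so clients are not
        # pointed at the internal hostname.
        ProxyPassReverse / http://internal1.contoso.loc:8080/

        ErrorLog ${APACHE_LOG_DIR}/server1.contoso.com-error.log
        CustomLog ${APACHE_LOG_DIR}/server1.contoso.com-access.log combined
    </VirtualHost>

    <VirtualHost *:443>
        ServerName server2.contoso.com

        SSLEngine on
        SSLCertificateChainFile /etc/letsencrypt/live/server.contoso.com/chain.pem
        SSLCertificateFile      /etc/letsencrypt/live/server.contoso.com/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/server.contoso.com/privkey.pem

        ProxyPass / http://internal2.contoso.loc:5050/
        ProxyPassReverse / http://internal2.contoso.loc:5050/

        ErrorLog ${APACHE_LOG_DIR}/server2.contoso.com-error.log
        CustomLog ${APACHE_LOG_DIR}/server2.contoso.com-access.log combined
    </VirtualHost>
    </IfModule>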

  5. Start apache (running apache2ctl configtest first catches syntax errors before the start)
    service apache2 start
  6. Configure letsencrypt cron job to auto renew certificates
    # Certbot weekly update
    # Schedule "0 3 * * 2": 03:00 every Tuesday.
    # The three commands are chained with ";", so Apache is started again even
    # when the certbot run fails. Apache is down for the duration of the run,
    # because --standalone needs the port for itself.
    # The ">/dev/null 2>&1" applies only to the final "systemctl start apache2";
    # output from the stop and from certbot still reaches cron. Keep that output
    # visible: a silently failing renewal ends in an expired certificate.
    # NOTE(review): the earlier steps install and call "letsencrypt", while this
    # line calls "certbot" - confirm which binary exists on the host.
    # NOTE(review): cron has no terminal; if certonly stops to ask a question the
    # job cannot answer it. Newer clients offer "renew" and --non-interactive for
    # unattended runs - check what the installed version supports.

    0 3 * * 2 systemctl stop apache2; certbot certonly --standalone --expand; systemctl start apache2 >/dev/null 2>&1