Configuring an Apache Reverse Proxy (Debian 8) with Automatic Let's Encrypt Certificate Issuance

Organizations often have many sites but few public IP addresses, so some kind of reverse proxy is needed. For my purposes Microsoft TMG has always played this role; it has its advantages as well as its drawbacks. One of the main drawbacks is that the certificate of every published resource has to be uploaded to TMG, which is quite inconvenient with Let's Encrypt, because the certificates are renewed every 90 days.

The solution I settled on: set up a reverse proxy on Apache and have Let's Encrypt issue the certificates automatically. The proxy can then be published on the firewall without fuss, with requests redirected from http to https.

We assume a clean Debian GNU/Linux 8 (jessie). Details follow.

Well, let's go.

aptitude install -y build-essential
aptitude install -y libapache2-mod-proxy-html libxml2-dev
aptitude install -y apache2

Then activate the following modules:

a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
a2enmod rewrite
a2enmod deflate
a2enmod headers
a2enmod proxy_balancer
a2enmod proxy_html
a2enmod proxy_ftp
a2enmod proxy_connect
a2enmod ssl

and restart Apache:

service apache2 restart

Here the first failure awaits us: Apache is missing the mod_xml2enc module that mod_proxy_html needs for proper operation, BUT the packaged module does not work in Jessie, so we run the following commands in sequence:

aptitude install apache2-prefork-dev libxml2 libxml2-dev apache2-dev
mkdir ~/modbuild/ && cd ~/modbuild/
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.c
wget http://apache.webthing.com/svn/apache/filters/mod_xml2enc.h
apxs2 -aic -I/usr/include/libxml2 ./mod_xml2enc.c
cd ~
rm -rfd ~/modbuild/
service apache2 restart

After that everything is fine: the module is installed. Moving on.

Since we want to publish an HTTPS site, we need a self-signed certificate for it before Let's Encrypt is set up. Run:

mkdir /etc/apache2/ssl
cd /etc/apache2/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt

Now we create a configuration file with a friendly name:

touch /etc/apache2/sites-available/sambi4.conf

And give the file roughly the following content (the <VirtualHost> and <Proxy> container tags are required, and comments must go on their own lines: Apache does not accept a comment after a directive on the same line):

# Port 80: responsible for redirecting to https
<VirtualHost *:80>
    ServerName sambi4.ru
    Redirect permanent / https://sambi4.ru/
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia full
    # path to our self-signed certificate
    SSLCertificateFile /etc/apache2/ssl/server.crt
    # path to our self-signed certificate key
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    ProxyHTMLInterp On
    ProxyHTMLExtended On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # IP address of the published resource
    ProxyPass / https://192.168.199.78/
    ProxyPassReverse / https://192.168.199.78/
    ServerName sambi4.ru
    # it is considered good manners to specify the admin's email
    ServerAdmin sambi4@sambi4.ru
    # this line is needed for Apache to start; without it, it cannot publish your resource
    DocumentRoot "/var/www/html"
</VirtualHost>

When the file is done, don't forget to enable our site (a2ensite takes the site name, not the full path):

a2ensite sambi4.conf

and restart Apache:

service apache2 restart
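The create-enable-restart sequence above is repeated for every published resource, so it is worth scripting. The following is an added example, not code from the article: it prints a site file in the same two-vhost layout (port 80 redirect, port 443 TLS proxy), enforces the trailing slash on the backend URL that ProxyPass / needs, and only reloads Apache after apache2ctl configtest passes, so a typo in one new site does not take every published site down. The function names gen_vhost_conf and install_vhost_conf are my own; the certificate paths are the self-signed pair created earlier.

```shell
#!/bin/sh
# Added example (not from the article): one reverse-proxy site file per
# published resource, in the layout used above. Assumed names:
# gen_vhost_conf, install_vhost_conf. Certificate paths are the
# self-signed pair from /etc/apache2/ssl created earlier.

# gen_vhost_conf DOMAIN BACKEND_URL [ADMIN_EMAIL] -> prints the site config
gen_vhost_conf() {
    domain=$1
    backend=$2
    admin=${3:-"webmaster@$domain"}
    # ProxyPass / needs a trailing slash on the target, or paths get glued together
    case $backend in
        */) ;;
        *) backend="$backend/" ;;
    esac
    cat <<EOF
# Port 80: send every plain-HTTP request to the HTTPS site
<VirtualHost *:80>
    ServerName $domain
    Redirect permanent / https://$domain/
</VirtualHost>

# Port 443: terminate TLS here and proxy to the internal resource
<VirtualHost *:443>
    ServerName $domain
    ServerAdmin $admin
    DocumentRoot "/var/www/html"

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia full
    ProxyHTMLInterp On
    ProxyHTMLExtended On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / $backend
    ProxyPassReverse / $backend
</VirtualHost>
EOF
}

# install_vhost_conf DOMAIN BACKEND_URL: write the file, enable it, and
# reload only if the whole configuration still parses.
install_vhost_conf() {
    conf="/etc/apache2/sites-available/$1.conf"
    gen_vhost_conf "$1" "$2" > "$conf"
    a2ensite "$1.conf"
    apache2ctl configtest && service apache2 reload
}

# Usage: ./add-site.sh sambi4.ru https://192.168.199.78
if [ $# -ge 2 ]; then
    install_vhost_conf "$1" "$2"
fi
```

Run it as root with the domain and backend URL as arguments; if configtest fails, the site stays enabled on disk but Apache keeps running with the previous configuration, so fix the file and run the reload by hand.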

After all these steps we have a working reverse proxy on Apache2, and can move on to setting up Let's Encrypt.

Of the free certificate authorities only Let's Encrypt is still alive, but its peculiarity is that a certificate is issued for a period of 3 months.

We need to install a certificate and arrange automatic reissue at the end of its validity period.

echo 'deb http://ftp.debian.org/debian jessie-backports main' | tee /etc/apt/sources.list.d/backports.list

then:

aptitude update

Now install Let's Encrypt (certbot):

aptitude install -y python-certbot-apache -t jessie-backports

We wait for the installation to finish and try to issue a certificate:

certbot --apache

And here failure awaits us:
ERROR: letsencrypt_apache.configurator: No vhost exists with servername or alias of: sambi4.ru. No vhost was selected. Please specify servernames in the Apache config

This is because the repositories still carry an old version (0.10.2 at the time of writing) with known bugs, namely in its python scripts. The fix is simple as usual:
download the latest version of certbot:

git clone https://github.com/certbot/certbot.git

Then change to the directory:

cd /usr/lib/python2.7/dist-packages

Delete the folders (better make a backup first):

acme
certbot
certbot_apache

and copy in the files from the new release (with -r, since these are directories):

cp -r /root/certbot/certbot /usr/lib/python2.7/dist-packages/
cp -r /root/certbot/acme/acme/ /usr/lib/python2.7/dist-packages/
cp -r /root/certbot/certbot-apache/certbot_apache/ /usr/lib/python2.7/dist-packages/

Now the certificate issuing process can be started without trouble:

certbot --apache

Answer the questions and that's it!

Congratulations, we have issued a certificate. Now we need to add an auto-renewal job, because Let's Encrypt issues certificates for only 90 days (remember that).

It's simple. Add this line to cron:

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

That is, we type:

crontab -e

and add our line (be sure to end it with a newline, i.e. move the cursor to the next line, otherwise it will not be saved).

That's all; repeat for each of your other resources.
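A renewal job that appends to a log file is only useful if someone notices when it stops working. The following is an added example, not code from the article: a small companion script for the same cron entry that reads the deployed certificate, computes how many days it has left and fails loudly below a threshold, so a broken renewal shows up in the log long before the 90 days run out. The function names days_until_expiry, cert_ok and check_cert_file are my own; it relies on GNU date -d (present on Debian) and on the live certificate living under certbot's default /etc/letsencrypt/live/<domain>/ directory.

```shell
#!/bin/sh
# Added example (not from the article): post-renewal check for cron.
# Assumed names: days_until_expiry, cert_ok, check_cert_file.
# Requires openssl and GNU date (both present on Debian jessie).

# days_until_expiry NOTAFTER: NOTAFTER is the value openssl prints after
# "notAfter=" (e.g. "Mar 14 12:00:00 2030 GMT"). Prints whole days left,
# negative if the certificate has already expired.
days_until_expiry() {
    expiry=$(date -u -d "$1" +%s) || return 2
    now=$(date -u +%s)
    echo $(( (expiry - now) / 86400 ))
}

# cert_ok DAYS THRESHOLD: succeeds when DAYS is at or above THRESHOLD
cert_ok() {
    [ "$1" -ge "$2" ]
}

# check_cert_file PATH [THRESHOLD]: inspect the real certificate file.
# certbot renew only replaces certificates with fewer than 30 days left,
# so a healthy setup never drops below ~28 days; alert well under that.
check_cert_file() {
    cert=$1
    threshold=${2:-14}
    notafter=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//') || return 2
    [ -n "$notafter" ] || { echo "ERROR: could not read $cert"; return 2; }
    days=$(days_until_expiry "$notafter") || return 2
    if cert_ok "$days" "$threshold"; then
        echo "OK: $cert valid for $days more days"
    else
        echo "WARNING: $cert expires in $days days (threshold $threshold)"
        return 1
    fi
}

# Usage: ./check-cert.sh /etc/letsencrypt/live/sambi4.ru/fullchain.pem [days]
if [ $# -ge 1 ]; then
    check_cert_file "$@"
fi
```

Chain it after the renew command in the same cron line, for example `30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log; /usr/local/bin/check-cert.sh /etc/letsencrypt/live/sambi4.ru/fullchain.pem >> /var/log/le-renew.log`, and grep the log for WARNING; the non-zero exit status also makes cron mail the output if a MAILTO is set.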

Good luck, admins!
