Objective
By the end of this lesson, you will learn how to:
- Configure Apache 2 to listen on a new HTTPS port (5051).
- Obtain and install an SSL certificate for your domain (store.hngamers.com).
- Set up Apache to forward all HTTPS traffic on port 5051 to an unsecured HTTP service running on port 5000.
Prerequisites
- Basic understanding of Apache configuration.
- Access to Apache configuration files and administrative privileges.
- An active HTTP service running on port 5000 (e.g., a backend application).
- Domain name (store.hngamers.com) pointing to your server’s IP address.
Lesson Content
Introduction to Port Forwarding, SSL, and Apache Configuration
- Port Forwarding and Reverse Proxying:
Port forwarding allows external clients to connect to a service within a server by mapping an external port to an internal port. Apache can act as a reverse proxy, forwarding client requests to backend services.
- SSL/TLS and HTTPS:
SSL/TLS certificates encrypt data between the client and server, ensuring secure communication. HTTPS is HTTP over SSL/TLS.
- Apache as a Web Server and Reverse Proxy with SSL:
Apache can serve web content, manage SSL certificates, and act as a reverse proxy to secure backend services.
Step 1: Create a Non-SSL Apache Virtual Host for store.hngamers.com
1.1 Create the Virtual Host Configuration File
Create a new Apache configuration file:
sudo nano /etc/apache2/sites-available/store.hngamers.com.conf
1.2 Add the Following Configuration
<VirtualHost *:80>
    ServerName store.hngamers.com
    DocumentRoot /var/www/store.hngamers.com
    ErrorLog ${APACHE_LOG_DIR}/store_error.log
    CustomLog ${APACHE_LOG_DIR}/store_access.log combined
    <Directory /var/www/store.hngamers.com>
        # Indexes enables directory listings when no index file exists;
        # remove it if the directory must not be browsable.
        Options Indexes FollowSymLinks
        # AllowOverride All lets .htaccess files in this directory change settings.
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
Explanation:
- <VirtualHost *:80>: Listens on port 80 (HTTP).
- ServerName: Your domain name.
- DocumentRoot: Directory containing your site’s files.
- ErrorLog and CustomLog: Log file locations.
- <Directory> block: Sets directory permissions.
1.3 Create the Document Root Directory
sudo mkdir -p /var/www/store.hngamers.com
echo "<h1>Welcome to store.hngamers.com</h1>" | sudo tee /var/www/store.hngamers.com/index.html
1.4 Enable the Site and Required Modules
sudo a2ensite store.hngamers.com.conf
sudo a2enmod rewrite
1.5 Reload Apache
sudo systemctl reload apache2
1.6 Test the Configuration
- Open a browser and navigate to http://store.hngamers.com.
- You should see the “Welcome to store.hngamers.com” message.
Step 2: Obtain an SSL Certificate for store.hngamers.com Using Let’s Encrypt
2.1 Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-apache
2.2 Obtain and Install the SSL Certificate
sudo certbot --apache -d store.hngamers.com
During the process:
- Email Address: Enter your email.
- Terms of Service: Agree to proceed.
- Select Domain: Ensure store.hngamers.com is selected.
- Redirect Option: Choose whether to redirect HTTP to HTTPS.
2.3 Verify SSL Certificate Installation
- Navigate to https://store.hngamers.com.
- Confirm that the SSL certificate is valid.
Step 3: Configure Apache to Listen on Port 5051 with SSL and Proxy to Port 5000
3.1 Modify the Apache Virtual Host Configuration
Edit the SSL configuration file:
sudo nano /etc/apache2/sites-available/store.hngamers.com-le-ssl.conf
3.2 Update the Configuration
Replace the existing content with:
<IfModule mod_ssl.c>
<VirtualHost *:5051>
    ServerName store.hngamers.com
    DocumentRoot /var/www/store.hngamers.com
    ErrorLog ${APACHE_LOG_DIR}/store_error.log
    CustomLog ${APACHE_LOG_DIR}/store_access.log combined
    # Enable SSL (certificate and key issued by Certbot in Step 2)
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/store.hngamers.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/store.hngamers.com/privkey.pem
    # Certbot's recommended protocol and cipher settings
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Reverse Proxy Configuration
    # ProxyRequests Off keeps this a reverse proxy only; with it On, the
    # <Proxy *> block below would turn Apache into an open forward proxy.
    ProxyRequests Off
    # The backend is reached over plain HTTP, so keep it bound to localhost.
    ProxyPass / http://localhost:5000/
    ProxyPassReverse / http://localhost:5000/
    <Proxy *>
        Require all granted
    </Proxy>
    # Compression (optional)
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
    </IfModule>
</VirtualHost>
</IfModule>
Explanation:
- Changed <VirtualHost *:443> to <VirtualHost *:5051> to listen on port 5051.
- Added reverse proxy settings to forward requests to http://localhost:5000/.
3.3 Update ports.conf to Listen on Port 5051
Edit the ports.conf file:
sudo nano /etc/apache2/ports.conf
Add:
Listen 5051
3.4 Enable Necessary Apache Modules
sudo a2enmod ssl proxy proxy_http headers brotli
3.5 Restart Apache
sudo systemctl restart apache2
3.6 Adjust Firewall Settings
Allow traffic on port 5051:
sudo ufw allow 5051/tcp
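The following script is an added example and not part of the lesson: it statically checks the vhost file and ports.conf from Step 3 for the settings this setup depends on (the VirtualHost port, a matching Listen, SSLEngine, the certificate paths, ProxyRequests Off and the ProxyPass pair) so you can catch a mistake before restarting Apache in 3.5, and it doubles as a first pass for the troubleshooting tips at the end of the lesson. The function names (`directive_matches`, `audit_vhost`) are this example's own, not Apache's; file paths, port and backend URL are arguments, and the defaults under `--run` are the lesson's paths.

```shell
#!/bin/sh
# audit_proxy_vhost.sh -- added example, not part of the lesson.
# Static checks on the Step 3 vhost file and ports.conf; nothing here talks
# to a running Apache. Paths, port and backend are arguments (see --run).

# directive_matches FILE DIRECTIVE REGEX
# Succeed if FILE has an uncommented line "DIRECTIVE <value>" whose value
# matches REGEX (grep -E, case-insensitive).
directive_matches() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eiq "^[[:space:]]*$2[[:space:]]+$3"
}

# audit_vhost VHOST_FILE PORTS_FILE PORT BACKEND_URL
# Prints one line per finding; returns the number of failed checks (0 = ok).
audit_vhost() {
    vhost="$1"; ports="$2"; port="$3"; backend="$4"; fails=0
    backend_re=$(printf '%s' "$backend" | sed 's/\./\\./g')   # escape dots for grep -E

    if ! directive_matches "$vhost" '<VirtualHost' "\\*:$port>"; then
        echo "FAIL: no <VirtualHost *:$port> in $vhost"; fails=$((fails + 1))
    fi
    if ! directive_matches "$ports" 'Listen' "([^[:space:]]*:)?$port([[:space:]]|$)"; then
        echo "FAIL: $ports has no 'Listen $port' (Apache will not bind the port)"; fails=$((fails + 1))
    fi
    if ! directive_matches "$vhost" 'SSLEngine' 'on'; then
        echo "FAIL: SSLEngine is not on (port $port would serve plain HTTP)"; fails=$((fails + 1))
    fi
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        directive_matches "$vhost" "$d" '/' || { echo "FAIL: $d missing"; fails=$((fails + 1)); }
    done
    # ProxyRequests On together with "<Proxy *> Require all granted" would make
    # Apache an open forward proxy, so an explicit On is always a failure here.
    if directive_matches "$vhost" 'ProxyRequests' 'On'; then
        echo "FAIL: ProxyRequests On makes this an open forward proxy; set it Off"; fails=$((fails + 1))
    fi
    for d in ProxyPass ProxyPassReverse; do
        if ! directive_matches "$vhost" "$d" "/[[:space:]]+$backend_re"; then
            echo "FAIL: '$d / $backend' missing"; fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ] && echo "OK: $vhost is consistent with Listen $port -> $backend"
    return "$fails"
}

# Run against the lesson's files only when invoked as: sh audit_proxy_vhost.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_vhost /etc/apache2/sites-available/store.hngamers.com-le-ssl.conf \
                /etc/apache2/ports.conf 5051 http://localhost:5000/
fi
```

Run it with `--run` before `sudo systemctl restart apache2`; a non-zero exit code is the number of failed checks, and the printed lines tell you which directive to fix. It only inspects the two files you pass, so it complements rather than replaces `sudo apachectl configtest`, which also validates syntax and module availability.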
Step 4: Test the New Configuration
4.1 Access the Site
Navigate to:
https://store.hngamers.com:5051
4.2 Verify SSL Certificate
- Ensure the SSL certificate is valid for store.hngamers.com.
- No SSL warnings should appear.
4.3 Check Content Delivery
- Confirm that the content served is from the service running on port 5000.
- Test functionality to ensure proper operation.
Step 5: (Optional) Redirect HTTP Traffic to HTTPS
To redirect all HTTP traffic on port 80 to HTTPS on port 5051:
5.1 Modify the Non-SSL Virtual Host
Edit the configuration:
sudo nano /etc/apache2/sites-available/store.hngamers.com.conf
Add the following within the <VirtualHost *:80> block:
RewriteEngine On
RewriteRule ^(.*)$ https://store.hngamers.com:5051$1 [R=301,L]
Ensure mod_rewrite is enabled:
sudo a2enmod rewrite
5.2 Reload Apache
sudo systemctl reload apache2
5.3 Test the Redirection
- Navigate to http://store.hngamers.com.
- You should be redirected to https://store.hngamers.com:5051.
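The script below is an added example, not part of the lesson, that automates the manual checks in Step 4 and Step 5.3 from a shell: the port-80 redirect must land on https://store.hngamers.com:5051, the certificate on port 5051 must validate for the domain, and the page on 5051 must be what the backend on port 5000 serves. It assumes `curl` and `openssl` are installed; HOST, PORT and BACKEND default to the lesson's values, and the function names (`redirect_ok`, `chain_verified`, the `check_*_live` helpers) are this example's own.

```shell
#!/bin/sh
# verify_live.sh -- added example, not part of the lesson.
# Client-side checks for the finished setup. Assumes curl and openssl exist.
HOST="${HOST:-store.hngamers.com}"
PORT="${PORT:-5051}"
BACKEND="${BACKEND:-http://127.0.0.1:5000/}"   # only reachable on the server itself

# redirect_ok HEADERS HOST PORT
# HEADERS is a raw response head as printed by `curl -sI`. Succeed only for a
# 301/302 whose Location starts with https://HOST:PORT/ so the redirect can
# neither downgrade to plain HTTP nor send users to another host.
redirect_ok() {
    status=$(printf '%s\n' "$1" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^Location:' | head -n 1 \
               | cut -d: -f2- | sed 's/^[[:space:]]*//')
    case "$status" in 301|302) ;; *) return 1 ;; esac
    case "$location" in "https://$2:$3/"*) return 0 ;; *) return 1 ;; esac
}

# chain_verified S_CLIENT_OUTPUT
# Succeed only if openssl validated the chain against the system trust store.
# With -verify_hostname (used below) a name mismatch also changes this code.
chain_verified() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Live: Step 5.3, fetch the port-80 response head and test the redirect.
check_redirect_live() {
    redirect_ok "$(curl -sI --max-time 10 "http://$HOST/")" "$HOST" "$PORT"
}

# Live: Step 4.2, TLS handshake on PORT with SNI and hostname verification.
check_tls_live() {
    chain_verified "$(printf '' | openssl s_client -connect "$HOST:$PORT" \
                       -servername "$HOST" -verify_hostname "$HOST" 2>/dev/null)"
}

# Live: Step 4.3, the body on PORT must equal what the backend serves locally.
check_backend_live() {
    a=$(curl -sf --max-time 10 "https://$HOST:$PORT/") || return 1
    b=$(curl -sf --max-time 10 "$BACKEND") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Run the live checks only when invoked as: sh verify_live.sh --run
if [ "${1:-}" = "--run" ]; then
    check_redirect_live && echo "redirect to https://$HOST:$PORT/ ok"
    check_tls_live      && echo "certificate on port $PORT ok"
    check_backend_live  && echo "port $PORT serves the backend's content"
fi
```

`check_backend_live` compares whole response bodies, so run it on the server (where port 5000 is reachable) and expect a mismatch on pages that embed timestamps or per-request tokens; the redirect and TLS checks work from any machine that can reach the domain.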
Conclusion and Troubleshooting Tips
Recap of Steps
- Created a non-SSL site for store.hngamers.com on port 80.
- Obtained an SSL certificate using Let’s Encrypt.
- Configured Apache to listen on port 5051 with SSL, proxying to port 5000.
- Tested the configuration to ensure it’s working.
- Optional: Redirected HTTP traffic to HTTPS.
Common Troubleshooting Tips
- Site Not Accessible on Port 5051
  - Ensure Apache is listening on port 5051.
  - Verify firewall settings to allow port 5051.
  - Check that the backend service on port 5000 is running.
- SSL Certificate Issues
  - Confirm the certificate is correctly installed.
  - Ensure the domain name matches the certificate.
  - Check the certificate’s validity period.
- Proxy Errors
  - Verify that the proxy and proxy_http modules are enabled.
  - Ensure the ProxyPass directives point to the correct backend service.
- Apache Configuration Errors
  - Test configuration syntax:
    sudo apachectl configtest
  - Review Apache logs for errors:
    sudo tail /var/log/apache2/error.log
Assignment
- Implement the Described SSL Port Forwarding Setup on Your Apache Server
  - Follow the steps to configure Apache, obtain an SSL certificate, and set up reverse proxying.
- Test the Setup by Accessing https://store.hngamers.com:5051
  - Ensure the site loads securely and proxies to the service on port 5000.
- Document Any Challenges and How You Overcame Them
  - Record any issues and their solutions for future reference.
Additional Resources
- Apache Official Documentation:
- Let’s Encrypt Certbot Instructions:
- Apache mod_proxy Module:
- Apache mod_ssl Module:
Feedback and Support
- Apache Community Forums:
- Let’s Encrypt Community Support:
- Consult a Network Administrator
If issues persist, seek assistance from a professional.
Through this lesson, you have learned how to configure Apache 2 to securely forward traffic using SSL certificates, enhancing the security and reliability of your web services.
Happy Configuring!
Note: Replace store.hngamers.com and file paths with your actual domain and server configuration. Ensure all commands are executed with appropriate permissions.