Thursday, January 21, 2016

Simple Complexity - By Proxy

UPDATED:
Added Details and Links

For some time I have struggled with how to allow public access to my home web servers and Esp8266 modules without opening up my network to abuse. In the past I have managed public access via my Router, by changing its Port Forwarding and NAT configuration. This works, but it is a pain to manage and generally requires a re-boot of the network for each change.

Recently, I discovered (actually re-discovered) that an Apache2 Web Proxy Server is much easier to manage, but it has a bit of a steep learning curve, with a lot of manual pages to read. One key concept is that Apache2 RewriteRules are a super-set of the functionality of ProxyPass; each has its own documentation web page.

After building the required config files:

Now, on my Router I allow only these ports in from the Internet: http 80, 8040, 8160, and a private ssh port. Ports 8040 and 8160 are still open for historical reasons; they are used for my published Web Pages at http://www.WA0UWH.com:8040 and for my Esp8266 Server Farm devices.

The Apache2 Web Server supports Virtual Host Names with Proxy Redirects, RewriteRules, and ProxyPass. By setting up "*.wa0uwh.com" as a CNAME (an alias) to "www.wa0uwh.com" at my DNS Provider, I can use any "device name" I like in the config files to initiate a proxy process. For example, I can now use and publish "http://node129.wa0uwh.com" for one of my Esp8266 Web Server modules. The actual connection details and security are all hidden behind the proxy curtains.

The normal web page port 80 is set up with a default virtual host page of "Error 404"; only configured virtual hosts and named devices are let through the proxy.

Note: The service and/or host that is selected is a combination of both Port Number and Host Name (or alias). For an incoming connection, the file is scanned from top to bottom, and only the first match is used to select the service.

The following are excerpts from my Apache2 Default Virtual Host configuration file.


ServerName default.wa0uwh.com
LogLevel alert rewrite:trace1

<VirtualHost *:80>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/DEFAULT/Public

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# End



The following are excerpts from my Apache2 Named Virtual Host configuration file.


## Main Web Pages

## Loft Raspberry PI
<VirtualHost *:8040 *:80 >

    ServerName  rp21.wa0uwh.com
        RewriteEngine on
        ServerSignature Off
        RewriteRule /(.*)$      http://192.168.___.___/$1 [P,L]

</VirtualHost>

## Loft Raspberry PI
<VirtualHost *:8040 *:80 >

    ServerName  rp22.wa0uwh.com
        RewriteEngine on
        ServerSignature Off
        RewriteRule /(.*)$      http://192.168.___.___/$1 [P,L]

</VirtualHost>

# Esp8266 Node on Published Port 8160
<VirtualHost *:8160 >

    ServerName  node.wa0uwh.com
    ServerAlias node*.wa0uwh.*
    ServerAlias localhost
        RewriteEngine on
        RewriteRule /(.*)$    http://192.168.___.___/$1 [P,L]

</VirtualHost>

## Loft Esp8266 Nodes
<VirtualHost *:8040 *:80 >

    ServerName  node.wa0uwh.com
    ServerAlias node*.wa0uwh.com
        RewriteEngine on
        ServerSignature Off
        RewriteCond %{HTTP_HOST} ^node(129|162|164|168|169|170|172)\.wa0uwh\.com [NC]
        RewriteRule /(.*)$      http://192.168.___.%1/$1 [P,L]
        RewriteRule /(.*)$ -  [R=404,L]

</VirtualHost>


## Loft WA0UWH Web Server
<VirtualHost *:8040 *:80>

    ServerName www.wa0uwh.com
    ServerAlias *.wa0uwh.com
    ServerAlias localhost 192.168.__.__ 
        DocumentRoot    /var/www/WA0UWH/Public
        Alias /gallery  /var/www/WA0UWH/Public/Gallery

</VirtualHost>

# End



Note, the above is just an excerpt from my Apache2 Virtual Host config file. For security reasons, the details (the actual IP addresses, shown here as ___, BlackListing, Hacker Traps, Web Abuse Traps, and HoneyPots) are NOT included. Google is your friend for suggested configurations.

Now, with simple edits of the Apache2 Virtual Host config file, I can turn devices and/or services ON or OFF as desired, while leaving only the http and ssh ports open for public access at the router.

Also note: each of my Raspberry PI Web Servers also has a similar Apache2 Virtual Host config file; that is, proxies are serving proxies, and most often the actual destination is at a different physical location and on a different network, all unseen by my Internet users.
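To make the port-plus-hostname selection rule in the note above concrete, here is an added Python model of how Apache picks a name-based virtual host and then applies the RewriteCond/%1 trick from the node vhost. It is not Apache's code and not from this post; the vhost list mirrors the excerpts above, the 192.168.0.x backends are constructed placeholders for the blanked-out addresses, and the host-matching is a simplified stand-in for Apache's ServerAlias glob matching.

```python
import fnmatch
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class VHost:
    ports: tuple        # Listen ports this <VirtualHost> block covers
    names: tuple        # ServerName first, then ServerAlias globs
    target: str         # "404", "local" (DocumentRoot), or a proxy URL (may use %1)
    host_cond: str = "" # RewriteCond regex on %{HTTP_HOST}; "" means unconditional

# Constructed model of the post's vhost files, in file order; the 192.168.0.x
# backends are placeholders standing in for the blanked-out addresses.
VHOSTS = (
    VHost((80,), ("default.wa0uwh.com",), "404"),
    VHost((8040, 80), ("rp21.wa0uwh.com",), "http://192.168.0.21/"),
    VHost((8040, 80), ("rp22.wa0uwh.com",), "http://192.168.0.22/"),
    VHost((8160,), ("node.wa0uwh.com", "node*.wa0uwh.*"), "http://192.168.0.5/"),
    VHost((8040, 80), ("node.wa0uwh.com", "node*.wa0uwh.com"), "http://192.168.0.%1/",
          r"^node(129|162|164|168|169|170|172)\.wa0uwh\.com"),
    VHost((8040, 80), ("www.wa0uwh.com", "*.wa0uwh.com"), "local"),
)

def select_vhost(port, host):
    """First vhost on this port whose ServerName/ServerAlias glob matches the
    Host header (case-insensitive); otherwise the first vhost declared for the port."""
    candidates = [v for v in VHOSTS if port in v.ports]
    if not candidates:
        return None
    for v in candidates:
        if any(fnmatch.fnmatchcase(host.lower(), pat.lower()) for pat in v.names):
            return v
    return candidates[0]

def route(port, host, path="/"):
    """Where a request lands: 'refused', '404', 'local', or the proxied backend URL."""
    v = select_vhost(port, host)
    if v is None:
        return "refused"                                 # no listener on that port
    if v.target in ("404", "local"):
        return v.target
    target = v.target
    if v.host_cond:
        m = re.match(v.host_cond, host, re.IGNORECASE)
        if not m:
            return "404"      # falls through to `RewriteRule /(.*)$ - [R=404,L]`
        target = target.replace("%1", m.group(1))       # %1 = RewriteCond backreference
    return target + path.lstrip("/")                     # $1 from `RewriteRule /(.*)$`
```

Two things the model makes visible: a port with no catch-all vhost falls back to its first declared vhost (which is why the 404 default vhost comes first on port 80), and Apache's %{HTTP_HOST} may carry a ":port" suffix, which the post's RewriteCond still matches because it has no trailing "$"; the model passes the bare hostname.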


-- Home Page: https://WA0UWH.blogspot.com

1 comment:

  1. You can also do this pretty easily with the nginx webserver, with the added advantage that it is much more memory efficient.

    If you try nginx, pay attention to the buffering settings. For this application, an ideal configuration is for nginx to quickly buffer the entire response from the esp8266, and then serve it out to the client, eliminating any time/memory being occupied while serving the data to potentially slow clients.
