[LINUX] Reverse proxy from Apache on GCP to local Raspberry Pi Apache (NAT traversal Wake on LAN [3])
Introduction
This is a continuation of Last time. This is what I want to do for the time being.
This time, "Reverse proxy from Apache on GCP to local Raspberry Apache". What I want to do here is to let the local Raspberry Pi connected to the VPN from GCP throw it.
-[1] Obtain a domain using GCP and MyDNS -[2] Set up Softether Server on GCP (Connect from iPhone / Raspberry Pi) -[3] Reverse proxy from Apache on GCP to local Raspberry Apache -[4] Make Raspberry Pi a router -[5] Create a Python script for Wake on LAN.
GCP side
Apache installation
Install what you need. Since Line Bot must support HTTPS, install Certbot as well.
sudo apt update
sudo apt-get install apache2
sudo apt install certbot # For HTTPS
This is the only installation.
- This will create
/ var / www / htmland display it if you insert a web page (the default page ʻindex.html` is also included).
Opening TCP443,40Port
Open TCP443,40 ports in the same way as before.
Verification
Enter the domain or global IP address you obtained the last time and check if Apache is running. (At this time, if forbitten appears, the port is probably not opened correctly.) http://yourdomain_or_ip
If the installation / port is opened correctly, the following screen will be displayed.
Setting
Next, make the following settings to minimize server information.
sudo vi /etc/apache2/conf-available/security.conf
/etc/apache2/conf-available/security.conf
ServerTokens Prod
ServerSignature Off
SSL
Certificate issuance
Use certbot to issue an SSL certificate. The --dry-run argument is a command that you shouldn't try. You can do it without --dry-run suddenly, but you should do it just in case.
$ sudo certbot certonly --webroot -w /var/www/html -d {domain} --email {mail address} --agree-tos -n --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for {domain}
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- The dry run was successful.
If it succeeds, it is the production.
sudo certbot certonly --webroot -w /var/www/html -d {domain} --email {mail address} --agree-tos -n
If it succeeds without error,
sudo ls /etc/letsencrypt/live/{domain}/
# >> README cert.pem chain.pem fullchain.pem privkey.pem # -> OK
Check if the certificate is made with.
Validate the certificate
Enable the certificate and make the web page SSL.
cd /etc/apache2/sites-available/
sudo cp default-ssl.conf default-ssl.conf.bak #Backup just in case
sudo vi default-ssl.conf
Set the e-mail address and the path of the certificate created earlier.
/etc/apache2/sites-available/default-ssl.conf
#About the third line
ServerAdimin {mail address(above address)}
#About the 25th line
SSLEngine on
# 32,About 33rd line
SSLCertificateFile /etc/letsencrypt/live/{domai}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{domai}/privkey.pem
#About line 42
SSLCertificateChainFile /etc/letsencrypt/live/{domai}/chain.pem
Close 443 port of Softether server
I may have done it last time, but for the time being.
Enable services and systems
Reconfigure the SSL settings you edited earlier and the Apache server.
sudo service apache2 start
sudo systemctl reload apache2
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo apachectl -t # >> Syntax OK
sudo systemctl restart apache2
sudo reboot
Now https: // yourdomain_or_ip If you open (Note hhtp ** s **) and it looks like the following, SSL is enabled.
certbot update
If this is left as it is, the certificate will become invalid over time (I forgot the period. Please check it), so I will renew it regularly.
First, check with --dry-run to see if the update works.
$ sudo certbot renew --dry-run
- - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/{domain}/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
It's OK if it comes out.
Set with crontab to update every month.
sudo crontab -e # or crontab -u root -e
# renew ssl certification
0 0 1 * * certbot renew
Close port 80 or redirect
Since SSL conversion is completed and port 80 is unnecessary, select either one. I will omit closing the port and write the redirect method.
Since there is a /etc/apache2/sites-available/hogehoge.conf file, write the following (probably the 000-default.conf file). It is set to forcibly add https with a regular expression.
sudo vi /etc/apache2/sites-available/hogehoge.conf
/etc/apache2/sites-available/hogehoge.conf
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
...
After editing, reload.
sudo a2enmod rewrite
sudo systemctl restart apache2
Raspberry Pi side
The installation settings are basically the same, so I will omit them. However, you don't need certbot because you don't need SSL!
After the installation is complete, start Apache and check it.
- When checking, the port is not opened, so check with the local IP of Raspberry Pi. (Example: http://192.168.5.111, etc.)
For testing purposes, change /var/www/html/index.html to make it easier to understand.
/var/www/html/index.html
This is vpn server for wake on lan!
Throw with a reverse proxy
GCP → Throw to Raspberry Pi. Connect to GCP with SSH. First, set various settings for the reverse proxy.
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
sudo systemctl restart apache2
Then, write the following in the file you edited earlier.
sudo vi /etc/apache2/sites-available/default-ssl.conf
/etc/apache2/sites-available/default-ssl.conf
ProxyPreserveHost On
ProxyPass / http://{raspi's local IP}:80/
ProxyPassReverse / http://{raspi's local IP}:80/
Restart.
sudo systemctl restart apache2
confirm. https: // {domain} If the page is as follows, it is OK.
in conclusion
For the time being, it's long, so it ends here.
Recommended Posts