[LINUX] Reverse proxy from Apache on GCP to local Raspberry Pi Apache (NAT traversal Wake on LAN [3])

Introduction

This is a continuation of the previous post. This is the setup I want to build for now.

network_detail.png

This time: "Reverse proxy from Apache on GCP to local Raspberry Pi Apache". The goal here is to have Apache on GCP forward requests to the local Raspberry Pi that is connected to it over the VPN.

- [1] Obtain a domain using GCP and MyDNS
- [2] Set up Softether Server on GCP (Connect from iPhone / Raspberry Pi)
- [3] Reverse proxy from Apache on GCP to local Raspberry Pi Apache
- [4] Make Raspberry Pi a router
- [5] Create a Python script for Wake on LAN

GCP side

Apache installation

Install what you need. Since Line Bot must support HTTPS, install Certbot as well.

sudo apt update
sudo apt-get install apache2
sudo apt install certbot # For HTTPS

That is all that needs to be installed.

Opening TCP ports 443 and 80

Open TCP ports 443 and 80 in the same way as before.

port1

port2

Verification

Open http://yourdomain_or_ip using the domain or global IP address you obtained last time and check that Apache is running. (If "Forbidden" appears at this point, the port is probably not opened correctly.)

If the installation / port is opened correctly, the following screen will be displayed.

1.png

Setting

Next, make the following settings to minimize server information.

sudo vi /etc/apache2/conf-available/security.conf

/etc/apache2/conf-available/security.conf


ServerTokens Prod
ServerSignature Off

SSL

Certificate issuance

Use certbot to issue an SSL certificate. The --dry-run argument performs a trial run. You can run the command without --dry-run right away, but do the trial run first just in case.

$ sudo certbot certonly --webroot -w /var/www/html -d {domain} --email {mail address} --agree-tos -n --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for {domain}
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

If it succeeds, run it for real.

sudo certbot certonly --webroot -w /var/www/html -d {domain} --email {mail address} --agree-tos -n

If it succeeds without error, check that the certificate files were created.

sudo ls /etc/letsencrypt/live/{domain}/
# >> README  cert.pem  chain.pem  fullchain.pem  privkey.pem # -> OK

Enable the certificate

Enable the certificate and serve the web page over SSL.

cd /etc/apache2/sites-available/
sudo cp default-ssl.conf default-ssl.conf.bak #Backup just in case
sudo vi default-ssl.conf

Set the e-mail address and the path of the certificate created earlier.

/etc/apache2/sites-available/default-ssl.conf


# Around line 3
ServerAdmin {mail address(above address)}
# Around line 25
SSLEngine on
# Around lines 32-33
SSLCertificateFile /etc/letsencrypt/live/{domain}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{domain}/privkey.pem
# Around line 42
SSLCertificateChainFile /etc/letsencrypt/live/{domain}/chain.pem

Close port 443 of the SoftEther server

I may have done this last time, but just in case.

2.PNG

Enable services and systems

Apply the SSL settings you edited earlier and restart the Apache server.

sudo service apache2 start 
sudo systemctl reload apache2
sudo a2ensite default-ssl
sudo a2enmod ssl 
sudo apachectl -t # >> Syntax OK
sudo systemctl restart apache2
sudo reboot

Now open https://yourdomain_or_ip (note the **s** in http**s**). If it looks like the following, SSL is enabled.

3.png

certbot update

If this is left as it is, the certificate will expire over time (I forgot the period. Please check it), so renew it regularly. First, check with --dry-run that the renewal works.

$ sudo certbot renew --dry-run
- - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/{domain}/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

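If this output appears, it is OK. Use crontab to renew every month.

sudo crontab -e # or crontab -u root -e
# renew ssl certification
# the dry run above reports "deployed without reload", so reload Apache after a renewal
0 0 1 * * certbot renew --deploy-hook "systemctl reload apache2"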

Close port 80 or redirect

Now that SSL is set up, port 80 is no longer needed, so choose one of the two. I will skip closing the port and describe the redirect method.

There is a file /etc/apache2/sites-available/hogehoge.conf (probably 000-default.conf); write the following in it. The regular expression forces every request over to https.

sudo vi /etc/apache2/sites-available/hogehoge.conf 

/etc/apache2/sites-available/hogehoge.conf


<VirtualHost *:80>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        ...

After editing, reload.

sudo a2enmod rewrite
sudo systemctl restart apache2

Raspberry Pi side

The installation settings are basically the same, so I will omit them. However, you don't need certbot because you don't need SSL!

After the installation is complete, start Apache and check it.

For testing purposes, change /var/www/html/index.html to make it easier to understand.

/var/www/html/index.html


This is vpn server for wake on lan!

Forward with a reverse proxy

Forward requests from GCP to the Raspberry Pi. Connect to GCP with SSH. First, enable the modules needed for the reverse proxy.

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
sudo systemctl restart apache2

Then, write the following in the file you edited earlier.

sudo vi /etc/apache2/sites-available/default-ssl.conf

/etc/apache2/sites-available/default-ssl.conf


ProxyPreserveHost On
ProxyPass / http://{raspi's local IP}:80/
ProxyPassReverse / http://{raspi's local IP}:80/

Restart.

sudo systemctl restart apache2

Confirm by opening https://{domain}. If the page looks like the following, it is OK.

4.png
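
The two virtual hosts from this page put together, as an added example (not the author's own files): once `ProxyPass /` is active, certbot's http-01 request to /.well-known/acme-challenge/ follows the redirect and is forwarded to the Raspberry Pi, which does not have the challenge file, so that path is exempted in both hosts. `vpn.example.com` and `192.0.2.10` are constructed stand-ins for {domain} and {raspi's local IP}, and the ServerName / DocumentRoot lines are assumptions about the default files.

```apache
# Added example with constructed values:
#   vpn.example.com = {domain}, 192.0.2.10 = {raspi's local IP}

<VirtualHost *:80>
    ServerName vpn.example.com
    DocumentRoot /var/www/html

    RewriteEngine On
    RewriteCond %{HTTPS} off
    # Answer the certbot webroot challenge here instead of redirecting it
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName vpn.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # fullchain.pem = cert.pem + chain.pem; on Apache 2.4.8 and later this
    # replaces a separate SSLCertificateChainFile line
    SSLCertificateFile    /etc/letsencrypt/live/vpn.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/vpn.example.com/privkey.pem

    # Reverse proxy only. Off is the default; stated explicitly so this host
    # can never be used as a forward (open) proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # "!" exclusions must appear before the catch-all ProxyPass /
    ProxyPass /.well-known/acme-challenge/ !

    # Plain HTTP to the Raspberry Pi, carried inside the VPN
    ProxyPass        / http://192.0.2.10:80/
    ProxyPassReverse / http://192.0.2.10:80/
</VirtualHost>
```

After editing, `sudo apachectl -t` should still print Syntax OK, and `sudo certbot renew --dry-run` should still pass with the proxy in place.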

In conclusion

This has gotten long, so I will stop here for now.
