Apache2 SSL/HTTPS Reverse Proxy Configuration

I wanted to use Senaite with Apache2 as an HTTPS-terminating reverse proxy. With the help of the community I came up with this working virtual host config. Maybe somebody needs it as well.

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    ServerName lis.example.com
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/(.*) http://localhost:8071/VirtualHostBase/https/%{HTTP_HOST}/senaite/VirtualHostRoot/$1 [P,L]
    SSLSessionCacheTimeout 300
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>

Useful links were:

There is definitely room for improvement and answers are welcome.

BR,
Johannes

2 Likes
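
A hardened variant of the HTTPS virtual host above, added here as an example and not part of the original post. It assumes Apache 2.4.36 or later built against OpenSSL 1.1.1 (needed for `+TLSv1.3`) and that mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http and mod_headers are enabled; the cipher list and the HSTS max-age are choices made for this example.

```apache
# Weak settings in the posted config, for comparison:
#   SSLProtocol all -SSLv2
#       only SSLv2 is excluded, so older protocol versions stay enabled
#       wherever the OpenSSL build still supports them
#   SSLCipherSuite ...:RC4+RSA:+HIGH:+MEDIUM:+LOW
#       explicitly admits RC4 and LOW-strength suites

<VirtualHost *:80>
    ServerName lis.example.com
    # Send plain-HTTP clients to the TLS virtual host instead of serving content
    Redirect permanent / https://lis.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName lis.example.com

    SSLEngine On
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Allow TLS 1.2 and 1.3 only
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder Off
    SSLCompression Off
    SSLSessionTickets Off
    SSLSessionCacheTimeout 300

    # Tell browsers to use HTTPS for this host on later visits (mod_headers)
    Header always set Strict-Transport-Security "max-age=63072000"

    ProxyPreserveHost On
    RewriteEngine On
    # Pin the public host name in the VirtualHostBase path instead of copying
    # the client-supplied Host header into the URLs Zope generates
    RewriteRule ^/(.*) http://localhost:8071/VirtualHostBase/https/lis.example.com:443/senaite/VirtualHostRoot/$1 [P,L]
</VirtualHost>
```

`apachectl configtest` checks the syntax before a reload.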

Thanks so much Johannes. Your links and code were super useful - although I haven’t implemented SSL yet - it helped to see your RewriteRule. Since being a rookie I struggled to just get Apache2 in front of Plone to host port 8080 on port 80.
I know this is very basic knowledge for some, but being the first time running Apache server and working with rewrite rules, I thought I’d post my hosts file here, for testing purposes over LAN (http) since I couldn’t find it anywhere on the internet. I didn’t have a GUI on my Ubuntu server, hence needed to access Senaite from my physical host pc’s explorer.

<VirtualHost *:80>
    ServerName 127.0.0.1
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/senaite/VirtualHostRoot/$1 [P,L]
</VirtualHost>

Note that “senaite” in the RewriteRule above can also be omitted, i.e.

<VirtualHost *:80>
    ServerName 127.0.0.1
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/%{HTTP_HOST}:80/VirtualHostRoot/$1 [P,L]
</VirtualHost>

On my main PC, via VirtualBox, I forwarded host port 80 to guest port 80 on the NAT network, and via web browser Senaite was then accessible on 127.0.0.1.