The Apache Software Foundation provides a reverse proxy module named mod_proxy and mod_ssl (which extends functionality into SSL). This is a non-authenticating reverse proxy similar to function to Microsoft’s IIS Application Request Routing module. This article will cover getting a single Web Application on a single SharePoint server behind the reverse proxy over SSL on port TCP/443. We will be starting from the same VM as used in the previous blog post about using CentOS and iptables, so familiarize yourself with that before continuing as that will be the base configuration moving forward. By now I will assume that you’re familiar enough with vi to know how to save files. In addition, I will assume that the Domain Controller on the Hyper-V Internal vSwitch is at 192.168.0.2 and the SharePoint server is at 192.168.0.3. In addition, our SharePoint server is going to have an SSL certificate of sharepoint.corp.nauplius.net, and of course that is what our Web Application will be. This particular SSL certificate has been issued from StartSSL (it’s free).
The first step will be to modify the networking on the CentOS virtual machine.
|
1 |
vi /etc/sysconfig/network-scripts/ifcfg-eth0 |
Add a new line:
|
1 |
PEERDNS=no |
This will disable the DHCP client ( dhclient) from automatically adding the DHCP servers DNS information to /etc/resolv.conf (which is what allows the VM to automatically resolve domain names). Instead, we’re going to manage that using the internal Domain Controller over eth1!
|
1 |
vi /etc/sysconfig/network-scripts/ifcfg-eth1 |
Add a new line:
|
1 |
DNS=192.168.0.2 |
Next, let’s edit the resolv.conf
|
1 |
vi /etc/resolv.conf |
Change it so it reads:
|
1 2 |
search <Active Directory FQDN> 192.168.0.2 |
The next step is to bring up and down both interfaces.
|
1 2 3 4 |
ifcfg down eth0 ifcfg up eth0 ifcfg down eth1 ifcfg up eth1 |
Once both interfaces are back up, your Windows Servers should continue to have name resolution connectivity to the Internet. In addition, /etc/resolv.conf should show the static settings you inputted ( cat /etc/resolv.conf). In addition, you should be able to ping, from the CentOS VM, to the internal servers by IP and FQDN. Next, we need to install a few packages on CentOS. Apache (for mod_proxy), mod_ssl (for SSL support), and bind_utils (for dig, similar to nslookup on Windows).
|
1 2 3 |
yum install httpd yum install mod_ssl yum install bind_utils |
We now need to add a couple of new firewall rules:
|
1 2 |
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT |
And save the rules:
|
1 2 |
service iptables save service iptables restart |
This allows iptables to accept SSL traffic to the reverse proxy (locally).
The next section will not be quite as easy. We will be dealing with SSL certificates on the CentOS VM. In order to do this properly, we’ll need to upload certificates to the CentOS VM and unlike Windows, it isn’t quite the point-and-click affair with PFX.
Most SSL certificate vendors will offer an unencrypted private key as well as public key file. You’ll want both of these. In addition, you’ll also want the appropriate Certificate Authority SSL certificate bundle (this contains the public certificate chain for your SSL certificate). If your SSL vendor does not offer these file types, you’ll need to use OpenSSL to convert the files to the appropriate file formats. For reference, here will be my file names:
Unencrypted private key: sharepoint.key
Public key: sharepoint.cer
CA bundle: startssl-bundle.pem
In addition to this, specifically for mod_ssl, we will need a single file that contains both the public and unencrypted private key in a single file. It should be in the following format:
|
1 2 3 4 5 6 7 |
-----BEGIN CERTIFICATE----- [Public Certificate] -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- [Unencrypted Private Key Certificate] -----END RSA PRIVATE KEY----- |
You can use a program like Notepad++ to edit the sharepoint.key and sharepoint.cer files to create the new files with the public and private key contained within it. This will be the Public-Private key bundle, and saved as sharepointpubpriv.crt. Now all of these files need to be transferred to the CentOS VM. In order to do this, we’ll use a protocol called SCP. This protocol allows you to transfer files over SSH. Thanks to our default iptables rules, SSH is already open on our eth0 interface! Grab a copy of WinSCP and copy these files over to a directory (e.g. /root).
The next step is to copy over the files to the appropriate default locations.
|
1 2 3 4 |
cp sharepointpubpriv.crt /etc/pki/tls/certs/sharepoint.crt cp startssl-bundle.pem /etc/pki/tls/certs/startssl-bundle.pem cp sharepoint.cer /etc/pki/tls/certs/sharepoint.cer cp sharepoint.key /etc/pki/tls/private/sharepoint.key |
Now, using vi, we need to configure httpd.conf (the primary Apache configuration file).
|
1 |
vi /etc/httpd/conf/httpd.conf |
Make sure the following lines exist:
|
1 2 |
ServerName proxy.<FQDN> KeepAlive On #Required for NTLM authentication behind the proxy! |
In my example, I’ve removed the Listen 80 as well as the default VirtualDirectory. This is a reverse proxy intended to only listen on 443 and serve requests to our internal SharePoint server. There are many other settings within here that you can modify and likely should modify, but this is not an in depth lesson on Apache security.
The next step is to modify the ssl.conf file.
|
1 |
vi /etc/httpd/conf.d/ssl.conf |
LoadModule ssl_module modules/mod_ssl.so should be present at the top of this configuration file.
Instead of providing you specific lines to set, here is the entire configuration. Again we’re using my example domain here, so adjust to fit your needs.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
LoadModule ssl_module modules/mod_ssl.so Listen 443 SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin SSLStrictSNIVHostCheck off #not specifically required, but can be used with SNI in the future ## ## SSL Virtual Host Context ## NameVirtualHost *:443 <VirtualHost *:443> ServerName sharepoint.corp.nauplius.net RequestHeader set Front-End-Https "On" SSLProxyEngine On SSLProxyCACertificateFile /etc/pki/tls/certs/startssl-bundle.pem SSLProxyMachineCertificateFile /etc/pki/tls/certs/sharepoint.crt SSLProxyProtocol all -SSLv2 SSLProxyCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW ErrorLog logs/sharepoint_ssl_error_log TransferLog logs/sharepoint_ssl_transfer_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 -SSLv3 -TLS1v1 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/pki/tls/certs/sharepoint.cer SSLCertificateKeyFile /etc/pki/tls/private/sharepoint.key SSLCACertificateFile /etc/pki/tls/certs/startssl-bundle.pem </VirtualHost> <Proxy *> Order Deny,Allow Allow from all </Proxy> ProxyRequests Off ProxyPreserveHost On ProxyPass / https://sharepoint.corp.nauplius.net/ ProxyPassReverse / https://sharepoint.corp.nauplius.net/ |
Make sure at the end of the ProxyPass and ProxyPassReverse lines you end them with a “/” at the end of the path, otherwise relative paths will not be returned properly to the reverse proxy and you’ll see unexpected results.
Once the changes are configured, run
|
1 |
service httpd restart |
Any errors will be logged in the log files at /var/log/httpd/error_log and sharepoint_ssl_error_log. To watch error_log in real time, run:
|
1 |
tail -f /var/log/httpd/error_log |
The last step would be to edit the hosts file on any client computer to target, in this case, sharepoint.corp.nauplius.net at the IP of the eth0 interface. If everything goes well, we should be prompted for credentials and let right through to the SharePoint site!
Hi Trevor,
Very interesting way to approach this problematic.
I wanted to know if you could do some load balancing with that but I found out the solution myself so here is how to do it in case you have multiple WFE’s http://httpd.apache.org/docs/2.2/mod/mod_proxy_balancer.html
In addition to that, you can likely also set up a pre-auth reverse proxy using mod_auth_ntlm_winbind. But that is for another blog post!
Hello Trevor,
thanks a lot for sharing that information. I am actually trying to reverse-proxy the sharepoint to give access from outside. The connection is https (on the proxy server with mod_proxy) and https on the sharepoint server. The proxy also serves a Wiki and a bugtracking system to the outside world therefore ProxyPass / is not possible. Do you probably know a solution to use something like
ProxyPass /sharepoint https://external.url/sharepoint
I have tried a lot including mod_rewrite but it failed.
thanks.
Andreas
Make sure you’re using mod_ssl and have the SSL certificate in use by SharePoint installed and configured on the Apache server. Are you able to allocate multiple IP addresses to the Apache server? That may allow you to use ProxyPass / using VirtualHosts. You could potentially also use SNI if you cannot allocate multiple IPs.
bad thing is that we have only one free external domain/ip with port 443 to serve multiple services via the proxy module. The / in virtualhosts leads to a customer landing page with authentication to access the links behind the proxy.
Probably there is no way arround AAR
Andreas, based on that, I would look into using SNI. This setup is a bit more complex and I did not outline it here, but here is some information to get you started. http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
KeepAlive, not KeepAlives
Fixed, thanks for noticing!
and i guess you have typo in SSLProxyCipherSuite at the end, you’ve missed colon before last plus
I wan’t to use it on apache 2.4.6. I know some lines change because of the version, but httpd still does not want to start. Do you have a working code for 2.4.6?
Pingback: Route request from apache web server to SharePoint * VPN SSL Online
Hi, thanks for your useful and clear how to. I have some question if you have time.
I’m proxying sharepoint from SSL to http (sharepoint). Homepage works well but when I try to access subsites I get the warning from the browser that some parts are not secure.
I try to proxy also the subsite but do not change anything.
Tks
mike
Usually in cases like this it is helpful to use Fiddler to from the client to trace what is being served incorrectly.
Thanks for the Doc ..
Hello Trevor,
does this guide work for all IIS website configured in Windows Authentication? I’m trying to proxying with Apache a Dynamics Navision host, but i can’t make it work with only Windows Authentication (with Basic also, works instead)
Do you have any suggestions?
Thanks
Yes, it should work for generic Windows Auth IIS sites.
Dear Seward,
I am using rhel server for reverse proxy , all are working fine with Active directory, but recently client has changed form AD to LDAP(claim based authentication ) for share point 2010 on windows server using same NTLM feature.
But now it’s not working can you please HELP.
Thanks
Bhanu K