Difference between revisions of "Apache Reverse Proxy"

From Universal Devices, Inc. Wiki
Jump to: navigation, search
m
m
Line 6: Line 6:
 
* mod_proxy_http
 
* mod_proxy_http
 
* mod_proxy_html
 
* mod_proxy_html
 +
* mod_headers
  
 
Please note: mod_proxy_wstunnel is only (officially) available for Apache 2.4. It has been backported to Apache 2.2 - but you'll have to compile it yourself. See [http://stackoverflow.com/questions/30443999/how-to-add-mod-proxy-wstunnel-to-apache2-2-2-on-raspberry-pi-backport-mod-proxy this article] for details on how to do this.
 
Please note: mod_proxy_wstunnel is only (officially) available for Apache 2.4. It has been backported to Apache 2.2 - but you'll have to compile it yourself. See [http://stackoverflow.com/questions/30443999/how-to-add-mod-proxy-wstunnel-to-apache2-2-2-on-raspberry-pi-backport-mod-proxy this article] for details on how to do this.

Revision as of 22:44, 2 July 2016

It is possible to configure Apache to perform a reverse proxy function to the ISY - including support for websockets. It's not completely useful - since the SOAP subscription used by the admin console and Mobilinc is not supported by Apache. This configuration works well with Agave - and allows a very speedy SSL connection to be achieved, once you add SSL to the virtual.

Apache needs to have the following modules enabled:

  • mod_proxy_wstunnel
  • mod_proxy
  • mod_proxy_http
  • mod_proxy_html
  • mod_headers

Please note: mod_proxy_wstunnel is only (officially) available for Apache 2.4. It has been backported to Apache 2.2 - but you'll have to compile it yourself. See this article for details on how to do this.

First, some assumptions.... You have a SSL virtualhost (lights.domain.com) that is going to serve as a proxy to your ISY (IP is 192.168.1.2) using HTTP. The directory on your server assigned is /var/www/lights. You can place your own pages in /var/www/lights (for instance, the websocket example). This example forces authentication - and injects the correct authorization header when presented to ISY. This means you can use different credentials for this site - or even multiple user accounts.

Make sure to set the Authorization header to be correct for your ISYs credentials.

<VirtualHost *:80>
  ServerAdmin webmaster@lights.domain.com
  DocumentRoot /var/www/html
  ProxyRequests Off
  ProxyPreserveHost On
  KeepAlive On
  KeepAliveTimeout 5000
  ProxyVia Off
  <Proxy *>
    AuthName "Authentication Required"
    AuthType Basic
    AuthUserFile /etc/htpasswd-isy
    require valid-user
    Order deny,allow
    Allow from all
  </Proxy>
  RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxx"
  ProxyPass "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
  ProxyPass "/rest" "http://192.168.1.2/rest"
  ProxyPass "/services" "http://192.168.1.2/services"
  ProxyPass "/WEB" "http://192.168.1.2/WEB"
  ProxyPass "/USER" "http://192.168.1.2/USER"
  ProxyPassReverse "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
  ProxyPassReverse "/rest" "http://192.168.1.2/rest"
  ProxyPassReverse "/services" "http://192.168.1.2/services"
  ProxyPassReverse "/WEB" "http://192.168.1.2/WEB"
  ProxyPassReverse "/USER" "http://192.168.1.2/USER"
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>

Create a .htpasswd-isy file:

htpasswd -c /etc/htpasswd-isy username

Set your proxy authentication password when prompted.

Place the following .htaccess file into /var/www/html (or wherever the web root directory is!):

AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/htpasswd-isy"
Require valid-user

This will proxy certain paths back to the ISY - with the exceptions of the REST endpoints, the /WEB and /USER paths (allowing UDajax and HAD to function, as well as custom web space on the ISY itself).

You should wrap this in SSL! Otherwise - you are sending password in plain text. This is beyond the scope of this article though.