Apache Reverse Proxy

From Universal Devices, Inc. Wiki
Revision as of 22:02, 1 July 2016 by MWareman (talk | contribs)

It is possible to configure Apache to act as a reverse proxy in front of the ISY, including support for websockets. This is not a complete solution, since the SOAP subscription used by the admin console and Mobilinc is not supported by Apache. The configuration works well with Agave, and allows a very speedy SSL connection to be achieved.

Apache needs to have the following modules enabled:

  • mod_proxy_wstunnel
  • mod_proxy

Please note: mod_proxy_wstunnel is only (officially) available for Apache 2.4. It has been backported to Apache 2.2 - but you'll have to compile it yourself. See this article for details on how to do this.

First, some assumptions. You have an SSL virtual host (lights.domain.com) that is going to serve as a proxy to your ISY (IP is 192.168.1.2) using HTTP. You have an SSL certificate (issued in this case by AlphaSSL - good cheap certs - see this link). The directory assigned on your server is /var/www/lights. You can place your own pages in /var/www/lights/custom (for instance, the websocket example). This example forces authentication and injects the correct Authorization header when the request is passed to the ISY. This means you can use different credentials for this site, or even multiple user accounts.

Make sure to set the Authorization header to be correct for your ISY's credentials.

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@lights.domain.com
        ServerName lights.domain.com
        DocumentRoot /var/www/lights
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
                AuthName "Authentication Required"
                AuthType Basic
                AuthUserFile /etc/htpasswd-isy
                AuthGroupFile /dev/null
                require valid-user
                Order deny,allow
                Allow from all
        </Proxy>
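        # Replace whatever the client sent with the ISY's own credentials
        # (Base64 of user:password). RequestHeader is provided by mod_headers.
        RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"
        # Do not proxy /custom; Apache serves it from DocumentRoot
        ProxyPass /custom !
        # Websocket subscription, handled by mod_proxy_wstunnel
        ProxyPass "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
        # Everything else goes to the ISY over plain HTTP (needs mod_proxy_http)
        ProxyPass / http://192.168.1.2/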
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/wc.domain.com.pem
        SSLCertificateKeyFile /etc/ssl/private/wc.domain.com.key
        SSLCertificateChainFile /etc/ssl/AlphaSSLchain.crt
</VirtualHost>
</IfModule>
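
The value after "Basic" in the RequestHeader line above is the Base64 encoding of the ISY's user:password. The following is an added example, not part of the original wiki page: shell helpers that build that directive and decode an existing token to check which user it carries. The function names are hypothetical and the credentials in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: build the value for the virtual host's
#   RequestHeader set Authorization "Basic ..."
# line from the ISY's credentials (RFC 7617: Base64 of "user:password").

# isy_basic_token USER PASSWORD -> prints the Base64 token
isy_basic_token() {
    user=$1 pass=$2
    # The user name must be non-empty and must not contain ':',
    # because the first colon separates user from password.
    case $user in
        ''|*:*) echo "invalid user name" >&2; return 1 ;;
    esac
    # printf, not echo: a trailing newline would be encoded into the token
    # and the credentials would no longer match. tr removes the line
    # wrapping some base64 implementations apply to long input.
    printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n'
}

# isy_request_header USER PASSWORD -> prints the complete directive
isy_request_header() {
    token=$(isy_basic_token "$1" "$2") || return 1
    printf 'RequestHeader set Authorization "Basic %s"\n' "$token"
}

# isy_token_user TOKEN -> prints the user name inside an existing token,
# to check what a configured header actually sends.
# Uses "base64 -d" (GNU coreutils syntax).
isy_token_user() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    case $decoded in
        *:*) printf '%s\n' "${decoded%%:*}" ;;
        *)   return 1 ;;
    esac
}

# Constructed sample: isy_request_header admin admin
#   prints: RequestHeader set Authorization "Basic YWRtaW46YWRtaW4="
```

Base64 is an encoding, not encryption: anyone who can read the virtual host file can recover the ISY password, so keep that file readable only by root.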

Create the /etc/htpasswd-isy file:

htpasswd -c /etc/htpasswd-isy username

Set your proxy authentication password when prompted.

Place the following .htaccess file into /var/www/lights:

AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/htpasswd-isy"
Require valid-user

This will proxy everything back to the ISY, with the exceptions of the websocket subscription (handled separately) and /custom (excluded from the proxy, so Apache serves it from /var/www/lights/custom).