Apache Reverse Proxy

From Universal Devices, Inc. Wiki
Revision as of 22:02, 1 July 2016 by MWareman (talk | contribs)
Jump to navigation Jump to search

It is possible to configure Apache to perform a reverse proxy function to the ISY - including support for websockets. It's not completely useful - since the SOAP subscription used by the admin console and Mobilinc is not supported by Apache. This configuration works well with Agave - and allows a very speedy SSL connection to be achieved.

Apache needs to have the following modules enabled:

  • mod_proxy_wstunnel
  • mod_proxy

Please note: mod_proxy_wstunnel is only (officially) available for Apache 2.4. It has been backported to Apache 2.2 - but you'll have to compile it yourself. See this article for details on how to do this.

First, some assumptions.... You have a SSL virtualhost (lights.domain.com) that is going to serve as a proxy to your ISY (IP is using HTTP. You have an SSL certificate (issued in this case by AlphaSSL - good cheap certs - see this link). The directory on your server assigned is /var/www/lights. You can place your own pages in /var/www/lights/custom (for instance, the websocket example). This example forces authentication - and injects the correct authorization header when presented to ISY. This means you can use different credentials for this site - or even multiple user accounts.

Make sure to set the Authorization header to be correct for your ISYs credentials.

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@lights.domain.com
        ServerName lights.domain.com
        DocumentRoot /var/www/lights
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
                AuthName "Authentication Required"
                AuthType Basic
                AuthUserFile /etc/htpasswd-isy
                AuthGroupFile /dev/null
                require valid-user
                Order deny,allow
                Allow from all
        RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"
        ProxyPass /custom !
        ProxyPass "/rest/subscribe" "ws://" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://" retry=4
        ProxyPass /
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/wc.domain.com.pem
        SSLCertificateKeyFile /etc/ssl/private/wc.domain.com.key
        SSLCertificateChainFile /etc/ssl/AlphaSSLchain.crt

Create a .htpasswd-isy file:

htpasswd -c /etc/htpasswd-isy username

Set your proxy authentication password when prompted.

Place the following .htaccess file into /var/www/lights:

AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/htpasswd-isy"
Require valid-user

This will proxy everything back to the ISY - with the exceptions of the websocket subscription (handled separately) and /custom (simply allowed to be served by ISY).