
Setting up Apache as a reverse proxy

Configure the Apache web server as a reverse proxy in front of teamspace/projectfacts – with an SSL certificate, projectfacts.conf, security and performance settings under Linux and Windows.

Prerequisites

  • A running teamspace installation (see Linux, Windows or Docker)
  • An SSL certificate or a free one via Let's Encrypt/Certbot

The Apache web server acts as a reverse proxy: it accepts requests on ports 80/443, terminates SSL/TLS and forwards the requests internally to Tomcat on localhost:8080. This guide covers Linux and Windows. For Linux, Nginx is an alternative.

Linux

Ideally, place your own certificates in /etc/apache2/ssl/. If you do not have an SSL certificate, you can have a free one issued via Let’s Encrypt; Certbot is recommended for this.

Enable the required modules (headers provides the Header and RequestHeader directives used in the configuration below):

a2enmod ssl rewrite proxy proxy_wstunnel proxy_http headers

Create the file projectfacts.conf under /etc/apache2/sites-available:

<VirtualHost *:80>
   ServerAdmin admin@example.de
   ServerName server.example.de

   Redirect / https://server.example.de/
</VirtualHost>

<VirtualHost *:443>
   ServerAdmin admin@example.de
   ServerName server.example.de
   AddDefaultCharset utf-8
   AddCharset utf-8 .html
   AddCharset utf-8 .do

   SSLEngine On
   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
   SSLHonorCipherOrder On
   SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
   SSLCertificateFile /etc/apache2/ssl/server.example.de.crt
   SSLCertificateKeyFile /etc/apache2/ssl/server.example.de.key
   SSLCACertificateFile /etc/apache2/ssl/server.example.de.intermediate.crt

   ErrorLog /srv/projectfacts/logs/httpd_error_log
   CustomLog /srv/projectfacts/logs/httpd_access_log combined

   HostnameLookups Off
   UseCanonicalName Off
   ServerSignature Off

   Header set Rtime "%D"
   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

   ProxyPreserveHost on
   RequestHeader set X-Forwarded-Proto "https"

   Redirect permanent /pfea/login/ExternalaccessLoginDialog.do https://[DOMAIN]/htdocs/apps/pfextern
   Redirect permanent /pfea/home/ExternalaccessHomeDialog.do https://[DOMAIN]/htdocs/apps/pfextern

   ProxyRequests Off
   ProxyPass /pfea/home/ExternalaccessHomeDialog.do !
   ProxyPass /pfea/login/ExternalaccessLoginDialog.do !
   ProxyPass /ws/ ws://localhost:8080/ws/ timeout=90
   ProxyPassReverse /ws/ ws://localhost:8080/ws/
   ProxyPass / http://localhost:8080/
   ProxyPassReverse / http://localhost:8080/
</VirtualHost>

To adjust the cipher suite, you can use the Mozilla SSL Config Generator.
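
Added example, not part of the original guide: a shell lint to run against projectfacts.conf before a2ensite, since apachectl configtest only validates syntax. It flags the settings of this vhost that can be weakened without a syntax error; the names audit_vhost and weak_sample and the weakened sample vhost are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a vhost file (or stdin) before enabling the site.
# Prints one "finding:" line per problem; returns 1 if there is any.
audit_vhost() {
    awk '
    function bad(msg) { print "finding: " msg; n++ }
    { $1 = $1; d = tolower($1); s = " " tolower($0) " " }
    d == "sslprotocol" {
        proto = 1; gsub(/\+/, "", s)
        k = split("sslv3 tlsv1 tlsv1.1", old, " ")
        for (i = 1; i <= k; i++)
            if (index(s, " " old[i] " ") ||
                (index(s, " all ") && !index(s, " -" old[i] " ")))
                bad("SSLProtocol leaves " old[i] " enabled")
    }
    # HSTS must use the "always" table so error responses carry it too.
    d == "header" && tolower($2) == "always" &&
        index(s, " strict-transport-security ") { hsts = 1 }
    d == "proxyrequests" && tolower($2) == "on" {
        bad("ProxyRequests On enables forward proxying")
    }
    # First matching ProxyPass wins: "!" exclusions and /ws/ must precede "/".
    d == "proxypass" {
        p = $2; gsub(/"/, "", p)
        if (catchall) bad("ProxyPass " p " follows the catch-all and never matches")
        if (p == "/") catchall = 1
    }
    d == "</virtualhost>" { catchall = 0 }
    END {
        if (!proto) bad("no SSLProtocol directive")
        if (!hsts) bad("no Header always set Strict-Transport-Security")
        exit (n > 0)
    }' "${1:--}"
}

# Constructed sample: a weakened variant of the *:443 vhost from this guide.
weak_sample() {
    cat <<'EOF'
<VirtualHost *:443>
   SSLProtocol all -SSLv3
   Header set Strict-Transport-Security "max-age=31536000"
   ProxyRequests On
   ProxyPass / http://localhost:8080/
   ProxyPass /ws/ ws://localhost:8080/ws/ timeout=90
</VirtualHost>
EOF
}
weak_sample | audit_vhost || echo "fix the findings before a2ensite"
```

Run it as audit_vhost /etc/apache2/sites-available/projectfacts.conf; the example configuration above produces no findings.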

Harden the server through /etc/apache2/conf-available/security.conf:

ServerTokens Prod
ServerSignature Off
TraceEnable Off

Adjust /etc/apache2/mods-enabled/ssl.conf:

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off

Adjust /etc/apache2/mods-enabled/mpm_event.conf:

StartServers 2
MinSpareThreads 320
MaxSpareThreads 320
ThreadLimit 64
ThreadsPerChild 64
MaxRequestWorkers 320
MaxConnectionsPerChild 0

Edit /etc/logrotate.d/apache2 and change the entry from …/apache2 reload to …/apache2 restart. Add the following line above /var/log/apache2/*.log:

/srv/projectfacts/logs/httpd_*_log

Enable the site and restart Apache:

a2ensite projectfacts.conf
systemctl restart apache2.service

To disable a site, use a2dissite <configuration file>. Under /etc/apache2/sites-enabled you can see which configuration is active.

Windows

Ideally, place your own certificates in C:\Apache24\conf\ssl\ (a free certificate is likewise available via Certbot).

  1. Place the Apache web server in C:\Apache24.
  2. Open a command prompt (CMD) with administrator rights, change to C:\Apache24\bin and install the service:
    httpd.exe -k install -n "apache2.4"
  3. Create a file projectfacts.conf under C:\Apache24\conf\extra\ (content as in the Linux example configuration) and include it in the httpd.conf.
  4. Open C:\Apache24\conf\httpd.conf and adjust the modules, mods, ports and the vHost configuration.
Figure: The httpd.conf on Windows: modules, ports and vHost configuration

Open C:\Apache24\conf\extra\httpd-mpm and add the following under mpm_worker_module:

StartServers 2
MinSpareThreads 320
MaxSpareThreads 320
ThreadLimit 64
ThreadsPerChild 64
MaxRequestWorkers 320
MaxConnectionsPerChild 0

Then restart the Apache server.

Apache connection timeout

Adjust the ProxyPass in the projectfacts.conf (Windows: C:\Apache24\conf\extra\projectfacts.conf, Linux: /etc/apache2/sites-enabled/projectfacts.conf):

ProxyPass "/" "http://example.com" connectiontimeout=10 timeout=600

Common questions & needs

You want to … | How to
A free SSL certificate | Via Let’s Encrypt with the Certbot.
Redirect HTTP to HTTPS | Set Redirect / https://server.example.de/ in the *:80 VirtualHost.
WebSocket connections (live updates) | Adopt ProxyPass /ws/ ws://localhost:8080/ws/ from the example configuration.
Long requests are dropped | Increase the ProxyPass timeout (e.g. timeout=600).
Use Nginx instead of Apache | See Nginx as a reverse proxy (Linux only).