Apache server deployment

DNS is a protocol used to associate web addresses with IP addresses, so that all requests made to a given web address go to its associated IP address. Open your namespace provider's configuration and find the DNS settings. Then create an A record with your web address as the start point and your server's IP address as the destination. The DNS registration can take up to 48 hours, so configure the DNS record carefully.
To enable or disable reverse-proxy mode, modify the field below in the server's configuration file:
"is_reverse_proxy": false,
Add or remove allowed host names that the server's kestrel service is allowed to process requests to and from. Do not remove the localhost host name, as this is the host name that is used for the reverse proxy. You have to add the host name origin of the web address of your website. If your website is https://cool.web-server.com, the host origin that has to be added is cool.web-server.com.
"AllowedHosts": "cool.web-server.com;localhost",
Forwarded headers are the HTTP headers used in a reverse-proxy configuration that contain information related to the source and the destination. A reverse proxy is a type of server setup that allows clients to make requests to a set server IP address, which in turn forwards the requests to the destination server's IP address where the application is hosted. Reverse-proxy configurations are used in micro-services architectures to delegate requests across multiple services (which are usually hosted on individual servers), and to create a barrier between the service and the client for increased protection and anonymity for both the user and the server, as well as protecting the server against DDoS attacks. The ThetaFTP server app comes pre-configured with headers that are compatible with an Apache Server 2 reverse-proxy setup. To use custom forwarded headers, modify the field in the configuration file displayed below:
"ForwardedHeaders": {
"ForwardedHeaders": "XForwardedFor, XForwardedProto"
},
X-Forwarded-For (XFF): Holds information about the client that initiated the request and subsequent proxies in a chain of proxies. This parameter may contain IP addresses and, optionally, port numbers. In a chain of proxy servers, the first parameter indicates the client where the request was first made. Subsequent proxy identifiers follow. The last proxy in the chain isn't in the list of parameters. The last proxy's IP address, and optionally a port number, are available as the remote IP address at the transport layer.
X-Forwarded-Proto (XFP): The value of the originating scheme, HTTP or HTTPS. The value may also be a list of schemes if the request has traversed multiple proxies.
X-Forwarded-Host (XFH): The original value of the Host header field. Usually, proxies don't modify the Host header. See Microsoft Security Advisory CVE-2018-0787 for information on an elevation-of-privileges vulnerability that affects systems where the proxy doesn't validate or restrict Host headers to known good values.
X-Forwarded-Prefix: The original base path requested by the client. This header can be useful for applications to correctly generate URLs, redirects, or links back to the client.
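The X-Forwarded-For chain described above is only as reliable as the proxy that wrote its last entry, because everything to the left of that entry is supplied by the client. The following is an added example, not code from ThetaFTP, that resolves the client address by walking the chain from right to left; `TRUSTED_PROXIES`, `parse_hop` and `resolve_client_ip` are hypothetical names, and the trusted range assumes Apache runs on the same machine as the server application.

```python
import ipaddress

# Assumption: only the local Apache reverse proxy is trusted (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]

def parse_hop(token):
    """Parse one X-Forwarded-For entry; it may carry a port ("1.2.3.4:80", "[::1]:80")."""
    token = token.strip()
    if token.startswith("["):              # bracketed IPv6, optional port
        token = token[1:token.index("]")]  # raises ValueError if "]" is missing
    elif token.count(":") == 1:            # IPv4 with a port
        token = token.split(":")[0]
    return ipaddress.ip_address(token)     # raises ValueError on malformed input

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def resolve_client_ip(remote_addr, xff_header):
    """Return the first address, read right to left, that is not a trusted proxy."""
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted(peer) or not xff_header:
        return str(peer)    # header did not come through our proxy: ignore it
    candidate = peer
    for token in reversed(xff_header.split(",")):
        try:
            hop = parse_hop(token)
        except ValueError:
            break           # malformed entry: keep the last verified hop
        candidate = hop
        if not is_trusted(hop):
            break           # entries further left are client-controlled
    return str(candidate)

if __name__ == "__main__":
    # Constructed request: the client sent "10.0.0.1", Apache appended the real peer.
    print(resolve_client_ip("127.0.0.1", "10.0.0.1, 198.51.100.9"))
```

A request that reaches the application without passing through the proxy keeps its transport-layer address, whatever the header claims.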
Go to the Apache Lounge and download the appropriate Windows binaries.
sudo apt update
sudo apt install apache2
Your namespace provider will ask you to provide a CSR in order to generate and install an SSL certificate on your website. A CSR is a document used to create a public key certificate (client certificate) and transitive certificates (certificate chain certificates) that will complement the public key certificate to make the certificate as a whole valid and secure, based on a private key.
# Generate a Certificate Signing Request and a Private Key
openssl req -out CSR.csr -new -newkey rsa:2048 -keyout privatekey.key
During the certificate generation you will be prompted to set multiple values. The two most important values are the certificate password and the CN (Common Name) attribute. The CN is the root origin of your website. For example, if your website is https://cool-net.com, your CN is cool-net.com. If the CN entered is not valid, the website will not be able to perform any TLS/SSL encryption operations.
Once your namespace provider has generated and installed the SSL certificates on your website, they will either prompt you to download the certificates or email them to you directly. Once you have received the certificates, combine all of them into one public certificate.
# CMD
type RootCert.crt IntermediaryCert1.crt IntermediaryCert2.crt OtherCert.crt >> public-cert.crt
# Bash
cat RootCert.crt IntermediaryCert1.crt IntermediaryCert2.crt OtherCert.crt >> public-cert.crt
Because Apache Server will be used to perform reverse-proxy to the server application, and also because the server application uses Web Sockets to allow clients to connect to the server, web socket modules and proxy modules have to be enabled on Apache Server. This is done using the a2enmod utility which stands for Apache2 Enable Module.
sudo a2enmod proxy
sudo a2enmod proxy_wstunnel
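sudo a2enmod proxy_http
# mod_ssl provides the SSLCertificateFile and SSLCertificateKeyFile directives used in the site configuration
sudo a2enmod ssl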
sudo systemctl restart apache2

Go to the available websites folder in C:\Program Files\Apache Software Foundation\Apache2.2\conf\ on Windows, or /etc/apache2 on Linux, and create your website's configuration file (e.g. YourWebsiteName.conf). Copy the configuration below into it. The configuration redirects all HTTP requests made to the website on port 80 to TLS/SSL encrypted HTTPS connections on port 443. Apache Server then uses the public certificate generated earlier to perform encryption tasks during the TLS/SSL handshake, and the private key generated with the CSR to perform decryption tasks during the TLS/SSL handshake. In the configuration file below, replace localhost:5000 with the origin of the address where the server application is running locally.
<VirtualHost *:80>
# Name of the server admin
ServerAdmin webmaster@localhost
# Location of the website's directory to pass the requests to
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# Redirect all the requests made on port 80 to the address of your website over TLS/SSL
Redirect permanent / https://your-website-address.org
</VirtualHost>
<VirtualHost _default_:443>
# Name of the server admin
ServerAdmin webmaster@localhost
# The CN of your website
ServerName your-website-address.org
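# Keep forward proxying disabled. A reverse proxy only needs ProxyPass;
# "ProxyRequests On" would let clients relay requests to arbitrary hosts through this server.
ProxyRequests Off
# Forward the client's original Host header to the server application
ProxyPreserveHost On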
# Pass the Web-Socket and HTTP based requests to the server application's IP address.
# Replace `localhost:5000` with the origin of the web address where the server
# application is running locally.
ProxyPassMatch ^/_blazor/(.*) http://localhost:5000/_blazor/$1
ProxyPass /_blazor ws://localhost:5000/_blazor
ProxyPass / http://localhost:5000/
ProxyPassReverse / http://localhost:5000/
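# Enable TLS for this virtual host (without it the certificate directives below have no effect)
SSLEngine on
# The path to the public certificate created from all the intermediary and non-intermediary certificates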
SSLCertificateFile /etc/apache2/theta-drive-certs/public-cert.crt
# The path to the private key used to create the CSR
SSLCertificateKeyFile /etc/apache2/theta-drive-certs/private.key
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
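Before enabling the site, the configuration can be checked for the settings that matter most in this setup. The following is an added example, not part of ThetaFTP or Apache, that parses the `<VirtualHost>` blocks of a site file and reports forward proxying left enabled, a port 443 host without `SSLEngine on`, and a port 80 host that serves content instead of redirecting; `parse_vhosts`, `audit` and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample: a vhost file containing the three problems the audit reports.
SAMPLE_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost _default_:443>
    ServerName your-website-address.org
    ProxyRequests On
    ProxyPass / http://localhost:5000/
    SSLCertificateFile /etc/apache2/theta-drive-certs/public-cert.crt
</VirtualHost>
"""

def parse_vhosts(text):
    """Return [(address, {directive: [args, ...]})] for each <VirtualHost> block."""
    vhosts = []
    blocks = re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.S | re.I)
    for addr, body in blocks:
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if parts and not parts[0].startswith("#"):   # skip blanks and comments
                args = parts[1].strip() if len(parts) > 1 else ""
                directives.setdefault(parts[0].lower(), []).append(args)
        vhosts.append((addr.strip(), directives))
    return vhosts

def audit(text):
    """Return [(vhost address, finding)] for reverse-proxy and TLS misconfigurations."""
    findings = []
    for addr, d in parse_vhosts(text):
        port = addr.rsplit(":", 1)[-1]
        proxies = "proxypass" in d or "proxypassmatch" in d
        to_https = any("https://" in v for v in d.get("redirect", []))
        if proxies and any(v.lower() == "on" for v in d.get("proxyrequests", [])):
            findings.append((addr, "ProxyRequests On enables forward proxying"))
        if port == "443" and not any(v.lower() == "on" for v in d.get("sslengine", [])):
            findings.append((addr, "SSLEngine on is missing, TLS is not enabled"))
        if port == "80" and (proxies or not to_https):
            findings.append((addr, "plain HTTP is served instead of redirected to https"))
    return findings

if __name__ == "__main__":
    for addr, finding in audit(SAMPLE_CONF):
        print(f"{addr}: {finding}")
```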
To load the site config, enable the configuration with the a2ensite utility, which stands for Apache2 Enable Website, and then restart the Apache Server. When the service restarts, the user will be prompted to enter the password of the private key file used to generate the CSR.
sudo a2ensite YourWebsiteName.conf
sudo systemctl restart apache2
a2ensite YourWebsiteName.conf
apache -k restart