PackageDrone/HowTo/ReverseProxy
This page describes how to put a reverse proxy (such as Apache or NGINX) in front of Package Drone, so that the initial HTTP request is served by another HTTP server and then forwarded to Package Drone.
There are pros and cons to using a reverse proxy. If you want one, this page describes how to set it up.
Ubuntu
Ubuntu 14.04 LTS
- Enable "proxy" and "deflate". Run as root:
    a2enmod proxy
    a2enmod proxy_http
    a2enmod deflate
- Create a new file /etc/apache2/sites-available/pdrone.conf with the content of pdrone.conf (see below).
- Activate the site. Run as root:
    a2ensite pdrone
    /etc/init.d/apache2 reload
RHEL / CentOS
RHEL 7 / CentOS 7
- Install Apache:
    yum install httpd
- Create a new file /etc/httpd/conf.d/pdrone.conf with the content of pdrone.conf (see below).
OpenSUSE
OpenSuse 13 & Apache
SUSE has probably two ways of doing this. I am not a SUSE-guy, so there may be an easier way ;-)
- Install Apache 2:
    zypper install apache2
- Start YAST and
  - Enable Apache 2
  - Enable modules: proxy, mod_proxy_http and optionally deflate and filter
- Create a new file /etc/apache2/vhosts.d/pdrone.conf (content see below).
- Add ProxyRequests Off to /etc/apache2/default-server.conf
Files
pdrone.conf
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName your.server.name

    # Reverse proxy only: do not act as a forward proxy
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Forward everything to Package Drone on the local port 8080
    ProxyPass / http://localhost:8080/ disablereuse=on
    ProxyPassReverse / http://localhost:8080/
    ProxyTimeout 300

    <Location />
        Order allow,deny
        Allow from all
    </Location>

    DefaultType None

    # Compress text responses when mod_filter and mod_deflate are enabled
    <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
            FilterDeclare gzip CONTENT_SET
            FilterProtocol gzip change=yes;byteranges=no
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/html'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/plain'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/xml'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/css'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'text/javascript'"
            FilterProvider gzip DEFLATE "%{Content_Type} = 'application/javascript'"
            FilterChain gzip
        </IfModule>
    </IfModule>
</VirtualHost>
Securing Package Drone
Localhost only
Once you have a reverse proxy installed, it is possible to limit access to "localhost" only, so that no remote user can access Package Drone on port 8080.
Edit the file /etc/default/package-drone-server and add -Dorg.ops4j.pax.web.listening.addresses=localhost to the JAVA_OPTS variable.
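A check for the localhost-only setting above, as an added example that is not part of the original page: it reads the output of ss -ltn and reports whether a port is bound to loopback only. The function name listener_exposure and the two sample listings are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original page. listener_exposure is a
# hypothetical helper name; the ss listings below are constructed samples.

# Reads `ss -ltn` output on stdin and prints one of:
#   loopback-only | exposed | not-listening
listener_exposure() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }              # also skips the header line
        {
            addr = $4                        # Local Address:Port column
            if (!match(addr, /:[0-9]+$/)) next
            host = substr(addr, 1, RSTART - 1)
            if (substr(addr, RSTART + 1) != port) next
            gsub(/^\[|\]$/, "", host)        # [::1] becomes ::1
            seen = 1
            # 127.0.0.0/8, ::1 and IPv4-mapped loopback are local-only binds
            if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
            exposed = 1
        }
        END {
            if (!seen) print "not-listening"
            else if (exposed) print "exposed"
            else print "loopback-only"
        }'
}

# Constructed sample: wildcard bind, port 8080 reachable from other hosts.
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80                    *:*
LISTEN 0      50     :::8080                 :::*'

# Constructed sample: bind restricted to localhost.
SAMPLE_LOCAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80                    *:*
LISTEN 0      50     ::ffff:127.0.0.1:8080   :::*'

printf '%s\n' "$SAMPLE_WILDCARD" | listener_exposure 8080   # exposed
printf '%s\n' "$SAMPLE_LOCAL" | listener_exposure 8080      # loopback-only

# On a live host: ss -ltn | listener_exposure 8080
```

A result of not-listening means nothing was bound to that port at the time of the check, so rerun it once Package Drone has started.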
RHEL 7 / CentOS 7
Enable httpd for the firewall (the firewalld service name is http):
    firewall-cmd --permanent --zone=public --add-service=http
    firewall-cmd --reload
Let's encrypt
In order to add a free TLS certificate from Let's encrypt you will need to install the Let's encrypt client and modify the pdrone.conf file to allow requests for /.well-known to the local file system.
    DocumentRoot /var/www/html
    …
    ProxyPass /.well-known !
    ProxyPass / http://localhost:8080/ disablereuse=on
This excludes requests for /.well-known from proxying, so they are served from /var/www/html/.well-known instead of being forwarded to Package Drone. The exclusion has to come before the general ProxyPass / line, as shown. Let's encrypt can then be used with the webroot module on /var/www/html.