Reverse Proxy Template: Apache

The following are example Apache configurations with and without SSL termination.

These expect Apache to be running on the same host as Firezone and default['firezone']['phoenix']['port'] to be set to 13000.

Without SSL termination

Since Firezone requires HTTPS for the web portal, please bear in mind a downstream proxy will need to terminate SSL connections in this scenario.

<server-name> needs to be replaced with your domain name.

This configuration needs to be placed in /etc/sites-available/<server-name>.conf and activated with a2ensite <server-name>

LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so
<VirtualHost *:80>
        ServerName <server-name>
        # Forward all requests to the Firezone web portal on the local Phoenix port
        ProxyPassReverse "/" "http://127.0.0.1:13000/"
        ProxyPass "/" "http://127.0.0.1:13000/"
        # Proxy WebSocket upgrade requests over ws:// instead of http://
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteRule ^/?(.*) "ws://127.0.0.1:13000/$1" [P,L]
</VirtualHost>

With SSL termination

This configuration builds on the one above and uses Firezone's auto-generated self-signed certificates.

LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
Listen 443
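<VirtualHost *:443>
        ServerName <server-name>
        # Tell Firezone the original request arrived over HTTPS
        RequestHeader set X-Forwarded-Proto "https"
        # Forward all requests to the Firezone web portal on the local Phoenix port
        ProxyPassReverse "/" "http://127.0.0.1:13000/"
        ProxyPass "/" "http://127.0.0.1:13000/"
        # Proxy WebSocket upgrade requests over ws:// instead of http://
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteRule ^/?(.*) "ws://127.0.0.1:13000/$1" [P,L]
        # Terminate SSL with the certificate and key generated by Firezone
        SSLEngine On
        SSLCertificateFile "/var/opt/firezone/ssl/ca/acme-test.firez.one.crt"
        SSLCertificateKeyFile "/var/opt/firezone/ssl/ca/acme-test.firez.one.key"
</VirtualHost>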
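
To confirm that an edited copy of either virtual host still follows this template before reloading Apache, the following Python check (an added example, not part of the Firezone documentation) verifies that every proxied URL targets 127.0.0.1:13000, that the WebSocket rewrite is intact and, for the SSL variant, that SSLEngine is on and X-Forwarded-Proto is set to https. The names check_vhost and directives, the sample ServerName vpn.example.com and the choice of checks are assumptions of this example.

```python
import re

BACKEND = "127.0.0.1:13000"  # same host and Phoenix port the page assumes
# Constructed sample: the SSL-terminating vhost above with a placeholder ServerName.
SAMPLE = """\
<VirtualHost *:443>
    ServerName vpn.example.com
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPassReverse "/" "http://127.0.0.1:13000/"
    ProxyPass "/" "http://127.0.0.1:13000/"
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://127.0.0.1:13000/$1" [P,L]
    SSLEngine On
</VirtualHost>
"""

def directives(conf):
    """Return lowercased (name, args) pairs, skipping comments and section tags."""
    lines = (l.strip() for l in conf.splitlines())
    return [tuple((l.lower().split(None, 1) + [""])[:2]) for l in lines
            if l and not l.startswith(("#", "<"))]

def check_vhost(conf, tls=True):
    """Return a list of problems; an empty list means the vhost matches the template."""
    d = directives(conf)
    args = lambda name: [a.strip() for n, a in d if n == name]
    problems = []
    for name in ("proxypass", "proxypassreverse", "rewriterule"):
        hosts = re.findall(r'(?:https?|wss?)://([^/"\s]+)', " ".join(args(name)))
        if not hosts:
            problems.append(f"{name}: no backend URL")
        problems += [f"{name}: backend {h} is not {BACKEND}" for h in hosts if h != BACKEND]
    conds = " ".join(args("rewritecond"))
    if "%{http:upgrade}" not in conds or "%{http:connection}" not in conds:
        problems.append("rewritecond: WebSocket Upgrade/Connection match missing")
    if not any("ws://" in a and re.search(r"\[[^\]]*\bp\b", a) for a in args("rewriterule")):
        problems.append("rewriterule: no proxied ws:// rule")
    if tls:
        if "on" not in args("sslengine"):
            problems.append("sslengine: not enabled")
        if not any(re.fullmatch(r'set\s+x-forwarded-proto\s+"?https"?', a)
                   for a in args("requestheader")):
            problems.append("requestheader: X-Forwarded-Proto not set to https")
    return problems

if __name__ == "__main__":
    print(check_vhost(SAMPLE) or "vhost matches the template")
```

Call check_vhost(text, tls=False) for the variant without SSL termination. The parser reads one directive per line and does not follow Include directives or backslash line continuations.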