# configure SSL proxy for web service



## cbrace (Dec 9, 2019)

Hi all,

I've installed www/rubywarden on my VPS running v12.1. I connect to it from bitwarden clients on this address: http://myserver:4567

The connection is thus unencrypted. Various web searches indicate one solution is to set up a forwarding/reverse proxy, routing external traffic via SSL. On my VPS, I'm running www/apache24 which handles www/joomla, www/nextcloud and some other web applications. I thought I could add something like the following to my http-vhosts file. But it doesn't work:

```apache
<VirtualHost ###.###.###.###:4567>
    ServerName hostname
    SSLEngine on
    SSLStrictSNIVHostCheck off
    SSLCACertificateFile /etc/ssl/root.pem
    SSLCertificateFile      /usr/local/etc/letsencrypt/live/hostname/fullchain.pem
    SSLCertificateKeyFile   /usr/local/etc/letsencrypt/live/hostname/privkey.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLProxyEngine On
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AESGCM:EECDH+AES:EDH+AES
    ProxyPass / http://127.0.0.1:4567/
    ProxyPassReverse / http://127.0.0.1:4567/
</VirtualHost>
```
I clearly have no idea what I am doing here.

How do I:
1. bind rubywarden to 127.0.0.1?
2. pass the incoming and outgoing rubywarden connections through a proxy (apache24?) so that clients connect via SSL?


----------



## SirDice (Dec 9, 2019)

If you're looking for an "easy" reverse proxy that can terminate SSL you might want to have a look at net/haproxy. On my VPS I have HAProxy running on the host and a few jails running various websites. The HAProxy terminates the SSL, connections to the backends are "plain" HTTP.


----------



## cbrace (Dec 10, 2019)

Thanks for the tip. I installed haproxy and had a look. I found some pages explaining how to set it up, but I can't get it working and I can't figure out why because I can't get logging working. I created this file:

```
$ cat /usr/local/etc/syslog.d/haproxy
local0.*            /var/log/haproxy.log
```

and added this to /usr/local/etc/haproxy.conf under "general"

```haproxy
log             127.0.0.1 local0
```
If you have a moment, could you take a look at your haproxy.conf file to see what settings you have? That is, if you have logging enabled.

TIA


----------



## SirDice (Dec 10, 2019)

You've actually set up remote logging but are sending it to localhost. For this to work your syslog needs to be listening on the network. If you just want to use the local syslog you can use this:

```haproxy
log /dev/log local2
```

My whole config is a bit large and has a bunch of information in it I would need to edit before posting. But the whole set up is in parts:

```haproxy
global
    # Set some global settings
    log /dev/log local2

    user nobody
    group nobody

defaults
    # Default settings
    mode http

frontend http-in
    bind 0.0.0.0:80

    acl is_mail hdr_dom(host) -i webmail.example.com

    redirect scheme https if is_mail !{ ssl_fc }

    use_backend mail if is_mail

    default_backend local

frontend https-in
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/ssl/

    default_backend local

    acl is_mail hdr_dom(host) -i webmail.example.com

    use_backend mail if is_mail

backend local
    server localhost 127.0.0.1:80

backend mail
    server mail 192.168.10.20:80 # jail with webmail
```

This is a basic setup. You have a frontend and one or more backends. There's some logic that looks at the HTTP Host header (`hdr_dom(host)`) and switches to the mail backend accordingly. If it's webmail.example.com, an HTTP request will get redirected to HTTPS too.
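Applying the pattern from the post above to the original question, here is an added example `haproxy.conf` that terminates TLS in front of rubywarden and refuses to serve it over plain HTTP. This is my own illustration, not SirDice's config and not something shipped by the rubywarden or haproxy ports; the certificate path, the backend name, the cipher list and the assumption that rubywarden itself has been restarted listening only on 127.0.0.1:4567 are mine. It uses HAProxy 1.8-or-newer syntax (`ssl-min-ver`), and it logs to facility `local0` so it matches the `/usr/local/etc/syslog.d/haproxy` file created earlier in the thread.

```haproxy
global
    # Local syslog over the socket, facility local0: pairs with
    # "local0.* /var/log/haproxy.log" in /usr/local/etc/syslog.d/haproxy
    log /dev/log local0
    user nobody
    group nobody
    # TLS 1.2+ only on the listening side, AEAD ciphers with forward secrecy
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM

defaults
    mode http
    log global
    option httplog
    option dontlognull
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-in
    bind 0.0.0.0:80
    # Nothing is served over plain HTTP: every request is sent to HTTPS
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    # ASSUMPTION: hostname.pem is Let's Encrypt's fullchain.pem followed by
    # privkey.pem in one file, HAProxy wants the key in (or next to) the cert:
    #   cat fullchain.pem privkey.pem > /usr/local/etc/haproxy/ssl/hostname.pem
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/ssl/hostname.pem
    # Tell browsers to keep using HTTPS for a year
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # Pass the original scheme and client address on to the backend
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    default_backend rubywarden

backend rubywarden
    # ASSUMPTION: rubywarden listens on the loopback address only, so the
    # unencrypted port 4567 is never reachable from outside the host
    server vault 127.0.0.1:4567
```

Before loading it, `haproxy -c -f /usr/local/etc/haproxy.conf` checks the syntax. FreeBSD's syslogd does not create log files, so `touch /var/log/haproxy.log` and `service syslogd reload` first; `logger -p local0.notice test` then shows whether the syslog route works independently of HAProxy. After `service haproxy restart`, `sockstat -4 -l` should list port 4567 only on 127.0.0.1 and ports 80/443 on the public address; if 4567 still shows `*:4567`, the proxy is in place but the plaintext service is still exposed and the rubywarden listen address needs fixing first.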


----------

