
Apache Example Configuration for GeoIP Fencing, SSL/TLS Termination, and Reverse Proxy

This article shows an example configuration that achieves three objectives: provide GeoIP Fencing, provide SSL/TLS Termination, and serve as a Reverse Proxy. In this example we’re using Ubuntu 22.04. Connections coming in on HTTP (port 80) are redirected to HTTPS (port 443), which is where the GeoIP Fencing takes place. You could do that before the redirection as well.

<VirtualHost *:80>
  ServerName gateway.example.com.au
  ServerAdmin [email protected]
  DocumentRoot /var/www/html

  ErrorLog /var/log/apache2/example-revproxy_com_au_log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  CustomLog /var/log/apache2/example-revproxy_com_au_log common

  TimeOut 1000

  # Nothing is normally served from here: every request for this name is
  # redirected to HTTPS below. Apache 2.4 "Require" form instead of the
  # 2.2-style "Order allow,deny / allow from all".
  <Directory /var/www/html>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>

  # Send everything to HTTPS; the GeoIP fence is applied there.
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =gateway.example.com.au
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# SSL/TLS termination, GeoIP fence and reverse proxy
<VirtualHost *:443>
  ServerName gateway.example.com.au
  ServerAdmin [email protected]
  DocumentRoot /var/www/html
  ErrorLog /var/log/apache2/gateway.example_com_au_log
  CustomLog /var/log/apache2/gateway.example_com_au_log common

  TimeOut 1000
  SSLEngine On
  # Needed because the back-end below is reached over https://
  SSLProxyEngine On
  RewriteEngine On
  # Never act as an open forward proxy; only the ProxyPass mappings apply.
  ProxyRequests Off
  # Pass the client's original Host header through to the back-end.
  ProxyPreserveHost On

  # Tell the back-end that the original request arrived over TLS on 443.
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"

  # This needs to resolve to the back-end application server that
  # we're reverse proxying to.
  ProxyPass / https://back-end-gateway.example.com.au/
  ProxyPassReverse / https://back-end-gateway.example.com.au/

  # Apache 2.4 "Require" form of the 2.2-style "Order allow,deny / allow from all".
  <Directory /var/www/html>
    Options Indexes
    AllowOverride All
    Require all granted
  </Directory>

  <IfModule mod_geoip.c>
    GeoIPEnable On
    GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
  </IfModule>

  # GeoIP fence: mod_geoip sets GEOIP_COUNTRY_CODE from the client address and
  # only AU, NZ and US requests are let through. If the variable is never set
  # (module not loaded, address not in the database) nothing sets AllowCountry
  # and the request is denied, so the fence fails closed. "Require env" is the
  # 2.4 equivalent of "Deny from all" + "Allow from env=AllowCountry".
  <Location "/">
    SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry
    SetEnvIf GEOIP_COUNTRY_CODE NZ AllowCountry
    SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
    Require env AllowCountry
  </Location>

  # These are sample lines to get Apache to start. LetsEncrypt will replace these
  # lines for you when your new certificate files are ready.
  SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key

  # These are example LetsEncrypt lines that LetsEncrypt will generate for you.
  # They're here (commented out) as an example.
  # SSLCertificateFile /etc/letsencrypt/live/gateway.example.com.au/fullchain.pem
  # SSLCertificateKeyFile /etc/letsencrypt/live/gateway.example.com.au/privkey.pem
  # Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
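To see what the fencing block in the :443 vhost actually decides, here is an added example (not from the article) that parses a copy of that `<Location "/">` section and emulates Apache's SetEnvIf plus Deny/Allow-from-env evaluation for a few sample requests, including the case where GEOIP_COUNTRY_CODE was never set; it also accepts the Apache 2.4 `Require env` form. FENCE_CONF and the request dictionaries are constructed for the example.

```python
import re

# Constructed sample input: the fencing block from the :443 vhost on this page.
FENCE_CONF = """
<Location "/">
  SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry
  SetEnvIf GEOIP_COUNTRY_CODE NZ AllowCountry
  SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
  Deny from all
  Allow from env=AllowCountry
</Location>
"""

# SetEnvIf <attribute> <regex> <env-var>  (the value-less form used on this page)
SETENVIF = re.compile(r"^\s*SetEnvIf\s+(\S+)\s+(\S+)\s+([A-Za-z_]\w*)\s*$", re.M | re.I)
# Apache 2.2 'Allow from env=NAME' or the 2.4 equivalent 'Require env NAME ...'
GRANT = re.compile(r"^\s*(?:Allow\s+from\s+env=(\S+)|Require\s+env\s+(.+?))\s*$", re.M | re.I)


def parse_fence(conf):
    """Return (rules, grants): rules are (attribute, compiled regex, env var it sets);
    grants is the set of env vars whose presence lets a request through."""
    rules = [(attr, re.compile(rx), name) for attr, rx, name in SETENVIF.findall(conf)]
    grants = set()
    for allow_from, require in GRANT.findall(conf):
        grants.update((allow_from or require).split())
    return rules, grants


def decide(conf, request_env):
    """Emulate how Apache evaluates the block: each SetEnvIf rule is tried in
    order against the request's variables (GEOIP_COUNTRY_CODE is what mod_geoip
    derives from the client address); with 'Deny from all' in force the request
    is allowed only if one of the granted env vars ended up set."""
    rules, grants = parse_fence(conf)
    env = dict(request_env)
    for attr, rx, name in rules:
        value = env.get(attr)
        # An absent attribute never matches, so a request with no country code
        # (mod_geoip not loaded, or the address not in GeoIP.dat) never sets
        # AllowCountry and is denied: the fence fails closed.
        if value is not None and rx.search(value):
            env[name] = "1"
    return "allow" if any(name in env for name in grants) else "deny"


if __name__ == "__main__":
    for country in ("AU", "NZ", "DE", None):
        req = {} if country is None else {"GEOIP_COUNTRY_CODE": country}
        print(f"{country!s:>4} -> {decide(FENCE_CONF, req)}")
```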

You will need to ensure you have enabled the correct Apache modules as listed here:

a2enmod ssl
a2enmod rewrite
a2enmod proxy
a2enmod headers
a2enmod proxy_http

For the GeoIP Fencing, make sure to install this package:

apt install libapache2-mod-geoip

If you’re using LetsEncrypt, make sure to run the following:

apt install certbot python3-certbot-apache
certbot --apache
