This article shows an example configuration that achieves three objectives: GeoIP fencing, SSL/TLS termination, and acting as a reverse proxy. In this example we're using Ubuntu 22.04. Connections arriving over HTTP (port 80) are redirected to HTTPS (port 443), which is where the GeoIP fencing takes place. You could also apply the fence before the redirection.
```apache
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    TimeOut 1000
    <Directory /var/www/html>
        Options Indexes
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ServerName gateway.example.com.au
    ServerAdmin [email protected]
    ErrorLog /var/log/apache2/example-revproxy_com_au_log
    CustomLog /var/log/apache2/example-revproxy_com_au_log common
    DocumentRoot /var/www/html/
    <Directory /var/www/html>
        Options Indexes FollowSymLinks
    </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =gateway.example.com.au
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# SSL/TLS
<VirtualHost *:443>
    TimeOut 1000
    SSLEngine On
    SSLProxyEngine On
    RewriteEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    # This needs to resolve to the back-end application server that
    # we're reverse proxy'ing to.
    ProxyPass / https://back-end-gateway.example.com.au/
    ProxyPassReverse / https://back-end-gateway.example.com.au/
    <Directory /var/www/html>
        Options Indexes
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ServerName gateway.example.com.au
    ServerAdmin [email protected]
    ErrorLog /var/log/apache2/gateway.example_com_au_log
    CustomLog /var/log/apache2/gateway.example_com_au_log common
    DocumentRoot /var/www/html
    <IfModule mod_geoip.c>
        GeoIPEnable On
        GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
    </IfModule>
    <Location "/">
        SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry
        SetEnvIf GEOIP_COUNTRY_CODE NZ AllowCountry
        SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
        Deny from all
        Allow from env=AllowCountry
    </Location>
    # These are sample lines to get Apache to start. LetsEncrypt will remove these
    # lines for you when your new certificate files are ready.
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    # These are example LetsEncrypt lines that LetsEncrypt will generate for you.
    # They're here (commented out) as an example.
    # SSLCertificateFile /etc/letsencrypt/live/gateway.example.com.au/fullchain.pem
    # SSLCertificateKeyFile /etc/letsencrypt/live/gateway.example.com.au/privkey.pem
    # Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```
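As an added check that is not part of the original article (and not an Apache tool), the following Python script lints a vhost for the settings that carry the security weight in this setup: `ProxyRequests Off` so the gateway cannot be abused as an open forward proxy, `SSLProxyEngine On` with an https:// backend so decrypted traffic is re-encrypted on its way out, and a default-deny country fence whose `SetEnvIf` patterns are bare two-letter codes. The sample vhost is constructed here to mirror the article's configuration.

```python
import re

# Directives the *:443 vhost must contain, with why each one matters.
REQUIRED_443 = {
    "ProxyRequests Off": "otherwise mod_proxy can be abused as an open forward proxy",
    "SSLProxyEngine On": "required for ProxyPass to an https:// backend",
    "Deny from all": "the country fence must be default-deny",
    "Allow from env=AllowCountry": "only GeoIP-matched requests are admitted",
}

def extract_vhost(config, port):
    """Return the body of the <VirtualHost *:PORT> block, or '' if absent."""
    m = re.search(r"<VirtualHost \*:%d>(.*?)</VirtualHost>" % port, config, re.S)
    return m.group(1) if m else ""

def check_fence(config):
    """Return a list of findings; an empty list means the vhost passes."""
    body = extract_vhost(config, 443)
    if not body:
        return ["no <VirtualHost *:443> block found"]
    # Drop comments so a commented-out directive does not count as present.
    active = [ln.split("#", 1)[0].strip() for ln in body.splitlines()]
    findings = [f"missing '{d}': {why}" for d, why in REQUIRED_443.items()
                if not any(ln.lower() == d.lower() for ln in active)]
    for ln in active:
        # SetEnvIf takes a regex: anything but a bare two-letter ISO code
        # (e.g. 'A' or '.*') would admit more countries than intended.
        m = re.match(r"SetEnvIf\s+GEOIP_COUNTRY_CODE\s+(\S+)\s+AllowCountry", ln, re.I)
        if m and not re.fullmatch(r"[A-Z]{2}", m.group(1)):
            findings.append(f"loose country pattern '{m.group(1)}' in SetEnvIf")
        # A plain-http backend would carry the just-decrypted traffic in the clear.
        m = re.match(r"ProxyPass\s+\S+\s+(\S+)", ln, re.I)
        if m and m.group(1).lower().startswith("http://"):
            findings.append(f"ProxyPass to cleartext backend {m.group(1)}")
    return findings

# Constructed sample that mirrors the fencing vhost from the article.
SAMPLE_OK = """<VirtualHost *:443>
  SSLProxyEngine On
  ProxyRequests Off
  ProxyPass / https://back-end-gateway.example.com.au/
  <Location "/">
    SetEnvIf GEOIP_COUNTRY_CODE AU AllowCountry
    Deny from all
    Allow from env=AllowCountry
  </Location>
</VirtualHost>"""

if __name__ == "__main__":
    print(check_fence(SAMPLE_OK) or "fence vhost passes all checks")
```

Run it against your own site file by reading it in place of `SAMPLE_OK`; it is a line-based sanity check, not a replacement for `apachectl configtest`.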
You will need to ensure you have enabled the correct Apache modules as listed here (the `Order`/`Allow`/`Deny` directives used for the fence are Apache 2.2-style access control provided by mod_access_compat, which Ubuntu's apache2 package enables by default):

```bash
a2enmod ssl
a2enmod rewrite
a2enmod proxy
a2enmod headers
a2enmod proxy_http
```
For the GeoIP fencing, make sure to install this package:

```bash
apt install libapache2-mod-geoip
```
If you're using LetsEncrypt, make sure to run the following:

```bash
apt install certbot python3-certbot-apache
certbot --apache
```