Wrapping insecure web apps with Apache

When dealing with a web service which for one reason or another cannot or should not be allowed on the web. Apache has several wonderful modules which allows the services to be wrapped and behave like a web app should (working SSL certificates, forced encryption, authentication ...)

In this article I will discuss and show some examples on how to create an authenticated reverse proxy with mod_authnz, mod_proxy,mod_rewrite and mod_security.

1. Prerequisites
2. Installation of Apache
3. Configuration of Apache

4. Configuration of mod_rewrite
5. Configuration of mod_proxy
6. Configuration of mod_authnz(optional)
7. Configuration of mod_security
8. Summary

9. Informative Resources
1. Prerequisites

In this example you will need:

  • Ubuntu Linux
  • LDAP compatible server with valid SSL certificate
  • Apache2
  • Wildcard ssl certificate or valid certificates for each service published
  • Apache mod_rewrite
  • Apache mod_proxy
  • Apache mod_authnz
  • Apache mod_security
2. Installation of Apache
Install Apache2 by any of your favorite package managers or at the prompt:
sudo apt-get install apache2
3. Configuration of Apache
Then create a new config file for each of your new relays.
Inside of the virtual host tag:
UseCanonicalName Off
LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
#incase you have a self signed certificate on the ldap server

LDAPVerifyServerCert off
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/generic/example.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/generic/example.com.key
Servername weirdone_wrapped.example.com
CustomLog /var/log/apache2/access_log.relay-weird.vhost vcommon

4. Configuration of mod_rewrite
(mod-rewrite is included with apache2)
To enable mod_rewrite:
a2enmod rewrite
Then add the following virtual host entry to redirect http traffic:
RewriteEngine On

#Force HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L]

5. Configuration of mod_proxy
First install additional mod_proxy:
sudo apt-get install libapache2-mod-proxy-html
Then enable the modules:
a2enmod proxy proxy_connect proxy_html proxy_http
Insert the proxy section and commands into the SSL (port 443) vhost section:
Order deny,allow ProxyPreserveHost On ProxyPass / http://weirdapp.example.com:50281/ ProxyPassReverse / http://weirdapp.example.com:50281/
6. Configuration of mod_authnz(optional)
First install mod_authnz:
apt-get install libapache2-mod-authnz-external
Then insert the following into the proxy block for ldap authentication of the connection:
AuthType Basic AuthBasicProvider ldap
AuthName "Please authenticate your connection using your network login."
#Some Ldap servers will reject un-encrypted simple authentication, plus this is

#just a good idea any way.

AuthLDAPURL "ldaps://" SSL

AuthzLDAPAuthoritative on
AuthLDAPBindDN cn=authbot,ou=users,o=org
AuthLDAPBindPassword password
AuthLDAPRemoteUserAttribute uid

AuthLDAPRemoteUserIsDN on

AuthLDAPGroupAttributeIsDN on

AuthLDAPGroupAttribute member

Require ldap-group cn=Staff,ou=groups,o=org
Satisfy All

7. Configuration of mod_security
First install mod_security:
apt-get install libapache-mod-security
Then enable it:
a2enmod mod-security
Mod_security is fairly tricky, I am using a default configuration but I am only logging errors and not preventing them. Configuration beyond this is outside the scope of this article.

Edit /etc/apache2/mods-available/mod_security.conf and use the configuration example in
"/usr/share/doc/mod-security-common/examples/" as a template.

If it proves to be too restrictive, you can switch the part which says:

SecRuleEngine On


SecRuleEngine DetectionOnly

8. Summary
So, after this is installed, Apache will listen to a static IP then relay a a website to the end user over SSL after authenticating the connection with an LDAP server. And if anything fishy happens it will be logged/(or blocked) with mod-security.

This is not a 100% silver bullet solution. Apache http authentication is generally a bad idea, especially over an unencrypted session. In this example it is partially mitigated with mod_rewrite but at this time Apache does not natively support any modern authentication technologies with hooks for LDAP or any other authentication service. If you have the opportunity to prevent the need to do this then make it so.

The best way is to do it right the first time and write into your web application (or specify in the RFQ) the correct security measures.

9. Informative Resources

Breach Security "Mod Security home page". (Accessed April 2009)

The Apache Software foundation. "Apache webserver website". (accessed Jan 2010)

See also :
Asmodian X's Securing php web applications:

Ax0n's OAMP (Apache, Mysql, PHP on OpenBSD) Article:

Asmodian X's Name based hosting mini-howto:

Asmodian X's Workbench - Suhosin :

blog comments powered by Disqus