Setting Up a Secure Proxy for Web and App Servers

In modern web infrastructures, ensuring secure communication between servers is crucial, especially when dealing with sensitive environments. In this guide, we’ll walk through setting up a secure, HTTPS-based reverse proxy between a web server and an app server, while also enabling SSH and SCP access to the app server via the web server.

Server Roles and Tools

• App Server: Hosts the application and has httpd (Apache) installed to handle HTTPS traffic. It also supports nginx for reverse proxy setups and provides SSH for administrative access.
• Web Server: Acts as a gateway for public users. It runs nginx for reverse proxy and supports httpd for additional configurations.

Flow Overview

The communication flow for this setup is as follows:

1. Public User [HTTPS] ➔ Accesses the web server.
2. Web Server [HTTPS] ➔ Proxies traffic securely to the app server.
3. App Server [HTTPS] ➔ Handles application requests.
4. App Server [SSH as localhost] ➔ Provides secure administrative access via the web server.

Step 1: Setting Up HTTPS on the App Server

1.1 Generate a Self-Signed SSL Certificate

If your app server doesn’t already have an SSL certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/app_server.key -out /etc/ssl/certs/app_server.crt

• Place the certificate and key in secure directories, such as /etc/ssl/.

1.2 Configure Apache (httpd) for HTTPS

Edit the Apache configuration file:

sudo nano /etc/httpd/conf.d/ssl.conf

Add or modify the following:

<VirtualHost *:443>
    ServerName app-server-ip
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/app_server.crt
    SSLCertificateKeyFile /etc/ssl/private/app_server.key

    <Directory /var/www/html>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Restart the httpd service:

sudo systemctl restart httpd

1.3 Configure Nginx (Optional)

If you prefer using nginx on the app server instead of Apache, configure it as follows:

server {
    listen 443 ssl;
    server_name app-server-ip;

    ssl_certificate /etc/ssl/certs/app_server.crt;
    ssl_certificate_key /etc/ssl/private/app_server.key;

    location / {
        proxy_pass http://localhost:your_application_port;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Restart the nginx service:

sudo systemctl restart nginx

1.4 Restrict Access to the App Server

Use a firewall to allow only the web server to access the app server’s HTTPS and SSH ports:

sudo ufw allow from web-server-ip to any port 443
sudo ufw allow from web-server-ip to any port 22
sudo ufw enable

Step 2: Configuring the Web Server as a Reverse Proxy

2.1 Install Nginx and Configure HTTPS

If not already installed:

sudo apt update
sudo apt install nginx

Generate or install an SSL certificate for the web server. For a self-signed certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/web_server.key -out /etc/ssl/certs/web_server.crt

2.2 Set Up the Reverse Proxy

Edit the Nginx configuration:

sudo nano /etc/nginx/sites-available/reverse_proxy

Add the following:

server {
    listen 443 ssl;
    server_name web-server-ip;

    ssl_certificate /etc/ssl/certs/web_server.crt;
    ssl_certificate_key /etc/ssl/private/web_server.key;

    location / {
        proxy_pass https://app-server-ip;
        proxy_ssl_verify off; # Optional if using self-signed certs
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Enable the configuration:

sudo ln -s /etc/nginx/sites-available/reverse_proxy /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx

Step 3: Enabling SSH Access to the App Server

Since direct SSH access to the app server isn’t exposed, use the web server as an intermediary.

3.1 Set Up an SSH Tunnel

On the app server, establish a reverse SSH tunnel to the web server:

ssh -R 2222:localhost:22 user@web-server-ip

• This command forwards port 2222 on the web server to port 22 on the app server.

3.2 Automate the Tunnel

To make the tunnel persistent, add the following to the app server’s SSH config (~/.ssh/config):

Host web-server
    HostName web-server-ip
    User user
    ServerAliveInterval 60
    RemoteForward 2222 localhost:22

3.3 Access the App Server via the Web Server

From a public machine, SSH into the app server through the web server:

ssh -p 2222 user@web-server-ip

3.4 Transfer Files to the App Server Using SCP

To securely copy files to the app server via the web server:

scp -P 2222 your_file user@web-server-ip:/path/on/app-server

Step 4: Accessing the App Server from Public Internet

To securely access your app server from the public internet, always connect to the web server first via HTTPS. The web server handles all public traffic and securely proxies the requests to the app server. For SSH and file transfer:

1. Establish a tunnel as described in Step 3.1.
2. Use the web server’s public-facing IP address and specified port to access the app server through SSH or SCP.

Security Best Practices

1. Restrict Access:

   • Use firewalls (ufw or iptables) to limit traffic between servers.
   • Allow only trusted IPs to access the web server’s HTTPS port.

2. Use Strong SSL/TLS Configurations:

   • Configure Nginx and Apache to use strong ciphers and protocols:

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
   

3. Enable Logging:

   • Monitor logs on both servers to detect suspicious activity.
     • Apache: /var/log/httpd/access_log
     • Nginx: /var/log/nginx/access.log

4. Regular Updates:

   • Keep your servers and software updated to patch security vulnerabilities.

5. SSH Security:

   • Use key-based authentication for SSH and disable password-based logins.
   • Add this to /etc/ssh/sshd_config:

    PermitRootLogin no
    PasswordAuthentication no
   

Conclusion

This configuration ensures secure, encrypted communication between public users, the web server, and the app server. By leveraging HTTPS and reverse proxies, alongside SSH tunneling for administrative tasks, you can maintain a robust and secure infrastructure for sensitive environments. This setup also provides seamless SSH and SCP access to the app server via the web server, ensuring both security and usability.