IPCop reverse webproxy

Profile picture for user theyosh

Finally, IPCop with reverse webproxy. It is possible, but you have to recompile the IPCop system by hand and hack into the perl files of IPCOP. This takes some time.

1. So first make sure you are able to recompile IPCop as explained on http://ipcop.org/index.php?module=pnWikka&tag=IPCop1BuildingHowto .

2. After compilation, delete the log file apache so that when you rebuild your IPCop, only apache will be rebuild. Look for the example in the howto above.

3. Change the file lfs/apche in your unpacked source dir. You should add the line '--enable-module=proxy' after the option '--enable-module=ssl'. So that the configure command would look like:

# Apache
cd $(DIR_APP) && CFLAGS="$(CFLAGS)" \
EAPI_MM=$(DIR_SRC)/mm-1.4.2 ./configure \
--prefix=/home/httpd --exec-prefix=/usr \
--sysconfdir=/etc/httpd/conf --logfiledir=/var/log/httpd \
--includedir=/usr/include/apache --mandir=/usr/share/man \
--localstatedir=/var --runtimedir=/var/run \
--disable-rule=SHARED_CHAIN --disable-rule=SHARED_CORE \
--disable-rule=EXPAT --disable-rule=WANTHSREGEX \
--enable-rule=EAPI --enable-module=rewrite \
--disable-module=negotiation --disable-module=status \
--disable-module=include --disable-module=autoindex \
--disable-module=asis \
--disable-module=imap --disable-module=actions \
--disable-module=userdir \
--enable-module=ssl \
--enable-module=proxy

this will enable apache's reverse webproxy options and functions.

 

4. After compilation of apache, place the file 'build/usr/sbin/httpd' to your IPCop server on location: '/usr/sbin/httpd'. This would overwrite the old original httpd file.

5. Restart the apache server and check if your IPCop is still accessible with your webbrowser. This is part 1 of the modification.

6. Now we are going to edit some files. First touch '/etc/httpd/conf/webproxy.conf'. This will be the file where all DMZ machines will be redirected. Than you edit the file '/etc/httpd/conf/httpd.conf' and add the following line at the bottom:
'include /etc/httpd/conf/webproxy.conf' . This will make apache also load the webproxy.conf file when apache is restarted.
Make directory called '/home/httpd/dmz'. This will be the folder that contains a static file telling you are at a DMZ server.

7. Nou the last part, we have to hack the file 'host.cgi'. You can find it at: '/home/httpd/cgi-bin'. Open it for editing and add the following part of code at the end of the file:

sub BuildReverseWebProxyRules {

# Should be moved to somewhere in the settings files.....
my %ipaddresses;
&General::readhash("${General::swroot}/ethernet/settings", \%ipaddresses);
my $webProxyFile = "/etc/httpd/conf/webproxy.conf";
my $webDMZDomain = "<strong>dmz.company.com</strong>";
my $webDMZIP = $ipaddresses{'ORANGE_ADDRESS'};
if (open(FILE, ">$webProxyFile")) {
print FILE "# Reverse webproxy sites. First site is a 'Catch all' site\n";
print FILE "Listen $webDMZIP:80\n";
print FILE "NameVirtualHost $webDMZIP:80\n";
print FILE "\n";
print FILE "<VirtualHost $webDMZIP:80>\n";
print FILE " ServerName $webDMZDomain\n";
print FILE " ServerAlias *.$webDMZDomain\n";
print FILE " DocumentRoot /home/httpd/dmz\n";
print FILE "</VirtualHost>\n";
print FILE "\n";
foreach my $line (@current) {
chomp( $line);
my @temp = split(',',$line);
if ($temp[0] eq "on" && "$temp[2].$temp[3]" ne $webDMZDomain) {
print FILE "<VirtualHost $webDMZIP:80>\n";
print FILE " ServerName $temp[2].$temp[3]\n";
print FILE " ProxyPass / http://$temp[2].$temp[3]/\n";
print FILE " ProxyPassReverse / http://$temp[2].$temp[3]/\n";
print FILE "</VirtualHost>\n\n";
}
}
close (FILE);
}
system('killall httpd; sleep 3; /usr/sbin/httpd');

}

After you have added this function, you should change the lines in bold. Because these are server specific. They should be red out of a config file or something. That is for later.

 

8. Finally, you have to add a call to this function in the function 'BuildConfiguration'. So the function (sub) 'BuildConfiguration' will be:

sub BuildConfiguration {

system '/usr/local/bin/rebuildhosts';
&BuildReverseWebProxyRules;

}

9. Login into your ipcop with a browser. When you go to the section 'servers' -> 'edit hosts' you can add new hosts. All hosts that will be added here, will end up as a dmz server. So you add a new host, that host will be loaded as a reverse proxy host. Save the new host and you are ready.

10. Last step(s). Open youre IPCop on post 80 from outside. So go to 'Firewall' -> 'External Access'. Open there port 80 on TCP. This will allow webtraffic to you IPCop machine. Next go to 'Firewall' -> 'Port forwarding'. Here you have to forward you webtraffic to the DMZ ip. So that when someone from outside enters a dmz address, it will go to the apache server in DMZ. When a host exists, it will be redirected, if not you will see the index.htm file in the folder '/home/httpd/dmz'.

that's all folks.

TODO: Make a own section for DMZ in stead of (mis)using the hosts part. Read DMZ name from IPCop webinterface rather than setting it in the code.

Story type