This is a continuation of last time. Here is what I want to do for the time being.
This time: "Reverse proxy from Apache on GCP to the local Raspberry Pi's Apache". The goal here is to have Apache on GCP forward requests to the local Raspberry Pi that is connected to GCP over the VPN.
- [1] Obtain a domain using GCP and MyDNS
- [2] Set up SoftEther Server on GCP (connect from iPhone / Raspberry Pi)
- [3] Reverse proxy from Apache on GCP to local Raspberry Pi Apache
- [4] Make the Raspberry Pi a router
- [5] Create a Python script for Wake on LAN
Install what you need. Since the LINE Bot must support HTTPS, install Certbot as well.
sudo apt update
sudo apt-get install apache2
sudo apt install certbot # For HTTPS
That is all for the installation.
If you place a web page under /var/www/html it will be served (the default page `index.html` is already there). Open the TCP 443 and 40 ports in the same way as before.
Enter the domain or global IP address you obtained last time and check that Apache is running. (If "Forbidden" appears at this point, the port is probably not opened correctly.) http://yourdomain_or_ip
If the installation / port is opened correctly, the following screen will be displayed.
Next, make the following settings to minimize server information.
sudo vi /etc/apache2/conf-available/security.conf
/etc/apache2/conf-available/security.conf
ServerTokens Prod
ServerSignature Off
Use certbot to issue an SSL certificate. The --dry-run option performs a test run without actually issuing a certificate. You can run it without --dry-run right away, but you should test first just in case.
$ sudo certbot certonly --webroot -w /var/www/html -d {domain} --email {mail address} --agree-tos -n --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for {domain}
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- The dry run was successful.
If the dry run succeeds, run the production command (without --dry-run):
sudo certbot certonly --webroot -w /var/www/html -d {domain} --email {mail address} --agree-tos -n
If it completes without error, check that the certificate files were created:
sudo ls /etc/letsencrypt/live/{domain}/
# >> README cert.pem chain.pem fullchain.pem privkey.pem # -> OK
Enable the certificate and make the web page SSL.
cd /etc/apache2/sites-available/
sudo cp default-ssl.conf default-ssl.conf.bak #Backup just in case
sudo vi default-ssl.conf
Set the e-mail address and the path of the certificate created earlier.
/etc/apache2/sites-available/default-ssl.conf
# Around line 3
ServerAdmin {mail address (the address used above)}
# Around line 25
SSLEngine on
# Around lines 32 and 33
SSLCertificateFile /etc/letsencrypt/live/{domain}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{domain}/privkey.pem
# Around line 42
SSLCertificateChainFile /etc/letsencrypt/live/{domain}/chain.pem
I may have done this last time, but just in case.
Apply the SSL settings you edited earlier and restart the Apache server.
sudo service apache2 start
sudo systemctl reload apache2
sudo a2ensite default-ssl
sudo a2enmod ssl
sudo apachectl -t # >> Syntax OK
sudo systemctl restart apache2
sudo reboot
Now open https://yourdomain_or_ip (note the https) and if it looks like the following, SSL is enabled.
If left as is, the certificate will expire after a while (I forgot the exact period; please check it), so I will renew it regularly.
First, check with --dry-run whether the renewal works.
$ sudo certbot renew --dry-run
- - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/{domain}/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If this is output, it's OK.
Set up a crontab entry to renew every month.
sudo crontab -e # or crontab -u root -e
# renew ssl certification
0 0 1 * * certbot renew
Now that the switch to SSL is complete, port 80 is no longer needed, so either close the port or redirect it to HTTPS. I will skip closing the port and describe the redirect method.
Since there is a /etc/apache2/sites-available/hogehoge.conf file (probably the 000-default.conf file), write the following in it. It forces https by rewriting with a regular expression.
sudo vi /etc/apache2/sites-available/hogehoge.conf
/etc/apache2/sites-available/hogehoge.conf
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    ...
After editing, reload.
sudo a2enmod rewrite
sudo systemctl restart apache2
On the Raspberry Pi side, the installation and settings are basically the same as above, so I will omit them. However, certbot is not needed because SSL is not needed there!
After the installation is complete, start Apache and check it.
For testing purposes, change /var/www/html/index.html so it is easy to tell apart.
/var/www/html/index.html
This is vpn server for wake on lan!
Forwarding from GCP to the Raspberry Pi. Connect to GCP with SSH. First, enable the modules needed for the reverse proxy.
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
sudo systemctl restart apache2
Then add the following to the file edited earlier.
sudo vi /etc/apache2/sites-available/default-ssl.conf
/etc/apache2/sites-available/default-ssl.conf
ProxyPreserveHost On
ProxyPass / http://{raspi's local IP}:80/
ProxyPassReverse / http://{raspi's local IP}:80/
Restart.
sudo systemctl restart apache2
Confirm by opening https://{domain}. If the page looks as follows, it is OK.
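As an added check (example code, not part of the original post), the following Python script verifies the three things configured above: that the Server header is minimal (ServerTokens Prod), that port 80 answers with the 301 redirect produced by the RewriteRule, and how many days remain on the Let's Encrypt certificate that the monthly cron renews. Only live_check() touches the network; the host name is whatever you pass in, and the 30-day figure is certbot's default renewal threshold.

```python
# Added example, not from the original post: checks for the three things set up
# above (ServerTokens Prod, the HTTP->HTTPS RewriteRule, Let's Encrypt renewal).
# The pure functions run offline; live_check() needs network access.
import socket
import ssl
import time
import urllib.request
from urllib.error import HTTPError

RENEW_THRESHOLD_DAYS = 30  # certbot's default: 'certbot renew' acts below this

def days_until_expiry(not_after, now=None):
    """Whole days left, from the notAfter string of ssl.getpeercert(),
    e.g. 'Jun  1 12:00:00 2025 GMT'. `now` is epoch seconds (default: current)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def renewal_due(not_after, now=None):
    """True when the monthly cron run would actually renew this certificate."""
    return days_until_expiry(not_after, now) < RENEW_THRESHOLD_DAYS

def check_redirect(status, headers, host, path):
    """Port 80 must answer 301 with Location = same host and path over https,
    which is exactly what the RewriteRule in the :80 vhost produces."""
    return status == 301 and headers.get("Location") == f"https://{host}{path}"

def check_server_header(headers):
    """With ServerTokens Prod the Server header is exactly 'Apache'."""
    return headers.get("Server") == "Apache"

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow, so the 301 itself can be inspected

def live_check(host, path="/"):
    """Run every check against a real host and return the results as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(f"http://{host}{path}", timeout=10)
        status, headers = resp.status, dict(resp.headers)
    except HTTPError as err:  # an unfollowed 3xx surfaces as HTTPError
        status, headers = err.code, dict(err.headers)
    return {"days_left": days_until_expiry(not_after),
            "renewal_due": renewal_due(not_after),
            "redirect_ok": check_redirect(status, headers, host, path),
            "server_header_ok": check_server_header(headers)}
```

Run it as `live_check("{domain}")` from a host outside the VPN; a `days_left` that keeps shrinking past 30 means the cron job is not actually renewing.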
For the time being, it's long, so it ends here.