Reverse Proxy - Apache & Nginx

Apache Reverse Proxy

# Make sure mod_ssl, mod_rewrite, mod_headers, mod_proxy,
# mod_proxy_http and mod_proxy_balancer are enabled
# Advanced Apache reverse proxy - Rails
# Oh so cleverly adapted from this https://gist.github.com/MrZYX/719014 

<VirtualHost *:80>
    ServerName www.example11.com
    RedirectPermanent / https://www.example11.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example11.com
    DocumentRoot /path/to/example11/public

    RewriteEngine On

    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteRule ^/(.*)$ balancer://upstream%{REQUEST_URI} [P,QSA,L]

    <Proxy balancer://upstream>
        BalancerMember http://127.0.0.1:3000
    </Proxy>

    ProxyRequests Off
    ProxyVia On
    ProxyPreserveHost On
    RequestHeader set X_FORWARDED_PROTO https

    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>

    <Directory /path/to/example11/public>
        Allow from all
        AllowOverride all
        Options -MultiViews
    </Directory>

    SSLEngine On
    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/private_key
    # maybe not needed, need for example for startssl to point to a local
    # copy of http://www.startssl.com/certs/sub.class1.server.ca.pem
    SSLCertificateChainFile /path/to/chain_file
</VirtualHost>

Nginx Reverse Proxy

# Nginx Passenger reverse proxy
# This is not a complete Nginx configuration! It only shows the relevant parts for integrating Example11.
# [...]
 
http {
 
  # Your standard server configuration goes here
 
  # [...]
 
  # This vhost just redirects to HTTPS
 
  server {
    # If your host is not IPv6 ready use listen 80; here.
    # Add ipv6only=off to your listen directive that has default_server.
    # Or this one if this is your only vhost. Do not add it to both!
    listen [::]:80;
    
 
    server_name www.example11.com www.www.example11.com;
    rewrite ^/(.*) https://www.example11.com/$1 permanent;
 
  }
 
  server {
    listen [::]:443 ssl spdy;  # Same rules as for listen [::]:80 apply.
 
    server_name www.www.example11.com;
    rewrite ^/(.*) https://www.example11.com/$1 permanent;
 
    # SSL setup
 
    # This file should also include any necessary intermediate certificates
    # For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;
 
    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global
 
    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /path/to/dhparam.pem;
 
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
  }
 
  # Actual proxy
 
  server {
    listen [::]:443 ssl spdy; # Same rules as for listen [::]:80 apply.
    server_name www.example11.com;
    root /path/to/example11/public;
 
    # Configure maximum picture size
    # Note that Example11 has a client side check set at 4M
    client_max_body_size 5M;
 
    # SSL setup
 
    # This file should also include any necessary intermediate certificates
    # For example for StartSSL that would be http://www.startssl.com/certs/sub.class1.server.ca.pem
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private_key.key;
 
    # Taken from https://wiki.mozilla.org/Security/Server_Side_TLS
    # You might want to make these global
 
    # generate with openssl dhparam 2048 > /path/to/dhparam.pem
    ssl_dhparam /path/to/dhparam.pem;
 
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
    ssl_session_timeout 5m;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
 
    # Proxy if requested file not found
    try_files $uri @example11;
 
    location @example11 {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header Host $http_host;
      proxy_redirect off;
 
      proxy_pass http://example11_server;
    }
  }
 
  # Proxy destination
  # Add as many server directives as you want
  # Also takes a socket, like unix:/path/to/some/socket.sock
  upstream example11_server {
    server 127.0.0.1:3000;
  }
}
 
# [...]