How to configure Apache as a reverse proxy to allow concurrent hosting of GCS and other WebApps on port 443
In order to function correctly, Globus Connect Server must be accessible over SSL on port 443.
If GCS must share a server with another application that also needs to be reachable on port 443, you can configure the Apache web server to act as a reverse proxy, which routes the non-Globus traffic to the appropriate port as specified in your vhost configuration:
- Configure your application to listen on a port other than 443 (e.g. 4443).
- Create a new Apache vhost definition.
  On systems where Apache is configured under /etc/apache2:
    $ echo "IncludeOptional sites-enabled/*.conf" | sudo tee -a /etc/apache2/apache2.conf
    $ sudo mkdir -p /etc/apache2/sites-{available,enabled}/
    $ sudo vim /etc/apache2/sites-available/reverse-proxy.conf
  On systems where Apache is configured under /etc/httpd:
    $ echo "IncludeOptional sites-enabled/*.conf" | sudo tee -a /etc/httpd/conf/httpd.conf
    $ sudo mkdir -p /etc/httpd/sites-{available,enabled}/
    $ sudo vim /etc/httpd/sites-available/reverse-proxy.conf
- Add a vhost entry similar to the one below to reverse-proxy.conf (be sure to update ServerName, ProxyPass, ProxyPassReverse, SSLCertificateFile and SSLCertificateKeyFile):
    # Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers to be loaded.
    <VirtualHost *:443>
        SSLEngine on
        ServerName ${vhostServerName}
        DocumentRoot /var/www/html/
        # Proxy to the application over TLS, passing the original Host header.
        SSLProxyEngine on
        ProxyPreserveHost On
        # The path "/" ends in a slash, so the backend URL must end in one too.
        ProxyPass / https://${proxyDestAndPort}/
        ProxyPassReverse / https://${proxyDestAndPort}/
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        LogLevel info
        SSLCertificateFile ${vhostSSLCert}
        SSLCertificateKeyFile ${vhostSSLKey}
    </VirtualHost>
- Enable and load the configuration by creating a symlink in the Apache 'sites-enabled' directory and restarting the Apache service.
  On systems where Apache is configured under /etc/apache2:
    $ sudo ln -s /etc/apache2/sites-available/reverse-proxy.conf /etc/apache2/sites-enabled/reverse-proxy.conf
    $ sudo systemctl restart apache2.service
  On systems where Apache is configured under /etc/httpd:
    $ sudo ln -s /etc/httpd/sites-available/reverse-proxy.conf /etc/httpd/sites-enabled/reverse-proxy.conf
    $ sudo systemctl restart httpd.service
After completing this process, the GCS Endpoint/Collections hosted on the node and the proxied application should both be accessible over port 443 on your Endpoint node.
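A check to run on reverse-proxy.conf before restarting Apache in the last step, as an added example that is not part of the Globus documentation: it flags leftover template placeholders, a ProxyPass/ProxyPassReverse mismatch, a backend still on port 443, and a missing or world-readable key file. The function names and finding labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Globus documentation: lint reverse-proxy.conf
# before restarting Apache. Prints one finding per line, returns 1 if any.

# Field N of the first line whose directive name is D: field FILE D N
field() { awk -v d="$2" -v n="$3" '$1 == d { print $n; exit }' "$1"; }

check_vhost() {
    conf=$1
    # Placeholders from the template must all be replaced; stop here if not.
    if grep -Eq '\$\{(vhostServerName|proxyDestAndPort|vhostSSLCert|vhostSSLKey)\}' "$conf"; then
        echo "placeholder-not-replaced"; return 1
    fi
    rc=0

    # ProxyPass and ProxyPassReverse must name the same backend URL.
    pass=$(field "$conf" ProxyPass 3)
    reverse=$(field "$conf" ProxyPassReverse 3)
    if [ "$pass" != "$reverse" ]; then echo "proxypass-reverse-mismatch"; rc=1; fi

    # Step 1 moved the application off 443, so the backend must not be 443
    # (an https:// URL with no explicit port also means 443).
    hostport=${pass#https://}; hostport=${hostport%%/*}
    case $hostport in
        *:*) port=${hostport##*:} ;;
        *)   port=443 ;;
    esac
    if [ "$port" = 443 ]; then echo "backend-port-443"; rc=1; fi

    # Certificate and key must exist; the key must not be world-readable.
    cert=$(field "$conf" SSLCertificateFile 2)
    key=$(field "$conf" SSLCertificateKeyFile 2)
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "cert-or-key-missing"; rc=1
    elif [ -n "$(find -L "$key" -perm -004)" ]; then
        echo "key-world-readable"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh lint.sh /etc/apache2/sites-available/reverse-proxy.conf
if [ "$#" -gt 0 ]; then check_vhost "$1"; fi
```

No output and exit status 0 mean the file passed these checks; Apache's own syntax check still applies on restart.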