Apache HTTP Server Configuration
Setting up Apache HTTP Server as a reverse proxy for HPC Dashboard with Let's Encrypt
Under Development:
This section is currently being developed and may be expanded in future updates.
Overview
This guide will walk you through setting up Apache HTTP Server (httpd) as a reverse proxy for your HPC Dashboard, enabling HTTPS with Let's Encrypt, and optimizing performance.
Installing Apache HTTP Server
For Debian/Ubuntu:
sudo apt update
sudo apt install apache2
For CentOS/RHEL:
sudo dnf install httpd
Required Apache Modules
Enable the necessary modules for reverse proxying and TLS:
# For Debian/Ubuntu
sudo a2enmod ssl
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel
sudo a2enmod rewrite
sudo a2enmod headers
# For CentOS/RHEL
# Modules are typically loaded in /etc/httpd/conf.modules.d/
After enabling modules, restart Apache:
# For Debian/Ubuntu
sudo systemctl restart apache2
# For CentOS/RHEL
sudo systemctl restart httpd
Basic Apache Configuration
Here's a basic Apache configuration to serve as a reverse proxy for your Node.js-based HPC Dashboard:
<VirtualHost *:80>
ServerName servername.com
ServerAdmin admin@servername.com
# Redirect all HTTP requests to HTTPS
Redirect permanent / https://servername.com/
# Logging
ErrorLog ${APACHE_LOG_DIR}/servername.com-error.log
CustomLog ${APACHE_LOG_DIR}/servername.com-access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName servername.com
ServerAdmin admin@servername.com
DocumentRoot /var/www/html
# SSL Configuration
SSLEngine on
# fullchain.pem contains the certificate plus the intermediate chain;
# SSLCertificateChainFile is obsolete since Apache 2.4.8
SSLCertificateFile /etc/letsencrypt/live/servername.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/servername.com/privkey.pem
# Recommended SSL settings
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
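# SSLSessionCache is only valid in the global server config, not inside
# <VirtualHost>; set it there (for example in the mod_ssl config file):
#   SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)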
SSLSessionTickets Off
# HSTS (optional but recommended)
Header always set Strict-Transport-Security "max-age=63072000"
# Proxy settings for Node.js application
ProxyRequests Off
ProxyPreserveHost On
# Full also adds the Apache version to the Via header; use On to omit the version
ProxyVia Full
<Proxy *>
Require all granted
</Proxy>
# Proxy for WebSocket connections
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:3000/$1 [P,L]
# Proxy for regular HTTP connections
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
# Logging
ErrorLog ${APACHE_LOG_DIR}/servername.com-error.log
CustomLog ${APACHE_LOG_DIR}/servername.com-access.log combined
</VirtualHost>
Save this configuration to /etc/apache2/sites-available/hpc-dashboard.conf (Debian/Ubuntu) or /etc/httpd/conf.d/hpc-dashboard.conf (CentOS/RHEL).
For Debian/Ubuntu, enable the site:
sudo a2ensite hpc-dashboard.conf
sudo apache2ctl configtest
sudo systemctl reload apache2
For CentOS/RHEL, just restart the service:
sudo apachectl configtest
sudo systemctl restart httpd
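As an added example (not part of the original guide or of Apache itself), this script statically checks a vhost file for the security-relevant settings used above: ProxyRequests, the effective SSLProtocol set, HSTS on the TLS vhost, and loopback-only proxy targets. The function name audit_vhost, the finding labels and the sample config (including the address 10.0.0.5) are constructed for illustration.

```shell
#!/bin/sh
# audit_vhost FILE: print one finding per line, nothing if every check passes.
# audit_vhost is a hypothetical helper written for this guide, not an Apache tool.
audit_vhost() {
  awk '
    { $1 = $1; low = tolower($0) " " }          # collapse whitespace, fold case
    low == " " || low ~ /^#/ { next }
    low ~ /^<virtualhost /  { tls = 0; hsts = 0; next }
    low ~ /^sslengine on /  { tls = 1 }
    low ~ /^header .*strict-transport-security/ { hsts = 1 }
    low ~ /^<\/virtualhost>/ {
      if (tls && !hsts) print "no-hsts: TLS vhost sets no Strict-Transport-Security"
      tls = 0; next
    }
    low ~ /^proxyrequests on / { print "open-proxy: ProxyRequests On enables forward proxying" }
    low ~ /^sslprotocol / {
      split("", on)                             # protocols left enabled by this line
      for (i = 2; i <= NF; i++) {
        t = tolower($i); s = substr(t, 1, 1)
        if (s == "+" || s == "-") t = substr(t, 2)
        else { s = "+"; split("", on) }         # a bare token replaces the set
        if (t == "all") t = "sslv3 tlsv1 tlsv1.1 tlsv1.2 tlsv1.3"
        n = split(t, p, " ")
        for (k = 1; k <= n; k++) { if (s == "-") delete on[p[k]]; else on[p[k]] = 1 }
      }
      if (("sslv3" in on) || ("tlsv1" in on) || ("tlsv1.1" in on)) print "legacy-tls: " $0
    }
    # Proxied target (ProxyPass, or RewriteRule with the P flag) that is
    # plain http:// or ws:// and not loopback: traffic leaves the host unencrypted.
    (low ~ /^proxypass / || (low ~ /^rewriterule / && tolower($NF) ~ /[^a-z]p[^a-z]/)) &&
    low ~ /(http|ws):\/\// && low !~ /(http|ws):\/\/(localhost|127\.0\.0\.1)(:|\/| )/ {
      print "cleartext-backend: " $0
    }
  ' "$1"
}

# Constructed sample: a weakened variant of the 443 vhost from this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:443>
  SSLEngine on
  SSLProtocol all -SSLv3
  ProxyRequests On
  RewriteRule /(.*) ws://10.0.0.5:3000/$1 [P,L]
  ProxyPass / http://localhost:3000/
</VirtualHost>
EOF
audit_vhost "$sample"    # prints four findings
rm -f "$sample"
```

Run it against the site file before `configtest`; it complements the syntax check, which accepts all of the weak settings above.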
Setting Up Let's Encrypt with Certbot for Apache
Let's Encrypt provides free, automated SSL/TLS certificates for your web server.
Installation
For Debian/Ubuntu:
sudo apt update
sudo apt install certbot python3-certbot-apache
For CentOS/RHEL:
sudo dnf install epel-release
sudo dnf install certbot python3-certbot-apache
Obtaining Certificates
The easiest way is to let Certbot automatically configure Apache:
sudo certbot --apache -d servername.com -d www.servername.com
This command will:
- Obtain certificates for the specified domains
- Automatically update your Apache configuration
- Set up auto-renewal
Manual Certificate Issuance
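If you prefer to configure Apache manually, use the webroot method. Because the configuration above redirects HTTP to HTTPS and proxies every HTTPS path to the backend, /.well-known/acme-challenge/ has to be excluded from ProxyPass and served from /var/www/html for validation to succeed: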
sudo certbot certonly --webroot -w /var/www/html -d servername.com -d www.servername.com
Or use standalone mode (your web server must be stopped temporarily, because Certbot binds port 80 itself):
sudo certbot certonly --standalone -d servername.com -d www.servername.com
Certificate Renewal
Let's Encrypt certificates are valid for 90 days. Certbot installs a systemd timer or cron job that automatically renews certificates before they expire.
To manually test the renewal process:
sudo certbot renew --dry-run
Certificate Locations
Certificates are stored in:
- /etc/letsencrypt/live/servername.com/fullchain.pem (certificate + chain)
- /etc/letsencrypt/live/servername.com/privkey.pem (private key)
- /etc/letsencrypt/live/servername.com/cert.pem (certificate only)
- /etc/letsencrypt/live/servername.com/chain.pem (chain only)
Troubleshooting
Common Issues:
- 503 Service Unavailable: Check if your Node.js application is running
curl -v http://localhost:3000
- 403 Forbidden: Check Apache permissions
sudo chmod 755 /var/www/html
- SSL Certificate not working: Verify certificate paths
sudo ls -la /etc/letsencrypt/live/servername.com/
- WebSocket connection failing: Ensure the rewrite rules are properly configured
sudo a2enmod rewrite
sudo a2enmod proxy_wstunnel
Apache Logs
Check logs for detailed error information:
# For Debian/Ubuntu
sudo tail -f /var/log/apache2/error.log
sudo tail -f /var/log/apache2/access.log
# For CentOS/RHEL
sudo tail -f /var/log/httpd/error_log
sudo tail -f /var/log/httpd/access_log
Production Readiness:
Before deploying to production, test your TLS/SSL configuration with a tool like SSL Labs: https://www.ssllabs.com/ssltest/
Firewall Configuration
Make sure ports 80 and 443 are open:
# For UFW (Ubuntu)
sudo ufw allow 'Apache Full'
# For firewalld (CentOS/RHEL)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
SELinux Configuration (CentOS/RHEL)
If you're running SELinux, you need to allow Apache to proxy connections:
sudo setsebool -P httpd_can_network_connect 1