This article was written for version 6.3.1 of op5 Monitor, it could work on both lower and higher version if nothing else is stated.
Articles in the Community-Space are not supported by op5 Support.
In this how-to we will configure the Apache HTTP server as a reverse proxy and cover some basics steps for tightening security.
Exposing a op5 Monitor system directly to the Internet or other untrusted networks is not recommended. We encourage you to use a VPN solution or similar to restrict access.
Basic Linux/UNIX knowledge
- Root-privileges on a server with network access to port 443 on the host running Monitor
Installation and configuration
We will start off by installing the Apache HTTP server and it's SSL module:
Create and edit /etc/httpd/conf.d/monitor-api-proxy.conf with your text editor of choice. The content of this file should look something like this:
Replace "monitorhost" with the host name or IP-address of your Monitor server.
Restart the Apache HTTP server:
You should now have a working reverse proxy. You can test the setup with a web browser or with curl from your local system:
Replace "reverseproxy" with the host name or IP-address of your reverse proxying server.
- Restrict access to the reverse proxy server with a firewall or similar
- Use certificates signed by a trusted certificate authority on both the reverse proxy host and the Monitor host
- Limit the reverse proxy to /api/status and /api/filter to only expose "read-only" information
- Configure your reverse proxy to verify the certificate of the Monitor server
- Install and configure the web application firewall mod_security to block brute-force login attempts