Configuring a secure front-end for a non-secure service
The goal is to enable https-only access for a pre-existing http service.
Let us assume that a service is running on http://myserver.com:8000/service. The goal is to make no changes to the pre-existing service and still allow https-only access to it.
One way to accomplish this is to put Apache in front of the service as a reverse proxy, using the ProxyPass and ProxyPassReverse directives (mod_proxy and mod_proxy_http must be loaded).
Add the following to httpd.conf:
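<VirtualHost myserver.com:443>
    # set the SSL options (SSLEngine, certificate and key)
    # Enable ProxyPass
    # SSLProxyEngine is only needed when the back end itself speaks https
    SSLProxyEngine On
    RewriteEngine On
    #ProxyPreserveHost On #Important to comment this
    # Keep trailing slashes consistent between the path and the back-end URL
    ProxyPass /service http://myserver.com:8000/service nocanon
    ProxyPassReverse /service http://myserver.com:8000/service
</VirtualHost>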
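The above exposes https://myserver.com/service and proxies each request internally to http://myserver.com:8000/service. The ProxyPass directive does that. ProxyPassReverse rewrites the Location headers of redirects sent by the back end, so that what is sent back to the browser is converted back to the https://myserver.com/service format. ProxyPreserveHost stays off so that the back end builds those redirects from its own host and port, which is the URL ProxyPassReverse is configured to match.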
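Now, https access should be working. But we still need to disable the http access. The rules below allow all access between internal services over the loopback interface (https to http in this case), but disable access to port 8000 from outside. The rules are appended with -A, so order matters: the loopback ACCEPT must come before the DROP, and any older rule in the INPUT chain that already accepts port 8000 would still win.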
sudo /sbin/iptables -A INPUT -p tcp -i lo -j ACCEPT
sudo /sbin/iptables -A INPUT -p tcp --dport 8000 -j DROP
Done!
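To check that the DROP rule really is the first rule a connection from outside reaches, the following added example (not part of the original post) evaluates iptables -S INPUT output for a new TCP connection to a given port. The function name first_verdict and both sample rule sets are constructed for illustration; only a few common match options are modelled, and anything else is reported as UNKNOWN.

```shell
# first_verdict PORT: read `iptables -S INPUT` output on stdin and print what the
# first decisive rule does to a new TCP connection to PORT arriving on a
# non-loopback interface: ACCEPT, DROP or UNKNOWN (a rule this sketch cannot model).
first_verdict() {
  awk -v port="$1" '
    $1 == "-P" { policy = $3; next }              # chain default policy
    $1 != "-A" { next }
    {
      hit = 1; sure = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if      ($i == "!")       { sure = 0; i += 2 }   # negated match: not modelled
        else if ($i == "-i")      { if ($(++i) == "lo") hit = 0; else sure = 0 }
        else if ($i == "-p")      { if ($(++i) != "tcp") hit = 0 }
        else if ($i == "-m")      { i++ }                # module name, options follow
        else if ($i == "--state" || $i == "--ctstate") { if ($(++i) !~ /NEW/) hit = 0 }
        else if ($i == "--dport") { n = split($(++i), r, ":"); if (n < 2) r[2] = r[1]
                                    if (port + 0 < r[1] + 0 || port + 0 > r[2] + 0) hit = 0 }
        else if ($i == "-j")      { target = $(i + 1); break }
        else                      { sure = 0 }           # any other match option
      }
      drop = (target == "DROP" || target == "REJECT")
      if (!hit || target == "LOG" || (drop && !sure)) next   # not decisive, keep going
      v = "UNKNOWN"
      if (sure && drop) v = "DROP"
      if (sure && target == "ACCEPT") v = "ACCEPT"
      print v; found = 1; exit
    }
    END { if (!found) print (policy == "ACCEPT" || policy == "DROP" ? policy : "UNKNOWN") }
  '
}
# Constructed sample: the two rules from this page appended to an empty chain.
sample_clean() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j DROP
EOF
}
# Constructed sample: the same two rules appended after an older, broader ACCEPT.
sample_shadowed() { cat <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 8000:8100 -j ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j DROP
EOF
}
echo "page rules on an empty chain:     $(sample_clean | first_verdict 8000)"
echo "same rules after an older ACCEPT: $(sample_shadowed | first_verdict 8000)"
```

On the server itself, pipe the live rule set through the function with sudo /sbin/iptables -S INPUT | first_verdict 8000 and expect DROP.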