XAMPP how to secure forward proxy for port 443

Question

I need some help with securing my test XAMPP server on ports 80 and 443. I am running Apache 2.4.7 on Windows 7 machine.

The setup is the following:

I am redirecting all traffic coming on my server IP, port 80 and 443 to a java application running on localhost:5000.

The code doing all this in httpd-vhosts.conf file is the following:

<VirtualHost *:80> 
  ServerName demo.website.com
  ServerAlias website.com

  <Location />
    ProxyPass http://localhost:5000/
    ProxyPassReverse http://localhost:5000/
  </Location>
</VirtualHost> 

<VirtualHost *:443>    
  ServerName demo.website.com
  ServerAlias website.com

  <Location />
    ProxyPass /api/socket ws://localhost:5000/api/socket
    ProxyPassReverse /api/socket ws://localhost:5000/api/socket
    ProxyPass http://localhost:5000/
    ProxyPassReverse http://localhost:5000/
  </Location>

  SSLEngine on
  SSLCertificateFile "conf/ssl.crt/cert1.crt"
  SSLCertificateKeyFile "conf/ssl.key/cert1.key"
</VirtualHost>

The above code works for port 80 but when I add it for port 443, apace cannot start. Note: I have enabled LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so.

EDIT1: The error I get in Apache is:

ProxyPass|ProxyPassMatch can not have a path when defined in a location

It seems the issue is with those two lines, when I remove them Apache starts just fine:

ProxyPass /api/socket ws://localhost:5000/api/socket
ProxyPassReverse /api/socket ws://localhost:5000/api/socket

EDIT2

I finally ended up doing this:

<VirtualHost *:443>    
      ServerName demo.website.com
      ServerAlias website.com

      <Location /api/socket>
        ProxyPass ws://localhost:5000/api/socket
        ProxyPassReverse ws://localhost:5000/api/socket
      </Location>

      <Location />
        ProxyPass http://localhost:5000/
        ProxyPassReverse http://localhost:5000/
      </Location>

      SSLEngine on
      SSLCertificateFile "conf/ssl.crt/cert1.crt"
      SSLCertificateKeyFile "conf/ssl.key/cert1.key"
    </VirtualHost>

Is this fine from security point of view?

Answer 1

<VirtualHost *:443>    
      ServerName demo.website.com
      ServerAlias website.com
      <Location /api/socket>
        ProxyPass ws://localhost:5000/api/socket
        ProxyPassReverse ws://localhost:5000/api/socket
      </Location>
      <Location />
        ProxyPass http://localhost:5000/
        ProxyPassReverse http://localhost:5000/
      </Location>
      SSLEngine on
      SSLCertificateFile "conf/ssl.crt/cert1.crt"
      SSLCertificateKeyFile "conf/ssl.key/cert1.key"
    </VirtualHost>

Is this fine from security point of view?

Technically that will work as expected/needed and that is not an immediate security problem (like running an open proxy server) .

For a more secure environment you might want to make some trade-offs and tune much more than just using the the default settings your Apache httpd package shipped with :

• regularly check for and install security updates and big fixes
• https://httpd.apache.org/docs/2.4/misc/security_tips.html is one of many starter guides on hardening your Apache httpd server
• tune your TLS settings.
  Test your server with https://www.ssllabs.com/ssltest/ follow their recommendations and those from https://cipherli.st/
• in particular for API's but also for more generic web sites/applications you might want to limit what http methods are allowed to only a subset of GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK.
• when you only need reverse proxy functionality, use something more lightweight instead of a complete web server such Apache.