Configure Reverse Proxy with ssl support

OS: Debian 9.3 x64 netinstall
Date: 05-08-2019

Installing apache2 and other helpful things

apt-get update && apt-get install apache2 nano

Enable the mods required

# Enable each Apache module, then restart so they are loaded.
# Of these, the virtual hosts on this page only use directives from ssl,
# proxy, proxy_http, proxy_wstunnel and headers. The remaining modules can be
# left disabled if nothing else on the server needs them.
for mod in rewrite ssl proxy proxy_http proxy_ajp deflate headers \
  proxy_balancer proxy_connect proxy_html proxy_wstunnel; do
  a2enmod "$mod"
done
systemctl restart apache2

Setting up apache2 for proxy configs

mkdir /etc/apache2/proxys
nano /etc/apache2/apache2.conf

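Add the following line to the bottom of the apache2.conf file. It loads every file in /etc/apache2/proxys, so the per-site echo 'include ...' >> /etc/apache2/apache2.conf commands further down are redundant while this line is present; use one method or the other so each virtual host file is loaded only once.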

Include /etc/apache2/proxys/*

My Config Files

nano /etc/apache2/proxys/sesipod.info
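# Plain-HTTP listener: its only job is to redirect to HTTPS.
<VirtualHost *:80>
    ServerName sesipod.info
    Redirect permanent / https://sesipod.info/
</VirtualHost>

# HTTPS listener: terminates TLS and proxies everything to the backend.
<VirtualHost *:443>
    ServerName sesipod.info

    ## TLS towards the client ##
    SSLEngine on
    # These paths are inside acme.sh's working directory. acme.sh's
    # --install-cert option can copy the certificate and key to a stable
    # location and reload Apache after each renewal.
    SSLCertificateFile /root/.acme.sh/sesipod.info/fullchain.cer
    SSLCertificateKeyFile /root/.acme.sh/sesipod.info/sesipod.info.key
    # No step on this page creates this file; it has to exist before Apache is
    # restarted (for example: openssl dhparam -out <this path> 4096).
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
    SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder On
    SSLCompression off

    ## Headers ##
    SetEnvIf Host "^(.*)$" THE_HOST=$1
    # "set" instead of "setifempty": a value sent by the client must not
    # survive, because the backend treats these headers as coming from the proxy.
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Host %{THE_HOST}e
    # Removed: Header add X-Forwarded-For "%{REMOTE_ADDR}e".
    # "Header" edits the response sent back to the browser, not the request
    # sent to the backend. With ProxyAddHeaders On (below) mod_proxy already
    # adds X-Forwarded-For to the proxied request.
    <IfModule mod_headers.c>
        # includeSubDomains and preload apply to every host under this domain.
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
#
##PROXY##
    # The backend is reached over HTTPS. No SSLProxyVerify or
    # SSLProxyCACertificateFile is set here, so the backend certificate is
    # presumably not checked against a CA - confirm this is acceptable on
    # this network.
    SSLProxyEngine On
    ProxyAddHeaders On
    ProxyPass / https://10.8.0.151/
    ProxyPassReverse / https://10.8.0.151/
    ProxyPreserveHost On
    ProxyErrorOverride Off
##PROXY##
#
</VirtualHost>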
echo 'include /etc/apache2/proxys/sesipod.info' >> /etc/apache2/apache2.conf
nano /etc/apache2/proxys/cloud.sesipod.info
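# Plain-HTTP listener: its only job is to redirect to HTTPS.
<VirtualHost *:80>
    ServerName cloud.sesipod.info
    Redirect permanent / https://cloud.sesipod.info/
</VirtualHost>

# HTTPS listener: terminates TLS and proxies everything to the backend.
<VirtualHost *:443>
    ServerName cloud.sesipod.info

    ## TLS towards the client ##
    SSLEngine on
    SSLCertificateFile /root/.acme.sh/sesipod.info/fullchain.cer
    SSLCertificateKeyFile /root/.acme.sh/sesipod.info/sesipod.info.key
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
    SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder On
    SSLCompression off

    ## Headers ##
    SetEnvIf Host "^(.*)$" THE_HOST=$1
    # Overwrite rather than "setifempty", so a client-supplied value is never
    # passed on to the backend as if the proxy had written it.
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Host %{THE_HOST}e
    # Removed: Header add X-Forwarded-For "%{REMOTE_ADDR}e".
    # It modified the response to the browser; the backend never saw it.
    # mod_proxy adds X-Forwarded-For to the request because ProxyAddHeaders
    # is On below.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
#
##PROXY##
    # HTTPS to the backend. SSLProxyVerify is not set, so the backend
    # certificate is presumably not validated against a CA - confirm.
    SSLProxyEngine On
    ProxyAddHeaders On
    ProxyPass / https://10.8.0.152/
    ProxyPassReverse / https://10.8.0.152/
    ProxyPreserveHost On
    ProxyErrorOverride Off
##PROXY##
#
</VirtualHost>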
echo 'include /etc/apache2/proxys/cloud.sesipod.info' >> /etc/apache2/apache2.conf
nano /etc/apache2/proxys/office.sesipod.info
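# NOTE(review): User and Group are server-wide directives. Placed in this
# included file they apply to the whole Apache instance, not only to this
# site, and they replace the run-as account set earlier in apache2.conf.
# Confirm this is intended.
<IfModule unixd_module>
  User daemon
  Group daemon
</IfModule>

# The port-80 redirect is disabled for this host, and unlike the other sites
# this virtual host sends no Strict-Transport-Security header of its own.
#<VirtualHost *:80>
#        ServerName office.sesipod.info
#        Redirect permanent / https://office.sesipod.info/
#</VirtualHost>

# HTTPS listener: terminates TLS and proxies to the backend over plain
# HTTP and WebSocket.
<VirtualHost *:443>
    ServerName office.sesipod.info

    ## TLS towards the client ##
    SSLEngine on
    SSLCertificateFile /root/.acme.sh/sesipod.info/fullchain.cer
    SSLCertificateKeyFile /root/.acme.sh/sesipod.info/sesipod.info.key
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
    SSLProxyEngine On
    SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder On
    SSLCompression off

    ## Headers ##
    SetEnvIf Host "^(.*)$" THE_HOST=$1
    # Overwrite rather than "setifempty", so a client-supplied value is never
    # passed on to the backend as if the proxy had written it.
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Host %{THE_HOST}e
    # Was: Header add X-Forwarded-For "%{REMOTE_ADDR}e". "Header" edits the
    # response, so the backend never received it. ProxyAddHeaders is Off for
    # this site, so mod_proxy does not add the header either. RequestHeader
    # puts it on the proxied request, and "set" discards any value the client
    # sent. The expr= form needs Apache 2.4.10 or later.
    RequestHeader set X-Forwarded-For "expr=%{REMOTE_ADDR}"
################
    # The backend is reached over unencrypted http:// and ws://.
    ProxyPreserveHost On
    ProxyAddHeaders Off
    ProxyPassMatch (.*)(\/websocket)$ "ws://10.8.0.153/$1$2"
    ProxyPass / "http://10.8.0.153/"
    ProxyPassReverse / "http://10.8.0.153/"
</VirtualHost>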
echo 'include /etc/apache2/proxys/office.sesipod.info' >> /etc/apache2/apache2.conf
nano /etc/apache2/proxys/plex.sesipod.info
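# Plain-HTTP listener: its only job is to redirect to HTTPS.
<VirtualHost *:80>
    ServerName plex.sesipod.info
    Redirect permanent / https://plex.sesipod.info/
</VirtualHost>

# HTTPS listener: terminates TLS and proxies to the backend over plain HTTP.
<VirtualHost *:443>
    ServerName plex.sesipod.info
    SSLEngine on
    SSLCertificateFile /root/.acme.sh/sesipod.info/fullchain.cer
    SSLCertificateKeyFile /root/.acme.sh/sesipod.info/sesipod.info.key
   #SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
    SSLProxyEngine On
    SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder On
    SSLCompression off
#
################ Security not related to SSL CERTS ################
    SetEnvIf Host "^(.*)$" THE_HOST=$1
    # "set" instead of "setifempty": a header value supplied by the client is
    # overwritten, so the backend only ever sees what the proxy wrote.
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Host %{THE_HOST}e
    # Removed: Header add X-Forwarded-For "%{REMOTE_ADDR}e".
    # "Header" changes the response to the browser, not the proxied request.
    # mod_proxy adds X-Forwarded-For itself because ProxyAddHeaders is On below.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
################ Security not related to SSL CERTS #################
#
##PROXY##
    # The backend is reached over unencrypted http://.
    ProxyAddHeaders On
    ProxyPass / http://10.8.0.100:32400/
    ProxyPassReverse / http://10.8.0.100:32400/
    ProxyPreserveHost On
    ProxyErrorOverride Off
##PROXY##
#
</VirtualHost>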
echo 'include /etc/apache2/proxys/plex.sesipod.info' >> /etc/apache2/apache2.conf
nano /etc/apache2/proxys/plexstat.sesipod.info
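# Plain-HTTP listener: its only job is to redirect to HTTPS.
<VirtualHost *:80>
    ServerName plexstat.sesipod.info
    Redirect permanent / https://plexstat.sesipod.info/
</VirtualHost>

# HTTPS listener: terminates TLS and proxies to the backend over plain
# HTTP and WebSocket.
<VirtualHost *:443>
    ServerName plexstat.sesipod.info
    SSLEngine on
    SSLCertificateFile /root/.acme.sh/sesipod.info/fullchain.cer
    SSLCertificateKeyFile /root/.acme.sh/sesipod.info/sesipod.info.key
   #SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
    SSLProxyEngine On
    SSLCipherSuite DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder On
    SSLCompression off
#
################ Security not related to SSL CERTS ################
    SetEnvIf Host "^(.*)$" THE_HOST=$1
    # Always overwrite these headers: with "setifempty" a value sent by the
    # client would reach the backend unchanged.
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Host %{THE_HOST}e
    # Removed: Header add X-Forwarded-For "%{REMOTE_ADDR}e".
    # That directive acted on the response, so the backend never received it.
    # ProxyAddHeaders On below makes mod_proxy add X-Forwarded-For to the request.
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
    </IfModule>
################ Security not related to SSL CERTS #################
#
##PROXY##
    # The backend is reached over unencrypted http:// and ws://.
    ProxyAddHeaders On
    ProxyPassMatch (.*)(\/websocket)$ "ws://10.8.0.100/$1$2"
    ProxyPass / http://10.8.0.100/
    ProxyPassReverse / http://10.8.0.100/
    ProxyPreserveHost On
    ProxyErrorOverride Off
##PROXY##
#
</VirtualHost>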
echo 'include /etc/apache2/proxys/plexstat.sesipod.info' >> /etc/apache2/apache2.conf

EXTRAS

Getting the actual client IPs in the logs instead of the reverse proxy server's IP. (This must be done on the server that sits behind the reverse proxy, not on the reverse proxy server itself.)

Run the following command to enable mod_remoteip.

a2enmod remoteip

Edit the apache2 config and add the following at the bottom.

nano /etc/apache2/apache2.conf
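# No LoadModule line is needed: "a2enmod remoteip" above already loads the
# module on Debian.
RemoteIPHeader X-Forwarded-For
# Only accept the header from the reverse proxy. Without a proxy list,
# mod_remoteip accepts X-Forwarded-For from any connecting host, so the
# logged client address could be chosen by the client.
# 192.0.2.10 is a placeholder: replace it with the address the reverse proxy
# connects from.
RemoteIPInternalProxy 192.0.2.10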