The Network Manager at Westminster School presents solutions to sticky problems...

Monday 19 September 2011

IPv6 Reverse Proxy using Apache on Windows

Moving to IPv6 poses certain problems, the biggest of which is application compatibility. Of course, as one would expect, Microsoft is on the bandwagon for IPv6. Unexpectedly, their web proxying product, Forefront TMG, does not play happily with IPv6. Maybe Microsoft are expecting us to put all our web servers out there straight on to the IPv6 web, bolts and all. We have all our web servers safely in our intranet, and use a single firewall/reverse proxy application to serve pages to the outside from multiple sources inside without the need to expose those servers, or multi-home them.

So what is out there that can do the job? Thankfully, Apache comes to the rescue. Apache makes proxying fairly simple, if you like text configuration files. After tinkering with it for a little bit, you'll see why I say that. Unfortunately, the IPv6 troll strikes again. In the standard Apache binaries compiled for Windows, IPv6 is not built into the listening stack. But that is not the end of the world, because you can compile Apache yourself with Visual Studio's command line tools. I used Visual Studio 2010 Professional in my attempt.

So, this document details how to build your own Apache binaries, with IPv6 listeners enabled:

To start off with, you will need the locations of perl.exe and awk.exe to be in your PATH variable. Check out where to get these from the Compiling Apache for Windows page.

Download the latest source versions. You are going to need the source code for Apache, OpenSSL and zlib. Create a working directory for the Apache source code and extract it there. You will find amongst the directory structure a directory called srclib. In this directory, create a sub-directory called openssl. Extract the OpenSSL source there. In the srclib directory, create another folder called zlib. Extract the zlib source in there.

Build the components in the following order: zlib, then OpenSSL, then Apache.

Building zlib: Open srclib\zlib\win32\makefile.msc. Add 'inffast.obj' to the OBJS= line and save the file. From your Visual Studio command prompt, navigate to srclib\zlib. Build using the following two commands:
nmake -f win32\Makefile.msc
nmake -f win32\Makefile.msc test
If this is successful, you will see a series of tests in which a file is created, compressed and decompressed.

Building OpenSSL: From your Visual Studio command prompt, navigate to srclib\openssl. Run the following commands:
perl Configure VC-WIN32 enable-camellia no-idea no-rc5
ms\do_ms.bat
nmake -f ms\ntdll.mak
Finally, create an empty file named store.h and place it in srclib\openssl\inc32\openssl.

Building Apache: Open the file srclib\apr\include\apr.hw. Find the line:
#define APR_HAVE_IPV6    0
Change the 0 to a 1. From your Visual Studio command prompt, navigate to the root of your Apache source code. Compile with the following commands:
nmake /f Makefile.win _apacher
nmake /f Makefile.win installr INSTDIR=D:\Apache2
(For D:\Apache2, put in a blank directory of your choice. Once compiled, this will contain the complete programme file structure for Apache.)

Now move the whole installation to your destination server. We used Server 2008 R2. Place it into the Program Files directory of your choice. Once it is in place, run httpd.exe -k install to install the application as a service.

Now a little cheat. I had previously downloaded the MSI installation files off the Apache website and had been fiddling around with that until I discovered that they had compiled it without IPv6 support. If you want to get up and running quickly, run the installer and answer all the questions. Your conf file is then set up to run for your server. I then deleted the contents of the program files directory and inserted my compiled version, keeping the original working configuration.

So to add an IPv6 listener to Apache, open the main httpd.conf file and add, for example (the address must be in square brackets, followed by the port):
Listen [2xxx:xxxx:xxxx:xxxx::xxxx]:80
Listen [2xxx:xxxx:xxxx:xxxx::xxxx]:443
Make sure your SSL certificates are all in place, by un-commenting the Include line for httpd-ssl.conf (in httpd.conf) and changing the settings accordingly. Thankfully, the Apache configuration files are well commented and setup is not rocket science.

Un-comment the Include line for httpd-vhosts.conf (in httpd.conf) and add your own site in its place. Here are two examples:

Permanent redirection to https:

<VirtualHost [2xxx:xxxx:xxxx:xxxx::xxxx]:80>
 ServerAdmin admin@s.org.uk
 ServerName host.s.org.uk
 ServerAlias *.s.org.uk
 ErrorLog "logs/host.s.org.uk-error.log"
 CustomLog "logs/host.s.org.uk-access.log" common

 # Off = reverse proxy only; On would turn this host into a forward proxy
 ProxyRequests Off

 <Proxy http://host.s.org.uk/*>
  Order deny,allow
  Allow from all
 </Proxy>

 Redirect permanent / https://host.s.org.uk/
</VirtualHost>
Proxying an http site over https:

<VirtualHost [2xxx:xxxx:xxxx:xxxx::xxxx]:443>
 SSLEngine on
 # The Apache 2.2-era example suite; note that it still permits LOW, EXP, SSLv2 and eNULL ciphers
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cert.pem"
 SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\cert.key"

 ServerAdmin admin@s.org.uk
 ServerName host.s.org.uk
 ServerAlias *.s.org.uk

 ErrorLog "logs/ssl.host.s.org.uk-error.log"
 CustomLog "logs/ssl.host.s.org.uk-access.log" common

 # Off = reverse proxy only; On would turn this host into a forward proxy
 ProxyRequests Off

 <Proxy http://host.s.org.uk/*>
  Order deny,allow
  Allow from all
 </Proxy>

 # Forward requests to the internal http server and rewrite its redirects back to the public name
 ProxyPass / http://host.s.org.uk/
 ProxyPassReverse / http://host.s.org.uk/
 ProxyPreserveHost Off
</VirtualHost>

There are a few configuration gotchas in Apache to watch out for:
SSLPassPhraseDialog: No doubt you will want to run https on this. Unfortunately, the default setting (builtin) does not work on Windows, so you have to point this setting to an application. I pointed it to notepad. Since I had removed the need to enter a pass phrase, it never gets called.

SSLSessionCache: This setting requires a path not broken by spaces. If you have placed your installation in Program Files, this setting does not work. To get round it, create a shortcut in the root of the drive that points to your Apache directory. Then use that shortcut in the setting (e.g. shmcb:c:\Apache\etc...).
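The Listen syntax, the ProxyRequests Off lines in the two virtual hosts, and the two gotchas above are all easy to get wrong in a hand-edited httpd.conf. Here is a small checker for exactly those four points, added as an example and not part of the original post; the sample configuration fragment it runs over is constructed for illustration and is not the school's real config.

```python
import re

# Constructed sample fragment of an httpd.conf, deliberately showing each of the
# four mistakes the post warns about (not a real configuration).
SAMPLE_CONF = """\
Listen 2001:db8::1:80
Listen [2001:db8::1]:443
ProxyRequests On
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:C:/Program Files/Apache2/logs/ssl_scache(512000)"
"""

# An IPv6 Listen argument must be [address]:port
IPV6_LISTEN = re.compile(r'^\[[0-9A-Fa-f:.]+\]:\d+$')


def check_httpd_conf(text):
    """Return a list of (directive, problem) tuples for a config fragment."""
    findings = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()          # Apache directives are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ''
        if directive == 'listen':
            # More than one colon means an IPv6 address; it must be bracketed
            if arg.count(':') > 1 and not IPV6_LISTEN.match(arg):
                findings.append(('Listen', 'IPv6 address must be written [addr]:port: ' + arg))
        elif directive == 'proxyrequests' and arg.lower() == 'on':
            # On makes httpd a forward proxy; a reverse proxy with open <Proxy> sections wants Off
            findings.append(('ProxyRequests', 'On makes this a forward proxy; use Off for reverse proxying'))
        elif directive == 'sslpassphrasedialog' and arg.lower() == 'builtin':
            # The post reports builtin does not work on Windows; use exec:<program> instead
            findings.append(('SSLPassPhraseDialog', 'builtin does not work on Windows; point it at a program'))
        elif directive == 'sslsessioncache':
            # Argument is type:path(...); the path part must not contain spaces
            path = arg.strip('"').split(':', 1)[-1]
            if ' ' in path:
                findings.append(('SSLSessionCache', 'path contains a space: ' + path))
    return findings


if __name__ == '__main__':
    for directive, problem in check_httpd_conf(SAMPLE_CONF):
        print(directive + ': ' + problem)
```

Run it against the real httpd.conf and httpd-ssl.conf (read the files and pass their text) before restarting the service; an empty result means none of the four problems is present.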

Maybe Microsoft and other vendors will get their IPv6 act together before people start realising that the products they paid for are not up to scratch, and before freeware products like Apache start stealing their thunder...