Add reverse proxy apache instructions (2600hz#6237)

shnoppel · Jan 7, 2020 · ad31e22 · ad31e22
1 parent 9c70683
commit ad31e22
Showing 1 changed file with 38 additions and 1 deletion.
diff --git a/applications/crossbar/doc/securing_crossbar.md b/applications/crossbar/doc/securing_crossbar.md
@@ -1,4 +1,4 @@
-### Setup SSL support for Crossbar
+# Setup SSL support for Crossbar
 
 Note: all commands are run from `$KAZOO/applications/crossbar/priv/ssl/`.
 
@@ -156,3 +156,40 @@ CApath: /etc/ssl/certs
 * Closing connection #0
 * SSLv3, TLS alert, Client hello (1):
 ```
+
+# Reverse Proxies
+
+Apache, nginx, HAProxy, and others can be used for SSL/TLS termination instead of Crossbar itself.
+
+Ideally on a separate server (or two), these can be setup to load balance across multiple instances of Crossbar in your cluster.
+
+## Apache
+
+In `httpd.conf` add `Listen 8443` (or whatever port you want clients to connect on with TLS).
+
+Add this virtual host:
+
+```
+<VirtualHost *:8443>
+    ServerName api.your.domain.com:8443
+    ProxyPreserveHost On
+
+    SSLEngine on
+    SSLCertificateKeyFile "/etc/path/to/privkey.pem"
+    SSLCertificateFile "/etc/path/to/cert.pem"
+
+    # Servers to proxy the connection, or;
+    # List of application servers:
+    # Usage:
+    # ProxyPass / http://[IP Addr.]:[port]/
+    # ProxyPassReverse / http://[IP Addr.]:[port]/
+    # Example:
+    ProxyPass / http://crossbar.server:8000/
+    ProxyPassReverse / http://crossbar.server:8000/
+</VirtualHost>
+```
+
+Save the virtual host and restart httpd/apache2.
+
+!!! note
+    This is just a basic example. Other configurations are likely more efficient and better suited to a production environment.