Overview
A few members of VG2 have configured Apache to run as a reverse proxy in front of our gateway. This allows us to expose the gateway to the Internet in a secure manner.
Configure Tahoe-LAFS
To configure a reverse proxy in front of your gateway, you will need Apache and the following Apache modules: mod_auth_digest, mod_proxy, mod_proxy_http and mod_authn_file. The following steps are common among all distributions:
Configure the Tahoe web server to only listen on 127.0.0.1. This example assumes the gateway is listening on port 3456.
tahoe.cfg: web.port=tcp:3456:interface=127.0.0.1
Configure Apache to listen on port 3456.
Listen 10.1.1.10:3456
Configure a virtual host in Apache to act as a reverse proxy. For more information, see the distribution specific notes below.
Create the digest password file referenced in the AuthUserFile directive of the virtual host file. This can be done with the htdigest2 or htdigest utility that ships with Apache. In the future, the digest password file will be shared via the grid so that all gateways use the same password file.
Creating the tahoe_digest_passwd file
The tahoe_digest_passwd file controls access to the proxy. It holds one line per user in the form user:realm:MD5(user:realm:password); the password itself is never stored, only that MD5 value. The configurations shown below use the vg2 realm, so every entry must be created for that realm.
Using htdigest/htdigest2 to create tahoe_digest_passwd file
The file can be created with the htdigest or htdigest2 utility (depending on your operating system).
Allowing users to create entries for tahoe_digest_passwd file
Another way to create the tahoe_digest_passwd file is to have each user generate their own entry and send it to you, using the following commands:
# realm must match the AuthName in the Apache configuration ("vg2")
name=my_name; realm=vg2; password=my_password
echo "$name:$realm:$(printf '%s' "$name:$realm:$password" | md5sum | cut -d' ' -f1)"
This will output a line that looks like:
my_name:vg2:1497e1d30301c0e10cc59d740c15b26c
That line can be included in the tahoe_digest_passwd file.
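As an added illustration (not code from this page, from Tahoe-LAFS or from Apache), the following Python shows what a tahoe_digest_passwd entry contains and why it is enough for the server: the file stores only HA1 = MD5(user:realm:password), and on each request mod_auth_digest recomputes the expected response from that stored value plus the nonce, client nonce and request method/URI (RFC 2617, qop=auth). It also shows the two failure modes that matter when users generate their own entries: a wrong password, and an entry made for a realm other than the AuthName "vg2". User name, password, nonces and the request path are constructed values.

```python
import hashlib
import secrets


def md5_hex(data: str) -> str:
    """Hex MD5 of a string; the hash HTTP Digest authentication (RFC 2617) is built on."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_entry(user: str, realm: str, password: str) -> str:
    """One tahoe_digest_passwd line in the format htdigest writes:
    user:realm:MD5(user:realm:password). The third field is HA1."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    return f"{user}:{realm}:{ha1}"


def load_ha1(passwd_text: str, user: str, realm: str):
    """Look up the stored HA1 for user/realm in the file contents.
    Lines without exactly three fields are ignored; a realm mismatch
    (entry generated for a realm other than AuthName) yields None."""
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 3:
            continue
        u, r, ha1 = parts
        if u == user and r == realm and len(ha1) == 32:
            return ha1.lower()
    return None


def client_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """The 'response' field the browser sends in its Authorization header.
    Only the client side ever handles the cleartext password."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(passwd_text, user, realm, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: rebuild the expected response from the stored HA1 and the
    request parameters, then compare in constant time."""
    ha1 = load_ha1(passwd_text, user, realm)
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return secrets.compare_digest(expected, response.lower())


def demo() -> dict:
    """Round trip with a constructed entry; nonce and cnonce are constructed here."""
    passwd = digest_entry("my_name", "vg2", "my_password") + "\n"
    nonce, cnonce, nc = secrets.token_hex(16), secrets.token_hex(8), "00000001"
    good = client_response("my_name", "vg2", "my_password", "GET", "/", nonce, nc, cnonce)
    bad = client_response("my_name", "vg2", "wrong_password", "GET", "/", nonce, nc, cnonce)
    return {
        "correct_password": server_verify(passwd, "my_name", "vg2", "GET", "/", nonce, nc, cnonce, good),
        "wrong_password": server_verify(passwd, "my_name", "vg2", "GET", "/", nonce, nc, cnonce, bad),
        # An entry made for another realm can never satisfy AuthName "vg2".
        "wrong_realm": server_verify(passwd, "my_name", "other", "GET", "/", nonce, nc, cnonce, good),
    }


if __name__ == "__main__":
    print(digest_entry("my_name", "vg2", "my_password"))
    print(demo())
```

Because the server needs HA1 in the clear to do this recomputation, the tahoe_digest_passwd file is as sensitive as a password file: anyone who reads it can authenticate to any proxy using the same realm, which is worth keeping in mind before the file is shared via the grid.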
Apache2 Proxy Configuration
SuSE
/etc/apache2/listen.conf
Listen 10.1.1.10:3456
/etc/apache2/vhost.d/tahoe.conf
NameVirtualHost *:3456
<VirtualHost *:3456>
#ServerAdmin webmaster@xyz.com
ServerName gateway.xyz.com
ProxyRequests Off
ProxyPass / http://127.0.0.1:3456/
ProxyPassReverse / http://127.0.0.1:3456/
<Location "/">
AuthType Digest
AuthName "vg2"
AuthDigestDomain "/"
AuthDigestProvider file
AuthUserFile /etc/apache2/tahoe_digest_passwd
Require valid-user
</Location>
</VirtualHost>
Ubuntu (10.04 server)
For Ubuntu, you will need to enable mod_proxy with /usr/sbin/a2enmod proxy_http. If you use the RewriteRule for favicon.ico, you should also enable mod_rewrite (a2enmod rewrite).
I configured the proxy in a pre-existing domain in /etc/apache2/sites-enabled. If you do not have a pre-existing domain that you want to use, you'll need to create and enable the domain or sub-domain.
(Listen is enabled in the domain configuration file instead of in /etc/apache2/listen.conf as with SUSE Linux.)
/etc/apache2/sites-enabled/filename
NameVirtualHost *:2345
Listen 184.106.205.58:2345
<VirtualHost *:2345>
ServerAdmin user@domain.com
ServerName domain.com
ProxyRequests Off
ProxyPass / http://127.0.0.1:2345/
ProxyPassReverse / http://127.0.0.1:2345/
RewriteEngine On
RewriteRule /favicon.ico http://bigpig.org/twiki/pub/Main/DraftLogo/favicon.ico [R,L]
<Location "/">
Allow from all
AuthType Digest
AuthName "vg2"
AuthDigestDomain "/"
AuthDigestProvider file
AuthUserFile /home/path/tahoe_digest_passwd
Require valid-user
</Location>
</VirtualHost>
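Both virtual hosts above rely on the same few directives for their security: ProxyRequests Off (so Apache is not usable as a forward proxy), ProxyPass pointing at the loopback gateway only, and a Location that requires Digest authentication against the vg2 realm. The following added Python lint (not code from this page or from Apache) checks a vhost file for exactly those points; SAMPLE_VHOST is constructed from the Ubuntu configuration above, and the path-to-loopback rule is a generalisation of what both configurations do, applied to every ProxyPass line rather than just the one shown.

```python
import re
from typing import Dict, List

# Constructed sample: the Ubuntu vhost from this page.
SAMPLE_VHOST = """\
NameVirtualHost *:2345
Listen 184.106.205.58:2345
<VirtualHost *:2345>
  ServerAdmin user@domain.com
  ServerName domain.com
  ProxyRequests Off
  ProxyPass / http://127.0.0.1:2345/
  ProxyPassReverse / http://127.0.0.1:2345/
  <Location "/">
    Allow from all
    AuthType Digest
    AuthName "vg2"
    AuthDigestDomain "/"
    AuthDigestProvider file
    AuthUserFile /home/path/tahoe_digest_passwd
    Require valid-user
  </Location>
</VirtualHost>
"""

# Hosts that keep the gateway reachable only from the proxy machine itself.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}


def directives(text: str) -> Dict[str, List[str]]:
    """Collect directive name -> list of argument strings, skipping comments
    and the <VirtualHost>/<Location> container tags themselves."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, args = line.partition(" ")
        found.setdefault(name, []).append(args.strip())
    return found


def lint_vhost(text: str, expected_realm: str = "vg2") -> List[str]:
    """Return a list of findings; an empty list means the vhost has the
    protections this page depends on."""
    d = directives(text)
    findings: List[str] = []

    if d.get("ProxyRequests", [""])[0].lower() != "off":
        findings.append("ProxyRequests is not explicitly Off (forward proxying would be allowed)")

    for args in d.get("ProxyPass", []):
        parts = args.split()
        if len(parts) < 2:
            findings.append(f"ProxyPass without a target: {args!r}")
            continue
        m = re.match(r"https?://(\[[^\]]+\]|[^/:]+)", parts[1])
        host = m.group(1) if m else ""
        if host not in LOOPBACK_HOSTS:
            findings.append(f"ProxyPass {parts[0]} forwards to {parts[1]!r}, not to the loopback gateway")
    if "ProxyPass" in d and "ProxyPassReverse" not in d:
        findings.append("ProxyPassReverse missing: redirects from the gateway would leak the backend address")

    if d.get("AuthType", [""])[0].lower() != "digest":
        findings.append("AuthType Digest is missing")
    realm = d.get("AuthName", [""])[0].strip('"')
    if realm != expected_realm:
        findings.append(f"AuthName {realm!r} does not match the digest file realm {expected_realm!r}")
    if d.get("AuthDigestProvider", [""])[0].lower() != "file" or "AuthUserFile" not in d:
        findings.append("AuthDigestProvider file / AuthUserFile not configured")
    if "valid-user" not in d.get("Require", []):
        findings.append("Require valid-user is missing: the Location is not actually protected")
    return findings


if __name__ == "__main__":
    for finding in lint_vhost(SAMPLE_VHOST) or ["no findings"]:
        print(finding)
```

Run it against a vhost file copied from /etc/apache2 before reloading Apache; a realm mismatch in particular is silent in Apache's own syntax check (apache2ctl configtest) but makes every login fail.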
--
ChristophLangguth - 2011-12-11