Setting Up Apache2 as a Reverse Proxy for the Mutexer Agent
This guide walks you through setting up Apache as a reverse proxy on Ubuntu.
Prerequisites
- Debian-based operating system with root access (Ubuntu, Debian, Raspbian)
- Apache2 installed (sudo apt install apache2)
- The Mutexer agent running and accessible on a local port (e.g. http://127.0.0.1:8523)
Step 1: Enable Required Apache Modules
sudo a2enmod proxy proxy_http ssl rewrite headers proxy_wstunnel
Step 2 (Optional): Generate a Self-Signed SSL Certificate
If you do not already have an SSL certificate, you can generate a self-signed certificate for internal use:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout /etc/ssl/private/mutexer.key \
-out /etc/ssl/certs/mutexer.crt \
-subj "/CN=mutexer.internal.local"
Replace mutexer.internal.local with your internal hostname.
The parameters used are as follows:
| Parameter | Description |
|---|---|
| -x509 | Generates a self-signed certificate rather than a certificate signing request (CSR). |
| -nodes | Does not encrypt the private key with a passphrase. This allows Apache to start without prompting for a password. |
| -days 3650 | Sets the certificate validity period to 3650 days (approximately 10 years). |
| -newkey rsa:2048 | Generates a new 2048-bit RSA private key alongside the certificate. |
| -keyout | Path where the generated private key will be written. |
| -out | Path where the generated certificate will be written. |
| -subj "/CN=..." | Sets the Common Name (CN) on the certificate to match the hostname. This should match the ServerName used in the Apache virtual host configuration. |
Note: Self-signed certificates will produce browser warnings unless the certificate is distributed and trusted on client machines.
Step 3: Create the HTTPS Virtual Host
Create a new configuration file:
sudo nano /etc/apache2/sites-available/mutexer-ssl.conf
Add the following configuration:
<VirtualHost *:443>
ServerName mutexer.internal.local
SSLEngine on
SSLCertificateFile /etc/ssl/certs/mutexer.crt
SSLCertificateKeyFile /etc/ssl/private/mutexer.key
# Enforce TLS 1.3 only
SSLProtocol -all +TLSv1.3
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8523/
ProxyPassReverse / http://127.0.0.1:8523/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
The SSLProtocol -all +TLSv1.3 directive disables all older SSL/TLS protocol versions (including TLS 1.0, 1.1, and 1.2) and only permits TLS 1.3 connections. TLS 1.3 provides stronger security, reduced handshake latency, and removes support for legacy cipher suites that are considered weak. If you need to support older clients that do not support TLS 1.3, you can allow TLS 1.2 as a fallback by using SSLProtocol -all +TLSv1.2 +TLSv1.3 instead.
Replace:
- mutexer.internal.local with your internal hostname
- 8523 with the port the Mutexer agent is running on
- 127.0.0.1 with the IP address of the machine running the Mutexer agent, if the proxy is hosted on a different machine
- The certificate and key paths if using a different certificate
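The SSLProtocol policy described above can be checked against a vhost file before the site is enabled, since a syntax check alone does not say which protocol versions end up allowed. This is an added example, not part of the original guide or the Mutexer project; the function names are hypothetical, and it assumes one virtual host per file and models "all" as SSLv3 through TLS 1.3.

```shell
#!/bin/sh
# Added example: evaluate a vhost file's SSLProtocol directive offline.
# Assumptions: one vhost per file; "all" means every version in the known list;
# "+X" adds, "-X" removes, a bare "X" replaces the set; the last directive wins.

effective_protocols() {   # hypothetical helper name
    awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", known, " ") }
    tolower($1) == "sslprotocol" {
        for (i = 1; i <= n; i++) on[known[i]] = 0
        for (f = 2; f <= NF; f++) {
            tok = $f; act = ""
            if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
            for (i = 1; i <= n; i++) {
                hit = (tolower(tok) == "all" || tolower(tok) == tolower(known[i]))
                if (act == "-")      { if (hit) on[known[i]] = 0 }
                else if (act == "+") { if (hit) on[known[i]] = 1 }
                else                 { on[known[i]] = hit }
            }
        }
    }
    END {
        out = ""
        for (i = 1; i <= n; i++)
            if (on[known[i]]) out = out (out == "" ? "" : " ") known[i]
        print out
    }' "$1"
}

# Exit status 0 only if at least one version is enabled and none is older than TLS 1.2.
check_tls_policy() {      # hypothetical helper name
    protos=$(effective_protocols "$1")
    [ -n "$protos" ] || { echo "FAIL: no protocol enabled by SSLProtocol in $1"; return 2; }
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL: legacy protocol enabled: $p"; return 1 ;;
        esac
    done
    echo "OK: $protos"
}

# Constructed sample input: the directive from this guide, then a weaker variant.
tmp=$(mktemp)
printf '%s\n' '<VirtualHost *:443>' '    SSLProtocol -all +TLSv1.3' '</VirtualHost>' > "$tmp"
check_tls_policy "$tmp"
printf '%s\n' '<VirtualHost *:443>' '    SSLProtocol all -SSLv3' '</VirtualHost>' > "$tmp"
check_tls_policy "$tmp" || true
rm -f "$tmp"
```

To audit the file created in this step, call check_tls_policy /etc/apache2/sites-available/mutexer-ssl.conf.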
Step 4: Create the HTTP-to-HTTPS Redirect
Create a second configuration file:
sudo nano /etc/apache2/sites-available/mutexer.conf
Add the following:
<VirtualHost *:80>
ServerName mutexer.internal.local
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
INFO
Mutexer agents prior to 1.0.18 exposed the Mutexer OS on the hard-coded port 80. Agents running version 1.0.18 or later expose the Mutexer OS on port 8523 by default. If you are running version 1.0.17 or earlier, you must stop Apache from listening on port 80, which is typically configured in /etc/apache2/ports.conf.
Step 5: Enable the Sites and Restart Apache
sudo a2ensite mutexer.conf mutexer-ssl.conf
sudo a2dissite 000-default.conf default-ssl.conf
sudo apache2ctl configtest
sudo systemctl restart apache2
Ensure configtest returns Syntax OK before restarting.
