Reverse Proxies and Load Balancers

Mike Solin edited this page Apr 22, 2023 · 5 revisions

A great option for running MunkiReport securely is to use a reverse proxy (sometimes also called a load balancer). This is especially useful if you're running MunkiReport in Docker - you can run the reverse proxy in Docker, too. Many reverse proxies will even handle obtaining and renewing a free TLS certificate from Let's Encrypt, allowing you to secure multiple services using the same certificate.

Here are a few options that are suggested by the community:

Reverse Proxy Configs

To help you get started, here are some reverse proxy configs specifically for MunkiReport:

SWAG

munkireport.subdomain.conf

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name munkireport.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app munkireport;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }


}

Apache

More complete information on using the native macOS Apache, including templates and setup/backup/restore scripts, is available from the Reverse Proxy Tutorial at:

https://www.precursor.ca/rais/#Tutorials

<VirtualHost *:80>
	ServerName munkireport.example.com
	ServerAdmin admin@example.com
	DocumentRoot "/Library/WebServer/munkireport.example.com"
	DirectoryIndex index.html index.php default.html
	ErrorLog "/private/var/log/apache2/munkireport.example.com-error_log"
	CustomLog "/private/var/log/apache2/munkireport.example.com-access_log" common
	<IfModule mod_headers.c>
		Header set Connection keep-alive
	</IfModule>
	<Directory "/Library/WebServer/munkireport.example.com">
		Options All -Indexes -ExecCGI -Includes +MultiViews
		AllowOverride None
		Require all granted
		<IfModule mod_dav.c>
			DAV Off
		</IfModule>
	</Directory>
	LogLevel warn
</VirtualHost>


<VirtualHost *:443>
	ServerName munkireport.example.com:443
	ServerAdmin admin@example.com
	DocumentRoot "/Library/WebServer/munkireport.example.com"
	DirectoryIndex index.html index.php default.html
	ErrorLog "/private/var/log/apache2/munkireport.example.com-error_log"
	CustomLog "/private/var/log/apache2/munkireport.example.com-access_log" common
	<IfModule mod_ssl.c>
		SSLEngine On
		SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
		SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
		SSLProtocol -all +TLSv1.2
		SSLProxyProtocol -all +TLSv1.2
		SSLCertificateFile "/private/etc/apache2/certificates/munkireport_example_com.crt"
		SSLCertificateKeyFile "/private/etc/apache2/certificates/munkireport_example_com.key"
		SSLCertificateChainFile "/private/etc/apache2/certificates/intermediate_cert_bundle.crt"
	</IfModule>
	<IfModule mod_headers.c>
		Header set Connection keep-alive
	</IfModule>
	<Directory "/Library/WebServer/munkireport.example.com">
		Options All -Indexes -ExecCGI -Includes +MultiViews
		AllowOverride None
		Require all granted
		<IfModule mod_dav.c>
			DAV Off
		</IfModule>
	</Directory>
	LogLevel warn
</VirtualHost>
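
The virtual hosts above serve a DocumentRoot and contain no proxy directives, and the port 80 host serves the same content without TLS. The following is an added example, not part of the original page or the linked tutorial, showing one way to redirect port 80 to HTTPS and forward requests to MunkiReport. The backend address http://127.0.0.1:8080 is an assumption, and mod_alias, mod_ssl, mod_proxy, mod_proxy_http and mod_headers must be loaded.

```apache
# Added example. Assumption: MunkiReport listens on http://127.0.0.1:8080
# (hypothetical backend address; adjust to your deployment).

# Port 80 serves no content; it only redirects clients to HTTPS.
<VirtualHost *:80>
	ServerName munkireport.example.com
	Redirect permanent / https://munkireport.example.com/
</VirtualHost>

<VirtualHost *:443>
	ServerName munkireport.example.com
	SSLEngine On
	SSLProtocol -all +TLSv1.2
	SSLCertificateFile "/private/etc/apache2/certificates/munkireport_example_com.crt"
	SSLCertificateKeyFile "/private/etc/apache2/certificates/munkireport_example_com.key"
	SSLCertificateChainFile "/private/etc/apache2/certificates/intermediate_cert_bundle.crt"

	# Act only as a reverse proxy, never as an open forward proxy.
	ProxyRequests Off
	# Pass the original Host header through to the backend.
	ProxyPreserveHost On
	# Tell the backend that the client connection used HTTPS.
	RequestHeader set X-Forwarded-Proto "https"
	ProxyPass        / http://127.0.0.1:8080/
	ProxyPassReverse / http://127.0.0.1:8080/

	# Keep browsers on HTTPS for a year after the first visit.
	Header always set Strict-Transport-Security "max-age=31536000"

	ErrorLog "/private/var/log/apache2/munkireport.example.com-error_log"
	CustomLog "/private/var/log/apache2/munkireport.example.com-access_log" common
	LogLevel warn
</VirtualHost>
```

Run `apachectl configtest` after editing to catch syntax errors before reloading.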

Caddy

Dan Kuehling posted a GitHub repo that includes a docker compose file that sets up MunkiReport, MySQL, and Caddy.
