Running GRR UI behind Apache

Running apache as a reverse proxy in front of the GRR admin UI is a good way to provide SSL protection for the UI traffic and also integrate with corporate single sign on (if available), for authentication.

To set this up:

  • Buy an SSL certificate, or generate a self-signed one if you’re only testing.
  • Place the public key into “/etc/ssl/certs/“ and ensure it’s world readable
chmod 644 /etc/ssl/certs/grr_ssl_certificate_filename.crt
  • Place the private key into “/etc/ssl/private” and ensure it is NOT world readable
chmod 400 /etc/ssl/private/grr_ssl_certificate_filename.key
  • Install apache2 and required modules
apt-get install apache2
a2enmod proxy
a2enmod ssl
a2enmod proxy_http
  • Disable any default apache files currently enabled (probably 000-default.conf, but check for others that may interfere with GRR)
a2dissite 000-default
  • Redirect port 80 HTTP to 443 HTTPS
  • Create the file “/etc/apache2/sites-available/redirect.conf” and copy the text below into it.
    <VirtualHost *:80>
        Redirect "/" "https://<your grr adminUI url here>"
    </VirtualHost>
  • Create the file “/etc/apache2/sites-available/grr_reverse_proxy.conf” and copy the text below into it.
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/ssl/certs/grr_ssl_certificate_filename.crt
SSLCertificateKeyFile /etc/ssl/private/grr_ssl_certificate_filename.key
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>
  • Enable the new apache files
a2ensite redirect.conf
a2ensite grr_reverse_proxy.conf
  • Restart apache
service apache2 restart

NOTE: This reverse proxy will only proxy the AdminUI. It will have no impact on the agent communications on port 8080. It is advised to restrict access to the AdminUI at the network level.