HTTPD is configure as following:
#redirectder edit Location "(^http[s]?://)([^/]+)" "" port 80 to secure
<VirtualHost *:80>
ServerName mitestui02.sn.test.net
#ServerAlias server server2.domain.com server2
ServerAdmin support.p240#test.com
ErrorLog /var/log/test/iiq/appserver/apache-error.log
CustomLog /var/log/test/iiq/appserver/apache-access.log common
Redirect /identityiq/ https://mitestui02.sn.test.net/identityiq/
Redirect / https://mitestui02.sn.test.net/identityiq/
</VirtualHost>
#redirect to port 8080 on localhost
<VirtualHost *:443>
ServerName mitestui02.sn.test.net
# ServerAlias mitestui02 mitestui02.sn.test.net
ServerAdmin support.p240#test.com
SSLProxyEngine On
SSLEngine On
#allow only tls
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...
SSLCertificateFile /etc/opt/test/iiq/appserver/secure/ssl/web-iiq.crt
SSLCertificateKeyFile /etc/opt/test/iiq/appserver/secure/ssl/apache-iiq.key
Redirect /identityiq/ https://mitestui02.sn.test.net/
Redirect / https://mitestui02.sn.test.net/identityiq/
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /identityiq/ http://localhost:8080/identityiq/
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
<If "%{THE_REQUEST} =~ m#.jsf/?[?\s]#">
Header add X-UI-Source "mitestui02"
Header add X-UA-Compatible "IE=edge"
Header add Referrer-Policy "strict-origin-when-cross-origin"
Header add Feature-Policy "microphone 'none'; geolocation 'none'; usb 'none'; payment 'none'; document-domain 'none'; camera 'none'; display-capture 'none'; ambient-light-sensor 'none'"
Header add Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
Header add Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header add Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'"
Header add X-Content-Type-Options "nosniff"
Header always edit Set-Cookie (.*) "$1; Secure; SameSite=Strict"
Header onsuccess edit Set-Cookie (.*) "$1; Secure; SameSite=Strict"
</If>
</VirtualHost>
When I connect to the front-end URL, https://mitest.sn.test.net/ I get redirected with a response code 302 and Location header pointing to https://mitestui02.sn.test.net/identityiq/ instead of https://mitest.sn.test.net/identityiq/ .
This doesn't happen when connecting to https://mitest.sn.test.net/identity/ directly.
I have tried with different ProxyPass and ProxyPassReverse directives and also rewriting the Location header, nothing seems to help.
Thanks
So the issue seemed to be related to the Redirect directives.
We removed them and added the following for 443:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} ^http$
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301,NE]
# Redirect / to /identiyiq
RedirectMatch ^/$ /identityiq
We removed them and added the following for 80:
Redirect permanent / https://mitestui02.sn.test.net/
Now it is working as expected.
Related
I have installed SSL Certificates on my website and on the example.com everything works fine, meaning that typing example.com redirects correctly to https://example.com. However, I have installed a certificate for a subdomain as well such that the link becomes: subdomain.example.com.
My goal is to have subdomain.example.com redirect to https://subdomain.example.com . This might sound weird but this semi-works meaning that when I first surf to subdomain.example.com it uses the http protocol but when I refresh that same page it switches to https protocol.
This is my VirtualHost conf file (port 80):
<VirtualHost *:80>
ServerName subdomain.example.com
ServerSignature Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Location />
Require all granted
ProxyPassReverse http://127.0.0.1:8181
ProxyPassReverse http://example.com/
</Location>
RewriteEngine on
#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
RewriteCond %{SERVER_NAME} =subdomain.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
#RewriteCond %{SERVER_PORT} !443
#RewriteRule ^(/(.*))?$ https://%{HTTP_HOST}/ [R=301,L]
</VirtualHost>
I have removed to non related lines from this sample above. Here is the 443 conf file:
< IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>
ServerName subdomain.example.com
ServerSignature Off
< IfModule mod_ssl.c>
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
<VirtualHost *:443>
ServerName subdomain.example.com
ServerSignature Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Location />
Require all granted
#Allow forwarding to gitlab-workhorse
ProxyPassReverse http://127.0.0.1:8181
ProxyPassReverse http://domain/
</Location>
RewriteEngine on
#Forward all requests to gitlab-workhorse except existing files like error documents
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
# needed for downloading attachments
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/subexample.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
Header always set Strict-Transport-Security "max-age=31536000"
SSLUseStapling on
Header always set Content-Security-Policy upgrade-insecure-requests
</VirtualHost>
</IfModule>
Worth noting is that I am using certbot.
Hopefully someone can help me.
You say "My goal is to have subdomain.example.com redirect to https://subdomain.example.com".
Then why have all that proxy configuration in your :80 VirtualHost? Simply force the redirection to :443, and let :443 handle the proxy (and other).
So your VirtualHost would become:
<VirtualHost *:80>
ServerName subdomain.example.com
CustomLog logs/subdomain_80_access.log combined
ErrorLog logs/subdomain_80_error.log
RewriteEngine On
RedirectMatch ^/(.*)$ https://subdomain.example.com/$1
</VirtualHost>
I use the official Gitlab Apache 2.4 template for my gitlab installation. When accessing git.example.com the first time, I get a timeout. After visiting https://git.example.com the redirect works even when accessing git.example.com whats going wrong there?
here is the template:
<VirtualHost *:80>
ServerName git.example.com
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
SSLCertificateFile /etc/httpd/ssl.crt/YOUR_SERVER_FQDN.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/YOUR_SERVER_FQDN.key
SSLCACertificateFile /etc/httpd/ssl.crt/your-ca.crt
ServerName YOUR_SERVER_FQDN
ServerSignature Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Location />
Require all granted
ProxyPassReverse http://127.0.0.1:8181
ProxyPassReverse http://git.example.com/
</Location>
RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_URI} ^/uploads/.*
RewriteRule .* http://127.0.0.1:8181%{REQUEST_URI} [P,QSA,NE]
RequestHeader set X_FORWARDED_PROTO 'https'
RequestHeader set X-Forwarded-Ssl on
DocumentRoot /opt/gitlab/embedded/service/gitlab-rails/public
</VirtualHost>
I am using docker which has an apache container and a lamp container. Lamp container contains the application code and Apache container has virtual host config info which is as follows.
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost on
ProxyPass / http://172.18.0.25/
ProxyPassReverse / http://172.18.0.25/
SSLProxyEngine on
SSLEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/STAR_example_com.crt
SSLCertificateKeyFile /etc/ssl/certs/example_wildcard_private.key
SSLCertificateChainFile /etc/ssl/certs/STAR_example_com.ca-bundle
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</VirtualHost>
Issue: When i am making a request to https://example.com then in response the apache container is returning response from http://example.com instead of https://example.com.
How to achieve this?
Lamp is receiving an http request from Apache, so you have to tell Lamp that the initial request, from the client, was through https.
Try adding this in the https virtual host definition:
RequestHeader set X-Forwarded-Proto "https"
With this header, Lamp should understand that the client did the request through https, so it will answer from https as well.
So, your virtual host definition should look like:
<VirtualHost *:80>
ServerName example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost on
ProxyPass / http://172.18.0.25/
ProxyPassReverse / http://172.18.0.25/
SSLProxyEngine on
SSLEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/STAR_example_com.crt
SSLCertificateKeyFile /etc/ssl/certs/example_wildcard_private.key
SSLCertificateChainFile /etc/ssl/certs/STAR_example_com.ca-bundle
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
On the client side, I am trying to establish the wss connection:
var ws = new WebSocket("wss://wsserver.com/test")
and it returns an error:
WebSocket connection to 'wss://wsserver.com/test' failed: Error during WebSocket handshake: Unexpected response code: 400
The full headers are:
Request Headers
GET wss://wsserver.com/test HTTP/1.1
Host: wsserver.com
Connection: Upgrade
Pragma: no-cache
Cache-Control: no-cache
Upgrade: websocket
Origin: https://website.net
Sec-WebSocket-Version: 13
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Sec-WebSocket-Key: Tj9AJ5TKglNf5LoHsQTpvQ==
Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://website.net
Connection:close
Content-Length:18
Content-Type:text/plain; charset=utf-8
Date:Fri, 21 Apr 2017 21:03:45 GMT
Server:Apache/2.4.18 (Ubuntu)
Vary:Origin
X-Content-Type-Options:nosniff
The server side is running on go at port 8888 behind an Apache reverse proxy. This is the Apache configuration:
<VirtualHost *:443>
ServerName website.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass "/" "wss://localhost:8888/"
mod_proxy and mod_proxy_wstunnel are installed.
Is there something missing here? It seems like the request goes through but no connection is established.
I ended up solving this problem by using this configuration for the virtual host, which filters requests using the HTTP headers:
<VirtualHost *:443>
ServerName website.com
RewriteEngine On
# When Upgrade:websocket header is present, redirect to ws
# Using NC flag (case-insensitive) as some browsers will pass Websocket
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/ws/(.*) wss://localhost:8888/ws/$1 [P,L]
# All other requests go to http
ProxyPass "/" "http://localhost:8888/"
I'm leaving this as a reference in case it helps others
In order to place a secure reverse proxy server in front of an insecure websocket server, you could do this:
<VirtualHost *:443>
SSLEngine on
SSLProxyEngine on
SSLProtocol -all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:aNULL:eNULL:EXPORT:DES:RC4:!MD5:!PSK:!SRP:!CAMELLIA
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key
SSLCertificateChainFile /path/to/chain
ServerName website.com
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:8888/$1 [P,L]
</VirtualHost>
This will take a request inbound for wss://website.com:443, and reverse proxy it to ws://localhost:8888.
If the websocket server is also secure, you can simply change
ws://localhost:8888 to
wss://website.com:8888
This is my setup of virtualhost that worked for me, I have .netcore app on docker with SignalR as a websocket service.
On 5000 my .netcore app is running, and on /chatHub my signalR listens.
Will be helpful for future comers with same problem.
<IfModule mod_ssl.c>
<VirtualHost *:443>
RewriteEngine On
ProxyPreserveHost On
ProxyRequests Off
# allow for upgrading to websockets
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:5000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:5000/$1 [P,L]
ProxyPass "/" "http://localhost:5000/"
ProxyPassReverse "/" "http://localhost:5000/"
ProxyPass "/chatHub" "ws://localhost:5000/chatHub"
ProxyPassReverse "/chatHub" "ws://localhost:5000/chatHub"
ServerName site.com
SSLCertificateFile /etc/letsencrypt/live/site.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/site.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Source: http://shyammakwana.me/server/websockets-with-apache-reverse-proxy-with-ssl.html
# pimgeek's Comment:
I think instead of
RewriteRule ^/nodered/comms wss://localhost:1880/nodered/comms [P,L]
you could have utilized $1 as follow:
RewriteRule ^/nodered/comms$ wss://localhost:1880/$1 [P,L]
Also, this should work aswell:
RewriteRule ^/nodered/comms$ wss://localhost:1880$1 [P,L]
Notice the not needed / after the port, since $1 includes already a / at the beginning
In my case, I needed to activate "SSLProxyEngine on" to make the whole thing works...
I ended up with this 2 lines solution on Debian / Apache 2.4 (used port is 4321)
SSLProxyEngine on
ProxyPass /wss wss://127.0.0.1:4321/
this is what I currently have for apache and works, but how can I add that http is redirected to https for plex?
<VirtualHost *:80>
ServerName plex.mydomain.com
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:32400/
ProxyPassReverse / http://localhost:32400/
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
this is how it works for other subdomains, but this doesn't work for plex:
<VirtualHost *:80>
ServerName somesub.mydomain.com
RewriteEngine on
RewriteCond %{HTTP_HOST} ^somesub.mydomain.com
RewriteRule (.*) https://%{SERVER_NAME} [R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName somesub.mydomain.com
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:5555/
ProxyPassReverse / http://localhost:5555/
</VirtualHost>
This is what i'm using now and works (Ubuntu 17.04, Apache2.4)
<VirtualHost *:80>
ServerName my.sub.domain.com
Redirect permanent / https://my.sub.domain.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName my.sub.domain.com
ServerAlias ""
Options -Includes -ExecCGI
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
LimitRequestBody 512000
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/my.sub.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my.sub.domain.com/privkey.pem
SSLProtocol +TLSv1.2
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
FileETag None
TraceEnable off
#Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
Header set X-XSS-Protection "1; mode=block"
Timeout 60
<Location /:/websockets/notifications>
ProxyPass wss://localhost:32400/:/websockets/notifications
ProxyPassReverse wss://localhost:32400/:/websockets/notifications
</Location>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
ProxyPreserveHost On
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ProxyPass / http://localhost:32400/
ProxyPassReverse / http://localhost:32400/
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
</IfModule>
You'll need to change localhost (probably not) and my.sub.domain.com to your own values and generate the ssl certificates before restarting the apache service (I used LetsEncrypt)
This vhost configuration is something I've adapted from numerous posts (some from here, some from the plex forum). It may not be complete or optimized, but it does work
For more details/alternatives, visit https://forums.plex.tv/
Alex's answer is good, but all you need in order to redirect traffic from 80 to 443 are these lines of code added into your plex.conf file:
<VirtualHost *:80>
ServerName plex.mydomain.com
DocumentRoot /var/www/html
ServerAdmin admin#plex.mydomain.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =plex.mydomain.com
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
For reference, here is my plex apache2 conf file:
EDIT: Update as of 4/17/2019.
You will need to be using Apache2 >= 2.4.11 to use this and several mods (proxy, ssl, proxy_wstunnel, http, dir, env, headers, proxy_balancer, proxy_http, rewrite I think is all of them):
<IfModule mod_ssl.c>
DEFINE plex_url 192.168.1.22
DEFINE plex_port 32400
DEFINE serv_name plex.domain.com
ServerTokens Prod
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
ModPagespeed Off
<VirtualHost *:80>
ServerName ${serv_name}
DocumentRoot /var/www/html
ServerAdmin aw#hell.no
RewriteEngine On
RewriteCond %{SERVER_NAME} =${serv_name}
RewriteCond %{HTTPS} Off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName ${serv_name}
DocumentRoot /var/www/html
ServerAdmin aw#hell.no
ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
### Let's Encrypt Section ###
SSLCertificateFile /etc/letsencrypt/live/${serv_name}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${serv_name}/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
Options -Includes -ExecCGI
### Deny http1.0 requests ###
RewriteEngine On
RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
#RewriteCond %{REQUEST_URI} !^/404/$
RewriteRule ^ - [F]
### Harden Security ###
ProxyRequests Off
ProxyPreserveHost On
ProxyTimeout 600
ProxyReceiveBufferSize 4096
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ServerSignature Off
SSLCompression Off
SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
SSLSessionTickets Off
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
Header always set Strict-Transport-Security "max-age=15552000; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "same-origin"
Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none';"
Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${serv_name}; media-src 'self' blob: ${plex_url} ${serv_name}; script-src 'self' 'unsafe-inline' ${plex_url} ${serv_name} plex.tv www.gstatic.com; style-src 'self' ${plex_url} ${serv_name}; img-src 'self' data: blob: ${plex_url} ${serv_name} plex.tv *.plex.tv; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${serv_name} plex.tv *.plex.direct *.plex.tv;"
SSLCipherSuite ECDHE+RSA+AES256+GCM+SHA512:DHE+RSA+AES256+GCM+SHA512:ECDHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES256+SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
### Plex Specific Section ###
ProxyPass / http://${plex_url}:${plex_port}/
ProxyPassReverse / http://${plex_url}:${plex_port}/
ProxyPass /:/ ws://${plex_url}:${plex_port}/:/
ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/
ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
LimitRequestBody 512000
FileETag None
TraceEnable off
#Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
Timeout 60
<Location /:/websockets/notifications>
ProxyPass wss://${plex_url}:${plex_port}/:/websockets/notifications
ProxyPassReverse wss://${plex_url}:${plex_port}/:/websockets/notifications
</Location>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
</IfModule>