We Keep Coding

TeamCity server WebSocket connection error in Docker image behind Apache proxy

I am running TeamCity server behind Apache proxy. My Apache configuration of virtual host teamcity.example.com.
HTTP:
<VirtualHost *:80>
ServerName teamcity.example.com
ServerAlias www.teamcity.example.com
Redirect / https://teamcity.example.com/
</VirtualHost>
HTTPS:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPreserveHost On
ProxyRequests Off
ServerName www.teamcity.example.com
ServerAlias teamcity.example.com
ProxyPass / http://localhost:8111/
ProxyPassReverse / http://localhost:8111/
# This doesn't work
ProxyPass /app/subscriptions ws://localhost:8111/app/subscriptions connectiontimeout=240 timeout=1200
ProxyPassReverse /app/subscriptions ws://localhost:8111/app/subscriptions
# This doesn't work
ProxyPass / http://localhost:8111/ connectiontimeout=5 timeout=300
ProxyPassReverse / http://localhost:8111/
SSLCertificateFile /etc/letsencrypt/live/teamcity.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/teamcity.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Apache modules are enabled:
sudo apachectl -M | grep proxy
proxy_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
And my docker-compose.yaml
version: "3.5"
services:
server:
image: jetbrains/teamcity-server:latest
container_name: teamcity_server
networks:
- teamcity_network
ports:
- "8111:8111"
extra_hosts:
- "host.docker.internal:host-gateway"
volumes:
- datadir:/data/teamcity_server/datadir
- logs:/opt/teamcity/logs
environment:
- TEAMCITY_HTTPS_PROXY_ENABLED=true
agent:
image: jetbrains/teamcity-agent:2022.10.1-linux-sudo
container_name: teamcity_agent
volumes:
- agent_conf:/data/teamcity_agent/conf
environment:
- SERVER_URL=https://teamcity.example.com
networks:
teamcity_network:
volumes:
datadir:
logs:
agent_conf:
TeamCity user interface reports WebSocket connection error:
WebSocket connection issues Some users cannot use optimized web UI
updates via WebSocket protocol. The following addresses were used by
the affected sessions: https://teamcity.example.com Most probably
there is not appropriately configured proxy server between the client
browsers and the TeamCity server.
And DeveloperTool console in Chrome:
WebSocket connection to
'wss://teamcity.example.com/app/subscriptions?browserLocationHost=https%3A%2F%2Fteamcity.example.com'
failed: openSocket # 6942286895631677648.js?v=1671191552738:648 open
# 6942286895631677648.js?v=1671191552738:742 start #
6942286895631677648.js?v=1671191552738:907 (anonymous) # projects?mode=builds:391
Q: What is wrong with Docker image or Apache configuration?

The solution is to place ProxyPass and ProxyPassReverse directives in proper order. This configuration works as expected.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyRequests Off
ServerName www.teamcity.example.com
ServerAlias teamcity.example.com
ProxyPass /app/subscriptions ws://localhost:8111/app/subscriptions connectiontimeout=240 timeout=1200
ProxyPassReverse /app/subscriptions ws://localhost:8111/app/subscriptions
ProxyPass / http://localhost:8111/ connectiontimeout=5 timeout=300
ProxyPassReverse / http://localhost:8111/
SSLCertificateFile /etc/letsencrypt/live/teamcity.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/teamcity.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Use Apache To Run SSL On Port 8980 Specifically

I have a web service which I access by typing the following URL exactly as is (character for character):
http://10.115.252.127:8980/opennms/login.jsp
The website files are served from /opt/opennms/jetty-webapps/opennms/
My objective is to use Apache (httpd.conf) to force any traffic to this URL to use SSL and no longer HTTP.
I have successfully installed the SSL certificates with no issues.
I have configured a VirtualHost directive to redirect port 80 to 443
Only sites under /var/www/html/* are being successfully redirected.
Example: http://10.115.252.127/numbers successfully redirects to https://10.115.252.127/numbers
http://10.115.252.127/charts successfully redirects to https://10.115.252.127/charts
But, when I type in the URL http://10.115.252.127:8980/opennms/login.jsp it is always served as HTTP...how do I make it served as HTTPS like the others? I have checked the forums and all the posts assume you will always be redirecting port 80 and dont say anything about how to use SSL in the scenario I explained. I have the same issue with another service running on port 3000 http://10.115.252.127:3000/login
===extract from my httpd.conf===
<VirtualHost *:80>
ServerName 10.115.252.127
Redirect permanent / https://10.115.252.127/
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/cert_mtocb2500lbscorp.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mtocb2500-lbscorp.key
ServerName 10.115.252.127
#Documentroot /var/www/html
</VirtualHost>

Based on your confirmation of my understanding, here is what you can do:
############################################################################
Listen 80
# All connections on port 80 are redirected to port 443
<VirtualHost *:80>
ServerName www.example.com
CustomLog "logs/80_access.log" combined
ErrorLog "logs/80_error.log"
Redirect permanent / https://www.example.com
# No documentRoot, no content
</VirtualHost>
############################################################################
Listen 443
# All URI are answered from the documentRoot directory
# EXCEPT /openms, which is proxied to :8980
<VirtualHost *:443>
ServerName www.example.com
# temporary, remove when tests done
LogLevel debug
CustomLog "logs/443_access.log" combined
Errorlog "logs/443_error.log"
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/cert_mtocb2500lbscorp.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mtocb2500-lbscorp.key
# For your redirection to 8980
ProxyPass /opennms "https://www.example.com:8980/"
ProxyPassReverse /opennms "https://www.example.com:8980/"
documentRoot "/yourdir/apache/htdocs"
DirectoryIndex index.html
</VirtualHost>
Prerequisites
you must load proxy modules
you must load rewrite module
port 8980 is linked to some other software. Apache does not handle 8980.

default backend - 404 Apache with ssl

I am pretty much new to apache. I am trying to use the apache official container to redirect the incoming traffic to below 2 pods
Pod-1. To my own custom container(CC) (this is a http service).
Pod-22. To cutomised rabbitmq container.
I am exposing both 80 and 443 of apache. I am able to access my application which is running on Pod-1. But if I try to access using 80 (which is redirected to https[443]) i get default backend error. I have enabled the "mod_socache_shmcb.so", "mod_ssl.so" moduels and included my config file. Below is my config file.
<VirtualHost *>
ServerName apachessl
Redirect / https://apachessl/
</VirtualHost>
<VirtualHost *:443>
ServerName apachessl
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLEngine on
SSLProtocol -ALL +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /usr/local/apache2/conf/certificate.crt
SSLCertificateKeyFile /usr/local/apache2/conf/privateKey.key
ProxyPreserveHost On
KeepAlive On
MaxKeepAliveRequests 0
ProxyTimeout 600
SSLProxyEngine on
ProxyPass /ws wss://rmqssl-app-loc:15674/ws
ProxyPassReverse /ws wss://apachessl/ws
ProxyPass / http://my-apllication:6543/
ProxyPassReverse / https://apachessl/
ErrorLog "logs/my_application_log"
LogLevel error

Please change -
ProxyPassReverse / https://apachessl/
To
ProxyPassReverse / http://my-apllication:6543/
and try again.

If you are using it from kubernetes and receiving default backend 404 error ... it essentially means that the domain using which the request is landing to kubernetes ingress controller is not mapped to any of the ingress.
So what you need is to check when request on port 80 is redirected to 443, the url apachessl --> has one ingress mapped in ingress definition under specs .. something like -
spec:
rules:
- host: apachessl
http:
paths:
- backend:
serviceName: <<your-app-service-exposed-on-k8s>>
servicePort: 80
path: /
tls:
- hosts:
- apachessl
secretName: <<your-ssl-secret>>
Can you share your ingress definition, just to be clear what needs to be fixed.

How to expose an nginx docker container via Apache 2 with SSL?

I have a web app running on docker containers on my Digital Ocean droplet. The app has its own container and is served through an Nginx container on the address 0.0.0.0:8080.
Here is the nginx conf:
server {
listen 80;
index index.php index.html;
root /var/www/public;
location / {
try_files $uri /index.php?$args;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass app:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
and my nginx container dockerfile:
FROM nginx:1.10
ADD ./vhost.conf /etc/nginx/conf.d/default.conf
WORKDIR /var/www
Now, I have domain to which I generated an SSL certificate using certbot and I want to serve my app through this domain but I am failing miserably.
I am using(or trying) Apache2 as a reverse proxy for this but I cannot get it to work. I can now access the main page of the app but without any resources since the page is being served through https but the resources are being fetch from the container via http. I don't know how many things I tried already but I am going nowhere. Any help would be much appreciated.
Here are my virtual hosts configs, if that helps.
vhost-le-ssl.conf:
<IfModule mod_ssl.c>
#Listen 443
#NameVirtualHost *:443
<VirtualHost *:443>
SSLEngine On
# Set the path to SSL certificate
# Usage: SSLCertificateFile /path/to/cert.pem
SSLCertificateFile /etc/letsencrypt/live/antonioquadrado.com/cert.pem
# Servers to proxy the connection, or;
# List of application servers:
# Usage:
# ProxyPass / http://[IP Addr.]:[port]/
# ProxyPassReverse / http://[IP Addr.]:[port]/
# Example:
ProxyPass / http://0.0.0.0:8080/
ProxyPassReverse / http://0.0.0.0:8080/
ServerName antonioquadrado.com
ServerAlias www.antonioquadrado.com
ServerAdmin webmaster#localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteCond %{SERVER_NAME} =antonioquadrado.com [OR]
# RewriteCond %{SERVER_NAME} =www.antonioquadrado.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/antonioquadrado.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/antonioquadrado.com/privkey.pem
</VirtualHost>
</IfModule>
vhost.conf:
VirtualHost *:80>
ProxyPreserveHost On
# Servers to proxy the connection, or;
# List of application servers:
# Usage:
# ProxyPass / http://[IP Addr.]:[port]/
# ProxyPassReverse / http://[IP Addr.]:[port]/
# Example:
ProxyPass / https://0.0.0.0:8080/
ProxyPassReverse / https://0.0.0.0:8080/
ServerName antonioquadrado.com
ServerAlias www.antonioquadrado.com
ServerAdmin webmaster#localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =antonioquadrado.com [OR]
RewriteCond %{SERVER_NAME} =www.antonioquadrado.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
I have followed this digital ocean tutorial to get at this point.
Thanks in advance!
Edit: after being pointed by #SmileIt to the serverfault answer I have updated my virtualhosts configs to this:
<VirtualHost *:80>
ServerName antonioquadrado.com
ServerAlias www.antonioquadrado.com
Redirect permanent / https://www.antonioquadrado.com/
</VirtualHost>
ssl vhosts:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.antonioquadrado.com
DirectoryIndex index.php index.html
SetOutputFilter SUBSTITUTE,DEFLATE
ProxyPass / http://0.0.0.0:8080/
ProxyPassReverse / http://0.0.0.0:8080/
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|http://0.0.0.0:8080/|https://www.antonioquadrado.com/|i"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateKeyFile /etc/letsencrypt/live/antonioquadrado.com/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/antonioquadrado.com/fullchain.pem
#SSLCertificateChainFile /path-to/chain.pem
<Proxy *>
Order deny,allow
Allow from all
Allow from localhost
</Proxy>
</VirtualHost>
</IfModule>
But I have the same errors about the resources being fetched over the internal ip via http.
Here's also my docker-compose file:
version: '2'
services:
web:
build:
context: ./
dockerfile: web.docker
volumes:
- ./:/var/www
ports:
- "8080:80"
links:
- app
app:
build:
context: ./
dockerfile: app.docker
volumes:
- ./:/var/www
links:
- database
environment:
- "DB_PORT=3306"
- "DB_HOST=database"
database:
image: mysql:5.6
environment:
- "MYSQL_ROOT_PASSWORD=*****"
- "MYSQL_DATABASE=*******"
ports:
- "33061:3306"

Apache output filters are out of order most likely.
Add the following to your VirtualHost config near the top and restart Apache.
SetOutputFilter SUBSTITUTE;DEFLATE
Essentially we have to tell Apache to order output filters. Do substitution first then deflate. If this does not work for you add the following to your VirturalHost config and send the output.
LogLevel trace3 rewrite:error filter:trace8
The output should tell us what filters are running before substitution filter.

Install SSL on Windows Apache

1. What I want to do:
I have a domain example.me, and a sub-domain text.example.me which is hosted on my Windows Server. It's running Apache with php 5.6
I want to install and SSL certificate using Let's Encrypt and this tool https://github.com/PKISharp/win-acme
2. The problem:
It doesn't seem to be working, I get the following error when trying to access https://test.example.me
This site can’t provide a secure connection
3. What I have done so far
I followed every step from:
https://commaster.net/content/how-setup-lets-encrypt-apache-windows
This is the content of my httpd-ssl.conf
<VirtualHost *:443>
ServerAdmin me#examole.com
ServerName text.example.me
DocumentRoot "D:/xampp/htdocs"
RewriteEngine On
# Redirect to the correct domain name
RewriteCond %{HTTP_HOST} !^test.example.me$ [NC]
RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
Alias /.well-known D:/xampp/htdocs/.well-known
SSLEngine on
SSLCertificateFile "conf/ssl.crt/text.example.me-crt.pem"
SSLCertificateKeyFile "conf/ssl.key/test.example.me-key.pem"
SSLCertificateChainFile "conf/ssl.csr/ca-test.example.me-crt.pem"
</VirtualHost>
My 80,443 ports are avaiable, and not being used by Skype, so that's not
the issue.
This is the content of my httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin me#example.me
ServerName test.example.me
RewriteEngine On
# Redirect to the HTTPS site
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
ErrorLog logs/slog.log
</VirtualHost>

I am using Let's Encrypt since some years - but without(!) RewriteEngine.
So here is a snipped from my http-vhosts.conf
<VirtualHost *:80>
DocumentRoot "C:/webserver/html/example_html"
ServerName www.example.com
Redirect permanent / https://www.example.com/
# For the case that you are using ModProxy to forward to a Tomcat, please also add:
# ProxyPass "/.well-known/" "!"
</VirtualHost>
A snipped from my httpd-ssl.conf:
<VirtualHost *:443>
DocumentRoot "C:/webserver/html/example_html"
ServerName www.example.com
Protocols h2 http/1.1
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-crt.pem"
SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-key.pem"
SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-www.example.com-crt.pem"
<IfModule headers_module>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set x-frame-options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
#Header always set Content-Security-Policy "script-src 'self'"
</IfModule>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
#For the case that you use ModProxy to forward to a Tomcat or so
#ProxyPass "/.well-known/" "!"
EnableSendfile off
EnableMMAP off
</VirtualHost>
Also please keep in mind that when you want to use multiple hostnames, then you need a wildcard certificate - otherwise it's simple with Let's Encrypt to have one certificate for each host/domian name - but you need one virtual host section for each host/domain name you are using.
Last but not least my personal opinion is thet ModRewrite should not be used when there is no need, because it is complicate and not really understood by most people.

How to add SSL certificate from Certbot in Windows Apache
Go to Certbot’s official website: Certbot Instructions | Certbot (eff.org)
Download the latest version of the Certbot installer for Windows at
https://dl.eff.org/certbot-beta-installer-win_amd64.exe.
Install it in your C drive.
Run > Command Prompt > Run as administrator
C:\Users\Administrator>certbot --help
C:\Users\Administrator>certbot certonly --webroot
Enter your email address > Y > Y
Enter your domain/subdomain name: abc.com / abc.xyz.com
Go to : C:\xampp\apache\conf\extra
Open: httpd-vhosts.conf
Edit:
<VirtualHost *:443>
DocumentRoot C:\xampp\htdocs\aeapp
ServerName callum.aeapp.uk
SSLEngine on
SSLCertificateFile "C:\Certbot\live\abc.com\fullchain.pem"
SSLCertificateKeyFile "C:\Certbot\live\abc.com\privkey.pem"
Add port 443 in firewall settings (if you have already added then skip this step)
Search > Type: Firewall and open Windows Defender Firewall with Advanced Security on Local Computer
Go to: Inbound rules > New Rule > Select “Port” > Specific Local Ports : Type “443” > Allow the connection > Tick all 3 options > Add name “ ex: abc ssl” > Finish.
Restart Xampp
Check your website/webapp; if it's locked, you've added an SSL certificate successfully.