Enable SSL (HTTPS) on Bitnami MEAN setup on AWS - ssl

I use a Bitnami MEAN installation (https://bitnami.com/stack/mean) v3.2.11 on EC2. I didn't make any extra modifications to the apache2 setup except for rerouting the port where my app runs to port 80, like this:
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
Now my app is available fine on :80 port via http:// but I can't make it run via https://. But access via https is what I wanted to achieve. I could not figure the right step by step guide on how to create or enable SSL. All Bitnami docs sound like it's assumed to be working already.
As far as I understood from - https://docs.bitnami.com/aws/components/apache/#https-port the basic certificate is already included into the setup so you can make use of that one without creating your own. The only thing you need is to enable it - That may be wrong assumption, let me know.
Also here on bitnami support it says
Apache waits for HTTPS requests on port 443. Change that by editing
the /opt/bitnami/apache2/conf/bitnami/bitnami.conf file and modifying
the value specified in the Port directive. For example:
Listen 8443
Does that mean that I need to reroute my :5000 port to :8443 ??
I've also found this question - Installing SSL on AWS EC2 Bitnami Mean Stack that didn't receive a proper answer for more than a year.

Does that mean that I need to reroute my :5000 port to :8443 ??
No, you don't need to redirect that. Your problem is that you're proxy-passing every request from port 80 to 5000 (where your app runs) but when using HTTPS your requests use port 443. Those requests are not being proxy-passed to port 5000 and, therefore, your app doesn't receive them.
What Apache configuration file did you modify including those lines? You need to be sure that both the VirtualHosts for port 80 and the one for port 443 include the ProxyPass redirections. For example, if you edited the file /opt/bitnami/apache2/conf/bitnami/bitnami.conf, ensure you add it in the Virtualhosts <VirtualHost _default_:80> and <VirtualHost _default_:443>
As far as I understood from - https://docs.bitnami.com/aws/components/apache/#https-port the basic certificate is already included into the setup so you can make use of that one without creating your own.
Yes, the Bitnami Stack includes a dummy certificate. However, it's recommended to create your own one since the browsers won't recognize it as a valid one since it's self-signed. You can find more information in the link below:
https://docs.bitnami.com/aws/components/apache/#how-to-create-an-ssl-certificate
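The layout this answer describes, as an added example that is not part of the original answer or of Bitnami's shipped configuration. The backend address is the one from the question; the certificate paths and the domain are placeholders, and the `X-Forwarded-Proto` header is an assumption about what the Node app reads.

```apache
# Added example for /opt/bitnami/apache2/conf/bitnami/bitnami.conf.
# Certificate paths are placeholders; keep the ones already in your file.

<VirtualHost _default_:80>
    # Plain-HTTP requests reach the app only because of these two lines.
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/

    # Stricter alternative (replace the two lines above): send every
    # plain-HTTP visitor to HTTPS instead of serving the app unencrypted.
    # Redirect permanent / https://your-domain.example/
</VirtualHost>

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    "/path/to/server.crt"
    SSLCertificateKeyFile "/path/to/server.key"

    # TLS ends at Apache; the hop to the Node app on 127.0.0.1 stays HTTP.
    # Pass the original scheme along so the app can build https:// URLs
    # (needs mod_headers; the header name is a convention, not a Bitnami setting).
    RequestHeader set X-Forwarded-Proto "https"

    # Without these two lines, HTTPS requests never reach port 5000.
    ProxyPass        / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
```

Port 443 also has to be allowed inbound in the instance's EC2 security group, otherwise the request never reaches Apache at all.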

Related

If two Apache HTTP servers are installed in RedHat, how to make them not disturbing each other

I have already installed an Apache HTTP server in my RedHat system, now I need to install a Bitnami application package which contains another Apache. So I am wondering how to make them not disturbing each other?
I guess I need to configure different ports for the two HTTP server. But what if one has 8080 and another has 9090, will we visit http://[ServerName]:8080/something.html and http://[ServerName]:9090/something.html? I think this way is quite inconvenient. Am I wrong or any better idea?
My advice would be to do something like this.
Have one Apache instance listen in port 80 and the other one in port 8080 for example. The Apache instance that listens in port 80 can act as a proxy to the other Apache (port 8080) using the ProxyPass and ProxyPassReverse directives.
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
You would need to define prefixes or virtual hosts and inside them add ProxyPass directives.
I don't know to what kind of user those applications are targeted to but the usual end-user is not used to enter ports when browsing the web.
If you like to use the ports, go for it, but I would recommend using Name-based Virtual Host
so you could use different domains or subdomains to each application.
In addition to the example provided by the docs (in where they just point to different folders) in this digitalocean page they document how to make redirects to different urls.
I completely agree with EndermanAPM that usual end-user is not used to enter ports when browsing the web. Therefore, I would only allow port 80 to be accessed by the end-users.
Additional to the current solutions I see another one:
avoid messing up the settings of the Apache servers in order to not end-up with some malfunctions of your websites
leave the Apache servers listen on their designated ports (8080 respectively 9090)
install a dedicated proxy in front of the Apache servers. The proxy would listen on port 80 and would define redirect rules that would parse the request and would redirect it to the proper Apache server. (see the attached picture)
I recommend you HA Proxy. It is a very fast and reliable http and tcp proxy. I've been using it in production for years, in front of application servers, web servers and even database servers. Once you get used with its syntax, it is pretty easy to use.
I am aware that introducing a new component into the equation might add another source of potential issues. But I think that the architecture is cleaner. Besides, the two Apache servers will not be disturbing each other as you requested. You can shut down any one of the two and the other one would properly work further.

How to enable HTTPS for Zabbix

How to make Zabbix accessible using HTTPS? - Ubuntu Apache!
Currently Zabbix is accessible on Intranet via http://192.160.1.1/zabbix where I would like to setup to access it like https://192.160.1.1/zabbix
Thanks
I managed to arrange SSL on my Zabbix site by having a named vhost (mytest.site.com) with any docroot (/var/www/mytest.site.com/public_html). Zabbix hooks into any /zabbix url, so it doesn't really matter which one. It is important that you have a valid DNS resolving to your vhost. Then use Letsencrypt to create a SSL certificate for that vhost and have it forward traffic to port 80 to port 443 (see https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04 for installation details).

Hosting Multiple Sites On Same Apache Instance (ReviewBoard, MediaWiki)

We're trying to set up two sites on same Apache instance, although on different ports.
We have a ReviewBoard set up on an Apache in an AWS instance. It runs on 443, and is working fine.
Now, we're trying to set up MediaWiki on same server. I'm assuming safest and fastest way is to set it to listen on a different port. So, we've set up Apache to listen on 8443, and enabled MediaWiki like so
<IfModule mod_ssl.c>
<VirtualHost _default_:8443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/<domain_name>
This is working fine for accessing homepage of wiki.
following are the issues we're facing -
This setup requires adding port to the URL. Since https by default uses 443, we need to add :8443 at end of url to access Wiki Page. Ideally, we'd like to do away with the port.
MediaWiki Login doesn't work. After login, user is redirected to port 80. If this port is blocked, which is what we want, whole flow is dead in water.
We'd like to use same AWS instance, although we're open to setting up another instance of Apache (not sure if it is possible / best practice).
Any ideas?
For issue number 2, make sure that you've updated your $wgServer variable to include the not-standard port number like so $wgServer = "https://127.0.0.1:8443";
Thanks TyA.
Solved this.
Multiple domain with the same ip and port in apache
TyA's solution.
Separate AWS or Apache instance not required.

GeoServer under https

i am using apache web server on localhost:80 and Geoserver served from tomcat on localhost:8080
I recently installed an SSL certificate on Apache and it works fine, except that I get a message saying I have insecure content, which I thought was the GeoServer layers. So now I'm trying to enable SSL for GeoServer and have OpenLayers content like this https://example.org:8080/geoserver but I'm still not sure what's the best approach to do that.
My suggestion:
Add a (reverse) proxy in Apache and configure your web application so that it connects only to the Apache proxying the GeoServer.
ProxyPass "/geoserver" "http://localhost:8080/geoserver"
ProxyPassReverse "/geoserver" "http://localhost:8080/geoserver"
This way you only need to allow HTTPS in the firewall and nobody from outside will have the chance to reach GeoServers web interface unless you enable port 8080 on the firewall. Also see https://gis.stackexchange.com/q/4323/109339 for further details.
Please note that you should set the https://docs.geoserver.org/stable/en/user/configuration/globalsettings.html#proxy-base-url of GeoServer with the public reachable URL via your Apache, e.g. https://your-apache.com/geoserver - otherwise the absolute URLs generated from GeoServer in e.g. GetCapabilities start with http://localhost:8080/geoserver (which is not reachable anymore).
If you had not already Apache in use, I would recommend nginx.

how to put nodejs and apache in the same port 80

I have to put nodejs in port 80, but apache is already using it. How can I put both (nodejs and apache) on the same port 80? I need it because in my university all the ports are blocked except for PORT 80. (This is a realtime application with nodejs and socket.io (websockets) and in the other side a php application).
Thanks a lot
I do this via node.js proxy..
Install http-proxy with npm or official page
Example:
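// Note: the hostnameOnly/router proxy-table options shown here belong to
// http-proxy 0.x; they were removed in http-proxy 1.0.
var http = require('http'),
    httpProxy = require('http-proxy'),
    proxyServer = httpProxy.createServer({
        hostnameOnly: true,
        // Map the request's Host header to a backend address
        router: {
            'domain.com': '127.0.0.1:81',
            'domain.co.uk': '127.0.0.1:82',
            '127.0.0.1': '127.0.0.1:83'
        }
    });
proxyServer.listen(80);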
This creates a node process listening to port 80, and forwarding requests for domains which go to :81,82,83 etc. I recommend running this with forever and adding an entry to init.d so your proxy is up in case system shuts down.
You can also use Apache 2's mod_proxy and mod_proxy_http, which might be more reliable or perform better depending on your system.
Here's an example:
First, run the commands below to enable the proxy modules:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
# Use Apache for requests to http://example.com/
# but use Node.js for requests to http://example.com/node/
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example/
    <Location /node>
        ProxyPass http://127.0.0.1:8124/
        ProxyPassReverse http://127.0.0.1:8124/
    </Location>
</VirtualHost>
And of course you can modify the directives to your needs, such as using a different port for your virtual host (e.g., 443), different port for Node.js, or set up the proxy under a different block, such as for a subdomain (e.g., node.example.com).
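The question mentions socket.io over WebSockets, which the `http://` ProxyPass above does not cover by itself on Apache versions where WebSocket tunnelling is handled by mod_proxy_wstunnel. The following is an added example, not part of the original answer; it reuses the answer's host name and port 8124 and assumes socket.io is served at its default `/socket.io/` path.

```apache
# Added example. Needs mod_rewrite and mod_proxy_wstunnel in addition to
# the modules enabled above: sudo a2enmod rewrite proxy_wstunnel
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example/

    # Requests that ask to upgrade to WebSocket are tunnelled over ws://
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/socket\.io/(.*)$ ws://127.0.0.1:8124/socket.io/$1 [P,L]

    # socket.io handshake and HTTP long-polling fallback
    ProxyPass        /socket.io/ http://127.0.0.1:8124/socket.io/
    ProxyPassReverse /socket.io/ http://127.0.0.1:8124/socket.io/

    # The rest of the Node app stays under /node; Apache serves everything else
    <Location /node>
        ProxyPass http://127.0.0.1:8124/
        ProxyPassReverse http://127.0.0.1:8124/
    </Location>
</VirtualHost>
```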
I've personally done this the other way round from @liammclennan. Some suggest that proxying through Apache defeats some of the performance and scalability advantages of Node (don't have experience myself as my server doesn't get that much traffic, but from @liammclennan's link: "Every request that comes in through Apache will cause an Apache thread to wait/block until the response is returned from your Node.js process.", which obviously doesn't mesh well with Node's architecture.)
I used node-http-proxy to set up a Node proxy server roughly as described in the first link (my Node proxy runs on port 80; Apache and my other Node services don't). Seems to be working well so far, though I have had occasional stability problems that I've 'solved' through checking the proxy's still running with a cron job (edit: it seems a lot more stable these days). The proxy's pretty lightweight, taking up about 30MB memory.
You can't. You have to run node.js on another port and then proxy requests through apache. You can do this using mod_proxy
http://davybrion.com/blog/2012/01/hosting-a-node-js-site-through-apache/
I usually use haproxy as the front-end in situations like that and have that proxy to the appropriate backend server. (Though making your node.js process a proxy server is a valid approach too depending on your needs).
for httpd.conf
activate the modules proxy_module and proxy_http
if you are using virtual host
<virtualhost ...>
ServerName api.domain.com
........
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</virtualhost>
Assuming you are running the nodejs server on 8080, you don't need to take care of SSL in nodejs; it should all be done in Apache.
then try https://api.domain.com/
I found a cool gist Run apache and nodejs on port 80. did not try it yet but will do of course
Step 1
Get a VPS that offers 2 or more IP addresses.
Step 2
From the WHM cPanel, find the menu item Service Configuration,
select Apache Configuration and then click on Reserved IPs Editor.
Step 3
Tick the IP address you DON'T WANT Apache to listen to, and write
it down so you can use it in the next step. Click Save.
Step 4
Install Node.js, and create a server like this:
var http = require('http');
var server = http.createServer(function(req, res) {
    res.writeHead(200);
    res.end('Hello, world!');
});
server.listen(80, '111.111.111.111');
Replacing 111.111.111.111 with the IP address you previously
reserved from the WHM cPanel.
Step 5
Stop wasting your time and never listen to those telling you to use
mod_rewrite to proxy Node.js again.
Update:
We can solve a problem in many different ways and IMHO, we should at least know each possible way 😉. We can do it without buying a new IP of course putting a proxy in front of both Apache and NodeJS server each running other ports except 80.