Apache 2.4 ReverseProxy to Internal CentOS 7 GitLab Server - apache

I have been trying to set up Apache as a ReverseProxy to an internal GitLab server with no success.
We are running multiple virtual servers, each server having a different application. We have an existing server with Apache 2.4 installed on CentOS 6.6 and working, and I just recently stood up a new server with GitLab 8.12 on CentOS 7. I have made the following change in /etc/gitlab/gitlab.rb
external_url 'http://mypublic.domain.com:80'
I have added the following rules in iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
I have verified that we can ssh in using http://mypublic.domain.com:22
I have tried every setup I could find online to set the VirtualHost in httpd.conf, but nothing is working correctly. Below are a couple of the more recent, simple examples I have found. Does anyone have any ideas?
<VirtualHost 192.168.1.000:80>
ServerName mypublic.domain.com
RewriteEngine On
ProxyPass / http://192.168.1.999/
ProxyPassReverse / http://192.168.1.999/
</VirtualHost>
####
<VirtualHost 192.168.1.000:80>
ServerName mypublic.domain.com
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Location />
Require all granted
ProxyPass http://192.168.1.999:80
ProxyPassReverse http://192.168.1.999:80
</Location>
</VirtualHost>
####
Apache Server: 192.168.1.000
GitLab Server: 192.168.1.999
Any help would be much appreciated, thanks!

Related

How to https to local system over ssh tunnel?

I found a trick to tunnel http over ssh to my local computer.
https://www.maketecheasier.com/reverse-ssh-tunnel-allow-external-connections/
I use a web server running Apache on my local computer, but want to access it from outside without using port forwarding but using a VPS. The reason is I use a mobile device (i.e. laptop, but can also be a cellphone) as a web server.
Assume the local device uses port 8080 as its HTTP port and the VPS uses another port (e.g. the standard 80). This command on my local computer (macOS, Linux or even an Android device using Termux) works:
ssh -R 80:127.0.0.1:8080 root@VPS
When I access the VPS by http://VPS I access the web interface of my local computer. Fine. That works.
But I want to access it via https by
ssh -R 443:127.0.0.1:8443 root@VPS
and install a Let's Encrypt certificate. Can I do that on the VPS, or should I do it on the local device, enable ssl.conf and use 8443 as the secure port?
Then I want to access my device via the VPS over https://VPS.
Is that possible?
I found the answer.
I found this approach:
Apache ssl.conf:
<VirtualHost *:443>
SSLEngine on
DocumentRoot /var/www/html/test/
ServerName my.example.com
LogLevel Debug
Include whitelist.conf
ErrorLog ${APACHE_LOG_DIR}/ssl-error.log
CustomLog ${APACHE_LOG_DIR}/ssl-access.log combined
SSLCertificateFile /root/.acme.sh/my.example.com/fullchain.cer
SSLCertificateKeyFile /root/.acme.sh/my.example.com/my.example.com.key
# SSLCertificateChainFile /root/.acme.sh/my.example.com/fullchain.cer
SSLProxyEngine On
ProxyRequests Off
# NON SSL access to be redirected to https://my.example.com:443
ProxyPass / http://my.anotherdomain.com:81/
ProxyPassReverse / http://my.anotherdomain.com:81/
# RewriteCond %{HTTPS} off
# RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
</VirtualHost>
This redirects my device's non-SSL port 8080 to the VPS (my.example.com:81):
ssh -p 22 -R 81:192.168.0.7:8080 root@myVPS -N
Or on the device itself I can run in Termux:
ssh -p 22 -R 81:127.0.0.1:8080 root@myVPS -N
That makes my device SSL accessible using the certificates of my.example.com via VPS host.

How to run websockets on Apache via wss?

I am trying to run a PHP chat on sockets.
Server configuration: Ubuntu-18.04-amd64, Apache/2.4.29, SSL certificate from Let's Encrypt.
I use Ratchet. Here, here and here it is described how to connect sockets through SSL connections. But I didn't succeed.
I installed the necessary modules in Apache:
sudo a2enmod proxy
sudo a2enmod proxy_wstunnel
sudo a2enmod proxy_http
Wrote in /etc/apache2/apache2.conf
<VirtualHost *:443>
<Location "/chat/">
ProxyPreserveHost On
ProxyPass /ws ws://xxxxxx.xx:999
ProxyPassReverse /ws ws://xxxxxx.xx:999
</Location>
</VirtualHost>
Opened port 999
sudo iptables -I INPUT -p tcp --dport 999 -j ACCEPT
Restarted Apache
sudo systemctl restart apache2
Launched a chat server
php /var/www/html/chat/bin/chat-server.php
Wrote in the socket call script
websocket = new WebSocket ('wss://xxxxxx.xx/chat');
I tried to connect from a browser at
https://xxxxxx.xx/chat/
And got an error
WebSocket connection to 'wss://xxxxxx.xx/chat' failed: Error during
WebSocket handshake: Unexpected response code: 301
I read various tips, but still could not understand what I was doing wrong. Any attempt to change the situation produces errors 301, 300, 500 or 200.
Please tell me what I did wrong?

Interfacing Docker containers apps with an existing Apache web server

I am fairly new to Docker and I have some trouble understanding how to make my "contained" apps accessible from the internet.
[my current configuration] two web sites (in /var/www/html) + standard Apache + some tweaking I would like to be applied to everything new I deploy (CSP-based header rewriting, SSL certificate renewal with Certbot, etc.). I am fairly happy with my current conf.
[my two apps] Both are standalone applications (only requiring a db).
-official wordpress image. (-> new domain name)
-a django based app packed with a gunicorn server based on this tutorial (-> subdomain of an existing domain )
[the issue] If I bind both apps on, say, ports 8080 and 8000, browsers won't be able to reach them, for DNS servers do not handle ports (from what I understood, correct me if I am wrong). If I bind them on standard ports, I'll have a conflict with my existing Apache.
How would you deal with it? Can I redirect to containers' internal ip with a mod_proxy of some kind? Is there a cleaner-easier-safer way to do it?
<VirtualHost *:443>
ServerName sub.mydomain.io
Redirect "/" "http://172.17.0.2/"
ErrorLog /var/log/apache2/error.zarebski.io.com.log
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.io/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.io/privkey.pem
</VirtualHost>
In case of multiple applications running on different ports and different local IP addresses, the recommended method is using a reverse proxy.
Basically you configure your Apache to forward requests to those services, i.e.:
<VirtualHost *:443>
ServerName sub.mydomain.io
ProxyPass "/wordpress" "http://172.17.0.2:8080/"
ProxyPass "/django" "http://172.17.0.2:8000/"
ErrorLog /var/log/apache2/error.mydomain.io.com.log
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.io/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.io/privkey.pem
</VirtualHost>
If you have multiple external domains you can use name-based virtual hosts.
Well, it took me a while to figure things out, for there were two main corner cases. I'll stick to one case: the wordpress image
<VirtualHost *:443>
ServerName new_domain.eu
ProxyPass / http://localhost:8081/
<Location />
AddOutputFilterByType SUBSTITUTE text/html
SetOutputFilter proxy-html
ProxyPassReverse /
Substitute "s|http://localhost:8081/|https://new_domain.eu/|i"
RequestHeader unset Accept-Encoding
</Location>
SSLCertificateFile /etc/letsencrypt/live/new_domain.eu/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/new_domain.eu/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
[First of all], I could not access containers from their local IP (i.e. 172.7.0.3:80, not sure why), so I used the localhost port defined while setting the container up:
docker run -e WORDPRESS_DB_PASSWORD=thePassWord --name wordpress --link wordpressdb:mysql -p 8081:80 -v "$PWD/html":/var/www/html -d wordpress
[secondly] The tricky part was then to properly handle relative URLs (e.g. some/path/to/css), for these were not accessible. Apparently, this is a well-known issue. This part was the longest: things changed a lot around Apache 2.4 and the syntax is not well documented. Basically,
Substitute "s|http://localhost:8081/|https://new_domain.eu/|i"
replaces all URLs in the HTML so that relative resources (css, js, png, etc.) can be properly accessed.
[possible improvements] I am not quite happy with port 8081 being visible from the external world. It means that the app could be accessed from this very port, bypassing the rules I set up in apache.conf. I fixed the issue by adding an iptables rule
iptables -A INPUT -p tcp -s localhost --dport 8081 -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -j DROP
Not quite elegant so if anyone has a suggestion, let me know.
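To make concrete what the two directives in this answer do, here is an added Python model (not code from the answer or from Apache) of ProxyPassReverse header rewriting and of the Substitute body rule, using the answer's localhost:8081 and new_domain.eu values; the sample response it runs on is constructed.

```python
import re

# Values from the answer's config: the Docker-published backend and the public name.
BACKEND = "http://localhost:8081/"
PUBLIC = "https://new_domain.eu/"

# Headers ProxyPassReverse rewrites; it never touches the response body.
_REVERSE_HEADERS = ("location", "content-location", "uri")


def proxy_pass_reverse(headers, backend=BACKEND, public=PUBLIC):
    """Rewrite redirect-style headers the way `ProxyPassReverse /` does."""
    out = {}
    for name, value in headers.items():
        if name.lower() in _REVERSE_HEADERS and value.startswith(backend):
            out[name] = public + value[len(backend):]
        else:
            out[name] = value
    return out


def substitute_html(body, content_type, content_encoding=None,
                    backend=BACKEND, public=PUBLIC):
    """Apply the answer's Substitute rule: s|backend|public|i on text/html only.

    mod_substitute sees the bytes as sent by the backend, so a gzip-encoded
    body is opaque to it; that is what `RequestHeader unset Accept-Encoding`
    prevents. Here that case is refused instead of silently passing through.
    """
    if content_encoding and content_encoding.lower() != "identity":
        raise ValueError("body is %s-encoded; unset Accept-Encoding upstream" % content_encoding)
    if not content_type.lower().startswith("text/html"):
        return body  # AddOutputFilterByType SUBSTITUTE text/html: other types untouched
    return re.sub(re.escape(backend), public, body, flags=re.IGNORECASE)


def rewrite_response(status, headers, body):
    """Run both rewrites on one backend response; returns (status, headers, body)."""
    new_headers = proxy_pass_reverse(headers)
    new_body = substitute_html(body, headers.get("Content-Type", ""),
                               headers.get("Content-Encoding"))
    return status, new_headers, new_body


if __name__ == "__main__":
    # Constructed WordPress-style response: a redirect plus an absolute asset URL.
    hdrs = {"Location": BACKEND + "wp-login.php", "Content-Type": "text/html; charset=UTF-8"}
    html = '<link rel="stylesheet" href="HTTP://localhost:8081/wp-content/themes/x/style.css">'
    print(rewrite_response(302, hdrs, html))
```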

Unable to get Jupyter working with Apache Reverse Proxy for my Domain

I have the following entry in "/etc/apache2/sites-enabled" on my Ubuntu 15.10
<VirtualHost *:80>
ServerName "jupyter.xxxxxxxxxxxx.com"
ProxyPass / http://192.168.254.23:8888/
ProxyPassReverse / http://192.168.254.23:8888/
Header edit Origin "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
RequestHeader edit Origin "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
Header edit Referer "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
RequestHeader edit Referer "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
<Location ~ "/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)/?">
ProxyPass ws://192.168.254.23:8888/
ProxyPassReverse ws://192.168.254.23:8888/
</Location>
</VirtualHost>
After making the above entry I restarted apache: "sudo service apache2 restart"
When I attempt to run my script the Kernel is unable to connect.
Console Logs:
The same works when I specify the IP Address though:
Here's more info on my setup:
Apache is running on Server A (Ubuntu 15.4, IP: 192.168.254.201)
Jupyter installed on Server B (Centos 7, IP 192.168.254.23) as a Docker Image (https://www.dataquest.io/blog/data-science-quickstart-with-docker/)
And, I'm testing this from inside my home network, so no need to worry about proxy or ISP. I have the following entry in /etc/hosts
192.168.254.201 jupyter.xxxxxxxxxxxx.com

remove port number 8069 from the url

I am using CentOS 6. I want to remove the port from the URL,
that is, I want to use http://www.website.com/ instead of http://www.website.com:8069/, so I tried to create the virtualhost.
I opened the file /etc/httpd/conf/httpd.conf
and added the line
Listen 80
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot "/var/www/vhosts/website.com/httpdocs"
ServerName www.website.com
ServerAlias website.com
ProxyPass / http://www.website.com:8069/
ProxyPassReverse / http://www.website.com:8069/
</VirtualHost>
and restarted the server
/sbin/service httpd restart
but it's not working.
It is not giving any error, nor working.
The only solution if you want to use http://www.website.com/ is to open port 80 on the server or server's router.
You should check via netstat whether the Apache process is listening on port 80:
netstat -tulpn
The next thing to check is the local firewall. Check with
iptables -L
If the command lists entries, iptables is active. You can turn it off with
/etc/init.d/iptables stop
or add an entry for port 80
/etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
If that doesn't help, you should check the Apache logs under
/var/log/httpd/
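The checks in this answer (is anything listening on port 80, and does the INPUT chain let a new connection reach it), as an added Python example that is not from the answer; it reads constructed netstat -tulpn and /etc/sysconfig/iptables text rather than running the tools, and assumes the INPUT chain's default policy is ACCEPT.

```python
import re

# Constructed `netstat -tulpn` output, not captured from a real host.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:8069            0.0.0.0:*               LISTEN      1423/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1601/httpd
"""
# Constructed /etc/sysconfig/iptables INPUT chain that never accepts port 80.
IPTABLES_SAMPLE = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def tcp_listeners(netstat_text):
    """Map listening TCP port -> (bind address, program) from netstat -tulpn output."""
    found = {}
    for cols in (line.split() for line in netstat_text.splitlines()):
        if len(cols) >= 7 and cols[0].startswith("tcp") and cols[5] == "LISTEN":
            addr, port = cols[3].rsplit(":", 1)
            found[int(port)] = (addr, cols[6].split("/", 1)[-1])
    return found

def new_tcp_allowed(rules_text, port):
    """Walk INPUT rules top to bottom; the first matching rule decides, as the kernel does."""
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        dport = re.search(r"--dport (\d+)", line)
        if dport and int(dport.group(1)) != port:
            continue
        states = re.search(r"--state (\S+)", line)
        if states and "NEW" not in states.group(1).split(","):
            continue  # rule does not see the connection's first SYN
        return re.search(r"-j (\S+)", line).group(1) == "ACCEPT"
    return True  # nothing matched: chain policy applies, assumed ACCEPT here

def diagnose(netstat_text, rules_text, port=80):
    """Return the first thing to fix, in the order the answer checks them."""
    listening = tcp_listeners(netstat_text)
    if port not in listening:
        return "not listening on %d: check Listen and /var/log/httpd/" % port
    addr, prog = listening[port]
    if addr in ("127.0.0.1", "::1"):
        return "%s listens on loopback only" % prog
    if not new_tcp_allowed(rules_text, port):
        return "firewall blocks %d: add the --dport %d ACCEPT rule before the REJECT" % (port, port)
    return "ok: %s reachable on %d" % (prog, port)
```

With the constructed samples, diagnose(NETSTAT_SAMPLE, IPTABLES_SAMPLE) reports the missing firewall rule; inserting the answer's ACCEPT line above the REJECT turns the result into "ok".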