I'm trying to setup BaGet in Docker with Docker Compose behind an Apache2 reverse proxy, where Apache2 is also running in Docker from Docker Compose.
I've done this successful with Jenkins and Sonar, but with BaGet (http://localhost:8000/baget) I get "Service Unavailable" even though it's available directly on its own port, e.g.: http://localhost:5555/.
My Docker Compose file looks like this:
version: "3"
services:
smtp:
container_name: smtp
image: namshi/smtp
jenkins:
container_name: jenkins
build: ./jenkins/
environment:
- JENKINS_OPTS="--prefix=/jenkins"
sonar:
container_name: sonar
image: sonarqube:latest
environment:
- SONAR_WEB_CONTEXT=/sonar
baget:
container_name: baget
image: loicsharma/baget:latest
ports:
- "5555:80"
environment:
- PathBase=/baget
apache:
container_name: apache
build: ./apache/
ports:
- "8000:80"
My Apache2 Docker File looks like this:
FROM debian:stretch
RUN apt-get update
RUN apt-get install -y apache2 && apt-get clean
RUN a2enmod proxy
RUN a2enmod proxy_http
RUN a2dissite 000-default.conf
COPY devenv.conf /etc/apache2/sites-available/devenv.conf
RUN a2ensite devenv
EXPOSE 80
CMD apachectl -D FOREGROUND
And my Apache2 config file like this:
<VirtualHost *:80>
ServerAdmin ...
ServerName ...
ServerAlias devenv
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPreserveHost on
ProxyPass /jenkins http://jenkins:8080/jenkins nocanon
ProxyPassReverse /jenkins http://jenkins:8080/jenkins nocanon
ProxyPass /sonar http://sonar:9000/sonar nocanon
ProxyPassReverse /sonar http://sonar:9000/sonar nocanon
ProxyPass /baget http://baget:5555/baget nocanon
ProxyPassReverse /baget http://baget:5555/baget nocanon
</VirtualHost>
I've tried various different compinations of ProxyPass URLs, I've tried using localhost instead of the internal Docker Compose serivces names, I've tried different ports and I've tried running BaGet without the PathBase environment variable and nothing works!
I'm hoping it's something obvious with my configuration and not something odd goign on with BaGet.
So, I was using the wrong port:
ProxyPass /baget http://baget:5555/baget nocanon
ProxyPassReverse /baget http://baget:5555/baget nocanon
should have been:
ProxyPass /baget http://baget/baget nocanon
ProxyPassReverse /baget http://baget/baget nocanon
Docker containers in Docker Compose speak to each other on the internally mapped port, not the external one. Which, now I know, makes perfect sense!
I have the following entry in "/etc/apache2/sites-enabled" on my Ubuntu 15.10
<VirtualHost *:80>
ServerName "jupyter.xxxxxxxxxxxx.com"
ProxyPass / http://192.168.254.23:8888/
ProxyPassReverse / http://192.168.254.23:8888/
Header edit Origin "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
RequestHeader edit Origin "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
Header edit Referer "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
RequestHeader edit Referer "jupyter.xxxxxxxxxxxx.com" 192.168.254.23:8888
<Location ~ "/(user/[^/]*)/(api/kernels/[^/]+/channels|terminals/websocket)/?">
ProxyPass ws://192.168.254.23:8888/
ProxyPassReverse ws://192.168.254.23:8888/
</Location>
</VirtualHost>
After making the above entry I restarted apache: "sudo service apache2 restart"
When I attempt to run my script the Kernel is unable to connect.
Console Logs:
The same works when I specify the IP Address though:
Here's more info on my setup:
Apache is running on Server A (Ubuntu 15.4, IP: 192.168.254.201)
Jupyter installed on Server B (Centos 7, IP 192.168.254.23) as a
Docker Image
(https://www.dataquest.io/blog/data-science-quickstart-with-docker/)
And, I'm testing this from inside my home network, so no need to worry about proxy or ISP. I have the following entry in /etc/hosts
192.168.254.201 jupyter.xxxxxxxxxxxx.com
I need to configure Jenkins behind Apache. For this purpose I installed Apache 2.2 using httpd-2.2.25-win32-x86-openssl-0.9.8y.msi.
Now I have configured jenkins with -
--httpPort=8084 --prefix=/jenkins (inside jenkins.xml)
The securityRealm for Jenkins is (I am using LDAP authentication):
<securityRealm class="hudson.security.LDAPSecurityRealm" plugin="ldap#1.11">
<server>ldap://ldap.myserver.com:1234</server>
<rootDN>DC=blah-blah,DC=blah</rootDN>
<inhibitInferRootDN>false</inhibitInferRootDN>
<userSearchBase></userSearchBase>
<userSearch>SAMAccountName={0}</userSearch>
<groupSearchFilter></groupSearchFilter>
<groupMembershipStrategy class="jenkins.security.plugins.ldap.FromGroupSearchLDAPGroupMembershipStrategy">
<filter></filter>
</groupMembershipStrategy>
<managerDN>email#mycompany.com</managerDN>
<managerPasswordSecret>XXXX</managerPasswordSecret>
<disableMailAddressResolver>false</disableMailAddressResolver>
<displayNameAttributeName>displayname</displayNameAttributeName>
<mailAddressAttributeName>mail</mailAddressAttributeName>
<userIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
<groupIdStrategy class="jenkins.model.IdStrategy$CaseInsensitive"/>
</securityRealm>
The name of the server where Apache and Jenkins are hosted is : http://abchost/.
Jenkins is hosted at : http://abchost:8084/jenkins.
Now I need to configure Apache server in such a way that, when I enter http://abchost/jenkins in browser it a Proxy should work in between and it should forward the request to http://abchost:8084/jenkins and again, get the result from jenkins and display the result at : http://abchost/jenkins.
For this I have configured Apache like this:
NameVirtualHost abchost:80
Listen 80
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes On
<VirtualHost *:80>
ServerName abchost.com
ServerAdmin admin#abchost.com
ProxyPass /downloads !
Alias /downloads "d:\myPath1"
<Directory "d:\myPath2">
# Don't allow editing the main repository site.
Options -Indexes
</Directory>
<Directory "d:\myPath3">
# Remove 'Parent Directory' link from the site.
# IndexIgnore ..
#
Options +Indexes
# List file names which will be opened automatically when the folder is opened.
DirectoryIndex index.html toc.html
IndexOptions FancyIndexing HTMLTable FoldersFirst SuppressDescription
</Directory>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# Jenkins via HTTP.
ProxyPass /jenkins/ http:/abchost:8084/jenkins/ nocanon
ProxyPassReverse /jenkins http://abchost:8084/jenkins/
</VirtualHost>
After this configuration, I am able to login in jenkins using http:/abchost:8084/jenkins/, but, not using http:/abchost/jenkins/.
Point to note is:
When I am logging in http:/abchost/jenkins/ using proper user id and pswd, it looks like the page refreshes and blank login page appears again.
When I am logging in http:/abchost/jenkins/ using wrong user id and pswd combination, it shows message that LDAP authentication failed.
Can anyone please enlighten me?
Thanks in advance!
I would like to run an IPython notebook web server behind an Apache (reverse) proxy so that instead of the URL
https://my.server:XXXX
(where XXXX is some port number) I could use
https://my.server/py0
I am aware that IPython uses websockets and I suspect this is the part that is missing from my setup, but I simply could not find a suitably detailed description on how to configure this. Unfortunately the IPython webserver setup docs don't have much to say regarding proxies apart from this:
When behind a proxy, especially if your system or browser is set to
autodetect the proxy, the notebook web application might fail to
connect to the server’s websockets[...]
So I decided to try it on my own and put the following in /etc/apache2/sites-enabled/default-ssl.conf :
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass /py0/ https://localhost:10000/
ProxyPassReverse /py0/ https://localhost:10000/
Accessing IPython "directly" over the URL https://my.server:10000 works perfectly as advertised.
The URL https://my.server/py0 (without a trailing slash) returns "404 Not found".
The same with a trailing slash https://my.server/py0/ does "work" in that it forwards to https://my.server/login?next=%2F, which is then "Not found" in its own right -- obviously because the /py0/ part got lost. Maybe I should tell IPython about it but how ??
Perhaps relevant version numbers: Ubuntu 14.04 LTS, Apache 2.4.7.
Perhaps relevant SO question: IPython behind nginx. However, since everything else in my setup is handled by Apache to my full satisfaction, I do not want to run Nginx in addition.
Is there any good soul out there who has successfully configured IPython notebook web servers behind Apache? If yes, then please step forward and share your knowledge :-) Many thanks!
I got this working using the following setup.
IPython
IPython Notebook is listening at http://localhost:8888/ipython. It was necessary to add the /ipython prefix, because IPython uses absolute paths, so it must be the same as the reverse proxied path.
The ipython_notebook_config.py
c = get_config()
c.NotebookApp.ip = 'localhost'
c.NotebookApp.open_browser = False
c.NotebookApp.port = 8888
c.NotebookApp.base_url = '/ipython'
Apache
I enabled
mod_proxy
mod_proxy_http
mod_proxy_wstunnel
In the apache config I added
<Location /ipython>
ProxyPass http://localhost:8888/ipython
ProxyPassReverse http://localhost:8888/ipython
ProxyPassReverseCookieDomain localhost my.server.com
RequestHeader set Origin "http://localhost:8888"
</Location>
<Location /ipython/api/kernels/>
ProxyPass ws://localhost:8888/ipython/api/kernels/
ProxyPassReverse ws://localhost:8888/ipython/api/kernels/
</Location>
to an SSL enabled virtual host definition.
The RequestHeader set Origin "http://localhost:8888" was necessary for the websockets, otherwise you get a 403 Forbidden.
Now IPython is reachable at https://my.server.com/ipython (no trailing /!).
WARNING: This is rather verbose, as I gather you have figured much of this, but for documentation purposes, I laid out enough detail here for someone else to follow.
I put this answer together after implementing this myself with the help from various links. The first from here Websocket origin check fails when used with Apache WS proxy #5525. I repeat much of it here with some changes. Other links are referenced below.
1. Set up iPython:
This is in the post, but rather than do it as the original post suggested, I just followed the general instructions for Running a notebook server. With this done you should be able to test the setup, which will require enabling the port you have this configured for. If this does not work, then any Apache set up will not work.
2. Configure Apache:
Make sure you have the following mods available and enabled.
./configure --enable-proxy --enable-ssl --enable-deflate --enable-proxy-http --enable-proxy-wstunnel --enable-info --enable-rewrite --enable-headers
Added --enable-headers here as they were not installed on mine. Also I used the Apache2 a2enmod command. So sudo a2enmod headers, sudo a2enmod proxy, etc.
If you're running a version of Apache prior to 2.4, you do not have the proxy_wstunnel mod. You can either a patch your version or upgrade. To patch your version, you can follow these instructions. Be sure to copy over both mod_proxy.so and mod_proxy_wstunnel.so. To get the configure script, you need to run ./buildconfig, which has its own dependencies. This is noted in a comment therein.
Within Apache, create a "sites-available/iPython.conf" file. Originally I said to either add to httpd.conf or ports.conf. Adding your own site file is much cleaner and will allow you to enable/disable the configuration when desired.
Listen [ANY PORT HERE] # post has port 8999 here...
...
<VirtualHost *:[ANY PORT HERE]>
SSLProxyEngine On # post did not have this...
ProxyPass / http://127.0.0.1:8888/
ProxyPassReverse / http://127.0.0.1:8888/
# spoof headers to make notepad accept the request as coming from the same origin
Header set Origin "http://127.0.0.1:8888/"
RequestHeader set Origin "http://127.0.0.1:8888/"
LogLevel debug
</VirtualHost>
NOTE 1: The post uses port 8999, but it can be any port you want. You want port 80 here, but you do not need to specify it, so, modifying the above would yield:
<VirtualHost *:80>
... # Everything is the same here...
</VirtualHost>
NOTE 2: Since you are using SSL, you need to add SSLProxyEngine On within the body of the VirtualHost definition. As noted above, the post did not have this specifically.
NOTE 3: Port 8888 is whatever port ipython is running on. Change this based on your configuration.
NOTE 4: If you want to host multiple applications, and this is one of them, rather than having / and :8888/, you will want /ipython and :8888/ipython or whatever you want this to be named. In order to support this, see Running with a different URL prefix.
Enable the new configuration:
sudo a2ensite iPython
If you need to disable:
sudo a2dissite iPython
Reload Apache:
sudo service apache2 reload
My Environment:
Ubuntu 14.04.1
Apache 2.4.7
ipython 2.3.0
EDIT: Updated to reflect the final changes I made to get this working. I also changed the instruction order to what I think makes more sense.
Based on Apache's config of #adam, I'm putting here a full SSL-aware <VirualHost> sections but without the /ipython prefix, and i'm giving also the SSL-options for anyone interested:
<VirtualHost *:80>
ServerAdmin myname#my.place.com
ServerName some.server.com
SSLEngine off
Redirect permanent / https://some.server.com
</VirtualHost>
## From http://stackoverflow.com/questions/23890386/how-to-run-ipython-behind-an-apache-proxy
#
<VirtualHost *:443>
ServerAdmin myname#my.place.com
ServerName some.server.com
SSLEngine on
SSLCertificateFile some_server_com.crt
SSLCertificateKeyFile some_server_com.key
<Location />
ProxyPass http://localhost:8888/
ProxyPassReverse http://localhost:8888/
ProxyPassReverseCookieDomain localhost some.server.com
RequestHeader set Origin "http://localhost:8888"
</Location>
<Location /api/kernels/>
ProxyPass ws://localhost:8888/api/kernels/
ProxyPassReverse ws://localhost:8888/api/kernels/
</Location>
Redirect permanent / https://some.server.com
</VirtualHost>
This works for jupyter and password hash:
<VirtualHost *:443>
ServerName default
ProxyPreserveHost On
ProxyRequests off
SSLProxyEngine on
SSLEngine on
SSLProtocol TLSv1
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLCertificateFile /home/ubuntu/.certs/mycert.pem
ProxyPass /notebook/terminals/websocket/ wss://localhost:9999/notebook/terminals/websocket/
ProxyPassReverse /notebook/terminals/websocket/ wss://localhost:9999/notebook/terminals/websocket/
ProxyPass /notebook/api/kernels/ wss://127.0.0.1:9999/notebook/api/kernels/
ProxyPassReverse /notebook/api/kernels/ wss://127.0.0.1:9999/notebook/api/kernels/
ProxyPass /notebook https://127.0.0.1:9999/notebook
ProxyPassReverse /notebook https://127.0.0.1:9999/notebook
</VirtualHost>
On newer versions of IPython/Jupyter that have a terminal you also need to add entries for terminals.
<Location /ipython/terminals/websocket/>
ProxyPass ws://localhost:8888/ipython/terminals/websocket/
ProxyPassReverse ws://localhost:8888/ipython/terminals/websocket/
</Location>
I'm using apache version 2.4.18 in a server running Ubuntu 16.04.1 LTS(xenial)
and finally I have my jupyter notebook running through ssl.
I had already configured the standard SSL on my server, so https:// was working. I had also followed this instructions: Running a notebook server to get my cert file and my password in the jupyter_notebook_config.py configuration file. What I was missing was:
c.NotebookApp.allow_origin = '*'
c.NotebookApp.base_url = '/SomeName'
The apache configuration file that worked for me using solutions from several places and part of the answers here was:
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<Location "/SomeName">
ProxyPass https://localhost:XXXX/SomeName
ProxyPassReverse https://localhost:XXXX/SomeName
</Location>
<Location "/SomeName/api/kernels">
ProxyPass wss://localhost:XXXX/SomeName/api/kernels
ProxyPassReverse wss://localhost:XXXX/SomeName/api/kernels
</Location>
<Location "/SomeName/terminals/websocket">
ProxyPass wss://localhost:XXXX/SomeName/terminals/websocket
ProxyPassReverse wss://localhost:XXXX/SomeName/terminals/websocket
</Location>
where XXXX is the port you are using, e.g. 8888, and SomeName could be any name you want.
I hope this can help.
I would like to run a rails application (redmine, actually) in a subdirectory off my domain. SOmething like http://foobar.com/redmine. Redmine is running as a stand-alone passenger instance that I would like to proxy requests to.
passenger start -a 127.0.0.1 -p 8000 -e production
I can confirm that the app is running if I access it locally from the server.
lynx http://127.0.0.1:8000/
Now I can't figure out how to get Apache to serve the app properly. This is what I have, but it doesn't work quite right:
Alias /redmine /home/redmine/www/redmine-1.2/public
<Directory /home/redmine/www/redmine-1.2/public>
allow from all
ProxyPass http://127.0.0.1:8000
ProxyPassReverse http://127.0.0.1:8000
</Directory>
It serves static assets fine from the public folder but doesn't seem to proxy requests properly. Everything returns 403. Apache log:
client denied by server configuration: proxy:http://127.0.0.1:8000
Figured it out. Apache config:
<Location /redmine>
Order deny,allow
Allow from all
ProxyPass http://127.0.0.1:8000
ProxyPassReverse http://127.0.0.1:8000
</Location>
Then add this line to config/environment.rb:
config.action_controller.relative_url_root = "/redmine"