Setting up Apache Proxy Server for Enonic XP

KujiM · November 19, 2019, 10:16pm

Enonic version: Latest
OS: Ubuntu

Hey folks, I might need some help setting up my site.

I have a live app running on my server which can be access by pasting the public IP address.

However when I tried to setup a ProxyPassReverse it doesn’t work.

What Am I doing wrong here? Why can’t I access https://www.abc.com but I can access http://142.93.118.89/#/dashboard?

Thanks in advance.

cat abc.com-le-ssl.conf

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName abc.com
    ServerAlias www.abc.com
    DocumentRoot /var/www/html/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ProxyRequests Off
    ProxyPreserveHost On
    
    ProxyPass / http://127.0.0.1:8080/    
    ProxyPassReverse / http://127.0.0.1:8080/

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/abc.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/abc.com/privkey.pem
</VirtualHost>

</IfModule>

---

cat abc.com.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName abc.com
    ServerAlias www.abc.com
    DocumentRoot /var/www/html/

    ProxyPreserveHost On

    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =abc.com [OR]
    RewriteCond %{SERVER_NAME} =www.abc.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

dap · November 20, 2019, 9:34am

Hi!

I think you’re missing websockets for admin.
Add these lines after RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]

Question… is xp runnning on the samme host?

KujiM · November 20, 2019, 5:43pm

Hi dap.

I tried adding those lines but no luck.

<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName abc.com
ServerAlias www.abc.com
DocumentRoot /var/www/html/

ProxyPreserveHost On

ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =abc.com [OR]
RewriteCond %{SERVER_NAME} =www.abc.com
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteCond %{REQUEST_URI} /admin [NC]
RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

The xp is running on the same host. Can be accessed in here https://142.93.118.89/#/dashboard

Were you able to set up your Enonic XP with https?

Thanks!

KujiM · November 21, 2019, 10:58am

So after I little be of investigation I ended up with this config, but it still doesn’t work.

I am running XP as a service.

cat com.enonic.xp.web.vhost.cfg

enabled = true

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

mapping.a.host = 142.93.118.89
mapping.a.source = /admin
mapping.a.target = /admin
mapping.a.userStore = system

mapping.b.host = 142.93.118.89
mapping.b.source = /
mapping.b.target = /portal/master/abc

sudo cat /etc/apache2/sites-available/abc.com.br-le-ssl.conf
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

<IfModule mod_ssl.c>
<VirtualHost *:443>

  ServerName abc.com.br
  ServerAlias www.abc.com.br
  DocumentRoot /var/www/html/

  RequestHeader set X-Forwarded-Proto "https"

  Header always set Strict-Transport-Security "max-age=15768000"

  ProxyRequests Off
  ProxyPreserveHost On

  ProxyPass /admin/event ws://142.93.118.89:8080/admin/event
  ProxyPassReverse /admin/event ws://142.93.118.89:8080/admin/event

  ProxyPass / http://142.93.118.89:8080/ timeout=5
  ProxyPassReverse / http://142.93.118.89:8080/ timeout=5

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://142.93.118.89:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^abc\.com\.br$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://abc.com.br/$1 [L,R]

  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/abc.com.br/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/abc.com.br/privkey.pem
</VirtualHost>

</IfModule>

sudo cat /etc/apache2/sites-available/abc.com.br.conf
<VirtualHost *:80>
  ServerName abc.com.br
  ServerAlias www.abc.com.br
#  CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.log combined
#  DocumentRoot /var/www/html/

  RewriteEngine on
  RewriteRule ^/(.*) https://abc.com.br/$1 [L,R=301,NE]
</VirtualHost>

Do you know what is wrong?

Thanks!

rmy · November 21, 2019, 11:19am

Hi, here is a config that works in out setup:

<VirtualHost *:80>
  ServerName MY.PUBLIC.URL
  DocumentRoot /var/www/html/

  RewriteEngine on
  RewriteRule ^/(.*) https://MY.PUBLIC.URL/$1 [L,R=301,NE=301]
</VirtualHost>

<VirtualHost *:443>
  ServerName MY.PUBLIC.URL
  DocumentRoot /var/www/html/

  RequestHeader set X-Forwarded-Proto "https"
  Header always set Strict-Transport-Security "max-age=15768000"

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/certs/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem

  ProxyRequests Off
  ProxyPreserveHost On
  SSLProxyEngine on

  ProxyPass / http://exp:8080/
  ProxyPassReverse / http://exp:8080/

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^MY\.PUBLIC\.URL$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://MY.PUBLIC/$1 [L,R]

</VirtualHost>

SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Vi are running our own letsencrypt-image:

FROM enoniccloud/apache2-letsencrypt:latest

COPY var-www-html /var/www/html
ADD mpm_event.conf /etc/apache2/mods-enabled/mpm_event.conf

RUN a2enmod proxy_wstunnel \
  && a2enmod proxy_http \
  && a2enmod rewrite \
  && a2enmod headers

COPY sites /etc/apache2/sites-enabled

with a separate volume for letsencrypt.

rmy · November 21, 2019, 11:26am

When you say it doesnt work, what is happening? Does it hit the correct vhost on apache?

KujiM · November 21, 2019, 5:54pm

Hi @rmy

I am gettting this error when I try to access the site.

No web page was found for the web address:
HTTP ERROR 404

After reading your comments I ended up with this config, but still no luck.

Is my Enonic vhost file correct?

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

<VirtualHost *:443>
  ServerName abc.com.br
  ServerAlias www.abc.com.br
  DocumentRoot /var/www/html/

  RequestHeader set X-Forwarded-Proto "https"
  Header always set Strict-Transport-Security "max-age=15768000"

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/abc.com.br/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/abc.com.br/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/abc.com.br/chain.pem

  ProxyRequests Off
  ProxyPreserveHost On
  SSLProxyEngine on

  ProxyPass / http://142.93.118.89:8080/ timeout=5
  ProxyPassReverse / http://142.93.118.89:8080/ timeout=5

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://142.93.118.89:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^abc\.com\.br$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://abc.com.br/$1 [L,R]
</VirtualHost>

SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)



------------------------------

Enonic Vhost file


enabled = true

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

mapping.a.host = 142.93.118.89
mapping.a.source = /admin
mapping.a.target = /admin
mapping.a.userStore = system

mapping.b.host = 142.93.118.89
mapping.b.source = /
mapping.b.target = /portal/master/abc

Server is running as seen here.

root@ubuntu-suppliers:/home/xp/enonic/xp/config# sudo service xp status
● xp.service - SYSV: Enonic XP server daemon
   Loaded: loaded (/etc/init.d/xp; generated)
   Active: active (exited) since Tue 2019-10-29 19:34:08 UTC; 3 weeks 1 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 2362)
   CGroup: /system.slice/xp.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Thanks!

rf0 · November 21, 2019, 10:34pm

try to set ProxyPreserveHost Off
(OR use host names in vhost file)

When enabled, ProxyPreserveHost option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.

tsi · November 22, 2019, 9:06am

IMHO you should start with a minimalistic apache config with proxy, get that working, and then add rewrites, ssl and whatnot. That would help you figure out where things are failing.

Also, if you are using XP7, you can safely drop this line from the vhost config:

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

The API part of XP has now been moved to separate ports 2609 and 4848

KujiM · November 22, 2019, 12:17pm

@tsi @rf0 @rmy @dpa

Guys… guys… guys…

You guys are awesome.

I managed to get it working thanks to you. So… Apache virtual host file was fine all along, the issue was with this line mapping.b.host = 142.93.118.89. Changing it to mapping.b.host = abc.com.br solved the problem.

That was it.