Setting up Apache Proxy Server for Enonic XP


#1

Enonic version: Latest
OS: Ubuntu

Hey folks, I might need some help setting up my site.

I have a live app running on my server which can be accessed by pasting the public IP address.

However, when I tried to set up a ProxyPassReverse it doesn’t work.

What am I doing wrong here? Why can’t I access https://www.abc.com but I can access http://142.93.118.89/#/dashboard?

Thanks in advance.


cat abc.com-le-ssl.conf

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module /usr/lib/apache2/modules/mod_proxy_wstunnel.so

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName abc.com
    ServerAlias www.abc.com
    DocumentRoot /var/www/html/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ProxyRequests Off
    ProxyPreserveHost On
    
    ProxyPass / http://127.0.0.1:8080/    
    ProxyPassReverse / http://127.0.0.1:8080/

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/abc.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/abc.com/privkey.pem
</VirtualHost>

</IfModule>

---

cat abc.com.conf

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName abc.com
    ServerAlias www.abc.com
    DocumentRoot /var/www/html/

    ProxyPreserveHost On

    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =abc.com [OR]
    RewriteCond %{SERVER_NAME} =www.abc.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#2

Hi!

I think you’re missing websockets for admin.
Add these lines after RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]

Question… is XP running on the same host?


#3

Hi dap.

I tried adding those lines but no luck.

<VirtualHost *:80>
ServerAdmin [email protected]
ServerName abc.com
ServerAlias www.abc.com
DocumentRoot /var/www/html/

ProxyPreserveHost On

ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =abc.com [OR]
RewriteCond %{SERVER_NAME} =www.abc.com
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteCond %{REQUEST_URI} /admin [NC]
RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

The xp is running on the same host. Can be accessed in here https://142.93.118.89/#/dashboard

Were you able to set up your Enonic XP with https?

Thanks!


#4

So after a little bit of investigation I ended up with this config, but it still doesn’t work.

I am running XP as a service.

cat com.enonic.xp.web.vhost.cfg

enabled = true

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

mapping.a.host = 142.93.118.89
mapping.a.source = /admin
mapping.a.target = /admin
mapping.a.userStore = system

mapping.b.host = 142.93.118.89
mapping.b.source = /
mapping.b.target = /portal/master/abc

sudo cat /etc/apache2/sites-available/abc.com.br-le-ssl.conf
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

<IfModule mod_ssl.c>
<VirtualHost *:443>

  ServerName abc.com.br
  ServerAlias www.abc.com.br
  DocumentRoot /var/www/html/

  RequestHeader set X-Forwarded-Proto "https"

  Header always set Strict-Transport-Security "max-age=15768000"

  ProxyRequests Off
  ProxyPreserveHost On

  ProxyPass /admin/event ws://142.93.118.89:8080/admin/event
  ProxyPassReverse /admin/event ws://142.93.118.89:8080/admin/event

  ProxyPass / http://142.93.118.89:8080/ timeout=5
  ProxyPassReverse / http://142.93.118.89:8080/ timeout=5

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://142.93.118.89:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^abc\.com\.br$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://abc.com.br/$1 [L,R]

  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/abc.com.br/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/abc.com.br/privkey.pem
</VirtualHost>

</IfModule>

sudo cat /etc/apache2/sites-available/abc.com.br.conf
<VirtualHost *:80>
  ServerName abc.com.br
  ServerAlias www.abc.com.br
#  CustomLog /var/log/apache2/vhosts/enonic-xp-enonic.com.log combined
#  DocumentRoot /var/www/html/

  RewriteEngine on
  RewriteRule ^/(.*) https://abc.com.br/$1 [L,R=301,NE]
</VirtualHost>

Do you know what is wrong?

Thanks!


#5

Hi, here is a config that works in our setup:

<VirtualHost *:80>
  ServerName MY.PUBLIC.URL
  DocumentRoot /var/www/html/

  RewriteEngine on
  RewriteRule ^/(.*) https://MY.PUBLIC.URL/$1 [L,R=301,NE]
</VirtualHost>

<VirtualHost *:443>
  ServerName MY.PUBLIC.URL
  DocumentRoot /var/www/html/

  RequestHeader set X-Forwarded-Proto "https"
  Header always set Strict-Transport-Security "max-age=15768000"

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/certs/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem

  ProxyRequests Off
  ProxyPreserveHost On
  SSLProxyEngine on

  ProxyPass / http://exp:8080/
  ProxyPassReverse / http://exp:8080/

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://exp:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^MY\.PUBLIC\.URL$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://MY.PUBLIC.URL/$1 [L,R]

</VirtualHost>

SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

We are running our own letsencrypt image:

FROM enoniccloud/apache2-letsencrypt:latest

COPY var-www-html /var/www/html
ADD mpm_event.conf /etc/apache2/mods-enabled/mpm_event.conf

RUN a2enmod proxy_wstunnel \
  && a2enmod proxy_http \
  && a2enmod rewrite \
  && a2enmod headers

COPY sites /etc/apache2/sites-enabled

with a separate volume for letsencrypt.


#6

When you say it doesn’t work, what is happening? Does it hit the correct vhost on Apache?


#7

Hi @rmy

I am getting this error when I try to access the site.

No web page was found for the web address:
HTTP ERROR 404

After reading your comments I ended up with this config, but still no luck.

Is my Enonic vhost file correct?

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

<VirtualHost *:443>
  ServerName abc.com.br
  ServerAlias www.abc.com.br
  DocumentRoot /var/www/html/

  RequestHeader set X-Forwarded-Proto "https"
  Header always set Strict-Transport-Security "max-age=15768000"

  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/abc.com.br/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/abc.com.br/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/abc.com.br/chain.pem

  ProxyRequests Off
  ProxyPreserveHost On
  SSLProxyEngine on

  ProxyPass / http://142.93.118.89:8080/ timeout=5
  ProxyPassReverse / http://142.93.118.89:8080/ timeout=5

  RewriteEngine on

  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteCond %{REQUEST_URI} /admin [NC]
  RewriteRule /admin/(.*) ws://142.93.118.89:8080/admin/$1 [P,L]

  RewriteCond %{HTTP_HOST} !^abc\.com\.br$
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/(.*) https://abc.com.br/$1 [L,R]
</VirtualHost>

SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on

SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)



------------------------------

Enonic Vhost file


enabled = true

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

mapping.a.host = 142.93.118.89
mapping.a.source = /admin
mapping.a.target = /admin
mapping.a.userStore = system

mapping.b.host = 142.93.118.89
mapping.b.source = /
mapping.b.target = /portal/master/abc 

Server is running as seen here.

[email protected]:/home/xp/enonic/xp/config# sudo service xp status
● xp.service - SYSV: Enonic XP server daemon
   Loaded: loaded (/etc/init.d/xp; generated)
   Active: active (exited) since Tue 2019-10-29 19:34:08 UTC; 3 weeks 1 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 2362)
   CGroup: /system.slice/xp.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Thanks!
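The TLS settings in replies #5 and #7 (`SSLProtocol all -SSLv3` plus the long SSLCipherSuite list) deserve a check before being copied into a new deployment. The script below is an added example by the editor, not code from the thread, Apache or Enonic: it parses that exact cipher string, flags suites that use 3DES, static RSA key exchange or CBC mode, and evaluates what `SSLProtocol all -SSLv3` leaves enabled. The set of versions that `all` expands to is an assumption (an OpenSSL 1.1.1 or newer build); the classification rules follow OpenSSL suite-name conventions.

```python
"""Audit an Apache SSLCipherSuite / SSLProtocol pair for suites and protocol versions
that a current deployment should not offer.

Editor's added example, not code from the thread, Apache or Enonic. The cipher string
is the one posted in replies #5 and #7; the rules below come from OpenSSL suite-name
conventions (ECDHE-/DHE-/EDH- prefix = ephemeral key exchange, -GCM-/CHACHA20 = AEAD,
DES-CBC3 = triple DES).
"""
from __future__ import annotations

from dataclasses import dataclass

# Verbatim copy of the SSLCipherSuite value from replies #5 and #7.
POSTED_CIPHERSUITE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# What the SSLProtocol keyword "all" expands to. Assumption: mod_ssl on an OpenSSL
# 1.1.1+ build (older builds lack TLSv1.3; SSLv2 is gone from all of them).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


@dataclass(frozen=True)
class Finding:
    suite: str
    reasons: tuple[str, ...]


def is_directive(token: str) -> bool:
    """'!X' kills X, '-X' removes it, '+X' moves it to the end: not suites themselves."""
    return token.startswith(("!", "-", "+"))


def has_forward_secrecy(suite: str) -> bool:
    return suite.startswith(("ECDHE-", "DHE-", "EDH-"))


def is_aead(suite: str) -> bool:
    return "-GCM-" in suite or "CHACHA20" in suite


def is_3des(suite: str) -> bool:
    return "DES-CBC3" in suite


def audit(ciphersuite: str) -> list[Finding]:
    """One Finding per offered suite that fails at least one of the three checks."""
    findings: list[Finding] = []
    for token in filter(None, ciphersuite.split(":")):
        if is_directive(token):
            continue
        reasons = []
        if is_3des(token):
            reasons.append("3DES: 64-bit block cipher (Sweet32)")
        if not has_forward_secrecy(token):
            reasons.append("static RSA key exchange: no forward secrecy")
        if not is_aead(token):
            reasons.append("CBC with HMAC rather than AEAD")
        if reasons:
            findings.append(Finding(token, tuple(reasons)))
    return findings


def hardened(ciphersuite: str, aead_only: bool = False) -> str:
    """Drop 3DES and non-forward-secret suites (optionally every non-AEAD suite too),
    keeping the survivors in their original preference order and the directives last."""
    kept, directives = [], []
    for token in filter(None, ciphersuite.split(":")):
        if is_directive(token):
            directives.append(token)
        elif is_3des(token) or not has_forward_secrecy(token):
            continue
        elif aead_only and not is_aead(token):
            continue
        else:
            kept.append(token)
    return ":".join(kept + directives)


def protocols_enabled(sslprotocol: str) -> set[str]:
    """Evaluate an SSLProtocol directive value such as 'all -SSLv3' left to right."""
    enabled: set[str] = set()
    for word in sslprotocol.split():
        name = word.lstrip("+-")
        names = ALL_PROTOCOLS if name == "all" else (name,)
        if word.startswith("-"):
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


if __name__ == "__main__":
    for f in audit(POSTED_CIPHERSUITE):
        print(f"{f.suite:32s} {'; '.join(f.reasons)}")
    print("still enabled by 'all -SSLv3':", sorted(protocols_enabled("all -SSLv3")))
    print("hardened:", hardened(POSTED_CIPHERSUITE, aead_only=True))
```

Run as-is, it reports that the posted list still offers four 3DES suites and seven suites without forward secrecy, and that `all -SSLv3` leaves TLS 1.0 and 1.1 switched on; `SSLProtocol -all +TLSv1.2 +TLSv1.3` together with the `aead_only` output is the shape a current deployment wants. Note too that the `Include /etc/letsencrypt/options-ssl-apache.conf` line in replies #1 and #4 brings in certbot's own SSLProtocol and SSLCipherSuite settings, so check which directive actually wins in the merged configuration rather than assuming the hand-written one does.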


#8

Try setting ProxyPreserveHost Off
(or use host names in the vhost file).

When enabled, ProxyPreserveHost option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.


#9

IMHO you should start with a minimalistic apache config with proxy, get that working, and then add rewrites, ssl and whatnot. That would help you figure out where things are failing.

Also, if you are using XP7, you can safely drop these lines from the vhost config:

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

The API part of XP has now been moved to separate ports 2609 and 4848


#10

@tsi @rf0 @rmy @dpa

Guys… guys… guys…

You guys are awesome.

I managed to get it working thanks to you. So… the Apache virtual host file was fine all along; the issue was with this line: mapping.b.host = 142.93.118.89. Changing it to mapping.b.host = abc.com.br solved the problem.

That was it. :sweat::sweat_smile:
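To make the root cause in #10 and the ProxyPreserveHost advice in #8 concrete, here is an added example by the editor (not Enonic or Apache code) that traces the Host header from the browser through the Apache proxy into the vhost mappings from the file posted in #7. It models two things as assumptions: that Apache forwards the client's Host unchanged with `ProxyPreserveHost On` and sends the host:port of the ProxyPass target with `Off`, and that XP matches the host-name part of that header (port stripped) exactly against `mapping.<name>.host` and then takes the matching mapping with the longest `source` prefix, answering 404 when nothing matches. `parse_vhost_cfg`, `upstream_host_header` and `resolve` are names invented for this example.

```python
"""Trace the Host header from browser, through the Apache reverse proxy, into Enonic XP's
virtual-host mappings, to show why the vhost file in reply #7 produced a 404, why the one
change in reply #10 made it match, and what the ProxyPreserveHost Off suggestion in
reply #8 would have done instead.

Editor's added example, not Enonic or Apache code. Simplified rules it assumes:
  * ProxyPreserveHost On: Apache forwards the client's Host header unchanged;
    Off: it sends the host[:port] taken from the ProxyPass target URL.
  * XP compares the host-name part of the incoming Host header (port stripped) with
    mapping.<name>.host for an exact match and picks the matching mapping with the
    longest source prefix; no match means 404. IPv6 literals are not handled.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# com.enonic.xp.web.vhost.cfg exactly as posted in reply #7.
POSTED_VHOST_CFG = """
enabled = true

mapping.api.host = localhost
mapping.api.source = /api
mapping.api.target = /api

mapping.a.host = 142.93.118.89
mapping.a.source = /admin
mapping.a.target = /admin
mapping.a.userStore = system

mapping.b.host = 142.93.118.89
mapping.b.source = /
mapping.b.target = /portal/master/abc
"""

# The one-line change reported in reply #10.
FIXED_VHOST_CFG = POSTED_VHOST_CFG.replace(
    "mapping.b.host = 142.93.118.89", "mapping.b.host = abc.com.br"
)


@dataclass(frozen=True)
class Mapping:
    name: str
    host: str
    source: str
    target: str


def parse_vhost_cfg(text: str) -> list[Mapping]:
    """Read the properties-style file into Mapping objects (empty list if not enabled)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    if props.get("enabled", "false").lower() != "true":
        return []
    names = sorted({k.split(".")[1] for k in props if k.startswith("mapping.")})
    return [
        Mapping(n, props[f"mapping.{n}.host"], props[f"mapping.{n}.source"],
                props[f"mapping.{n}.target"])
        for n in names
    ]


def upstream_host_header(client_host: str, proxy_pass_target: str,
                         preserve_host: bool) -> str:
    """Host header XP receives for a request Apache proxied to proxy_pass_target."""
    return client_host if preserve_host else urlsplit(proxy_pass_target).netloc


def resolve(mappings: list[Mapping], host_header: str, path: str) -> str | None:
    """Internal path XP rewrites this Host/path to, or None where it would answer 404."""
    hostname = host_header.split(":", 1)[0].lower()
    candidates = [
        m for m in mappings
        if m.host.lower() == hostname
        and (m.source == "/" or path == m.source or path.startswith(m.source + "/"))
    ]
    if not candidates:
        return None
    best = max(candidates, key=lambda m: len(m.source))
    return best.target.rstrip("/") + path[len(best.source.rstrip("/")):]


if __name__ == "__main__":
    posted = parse_vhost_cfg(POSTED_VHOST_CFG)
    fixed = parse_vhost_cfg(FIXED_VHOST_CFG)
    target = "http://142.93.118.89:8080/"   # ProxyPass target from replies #4 and #7
    for label, cfg, preserve in (("posted, PreserveHost On ", posted, True),
                                 ("posted, PreserveHost Off", posted, False),
                                 ("fixed,  PreserveHost On ", fixed, True)):
        seen = upstream_host_header("abc.com.br", target, preserve)
        print(f"{label}: XP sees Host={seen!r} -> {resolve(cfg, seen, '/') or '404'}")
```

Under these assumptions the posted file answers 404 for `Host: abc.com.br` because no mapping carries that host, the fixed file routes `/` to `/portal/master/abc/`, and `ProxyPreserveHost Off` would also have matched because XP would then see `142.93.118.89:8080`, which is why reply #8 pointed at it. The rewrite in the #7 Apache config that sends any other Host (including `www.abc.com.br`) to `https://abc.com.br/` before proxying is what keeps the forwarded Host predictable, so the host name in the vhost file is the cleaner fix: XP sees the name users actually typed. The model also shows a side effect worth knowing when only `mapping.b.host` is changed: with `mapping.a.host` still the IP, `/admin/...` requests arriving with the public name fall through to the `/` mapping rather than the admin one.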