I'm trying to expose web app via subdomain with SSL or via route.
Subdomain Method:
The webapp I'm running is on port: http://localhost:4567/
With the following configuration, the web browser tells me the app is "not secure" (non-https).
The app is generally working fine, but is non-https.
What am I doing wrong?
Are there alternative configurations?
<IfModule mod_ssl.c>
Listen 443
NameVirtualHost *:443
</IfModule>
<VirtualHost *:80>
ServerName blast.example.com
Redirect permanent / https://blast.example.com/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin me#gmail.com
ServerName blast.example.com
# ProxyPreserveHost On
ProxyRequests off
# setup the proxy
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
# ProxyPass / http://localhost:4567/
# ProxyPassReverse / http://localhost:4567/
<Location />
ProxyPass http://localhost:4567/
ProxyPassReverse http://localhost:4567/
</Location>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile ...
SSLCertificateKeyFile ...
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
I had been following the prescription given at How to configure multiple subdomain with SSL in Apache?
Path/Route Method
I had also tried exposing the app as a route path (ie https://example.com/blast)
<Location /blast/ >
ProxyPass http://localhost:4567/
ProxyPassReverse http://localhost:4567/
</Location>
but the reverse proxy didn't see to work in that, if I started with:
https://example.com/blast
And clicked whatever on the start page.
The app would generate a internal URL without the /blast part, resulting in 404:
https://example.com/blah-blah-generated-url
(should be https://example.com/blast/blah-blah-generated-url)
In general, the subdomain path seems to work better except for the non-https problem.
Setting up a path/route:
Making the application accessible with https://example.com/blast. If the application generates new routes, ProxyPassReverse is needed; otherwise; only ProxyPass is needed.
<VirtualHost *:443>
...
ProxyPass "/blast/" "http://localhost:4567/"
ProxyPassReverse "/blast/" "/"
...
Found in Example 1, here: ProxyPassReverse doesn't rewrite Location (http header)
Good evening,
I am trying to set up my apache2 reverse proxy
(following https://github.com/ether/etherpad-lite/wiki/How-to-put-Etherpad-Lite-behind-a-reverse-Proxy)
for etherpad lite
(following https://www.howtoforge.com/tutorial/ubuntu-etherpad-editor-server-installation/, except for the nginx part).
I use http->ssl redirection. Since I use letsencrypt I can only access domain.com and not etherpad.domain.com (at least firefox won't let me and I want to avoid changing that certificate each time I add a new site). So I would like to access my etherpad just as I do access my other sites: domain.com/etherpad. However I always get a 404 trying to get to the site. Looking at a working example, in my nextcloud.conf file I have a line saying:
Alias /nextcloud /local/path/to/nextcloud
However the etherpad reverse proxy virtual host file looks entirely different, the key difference is etherpad not having a local folder but only a mysql database. (Please correct me if this is wrong)
So I tried changing the ssl example from the second link to the following, but it does not work. Please understand that I changed domain name and some internal paths, but "apache2ctl configtest" succeeds and the service is running without error.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName randomisedDomain.com/etherpad
# SSL configuration
SSLEngine on
# If you hold wildcard certificates for your domain the next two lines are not necessary.
SSLCertificateFile "/working/path/to/fullchain.pem"
SSLCertificateKeyFile "/working/path/to/privkey.pem"
ProxyVia On
ProxyRequests Off
ProxyPreserveHost on
<Location />
AuthType Basic
AuthName "Welcome to the randomisedDomain.com Etherpad"
AuthUserFile /working/path/to/etherpad.passwd
#AuthGroupFile /path/to/svn.group
Require user etherpad
ProxyPass http://localhost:9001/ retry=0 timeout=30
ProxyPassReverse http://localhost:9001/
</Location>
<Location /socket.io>
# This is needed to handle the websocket transport through the proxy, since
# etherpad does not use a specific sub-folder, such as /ws/ to handle this kind of traffic.
# Taken from https://github.com/ether/etherpad-lite/issues/2318#issuecomment-63548542
# Thanks to beaugunderson for the semantics
RewriteEngine On
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) ws://localhost:9001/socket.io/$1 [P,L]
ProxyPass http://localhost:9001/socket.io retry=0 timeout=30
ProxyPassReverse http://localhost:9001/socket.io
</Location>
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
</VirtualHost>
Any help for rerouting the localhost domain to randomisedDomain.com/etherpad is greatly appreciated !
Best regards
MAPster
I recently installed Munin on my machines. I got everything to work and the data is actually being drawn on the graphs! :)
But, for some reason, when I click on each individual graph, it brings me to the dynazoom page but it's all plain text with no images :(
Here is my apache.conf:
# Enable this for template generation
Alias /munin /var/cache/munin/www
# Enable this for cgi-based templates
#Alias /munin-cgi/static /var/cache/munin/www/static
#ScriptAlias /munin-cgi /usr/lib/munin/cgi/munin-cgi-html
#<Location /munin-cgi>
# Order allow,deny
# Allow from localhost 127.0.0.0/8 ::1
# AuthUserFile /etc/munin/munin-htpasswd
# AuthName "Munin"
# AuthType Basic
# require valid-user
#</Location>
<Directory /var/cache/munin/www>
Order allow,deny
# Allow from localhost 127.0.0.0/8 ::1
Allow from all
Options None
AllowOverride None
# This file can be used as a .htaccess file, or a part of your apache
# config file.
#
# For the .htaccess file option to work the munin www directory
# (/var/cache/munin/www) must have "AllowOverride all" or something
# close to that set.
#
AuthUserFile /etc/munin/munin-htpasswd
AuthName "Munin"
AuthType Basic
require valid-user
# This next part requires mod_expires to be enabled.
#
# Set the default expiration time for files to 5 minutes 10 seconds from
# their creation (modification) time. There are probably new files by
# that time.
#
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault M310
</IfModule>
</Directory>
# Enables fastcgi for munin-cgi-html if present
#<Location /munin-cgi>
# <IfModule mod_fastcgi.c>
# SetHandler fastcgi-script
# </IfModule>
#</Location>
#<Location /munin-cgi/static>
# SetHandler None
#</Location>
# Enables fastcgi for munin-cgi-graph if present
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
Order allow,deny
Allow from localhost 127.0.0.0/8 ::1
# AuthUserFile /etc/munin/munin-htpasswd
# AuthName "Munin"
# AuthType Basic
# require valid-user
<IfModule mod_fcgid.c>
SetHandler fcgid-script
</IfModule>
<IfModule !mod_fcgid.c>
SetHandler cgi-script
</IfModule>
</Location>
ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html
<Location /munin-cgi/munin-cgi-html>
Order allow,deny
Allow from localhost 127.0.0.0/8 ::1
# AuthUserFile /etc/munin/munin-htpasswd
# AuthName "Munin"
# AuthType Basic
# require valid-user
<IfModule mod_fcgid.c>
SetHandler fcgid-script
</IfModule>
<IfModule !mod_fcgid.c>
SetHandler cgi-script
</IfModule>
</Location>
Any reason why this could not be working? If I haven't given enough information, please let me know. Thank you
Enabling the apache2 cgi (or cgid) makes the dynazoom work.
sudo a2enmod cgi; sudo service apache2 restart
I had the same issue on Ubuntu 14.04.
By checking /var/log/apache2/error.log I found the script complaining about missing modules:
Can't locate CGI/Fast.pm in #INC (you may need to install the CGI::Fast module) (#INC contains: /etc/perl /usr/local/lib/perl/5.18.2 /usr/local/share/perl/5.18.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.18 /usr/share/perl/5.18 /usr/local/lib/site_perl) at /usr/lib/munin/cgi/munin-cgi-graph line 36.
I did install the CGI::Fast module to solve the issue:
sudo apt-get install libcgi-fast-perl
There is no need for any rewrite rule as indicated in another answer. Packages in Ubuntu 14.04 have the path names configured correctly.
In addition to ermannob's answer; my apache2 error.log reported
AH01797: client denied by server configuration: /usr/lib/munin/cgi/munin-cgi-graph
which stopped me from messing around with file permissions within the OS and caused me to look at the apache config. All that was required was to change
<Location /munin-cgi/munin-cgi-graph>
Order allow,deny
Allow from localhost 127.0.0.0/8 ::1
...
in /etc/apache2/conf-enabled/munin.conf, to
<Location /munin-cgi/munin-cgi-graph>
Require all granted
Options FollowSymLinks SymLinksIfOwnerMatch
I did not need to install any fastcgi packages and followed the tutorial here. They suggest that configuration be added to the apache.conf file directly, however, relaxing the permissions in the conf-enabled/munin.conf file (for /munin, /munin-cgi/munin-cgi-graph and /munin-cgi/munin-cgi-html) was sufficient. I omitted the changes to apache.conf.
When running Ubuntu 14.04 I fixed this on my own servers by updating the apache config in /etc/apache2/conf-available/munin.conf from 2.2 style to 2.4
Example:
<Directory /var/cache/munin/www>
Order allow,deny
Allow from localhost 127.0.0.0/8 ::1
....
</Directory>
needs to be changed to
<Directory /var/cache/munin/www>
# Order allow,deny
# Allow from localhost 127.0.0.0/8 ::1
Require all granted
....
</Directory>
or you could do
Require host localhost
or
Require ip 127.0.0.0/8 ::8
see apache documentation about the changes here. By the time I realized this, I had already gone through and installed FastCGI and the perl module listed in this thread. This change would need to be done to all the location/directory areas you see in munin.conf.
I had the same problem on Debian 8. I've edited the file /etc/munin/apache24.conf like that:
Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
Require all granted
Options FollowSymLinks SymLinksIfOwnerMatch
</Directory>
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
Require all granted
Options FollowSymLinks SymLinksIfOwnerMatch
<IfModule mod_fcgid.c>
SetHandler fcgid-script
</IfModule>
<IfModule !mod_fcgid.c>
SetHandler cgi-script
</IfModule>
</Location>
Then I installed the libapache2-mod-fcgid as mentioned earlier.
After a munin-node restart, it's working correctly.
You should change the configuration part about the munin-cgi-graph, setting the same permissions as the main section. Here's your configuration:
# Enables fastcgi for munin-cgi-graph if present
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
Order allow,deny
Allow from localhost 127.0.0.0/8 ::1
# AuthUserFile /etc/munin/munin-htpasswd
# AuthName "Munin"
# AuthType Basic
# require valid-user
<IfModule mod_fcgid.c>
SetHandler fcgid-script
</IfModule>
<IfModule !mod_fcgid.c>
SetHandler cgi-script
</IfModule>
</Location>
change it to this:
# Enables fastcgi for munin-cgi-graph if present
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
Order allow,deny
# Allow from localhost 127.0.0.0/8 ::1
Allow from all
AuthUserFile /etc/munin/munin-htpasswd
AuthName "Munin"
AuthType Basic
require valid-user
<IfModule mod_fcgid.c>
SetHandler fcgid-script
</IfModule>
<IfModule !mod_fcgid.c>
SetHandler cgi-script
</IfModule>
</Location>
Additionally I had to install the libcgi-fast-perl package, doing this:
sudo apt-get install libcgi-fast-perl
Checking /var/log/apache2/error.log helped me a lot.
I had experienced the same behavior in Ubuntu 14.04 LTS. The reason was the image URL in the dynazoom page was incorrectly using /cgi-bin/munin-cgi-graph/ instead of /munin-cgi/munin-cgi/graph/ so instead of hunting down in the code to fix this bug I worked around it with a quick rewrite rule:
RewriteRule ^/cgi-bin/munin-cgi-graph/(.*) /$1
Hope this helps
In my case following https://bugs.launchpad.net/ubuntu/+source/munin/+bug/1258026 and http://munin-monitoring.org/wiki/MuninConfigurationMasterCGI worked.
The only problematic part was where to put Apache virtual host configuration, it turned out that placing it at /etc/apache2/sites-enabled/001-munin.conf worked.
I have cluster setup of Apache server . Behind this I have 2 Jboss instances which is load balanced by apache.
The configuration look somewhat like the below
<VirtualHost *:1111>
ServerAdmin admin#example.com
ServerName www.example.com
DocumentRoot "/apps"
ErrorLog "logs/https.www.example.com.-error_log"
TransferLog "logs/https.www.example.com-access_log"
LogLevel warn
<Directory "/apps">
Options -Indexes +FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
SSLProxyEngine On
SSLProxyVerify On
SSLProxyMachineCertificateFile "/apps/apache/conf/ssl/int/proxy.pem"
SSLProxyCACertificateFile "/apps/apache/conf/ssl/int/cert.pem"
RewriteEngine On
Header set Cache-Control "max-age=60, public"
<Proxy balancer://2node-aa>
BalancerMember https://app01:8089 route=node1
BalancerMember https://app02:8089 route=node2
ProxyPreserveHost On
ProxyPass /aa balancer://2node/aa stickysession=JSESSIONID|jsessionid
ProxyPass /static balancer://2node/static stickysession=JSESSIONID|jsessionid
ProxyPassReverse /aa balancer://2node/aa
ProxyPassReverse /static balancer://2node/static
ProxyPass /1/aa https://app01:8089/aa
ProxyPass /2/aa https://app02:8089/aa
ProxyPassReverse /1/aa https://app01:8089/aa
ProxyPassReverse /2/aa https://app02:8089/aa
ProxyPass /bb balancer://2node/rest stickysession=JSESSIONID|jsessionid
ProxyPassReverse /bb balancer://2node/bb
</VirtualHost>
In the url access certain part of the url i want it to be routed from second node i.e node2 of jboss.
e.g. if i am accessing http://www.example.com/aa/login/login.jsp i need this request to be process by node2 app02 only.
Rest of the request should load balance as normal access.
How do i set the apache to do it ?
I have tried lot of rewrite,<Location> and ProxyPassMatch none has worked so far.
Please Help. Thanks in advance.
I used the below statement in the configuration file which resolved the issue.
<Proxy balancer://2node-aa>
BalancerMember https://app02:8080 route=node2
</Proxy>
RewriteRule ^/aa/login/(.*)$ balancer://2node-aa%{REQUEST_URI} [P,QSA,L]
This link help me.
apache httpd mod_proxy load balancing with multiple virtual hosts url redirection
-Thanks
I need to put Trac on a URL path other than /. If I take the configuration from http://trac.edgewall.org/wiki/TracOnUbuntu and modify the Location blocks, I get the error message "No handler matched request to /trac". How can I avoid this?
<VirtualHost *:80>
ServerName trac.local
<Location /trac> # instead of Location /
SetHandler mod_python
PythonInterpreter main_interpreter
PythonHandler trac.web.modpython_frontend
PythonOption TracEnv /var/local/trac
PythonOption TracEnvParentDir /var/local/trac
PythonOption TracUriRoot /
PythonOption TracEnv /var/local/trac
# PythonOption TracEnvIndexTemplate /var/local/trac/templates/index-template.html
PythonOption TracLocale en_US.UTF8
PythonOption PYTHON_EGG_CACHE /tmp
Order allow,deny
Allow from all
</Location>
<Location /trac/login> # instead of /login
AuthType Basic
AuthName "myproject"
AuthUserFile /var/local/trac/.htpasswd
Require valid-user
</Location>
</VirtualHost>
How about adjusting 'PythonOption TracUriRoot /' too?
Furthermore please acknowledge, that mod_python is depreciated (end-of-life), and you should rather choose WSGI for new installations instead.