How to proxy Cozy V3 with Apache (+ dead link in README.md)
Closed this issue · 6 comments
Hi @clochix
I know the doc is in its "early stage" but I think that explaining how to use Apache for reverse proxying cozy v3 is a must (nginx is good but a lot of people still use Apache :))
I tried a lot of things based on the nginx description but now, I'm stuck on a message coming from cozy and saying "Domain name contains illegal characters"
(my domain name is https://cozy.levillain.fr.nf)
Here's my virtualhost config:
<VirtualHost *:443>
    ServerName cozy.levillain.fr.nf
    ServerAlias *.cozy.levillain.fr.nf
    ErrorLog ${APACHE_LOG_DIR}/cozy_ssl_error.log
    TransferLog ${APACHE_LOG_DIR}/cozy_ssl_access.log
    CustomLog ${APACHE_LOG_DIR}/cozy_ssl_combined.log combined
    LogLevel warn
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/levillain.fr.nf/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/levillain.fr.nf/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
    # proxy pass for cozy
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost Off
    #ProxyPass / http://localhost:8080/
    ProxyPass / http://127.0.0.1:8080/
    #ProxyPassReverse / http://localhost:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    #ProxyPass "^https://(.*)cozy\.levillain\.fr\.nf/(.*)$" "http://$1localhost:8080/$2"
    #ProxyPassReverse "^https://(.*)cozy\.levillain\.fr\.nf/(.*)$" "http://$1localhost:8080/$2"
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
BTW, the link on the first sentence of the README.md file is dead:
"Learn how to use Cozy, host your own server and develop applications."
Should probably be https://cozy.github.io/cozy-docs-v3/en/install
Hello @leolivier,
I would like to keep the installation instructions as simple as possible, so I'm not a big fan of adding a lot of alternatives into the main doc. Maybe linking to a sample Apache configuration file will do the job.
Regarding the "Domain name contains illegal characters" error message, I guess this is an issue in your URL rewriting rules. Could you turn on some debugging on the Apache side to see how URLs are rewritten?
Thanks, I just fixed the links in the README file.
Hi @leolivier,
Actually, even when you fix your illegal characters issue, you'll face a major problem related to your Let's Encrypt certificate: it's not a wildcard, unlike your virtual host.
I'm preparing a PR for these docs in order to tackle this issue.
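The certificate/virtual-host mismatch raised in the comment above, as an added example that is not part of the original thread: it checks which names behind `ServerName` and `ServerAlias *.cozy.levillain.fr.nf` a given set of certificate SAN entries really covers, using the one-label wildcard rule of RFC 6125. The app labels `drive` and `settings` and all SAN lists are constructed assumptions.

```python
"""Which vhost names does a certificate's SAN list actually cover?"""

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label (never for 'a.b')."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans several labels
    if p[0] == "*":
        # conservative choice: ignore wildcards directly under a TLD ("*.nf")
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h             # partial wildcards ("f*.x") are treated as literals

def uncovered(sans, hosts):
    """Hosts for which a TLS client would reject the certificate."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

# ServerName plus two sample expansions of ServerAlias *.cozy.levillain.fr.nf.
# "drive" and "settings" are assumed app labels, used for illustration only.
HOSTS = [
    "cozy.levillain.fr.nf",
    "drive.cozy.levillain.fr.nf",
    "settings.cozy.levillain.fr.nf",
]

# Constructed SAN lists (not read from any real certificate).
CERTS = {
    "single name":       ["cozy.levillain.fr.nf"],
    "parent wildcard":   ["levillain.fr.nf", "*.levillain.fr.nf"],
    "instance wildcard": ["cozy.levillain.fr.nf", "*.cozy.levillain.fr.nf"],
    "enumerated names":  list(HOSTS),
}

def report():
    """Map each certificate variant to the vhost names it leaves uncovered."""
    return {name: uncovered(sans, HOSTS) for name, sans in CERTS.items()}

if __name__ == "__main__":
    for name, missing in report().items():
        print(f"{name:18} uncovered: {missing or 'none'}")
```

A wildcard on the parent domain (`*.levillain.fr.nf`) still leaves the app subdomains uncovered, because they sit one label deeper than the wildcard reaches.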
Thanks @clochix for your reply. A sample Apache configuration would just be fine and probably enough to solve most issues?
For LetsEncrypt, you're right @David-Guillot but they promised to get wildcard certificates in September or October, so not too long to wait now...
Regarding the rewriting rules, I have several rules in the file and I got one of them working once, I was able to log in but then it failed to redirect to the next page.
I tried other rules which triggered the "illegal character" issue, and now, even the initial rule triggers the message...
In debug mode with Apache, using the following conf:
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost Off
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
I get the following traces which seem OK:
[Fri Aug 18 09:25:02.241100 2017] [proxy:debug] [pid 32011] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:02.241392 2017] [proxy:debug] [pid 32011] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:02.241556 2017] [proxy:debug] [pid 32011] proxy_util.c(1864): AH00931: initialized single connection worker in child 32011 for (127.0.0.1)
[Fri Aug 18 09:25:02.246796 2017] [proxy:debug] [pid 32012] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:02.247103 2017] [proxy:debug] [pid 32012] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:02.247271 2017] [proxy:debug] [pid 32012] proxy_util.c(1864): AH00931: initialized single connection worker in child 32012 for (127.0.0.1)
[Fri Aug 18 09:25:02.257923 2017] [proxy:debug] [pid 32014] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:02.258296 2017] [proxy:debug] [pid 32014] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:02.258536 2017] [proxy:debug] [pid 32014] proxy_util.c(1864): AH00931: initialized single connection worker in child 32014 for (127.0.0.1)
[Fri Aug 18 09:25:02.265173 2017] [proxy:debug] [pid 32013] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:02.265508 2017] [proxy:debug] [pid 32013] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:02.265720 2017] [proxy:debug] [pid 32013] proxy_util.c(1864): AH00931: initialized single connection worker in child 32013 for (127.0.0.1)
[Fri Aug 18 09:25:02.292828 2017] [proxy:debug] [pid 32015] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:02.293135 2017] [proxy:debug] [pid 32015] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:02.293394 2017] [proxy:debug] [pid 32015] proxy_util.c(1864): AH00931: initialized single connection worker in child 32015 for (127.0.0.1)
[Fri Aug 18 09:25:07.055425 2017] [ssl:debug] [pid 32011] ssl_engine_kernel.c(243): [client 192.168.0.254:40532] AH02034: Initial (No.1) HTTPS request received for child 0 (server cozy.levillain.fr.nf:443)
[Fri Aug 18 09:25:07.055822 2017] [authz_core:debug] [pid 32011] mod_authz_core.c(835): [client 192.168.0.254:40532] AH01628: authorization result: granted (no directives)
[Fri Aug 18 09:25:07.056165 2017] [proxy:debug] [pid 32011] mod_proxy.c(1155): [client 192.168.0.254:40532] AH01143: Running scheme http handler (attempt 0)
[Fri Aug 18 09:25:07.056289 2017] [proxy:debug] [pid 32011] proxy_util.c(2131): AH00942: HTTP: has acquired connection for (127.0.0.1)
[Fri Aug 18 09:25:07.056336 2017] [proxy:debug] [pid 32011] proxy_util.c(2184): [client 192.168.0.254:40532] AH00944: connecting http://127.0.0.1:8080/ to 127.0.0.1:8080
[Fri Aug 18 09:25:07.056633 2017] [proxy:debug] [pid 32011] proxy_util.c(2385): [client 192.168.0.254:40532] AH00947: connected / to 127.0.0.1:8080
[Fri Aug 18 09:25:07.057300 2017] [proxy:debug] [pid 32011] proxy_util.c(2873): AH00962: HTTP: connection complete to 127.0.0.1:8080 (127.0.0.1)
[Fri Aug 18 09:25:07.067293 2017] [proxy:debug] [pid 32011] proxy_util.c(2146): AH00943: http: has released connection for (127.0.0.1)
[Fri Aug 18 09:25:07.068354 2017] [ssl:debug] [pid 32011] ssl_engine_io.c(1004): [client 192.168.0.254:40532] AH02001: Connection closed to child 0 with standard shutdown (server cozy.levillain.fr.nf:443)
[Fri Aug 18 09:25:12.279533 2017] [proxy:debug] [pid 32025] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:12.279836 2017] [proxy:debug] [pid 32025] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:12.279969 2017] [proxy:debug] [pid 32025] proxy_util.c(1864): AH00931: initialized single connection worker in child 32025 for (127.0.0.1)
[Fri Aug 18 09:25:14.287366 2017] [proxy:debug] [pid 32027] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:14.287853 2017] [proxy:debug] [pid 32027] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:14.288020 2017] [proxy:debug] [pid 32027] proxy_util.c(1864): AH00931: initialized single connection worker in child 32027 for (127.0.0.1)
[Fri Aug 18 09:25:15.295881 2017] [proxy:debug] [pid 32028] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:15.296272 2017] [proxy:debug] [pid 32028] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:15.296496 2017] [proxy:debug] [pid 32028] proxy_util.c(1864): AH00931: initialized single connection worker in child 32028 for (127.0.0.1)
[Fri Aug 18 09:25:15.304384 2017] [proxy:debug] [pid 32029] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:25:15.304753 2017] [proxy:debug] [pid 32029] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:25:15.304949 2017] [proxy:debug] [pid 32029] proxy_util.c(1864): AH00931: initialized single connection worker in child 32029 for (127.0.0.1)
[Fri Aug 18 09:26:22.380299 2017] [proxy:debug] [pid 32114] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:26:22.380611 2017] [proxy:debug] [pid 32114] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:26:22.380756 2017] [proxy:debug] [pid 32114] proxy_util.c(1864): AH00931: initialized single connection worker in child 32114 for (127.0.0.1)
[Fri Aug 18 09:26:46.414205 2017] [proxy:debug] [pid 32127] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:26:46.414598 2017] [proxy:debug] [pid 32127] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:26:46.414782 2017] [proxy:debug] [pid 32127] proxy_util.c(1864): AH00931: initialized single connection worker in child 32127 for (127.0.0.1)
[Fri Aug 18 09:29:22.580859 2017] [proxy:debug] [pid 32183] proxy_util.c(1771): AH00925: initializing worker http://127.0.0.1:8080/ shared
[Fri Aug 18 09:29:22.581185 2017] [proxy:debug] [pid 32183] proxy_util.c(1813): AH00927: initializing worker http://127.0.0.1:8080/ local
[Fri Aug 18 09:29:22.581349 2017] [proxy:debug] [pid 32183] proxy_util.c(1864): AH00931: initialized single connection worker in child 32183 for (127.0.0.1)
Actually, LetsEncrypt promised wildcard certificates for January 2018 so still 6 months to wait :/
Yes @leolivier, this is why I worked on #10 😉
Great, @David-Guillot!
I followed the manual and it works like a charm (I had to totally remove my old config file, which probably contained a bug somewhere, and re-create it from scratch following your advice)
I just changed the way I created the certificates on LetsEncrypt to add them to my already existing one...