docker-taiga/taiga

Apache configuration

ctreton opened this issue · 6 comments

Hi,
First of all, I'm not used to Nginx. I have a Debian server with an apache2 server that reverse proxies to the Taiga Docker container with Nginx.
SSL is enabled.
It works for the front, but the webservice and the back don't.
I have a 406 code for the websocket and a 502 for the back.
Here is the console error report:

Error

GET https://taiga.mydomain.com/api/v1/stats/discover 502 (Bad Gateway)
GET https://taiga.mydomain.com/api/v1/projects?discover_mode=true&order_by=-total_fans_last_week 502 (Bad Gateway)
GET https://taiga.mydomain.com/api/v1/projects?discover_mode=true&order_by=-total_activity_last_week 502 (Bad Gateway)
GET https://taiga.mydomain.com/api/v1/projects?discover_mode=true&is_featured=true 502 (Bad Gateway)
WebSocket connection to 'wss://taiga.mydomain.com/events/' failed: Error during WebSocket handshake: Unexpected response code: 426

Here is my Apache configuration:

mydomain.conf

<VirtualHost *:80>
    ServerName taiga.mydomain.com
    ServerAdmin dev@mydomain.com

    Redirect / https://taiga.mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName taiga.mydomain.com
    ServerAdmin dev@mydomain.com

    Header Set X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"

    SetOutputFilter SUBSTITUTE,DEFLATE

    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass         / https://localhost:3002/
    ProxyPassReverse  / https://localhost:3002/

    AddOutputFilterByType SUBSTITUTE text/html
    Substitute "s|https://localhost:3002/|https://taiga.mydomain.com/|i"

    ErrorLog ${APACHE_LOG_DIR}/taiga_error.log
    CustomLog ${APACHE_LOG_DIR}/taiga_access.log combined

    SSLCertificateFile /etc/letsencrypt/live/taiga.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/taiga.mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    <Proxy *>
        Order deny,allow
        Allow from all
        Allow from localhost
    </Proxy>
</VirtualHost>

Here is my Nginx configuration:

nginx.conf

server {
	server_name taiga.mydomain.com;
	listen 80;
	location / {
		return 302 https://$server_name$request_uri;
	}
}

server {
	server_name taiga.mydomain.com;
	listen 443 ssl;
	ssl_certificate /taiga-cert/fullchain.pem;
	ssl_certificate_key /taiga-cert/privkey.pem;

	location ^~ /events {
		proxy_pass http://events:8888/;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_connect_timeout 7d;
		proxy_send_timeout 7d;
		proxy_read_timeout 7d;
	}

	location ^~ /api {
		include proxy_params;
		proxy_pass http://back;
	}

	location ^~ /admin {
		include proxy_params;
		proxy_pass http://back;
	}

	location ^~ /static {
		include proxy_params;
		proxy_pass http://back;
	}

	location ^~ /media {
		include proxy_params;
		proxy_pass http://back;
	}

	location / {
		include proxy_params;
		proxy_pass http://front;
	}
}

And here is the docker compose configuration:

docker-compose.yml

version: '3'

services:
  back:
    image: dockertaiga/back
    container_name: taiga-back
    restart: unless-stopped
    depends_on:
      - db
      - events
    networks:
      - default
    volumes:
      - ./data/media:/taiga-media
      - ./conf/back:/taiga-conf
    env_file:
      - variables.env

  front:
    image: dockertaiga/front
    container_name: taiga-front
    restart: unless-stopped
    networks:
      - default
    volumes:
      - ./conf/front:/taiga-conf
    env_file:
      - variables.env

  db:
    image: postgres:11-alpine
    container_name: taiga-db
    restart: unless-stopped
    networks:
      - default
    env_file:
      - variables.env
    volumes:
      - ./data/db:/var/lib/postgresql/data

  rabbit:
    image: dockertaiga/rabbit
    container_name: taiga-rabbit
    restart: unless-stopped
    networks:
      - default
    env_file:
      - variables.env

  events:
    image: dockertaiga/events
    container_name: taiga-events
    restart: unless-stopped
    depends_on:
      - rabbit
    networks:
      - default
    env_file:
      - variables.env

  proxy:
    image: dockertaiga/proxy
    container_name: taiga-proxy
    restart: unless-stopped
    depends_on:
      - back
      - front
      - events
    networks:
      - default
    ports:
      - 3002:443
      - 3003:80
    volumes:
      - /etc/letsencrypt/live/taiga.mydomain.com/:/taiga-cert
      - /etc/letsencrypt/archive/:/archive
      - ./conf/proxy:/taiga-conf
    env_file:
      - variables.env

networks:
  default:

Any ideas?

OK, I just found it for the websocket.
There were some missing lines in the Apache configuration.

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/events/(.*)    wss://localhost:3002/events/$1 [P,L]

Thanks to https://stackoverflow.com/a/43592531

I'm still having trouble with the 502 on back calls, sadly with no logs...
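
Why the rewrite rule above clears the 426, as an added Python model that is not part of the original thread: an ordinary HTTP proxy hop removes the hop-by-hop `Upgrade` and `Connection` headers (RFC 7230), so the events service never sees a WebSocket handshake. The function names and the backend's 426 behaviour are assumptions made for illustration, not Apache or Taiga code.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

# Constructed browser handshake; the key is the sample nonce from RFC 6455.
HANDSHAKE = {
    "Host": "taiga.mydomain.com",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
    "Sec-WebSocket-Version": "13",
}


def http_proxy_hop(headers):
    """Ordinary HTTP proxy hop: drop hop-by-hop headers and any named in Connection."""
    named = {t.strip().lower() for t in headers.get("Connection", "").split(",") if t.strip()}
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP | named}


def events_backend(headers):
    """Hypothetical WebSocket-only endpoint: 101 on a valid handshake, else 426."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 426, {"Upgrade": "websocket"}
    digest = hashlib.sha1((h["sec-websocket-key"] + WS_GUID).encode()).digest()
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": base64.b64encode(digest).decode()}


def through_apache(path, headers, websocket_rule):
    """Model the vhost: with the rule, upgrade requests under /events/ are tunnelled intact."""
    wants_ws = headers.get("Upgrade", "").lower() == "websocket"
    if websocket_rule and wants_ws and path.startswith("/events/"):
        forwarded = dict(headers)             # tunnelled hop keeps Upgrade/Connection
    else:
        forwarded = http_proxy_hop(headers)   # plain ProxyPass hop strips them
    return events_backend(forwarded)


if __name__ == "__main__":
    print(through_apache("/events/", HANDSHAKE, websocket_rule=False)[0])  # 426
    print(through_apache("/events/", HANDSHAKE, websocket_rule=True)[0])   # 101
```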

@michaelr-iq you seem to have gotten past this but I don't understand how :)
Could you please help me ?

@ctreton
Hi! Sorry, I haven't used Apache in ages, but it seems you are terminating SSL on Apache's side and then also proxying to taiga-proxy's https port, could that be the cause?
Also, if you'd like to use Apache, you can ditch the nginx proxy container altogether, there's not much sense in double reverse proxying, I suppose.

@ctreton sorry for the very late reply!

Here's my conf.d file for the apache routing:

# LoadModule is only valid in the server config context, so it goes outside the VirtualHost
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost *:80>

ServerName project.YOURDOMAIN.com
ServerAlias www.project.YOURDOMAIN.com

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

</VirtualHost>


<VirtualHost *:443>

ServerName project.YOURDOMAIN.com
ServerAlias www.project.YOURDOMAIN.com

Header add X-Forwarded-Proto "https"
RequestHeader add X-Forwarded-Proto "https"

# Logging
LogLevel warn
ErrorLog project.YOURDOMAIN.com-error_log
CustomLog project.YOURDOMAIN.com-access_log combined

# Reverse proxy configuration
<Location />
ProxyPass http://localhost:10380/
ProxyPassReverse http://localhost:10380/
</Location>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/YOURDOMAIN.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOURDOMAIN.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOURDOMAIN.com/chain.pem

</VirtualHost>

Make sure that your SELinux is disabled just in case.
With that in mind, I'd recommend you look into Apache alternatives such as Traefik.

My co-worker and I have made a Docker-based startup environment for projects.
It includes a project management tool, docker repo, nuget/npm package repo, ci/cd, and a git repo.
The taiga docker compose uses Traefik labels for exposing it externally, so you can look into that for inspiration.
Here's the link for it:
https://github.com/shrideio/shoebox

Also, @w1ck3dg0ph3r, good job on this. I'm sure it's helpful for many people that can't afford to pay for project management tools!

I need to use this conf but I want to make sure that I can proxy Taiga under a subpath. Is it possible to proxy it to something like https://MYDOMAIN/taiga?

Sorry for the delay too, but we chose another tool to manage our projects since I didn't succeed in making it work.