Convenient way found for letsencrypt with reverse proxy (apache, mod_alias, mod_proxy) #2164

Closed
dionysius opened this issue Jan 13, 2016 · 5 comments

@dionysius
commented Jan 13, 2016

I don't know what the latest standpoint is regarding ports for standalone, because there are so many googleable issues regarding reverse proxies, I have absolutely no overview.

The idea was using Apache's Alias directive for a standardized challenge process for all variants of virtualhost configurations. With small tweaks it's also working with proxies.

```
root@server2:~# cat /etc/apache2/conf-enabled/letsencrypt.conf
<IfModule mod_proxy.c>
        ProxyPass /.well-known/acme-challenge !
</IfModule>
Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge

<Directory "/var/www/html/.well-known/acme-challenge">
    Options None
    AllowOverride None
    Require all granted
    AddDefaultCharset off
</Directory>
```

- `Alias` allows us to use this path globally over all virtualhosts.
- `ProxyPass /.well-known/acme-challenge !` will negate any proxy handling on this path
- `Directory` directive is required with minimal permissions to access this location

```
root@server2:~# cat /etc/apache2/sites-enabled/gitlab.denis.mylastname.me.conf
<VirtualHost *:80>
        ServerName gitlab.denis.mylastname.me
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        AllowEncodedSlashes NoDecode
        #RequestHeader set X-Forwarded-Proto "https"
        #RequestHeader set X-Forwarded-Ssl "on"
        ProxyPreserveHost On

        ProxyPass / http://localhost:8079/
        ProxyPassReverse / http://localhost:8079/
</VirtualHost>
```

As you can see, you can also choose another folder instead of `/var/www/html` - just use one you don't use anywhere else and adapt accordingly.

```
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --webroot --renew-by-default --email info@mylastname.me --agree-tos --domains=gitlab.denis.mylastname.me -w /var/www/html --text

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/gitlab.denis.mylastname.me/fullchain.pem. Your
   cert will expire on 2016-04-12. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
[...]
```
@dionysius dionysius changed the title Convenient way found for letsencrypt with reverse proxy (apache, alias, mod_proxy) Convenient way found for letsencrypt with reverse proxy (apache, mod_alias, mod_proxy) Jan 14, 2016
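
An added example, not part of the original issue or of the Let's Encrypt client: a Python check that each virtual host answers the challenge path from the shared webroot instead of handing it to the proxied backend, run before requesting a certificate. The function name `probe_challenge_path` and the default `server` address (Apache listening on port 80 of the local machine) are assumptions.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as errors: a redirect means the request left the Alias path."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_challenge_path(webroot, hostnames, server="http://127.0.0.1", timeout=5):
    """Check that each vhost serves the challenge path from `webroot`.

    Writes a random probe file under <webroot>/.well-known/acme-challenge/,
    requests it once per hostname (sent as the Host header to `server`),
    and returns {hostname: (ok, detail)}. The probe file is always removed.
    """
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    name = "probe-" + secrets.token_hex(8)
    expected = secrets.token_hex(16)
    probe_file = os.path.join(challenge_dir, name)
    with open(probe_file, "w") as fh:
        fh.write(expected)

    # Ignore proxy environment variables and never follow redirects.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}), NoRedirect)
    results = {}
    try:
        for host in hostnames:
            req = urllib.request.Request(f"{server}{CHALLENGE_PATH}/{name}",
                                         headers={"Host": host})
            try:
                with opener.open(req, timeout=timeout) as resp:
                    body = resp.read().decode("utf-8", "replace")
                if body == expected:
                    results[host] = (True, "served from webroot")
                else:
                    results[host] = (False, "unexpected body, path is probably proxied")
            except urllib.error.HTTPError as exc:
                results[host] = (False, f"HTTP {exc.code}")
            except OSError as exc:  # URLError, timeouts, refused connections
                results[host] = (False, f"request failed: {exc}")
    finally:
        os.remove(probe_file)
    return results
```

A host that reports anything other than `(True, "served from webroot")` is one where the request reached the backend or was redirected, so the webroot challenge would fail for it.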
@patcon

commented Jan 19, 2016

@coderanger

commented Jan 19, 2016

@patcon This has the same problem as any other proxy, an app unaware that it is being proxied and using REMOTE_ADDR or similar will get localhost.

@patcon

commented Jan 19, 2016

👍 gotcha. sorry for the noise, noah

@dionysius for context: https://coderanger.net/better-lets-encrypt/

@dionysius

Author

commented Jan 19, 2016

Hmm... understand.

But in general another point: Feel free to close this issue if it's time for it

@SwartzCr

Contributor

commented Mar 17, 2017

Okay as you recommend I'm gonna close it. Feel free to open another if you think there are things we still need to do

@SwartzCr SwartzCr closed this Mar 17, 2017