[Help Wanted] Document Apache Proxy #1114

Closed
jasonblais opened this Issue Apr 22, 2017 · 21 comments

@jasonblais
Member

commented Apr 22, 2017

Would highly appreciate community's help testing and documenting Apache setup with Mattermost in https://github.com/mattermost/docs/tree/master/source/install

Requested many times:
https://gitlab.com/gitlab-org/gitlab-mattermost/issues/42
https://gitlab.com/gitlab-org/omnibus-gitlab/issues/746

Below is a start:


This assumes static resources are served directly from Apache. There is also a bit that catches HTTP and redirects to HTTPS, but this does all the heavy lifting.

<VirtualHost *:443>
    ServerName mattermost.alerque.com

    DocumentRoot /usr/share/webapps/mattermost/web

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl.crt/alerque.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/alerque.com.key

    ProxyPreserveHost On

    RewriteEngine On

    RewriteCond %{REQUEST_URI}  ^/api/v1/websocket    [NC,OR]
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$           [NC,OR]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$          [NC]
    RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI}  [P,QSA,L]

    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteRule .* http://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
    RequestHeader set X-Forwarded-Proto "https"

    <Location /api/v1/websocket>
        Require all granted
        ProxyPassReverse ws://127.0.0.1:8065/api/v1/websocket
        ProxyPassReverseCookieDomain 127.0.0.1 mattermost.alerque.com
    </Location>

    <Location />
        Require all granted
        ProxyPassReverse http://127.0.0.1:8065/
        ProxyPassReverseCookieDomain 127.0.0.1 mattermost.alerque.com
    </Location>

    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" common_forwarded
    ErrorLog  /var/log/httpd/mattermost.alerque.com_error.log
    CustomLog /var/log/httpd/mattermost.alerque.com_forwarded.log common_forwarded
    CustomLog /var/log/httpd/mattermost.alerque.com_access.log combined env=!dontlog
    CustomLog /var/log/httpd/mattermost.alerque.com.log combined
</VirtualHost>
@MikeDaniel18

commented Apr 29, 2017

Right, so I've been having a little play with this, and as of yet no luck. I based both virtual host files (*:80 and *:443) on this here and my version still fails to connect to the web socket host.

WebSocket connection to 'wss://chat.mysite.com/api/v3/users/websocket' failed: Error in connection establishment: net::ERR_NAME_NOT_RESOLVED

I'm investigating at the moment but will let you know if I find a solution.

@jasonblais

Member Author

commented Apr 29, 2017

Thanks @MikeDaniel18!! 👍

@jasonblais

Member Author

commented Apr 29, 2017

If you're interested, or have any technical questions, you're welcome to join our public Developers community channel. It's active by both community members and Mattermost core committers.

@MikeDaniel18

commented Apr 29, 2017

@jasonblais Okay, I managed to get this working. There were two things that I found. The first, is that unless you've set up load balancing you should remove RequestHeader set X-Forwarded-Proto "https" and the second is that obviously the site_url has to match the ServerName. Everything will work fine with the site_url set incorrectly except sockets. These two issues were pretty much caused by me being stupid, but at least I can help somewhat when I say that the virtual host configuration given, is pretty close to being perfect.

@jasonblais

Member Author

commented Apr 30, 2017

@MikeDaniel18 really appreciate your help looking into this! Can't thank you enough for your time and effort.

Would you be open to help contribute the documentation for it? If so, I'd be happy to connect you with our docs owner to point you where to help add it.

@MikeDaniel18

commented Apr 30, 2017

@jasonblais Yea of course, happy to write up anything that could be useful to others.

@jasonblais

Member Author

commented May 1, 2017

Fantastic! @JeffSchering would you be able to help point @MikeDaniel18 to the right places to update the documentation for Apache proxy?

@JeffSchering

Contributor

commented May 2, 2017

Hi @MikeDaniel18

Thanks for doing this! A config for Apache is a valuable addition to the install docs.

These are the two config files that we have for NGINX. You should create parallel files for Apache.

The filenames should be config-proxy-apache.rst and config-ssl-http2-apache.rst. Follow the same style and format as the nginx config docs. This is the style guide that we follow: https://docs.mattermost.com/process/documentation-guidelines.html

If you have any questions, join the documentation channel on the Mattermost community server: https://pre-release.mattermost.com/core/channels/documentation

@jasonblais

Member Author

commented May 19, 2017

Hey @MikeDaniel18, just circling back to see if you had any questions or if there's anything we can help with?

@MikeDaniel18

commented May 19, 2017

@jasonblais Apologies for not getting around to this, work has been chaotic and it escaped my mind. Will do this over the weekend!

@jasonblais

Member Author

commented May 19, 2017

That would be awesome! Really appreciate your help on this!

Please let us know if there's anything we can help in the meantime.

@MikeDaniel18

commented May 20, 2017

@jasonblais I've made two files for Apache2 installation. Have a look and if it's roughly what you wanted I'll submit a pull request. https://github.com/MikeDaniel18/docs
I wouldn't really consider myself qualified enough to be writing docs for Apache but if it allows others to build upon it then I suppose I've done my part!

@jasonblais

Member Author

commented May 20, 2017

@MikeDaniel18 this looks good, great work here.

You can submit a pull request for it and @JeffSchering will help with review next week: I think there might be a few formatting tweaks on our end, but he can provide feedback on it.

One change from my side would be to add an (Unofficial) in the section headings, similar to our Windows install guides: https://docs.mattermost.com/install/prod-windows-2012.html. Once it's used and tested by enough people, we can take the unofficial tag out.

Fantastic work, thanks for working on this!

@MikeDaniel18

commented May 20, 2017

@jasonblais Done and done :)

@xipmix

commented May 29, 2018

Just a comment, it is possible to configure with SSL terminated at the reverse proxy and connect via http/ws to a separate backend host running mattermost. The config modified from the original is

<IfModule mod_ssl.c>
<VirtualHost *:443>
  # If you're not using a subdomain you may need to set a ServerAlias to:
  # ServerAlias www.mydomain.com
  ServerName mysubdomain.mydomain.com
  ServerAdmin hostmaster@mydomain.com
  ProxyPreserveHost On

  # setup the proxy
  <Proxy *>
        Require all granted
  </Proxy>

  # Set web sockets
  RewriteEngine On

  RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
  RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
  RewriteRule .* ws://backend.mydomain.com:8065%{REQUEST_URI} [P,QSA,L]

  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
  RewriteRule (.*) http://backend.mydomain.com:8065%{REQUEST_URI} [END,QSA,R=permanent]

  <LocationMatch "^/api/v(?<apiversion>[0-9]+)/(?<apiusers>users/)?websocket">
        Require all granted
        ProxyPass                    ws://backend.mydomain.com:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
        ProxyPassReverse             ws://backend.mydomain.com:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
        ProxyPassReverseCookieDomain backend.mydomain.com mysubdomain.mydomain.com
  </LocationMatch>

  <Location />
        Require all granted
        ProxyPass                    http://backend.mydomain.com:8065/
        ProxyPassReverse             http://backend.mydomain.com:8065/
        ProxyPassReverseCookieDomain backend.mydomain.com mysubdomain.mydomain.com
  </Location>

  # Generated by Certbot
  SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Readers should be aware there are two very similar documentation pages about all this - read both in full to decide which matches your use case before proceeding. I didn't and lost hours ...

See also https://askubuntu.com/questions/691000/apache2-reverseproxy-for-mattermost

@Nitrosito

commented Sep 21, 2018

Hi
We Have:
Router -> GENERAL REVERSE PROXY -> MACHINE WITH DOCKER + MATTERMOST

and this is the config file for mattermost-ssl in the reverse proxy (APACHE)

<VirtualHost *:443>
        ServerName mattermost.DOMAIN.org
#        <Proxy *>
#                Order allow,deny
#                Allow from all
#        </Proxy>
   #     ProxyPass / https://mattermost.DOMAIN.org/
   #     ProxyPassReverse / https://mattermost.DOMAIN.org/
        
  # setup the proxy
 # <Proxy *>
 #       Require all granted
 # </Proxy>

  RequestHeader set X-Forwarded-Proto 'https'
  RequestHeader set X-Forwarded-Ssl 'on'

  ProxyPreserveHost On
  
  # Set web sockets
  RewriteEngine On
  RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
  RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
  RewriteRule .* wss://mattermost.DOMAIN.org:8065%{REQUEST_URI} [P,QSA,L]

  RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
#  RewriteRule (.*) http://192.168.3.190:8065%{REQUEST_URI} [QSA,R=permanent]

  <LocationMatch "^/api/v(?<apiversion>[0-9]+)/(?<apiusers>users/)?websocket">
#        Require all granted
        ProxyPass                    wss://mattermost.DOMAIN.org:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
        ProxyPassReverse             wss://mattermost.DOMAIN.org:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
        ProxyPassReverseCookieDomain mattermost.DOMAIN.org mattermost.DOMAIN.org
  </LocationMatch>


  <Location />
#        Require all granted
        ProxyPass                    http://mattermost.DOMAIN.org:8065/
        ProxyPassReverse             http://mattermost.DOMAIN.org:8065/
        ProxyPassReverseCookieDomain mattermost.DOMAIN.org mattermost.DOMAIN.org
  </Location>


        # Certificates
        SSLEngine on
        SSLProxyEngine on
        #SSLCertificateFile /etc/apache2/server.crt
        #SSLCertificateKeyFile /etc/apache2/server.key

        SSLCertificateFile      /etc/apache2/STAR_org-2018.crt
        SSLCertificateChainFile /etc/apache2/COMODORSADomainValidationSecureServerCA.crt
        SSLCertificateKeyFile   /etc/apache2/2018.key
	TransferLog /var/log/apache2/mattermost-ssl-transfer_log
        ErrorLog /var/log/apache2/mattermost-ssl--error_log
</VirtualHost>

If we connect to the Mattermost machine directly (without passing through the proxy), it works.
But if we access it through the proxy (from the Internet, or by setting the IP in the hosts file), push notifications don't work. I think it's a problem with the websocket, but I don't know what.

Any ideas? Does anyone have an Apache reverse proxy pointing to a GitLab+Mattermost machine?
Because the Mattermost machine has a proxy... port 443 calls 8065....
In the Apache proxy we suppressed port 443 and hit 8065...

But it doesn't work...
If the proxy points to 443 directly, it doesn't work...

@jasonblais

Member Author

commented Sep 21, 2018

Thank you @xipmix and @Nitrosito for the feedback!

@thawn, @MikeDaniel18 & @StingRayZA: You've previously helped with the Apache documentation, wondering if you have any ideas on the above posts?

@Nitrosito

commented Oct 2, 2018

I upgraded to Apache 2.4 and it works

@Nitrosito

commented Oct 2, 2018

My apache virtualhost config file:

<VirtualHost *:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
SSLCompression Off
SSLCertificateFile /etc/apache2/xxx.crt
SSLCertificateKeyFile /etc/apache2/xxx.key
SSLCertificateChainFile /etc/apache2/COMODORSADomainValidationSecureServerCA.crt

ServerName xxxxxx.com

ProxyPreserveHost On
ProxyRequests Off

RewriteEngine On
RewriteCond %{REQUEST_URI} ^/api/v3/users/websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://192.168.xxx.xxx:8065%{REQUEST_URI} [P,QSA,L]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://192.168.xxx.xxx:8065%{REQUEST_URI} [P,QSA,L]
RequestHeader set X-Forwarded-Proto "https"

<Location /api/v3/users/websocket>
Require all granted
ProxyPassReverse ws://192.168.xxx.xxx:8065/api/v3/users/websocket
ProxyPassReverseCookieDomain 192.168.xxx.xxx xxxxxxxx.com
</Location>

<Location />
Require all granted
ProxyPassReverse https://192.168.xxxxxx:8065/
ProxyPassReverseCookieDomain 192.168.xxx.xxx xxxxxx.com
</Location>
</VirtualHost>

@StingRayZA

Contributor

commented Oct 4, 2018

@Nitrosito great to hear you got up and running. I encourage you to check your api versions - the latest versions of mattermost use api v4 - I'm not sure which version of MM you're using, but v3 won't work with the latest versions.
So - just a heads up in case you upgrade MM down the line and you run into issues...
the path regex here works for me:
https://docs.mattermost.com/install/config-proxy-apache2.html
😁
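
The points raised across this thread (the listener port of a TLS vhost, a site URL that must match `ServerName`, websocket rules tied to one API version, `ProxyPassReverse` paths, and the `SSLProtocol` line) can be checked mechanically before reloading Apache. The following is an added example, not code from this thread or from the Mattermost docs; `lint_vhost`, its finding codes and the sample vhost are constructed for illustration, and the checks are heuristics over one vhost's text.

```python
import re
from urllib.parse import urlsplit

# Constructed sample vhost (not from the thread) with typical slips.
SAMPLE = """\
<VirtualHost *:433>
  ServerName chat.example.com
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  RewriteCond %{REQUEST_URI} ^/api/v3/users/websocket [NC,OR]
  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
  RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
  <Location /api/v4/websocket>
    ProxyPassReverse ws://127.0.0.1:8065/api/vi/websocket
  </Location>
</VirtualHost>
"""

def lint_vhost(text, site_url=None):
    """Return sorted finding codes for one Apache vhost (hypothetical checker)."""
    rows = [s.strip() for s in text.splitlines()]
    rows = [s for s in rows if s and not s.startswith("#")]  # skip comments
    tls = any(re.match(r"SSLEngine\s+on\b", s, re.I) for s in rows)
    found, location = set(), None
    for s in rows:
        if m := re.match(r"<VirtualHost\s+\S*:(\d+)>", s, re.I):
            if tls and m.group(1) != "443":  # legal, but usually a typo
                found.add("tls-vhost-not-on-443")
        elif m := re.match(r"ServerName\s+(\S+)", s, re.I):
            host = urlsplit(site_url).hostname if site_url else None
            if host and host.lower() != m.group(1).lower():
                found.add("siteurl-host-mismatch")
        elif m := re.match(r"SSLProtocol\s+(.*)", s, re.I):
            opts = m.group(1).lower().split()
            if "all" in opts and not {"-tlsv1", "-tlsv1.1"} <= set(opts):
                found.add("legacy-tls-enabled")  # TLS 1.0/1.1 still on
        elif m := re.match(r"RewriteCond\s+%\{REQUEST_URI\}\s+(\S+)", s, re.I):
            if re.search(r"/api/v\d+/", m.group(1)):  # literal version number
                found.add("api-version-pinned")
        elif m := re.match(r"<Location\s+(\S+)>", s, re.I):
            location = m.group(1)
        elif s.lower().startswith("</location"):
            location = None
        elif m := re.match(r"ProxyPassReverse\s+\w+://[^/\s]+(/\S*)?$", s, re.I):
            if location and (m.group(1) or "/") != location:
                found.add("proxypassreverse-path-mismatch")
    return sorted(found)
```

Pass the vhost file's text and, optionally, the site URL configured in Mattermost; an empty list means none of these five checks fired.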
