apache2 localhost proxy to https domain

Hey guys,

I'm trying to set up a secure website via apache2 (first time using it) to my repetier server, but with no luck.

This is the config file I use to connect to my repetier server:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@mydomain.com
ServerName mydomain.com   
DocumentRoot /usr/local/Repetier-Server/modules/front/www
                
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   A self-signed (snakeoil) certificate can be created by installing
#   the ssl-cert package. See
#   /usr/share/doc/apache2/README.Debian.gz for more info.
#   If both key and certificate are stored in the same file, only the
#   SSLCertificateFile directive is needed.
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation.  This means that
# the standard Auth/DBMAuth methods can be used for access control.  The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
#   o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
#   o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received.  This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.

<Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyRequests Off
    ProxyPreserveHost On

ProxyPassReverse / http://localhost:3344/

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Now I can connect to the repetier server, but some modules cannot be loaded and give a mixed content warning. I tried to use mod wstunnel for apache2 but I get the same kind of errors.

Any ideas and suggestions are welcome.


Mixed Content: The page at 'https://mydomain.com/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://mydomain.com/socket/?lang=en'. This request has been blocked; this endpoint must be available over WSS.C @ app-min.js?lang=en:2
angular-min.js:2Error: Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.
    at Error (native)
    at Object.i [as invoke] (https://mydomain.com/js/angular-min.js:1:17283)
    at Object.i [as invoke] (https://mydomain.com/js/angular-min.js:1:17283)
    at Object.i [as invoke] (https://mydomain.com/js/angular-min.js:1:17250)
    at c.instance (https://mydomain.com/js/angular-min.js:2:5187)(anonymous function) @ angular-min.js:2
app-min.js?lang=en:2Mixed Content: The page at 'https://mydomain.com/#/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://mydomain.com/socket/?lang=en'. This request has been blocked; this endpoint must be available over WSS.

Comments

  • Seeing the error message there is nothing you can do at the moment. I will try to connect through ssl myself and see if I can make a switch for the protocol. Should then work with 0.75.
  • Thanks, will be waiting for the update then :D
  • One other question: can you change the QR http address? I found in the config files how it generates it, but on changing it nothing happened (after restarting the repetier server).


  • You mean making it also https then? Hope I remember:-)
  • yes, if that is possible 
  • There are 2 hardcoded websocket protocol identifiers with the rest of the url dynamic.

    They are in js/basics-min.js and js/app-min.js (1 each); search for ws:// and replace with wss://, or make it conditional if you still want to connect through http (in your local lan without the virtualhost, for example).

    I have the same setup running here.
  • thanks shall try it :D
  • Just looked over your apache config and you also need to reverseproxy the websocket:

    enable mod_proxy_wstunnel
    and add

    ProxyPass /socket/    ws://localhost:3344/socket/
    ProxyPassReverse /socket/    ws://localhost:3344/socket/

    before your existing proxy directives (at least I have read it has to be before, probably because the others are more generic)

    and the conditional JS looks like this here:

    h=new WebSocket((window.location.protocol == "https:" ? "wss:" : "ws:")+"//"+window.location.host    and so on

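The protocol-selection rule quoted in the comment above, written out as an added example (not code from the thread or from Repetier-Server) together with the mixed-content decision that produced the console errors in the question. `loc` is any object shaped like `window.location`; the two location objects below are constructed for the demo, and the `/socket/` path and `?lang=en` query come from the error messages in the question.

```javascript
// Added example, not from the forum thread or Repetier-Server.

function socketUrl(loc, path = '/socket/', query = '') {
  // Follow the page's own scheme: wss: when the page came through the HTTPS
  // proxy, ws: when it was opened directly over HTTP on the LAN.
  const scheme = loc.protocol === 'https:' ? 'wss:' : 'ws:';
  return scheme + '//' + loc.host + path + query;
}

function mixedContentVerdict(pageUrl, wsUrl) {
  // Browsers refuse an insecure (ws:) WebSocket opened from a page that was
  // loaded over HTTPS; that is the "Mixed Content" error in the question.
  const page = new URL(pageUrl);
  const ws = new URL(wsUrl);
  return page.protocol === 'https:' && ws.protocol === 'ws:' ? 'blocked' : 'allowed';
}

// Constructed stand-ins for window.location.
const HTTPS_LOCATION = { protocol: 'https:', host: 'mydomain.com' };
const LAN_LOCATION = { protocol: 'http:', host: '192.168.0.10:3344' };

// Hardcoded ws:// fails behind the HTTPS proxy; the conditional form works in both cases.
console.log(mixedContentVerdict('https://mydomain.com/', 'ws://mydomain.com/socket/?lang=en'));
console.log(mixedContentVerdict('https://mydomain.com/', socketUrl(HTTPS_LOCATION, '/socket/', '?lang=en')));
console.log(socketUrl(LAN_LOCATION));
```

Fixing the URL on the client only removes the browser-side block; the proxy still has to forward the Upgrade request to the backend, which is what the ProxyPass lines in the same comment are for.
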
  • thanks 
  • In theory I have changed it. Just found out that my MAMPS system uses apache 2.2 which has no mod_proxy_wstunnel, so I can not test it:-(

    Will set up jessie for pi and then check there if it works. Especially with letsencrypt.org giving free certificates this could become nice.
  • edited October 2016
    In case it helps someone, there is a missing piece of the puzzle: running 0.75.1, the updated ws:// wss:// handling works well in this application, but the apache configuration needs the following in the (ssl) virtualhost:

    <VirtualHost *:443>
    ServerName _____
    SSLEngine on
    SSLCertificateKeyFile /etc/letsencrypt/live/_____/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/_____/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/_____/chain.pem


    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass / http://pi3d.local:3344/ flushpackets=on
    ProxyPassReverse / http://pi3d.local:3344/

    RewriteEngine on
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
    RewriteRule .* ws://%{HTTP_HOST}/%{REQUEST_URI} [P]

    </VirtualHost>

    Obviously your ServerName and SSL cert parts will be different.

    Without the rewrite, the websocket never connects through the SSL proxy, rather just returns a 400 error and while the interface loads, it is blank except for the header.

  • Since we are already here, alternatively use nginx according to this docs:


  • The non-secure websocket is most likely a problem on WINDOWS as well? Could not find useful information how to setup ssl on a windows-based Repetier-Server installation. Any pointers?
  • nginx also works on windows. But of course you cannot get a valid certificate for any local web address. That is a limitation of certificates.
  • Hey,

    I personally do not like nginx that much because most of the time I am using apache. So I wanted to switch over to apache. After playing around more than 2 hours I got a working configuration for Apache 2.4 with SSL. The problem was the websocket connection (ws for http, wss for https). Like the other guys, I just got a blank page displayed at the beginning. Then I started to use the firefox webinspector and checked the console output. There I found some messages regarding this websocket problem.

    Here is my configuration. It may still contain different glitches.

    <VirtualHost *:443>
            ServerName YOURHOST.de
            ServerAdmin webmaster@YOURHOST.de
            LimitRequestBody 102400

            SSLEngine on
            SSLVerifyClient none
            SSLCertificateFile /etc/ssl/certs/YOURHOST.de.crt
            SSLCertificateChainFile /home/pi/YOURHOST.de.ca.crt
            SSLCertificateKeyFile /etc/ssl/private/YOURHOST.de.key

            DocumentRoot /usr/local/Repetier-Server/www/

            ProxyRequests Off
            ProxyPreserveHost On

            <Proxy *>
                    Order deny,allow
                    Allow from all
            </Proxy>

            RewriteEngine on
            RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
            RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
            RewriteRule .* ws://localhost:3344/%{REQUEST_URI} [P]

            ProxyPass / http://127.0.0.1:3344/ flushpackets=on
            ProxyPassReverse / http://127.0.0.1:3344/

            ProxyPass /socket/ ws://127.0.0.1:3344/socket/ timeout=86400
            ProxyPassReverse /socket/ ws://127.0.0.1:3344/socket/

            <directory /mod/front/>
                    Order deny,allow
                    deny from all
            </directory>

            <directory /modules/front2/>
                    Order deny,allow
                    deny from all
            </directory>

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    Regards, Mario
  • I cleaned up the directives which are not required. Now it's quite a bit shorter:

    <VirtualHost *:443>
            ServerName YOURHOST.de
            ServerAdmin webmaster@YOURHOST.de
            LimitRequestBody 102400

            SSLEngine on
            SSLVerifyClient none
            SSLCertificateFile /etc/ssl/certs/YOURHOST.de.crt
            SSLCertificateChainFile /home/pi/YOURHOST.de.ca.crt
            SSLCertificateKeyFile /etc/ssl/private/YOURHOST.de.key

            ProxyRequests Off
            ProxyPreserveHost On

            RewriteEngine on
            RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
            RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
            RewriteRule .* ws://localhost:3344/%{REQUEST_URI} [P]

            ProxyPass / http://127.0.0.1:3344/ flushpackets=on
            ProxyPassReverse / http://127.0.0.1:3344/

            ProxyPass /socket/ ws://127.0.0.1:3344/socket/ timeout=86400
            ProxyPassReverse /socket/ ws://127.0.0.1:3344/socket/

            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

  • and by the way this is what you need to install / enable to make it work:

    apt-get install apache2
    a2enmod ssl proxy proxy_http proxy_wstunnel headers cache rewrite

    PS: installed it on Raspberry Pi 3b arm
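
The vhost snippets in this thread differ in three details that decide whether the WebSocket reaches the backend: whether anything forwards the Upgrade request at all (the question's config only has ProxyPassReverse), whether the `/socket/` ProxyPass comes before the generic `/` one (Apache matches ProxyPass rules in configuration order, first match wins), and whether the target URL is well formed. The lint below is an added example, not code from the thread or from Repetier-Server; it parses a vhost block and reports those problems, and also checks that `ProxyRequests` stays `Off`, since the `<Proxy *> Allow from all` block used above would otherwise turn the vhost into an open forward proxy. Port 3344 is the backend port from the thread; the three sample configs are constructed to mirror the question's config, a corrected one, and the ordering and `ws:///` mistakes from the later posts.

```javascript
// Added example, not from the forum thread or Repetier-Server: lint for the
// Apache 2.4 HTTPS reverse-proxy + WebSocket pattern discussed above.

function parseVhost(text) {
  // Directives of the first <VirtualHost> block, in file order, as
  // { name (lower-cased), args, line }. Comments, blank lines and nested
  // section tags (<Proxy>, <Directory>) are skipped.
  const out = [];
  let inside = false;
  text.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    if (/^<VirtualHost\b/i.test(line)) { inside = true; return; }
    if (/^<\/VirtualHost>/i.test(line)) { inside = false; return; }
    if (!inside || line.startsWith('<')) return;
    const [name, ...args] = line.split(/\s+/);
    out.push({ name: name.toLowerCase(), args, line: i + 1 });
  });
  return out;
}

function lintWebSocketProxy(text) {
  const directives = parseVhost(text);
  const byName = (n) => directives.filter((d) => d.name === n);
  const findings = [];

  // 1. Forward proxying must be off; combined with "<Proxy *> Allow from all"
  //    an "On" here would expose an open proxy to the internet.
  const pr = byName('proxyrequests')[0];
  if (!pr || (pr.args[0] || '').toLowerCase() !== 'off') {
    findings.push('ProxyRequests must be explicitly Off');
  }

  const passes = byName('proxypass');
  const root = passes.find((p) => p.args[0] === '/');
  const sock = passes.find((p) => p.args[0].startsWith('/socket/'));
  const upgradeRewrite = byName('rewriterule').some((r) =>
    r.args.some((a) => /^wss?:\/\//.test(a)) &&
    r.args.some((a) => /\[(?:[^\]]*,)?P(?:,[^\]]*)?\]/.test(a)));

  // 2. Something has to forward the Upgrade request to the backend.
  if (!sock && !upgradeRewrite) {
    findings.push('no ws:// ProxyPass for /socket/ and no [P] RewriteRule: WebSocket upgrade is not proxied');
  }
  // 3. ProxyPass rules match in order; the specific prefix must precede "/".
  if (sock && root && sock.line > root.line) {
    findings.push(`line ${sock.line}: ProxyPass /socket/ comes after ProxyPass /, so the generic rule wins`);
  }
  // 4. "ws:///host" has an empty host part and never reaches the backend.
  passes.forEach((p) => {
    if (/^wss?:\/\/\//.test(p.args[1] || '')) {
      findings.push(`line ${p.line}: malformed target ${p.args[1]} (three slashes)`);
    }
  });
  // 5. ProxyPassReverse only rewrites response headers; without a ProxyPass
  //    nothing is forwarded and Apache serves DocumentRoot instead.
  if (!root && byName('proxypassreverse').length) {
    findings.push('ProxyPassReverse without ProxyPass: requests are served from DocumentRoot, not the backend');
  }
  return findings;
}

// Constructed samples (not copied from the thread verbatim).
const SAMPLE_BROKEN = `
<VirtualHost *:443>
    ServerName mydomain.com
    SSLEngine on
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPassReverse / http://localhost:3344/
</VirtualHost>`;

const SAMPLE_FIXED = `
<VirtualHost *:443>
    ServerName mydomain.com
    SSLEngine on
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /socket/ ws://localhost:3344/socket/
    ProxyPassReverse /socket/ ws://localhost:3344/socket/
    ProxyPass / http://localhost:3344/
    ProxyPassReverse / http://localhost:3344/
</VirtualHost>`;

const SAMPLE_MISORDERED = `
<VirtualHost *:443>
    ServerName mydomain.com
    SSLEngine on
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:3344/ flushpackets=on
    ProxyPassReverse / http://127.0.0.1:3344/
    ProxyPass /socket/ ws:///127.0.0.1:3344/socket/ timeout=86400
    ProxyPassReverse /socket/ ws://127.0.0.1:3344/socket/
</VirtualHost>`;

for (const [name, cfg] of Object.entries({ SAMPLE_BROKEN, SAMPLE_FIXED, SAMPLE_MISORDERED })) {
  console.log(name, lintWebSocketProxy(cfg));
}
```

Run it with `node` against any of your own vhost files read into a string; a clean config returns an empty list. The RewriteRule form used in the later posts satisfies check 2 on its own, which is why those configs work even though their `/socket/` ProxyPass sits after the generic one.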
