Apache Reverse Proxy #1442

Open
Mq89 opened this issue Jul 4, 2024 · 6 comments
Comments

Mq89 commented Jul 4, 2024

As I invested quite some time to figure this out, I wanted to share the Apache configuration I use for the reverse proxy. The official docs provide the Nginx config, but I am kind of stuck with Apache on that particular machine.

  • Sharry is running in a docker container basically as provided by this repository.
  • Obviously, I changed the actual domain to example.com.
  • Apache mods for reverse proxy need to be enabled.
  • As stated in the official docs, Sharry is currently not capable of running in a subdirectory. Hence, a subdomain is the only way to go.

```apache
<VirtualHost *:443>
        ServerName sharry.example.com

        ProxyPreserveHost   On
        ProxyPass           /   http://127.0.0.1:9090/
        ProxyPassReverse    /   http://127.0.0.1:9090/
        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

        RewriteEngine On
        RewriteCond %{HTTP:Connection} Upgrade [NC]
        RewriteCond %{HTTP:Upgrade} =websocket [NC]
        RewriteRule /(.*) ws://127.0.0.1:9090/$1 [P,L]

        Include /etc/letsencrypt/options-ssl-apache.conf

        Timeout 28800
        KeepAlive On

        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
```

eikek (Owner) commented Jul 8, 2024

Thank you @Mq89 - so is this config a working example? It could be added to the docs similar to the nginx one, right? If you like, you could add it there, branch off of current-docs.

Mq89 (Author) commented Jul 17, 2024

Yes, it is a working example. I can provide an update for the docs, but it will take me a couple of days.

eikek (Owner) commented Jul 17, 2024

Thank you! And there is no rush at all! (if I find some time before, I can also add it, let's see 😄)

luther84 commented Nov 1, 2024

I know this issue is getting older but I am currently setting up an instance of sharry using an apache reverse proxy similar to this and I am confused about some of the directives in this example.

  • ProxyPreserveHost On
    • the documentation says
      > this option will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line
    • is this a security issue? does sharry use Host: in any meaningful way? apache docs straight up say it should normally be turned off, I am confused about why it's on here except maybe for logging purposes?
  • RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    • as I understand things, in practice, this directive informs sharry whether the original request to the proxy was http or https
    • does sharry use this at all? I'm not bothering to try running ssl between sharry and apache, is there another reason to do this?
  • RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://127.0.0.1:9090/$1 [P,L]
    • I don't think sharry needs websockets, or really any of this rewriting, ProxyPass and ProxyPassReverse seem to be sufficient

I've still got a lot to learn about apache. I may be way off base here but I would really appreciate hearing from others. Here's a fuller example of the apache config I am building for sharry in case it helps anyone.

```apache
<VirtualHost *:443>
    ServerName sharry.company.com
    ServerAlias sharry

    SSLEngine on
    SSLCertificateFile /etc/ssl/STAR_company_com.crt
    SSLCertificateKeyFile /etc/ssl/STAR_company_com.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    ProxyPass / http://localhost:9090/
    ProxyPassReverse / http://localhost:9090/
    ProxyRequests off

    LogLevel warn
    CustomLog /var/log/sharry/secure_access.log combined
    ErrorLog /var/log/sharry/secure_error.log
</VirtualHost>
```

Mq89 (Author) commented Nov 2, 2024

Hi @luther84, thank you for your reply.

Part of the reason why it takes me so long to provide a PR to update the docs is that I want to validate which configuration options are really necessary to run sharry behind an apache reverse proxy. I did not find the time to do it yet.
When I opened the issue, I just posted the config with which I finally managed to make the proxy work. It is the result of the many options I tried. So there likely are unnecessary options in the config I used.

From your comment, I understand that the configuration you posted works as a reverse proxy. Correct?

I still want to confirm the necessary working configuration and provide updated documentation.
But if you want to do it yourself, feel free to do so.

@luther84
> Part of the reason why it takes me so long to provide a PR to update the docs is that I want to validate which configuration options are really necessary to run sharry behind an apache reverse proxy. I did not find the time to do it yet. When I opened the issue, I just posted the config with which I finally managed to make the proxy work. It is the result of the many options I tried. So there likely are unnecessary options in the config I used.

No worries, I really appreciate you posting in the first place. It gave me something to compare my research to and made me look up a bunch of directives in the apache docs. You helped my learning experience and hopefully our conversation can help other people find the right config for them. I still have lots to learn and always welcome helpful input.

> From your comment, I understand that the configuration you posted works as a reverse proxy. Correct?

Yes, a version of this config with filepaths and domain names changed to suit your environment will proxy traffic back to a sharry instance running on localhost:9090. Possibly even securely.

> I still want to confirm the necessary working configuration and provide updated documentation. But if you want to do it yourself, feel free to do so.

I don't have the time/energy to figure out a pull request for the docs but popping in here occasionally to talk about configs works for me.

My current struggle is deciding if my usage of apache's basic auth mechanism (backed by ldap in this case) with sharry's proxy auth method is secure. It looks like I can get the behavior I want with something like

```apache
<Location /api/v2/open/auth/proxy>
    AuthType basic
    AuthName sharry
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap.company.com/ou=users,dc=company,dc=com"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPMaxSubGroupDepth 0
    Require ldap-group cn=company,ou=groups,ou=users,dc=company,dc=com

    RequestHeader set X-Valid-User "expr=%{REMOTE_USER}"
    RequestHeader set X-User-Email "expr=%{REMOTE_USER}@company.com"
</Location>
```

Changing to <Location /> is probably more secure but less intuitive for end users. I am not certain /api/v2/open/auth/proxy is sufficient and I would really appreciate if someone else shared what they use.
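The following vhost is an added example written for this thread; it is not configuration from the issue authors or from the Sharry project. It folds together the two open questions above: the minimal proxy directives luther84 found sufficient (with `X-Forwarded-Proto` kept, because backends behind a TLS-terminating proxy commonly rely on it to build https links and secure cookies; whether Sharry consults it is not settled here), and the LDAP-gated `<Location>` for Sharry's proxy-auth endpoint. The security point it adds is header hygiene: a client can send `X-Valid-User` and `X-User-Email` itself. Inside the `<Location>`, `RequestHeader set` overwrites whatever the client sent, but on every other path those client-supplied headers would reach the backend untouched, so they are stripped at vhost scope with `RequestHeader unset ... early` and re-created only after a successful `Require`. Hostnames, certificate paths, the LDAP base DN, the group name and the e-mail domain are placeholders; the assumption that Sharry reads the two headers only at `/api/v2/open/auth/proxy` is taken from luther84's snippet and is not verified here.

```apache
# Added example for the thread above, not the issue's or Sharry's own config.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_ldap, mod_authnz_ldap.
<VirtualHost *:443>
    ServerName sharry.example.com                       # placeholder hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/sharry.example.com.crt   # placeholder path
    SSLCertificateKeyFile /etc/ssl/sharry.example.com.key   # placeholder path
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Never act as a forward proxy; only the explicit ProxyPass below is served.
    ProxyRequests Off

    # Defense in depth: drop any copy of the trust headers the client sent
    # itself. "early" runs before authentication and before the Location
    # block below, so the backend only ever sees values Apache sets after
    # a successful Require.
    RequestHeader unset X-Valid-User early
    RequestHeader unset X-User-Email early

    # TLS terminates here; tell the backend the scheme the client used.
    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

    ProxyPass        / http://127.0.0.1:9090/
    ProxyPassReverse / http://127.0.0.1:9090/

    # Only the proxy-auth endpoint is gated by Apache/LDAP (assumption: this
    # is the one path where Sharry reads the headers). The identity headers
    # are set from the authenticated principal, never from client input.
    <Location /api/v2/open/auth/proxy>
        AuthType basic
        AuthName "sharry"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=users,dc=example,dc=com"   # placeholder
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPMaxSubGroupDepth 0
        Require ldap-group cn=sharry-users,ou=groups,dc=example,dc=com     # placeholder

        RequestHeader set X-Valid-User "expr=%{REMOTE_USER}"
        RequestHeader set X-User-Email "expr=%{REMOTE_USER}@example.com"   # placeholder domain
    </Location>

    LogLevel warn
    ErrorLog  /var/log/apache2/sharry_error.log
    CustomLog /var/log/apache2/sharry_access.log combined
</VirtualHost>
```

Two checks worth running after loading this: `apachectl configtest`, and a request to a non-auth path that carries a forged `X-Valid-User` header, confirming in the backend's access log that the header arrives empty. The `unset` at vhost scope and the `set` inside the `<Location>` do not conflict: the early-stage unset runs first, and the late-stage set in the authenticated location runs just before mod_proxy hands the request to the backend.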
