Reverse Proxy with Apache

rraines

I followed the instructions here, https://xen-orchestra.com/docs/configuration.html#reverse-proxy, to setup a reverse proxy. The config works if my path is "/" but does not work for any other path like "/xoa" or /xoa/".

Has anyone had any luck with this? I am not an Apache wizard so it could be a directive I am missing.

<VirtualHost *:80>

ServerName home.lab

ProxyRequests Off
ProxyPreserveHost On
RewriteEngine On

RewriteCond %{HTTP:upgrade} websocket [NC]
RewriteRule /xoa/(.*) ws://192.168.1.6:80/$1 [L,P]

ProxyPass /xoa/ http://192.168.1.6:80/
ProxyPassReverse /xoa/ http://192.168.1.6:80/

</VirtualHost>

The error I get is:

192.168.1.100 - - [08/Feb/2021:16:15:10 -0600] "GET /xoa/ HTTP/1.1" 302 58 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.87 Safari/537.36"
192.168.1.100 - - [08/Feb/2021:16:15:10 -0600] "GET /signin HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.87 Safari/537.36"

That 404 error should be "GET xoa/signin" and not an error, I am not sure why the ProxyPassReverse does not add the path.

olivierlambert

Maybe @julien-f would know

rraines

@olivierlambert

This site has a solution:
https://www.askapache.com/hosting/reverse-proxy-apache/

My config now looks like this:

<VirtualHost *:80>

ServerName home.lab

#ProxyRequests Off
ProxyPreserveHost On
RewriteEngine On

RewriteCond %{HTTP:upgrade} websocket [NC]
RewriteRule /xoa/(.*) ws://192.168.1.6:80/$1 [L,P]

ProxyPass /xoa/ http://192.168.1.6:80/
<location /xoa/>
    ProxyPassReverse /
</location>

</VirtualHost>

rraines

This did not work completely, not sure where to go from here. This is what I have now, updates do not work and consoles are missing in the GUI

<VirtualHost *:80>

ServerName home.lab
RemoteIPHeader X-Forwarded-For
ProxyRequests Off
ProxyPreserveHost On
RewriteEngine On

RewriteCond %{HTTP:upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule /(.*) ws://192.168.1.6:80/$1 [L,P]
#RewriteRule .* ws://192.168.1.6:80%{REQUEST_URI} [P]


ProxyPass /xoa/ http://192.168.1.6:80/
<Location /xoa/ >
    ProxyPassReverse /
</Location>



</VirtualHost>

julien-f

@rraines AFAU, ProxyPassReverse must be the same path as ProxyPass to make Apache2 rewrite redirections from /foo to /xoa/foo

Your initial config appears to be correct, please check Apache's logs.

julien-f

Why do you have ProxyRequests Off????

rraines

@julien-f

This is what is in the Docs and it works aas long as the path is "/"

RewriteEngine On
RewriteCond %{HTTP:upgrade} websocket [NC]
RewriteRule /(.*) ws://192.168.1.6:80/$1 [L,P]

ProxyPass / http://192.168.1.6:80/
ProxyPassReverse / http://192.168.1.6:80/

A different path like "/xoa/" does not work,

RewriteEngine On
RewriteCond %{HTTP:upgrade} websocket [NC]
RewriteRule /xoa/(.*) ws://192.168.1.6:80/$1 [L,P]

ProxyPass /xoa/ http://192.168.1.6:80/
ProxyPassReverse /xoa/ http://192.168.1.6:80/

In the logs I get what is below. The 404 error shows that the xoa is stripped out.

192.168.1.100 - - [08/Feb/2021:16:15:10 -0600] "GET /xoa/ HTTP/1.1" 302 58 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.87 Safari/537.36"
192.168.1.100 - - [08/Feb/2021:16:15:10 -0600] "GET /signin HTTP/1.1" 404 196 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.87 Safari/537.36"

When I look at the dev console I notice that the websockets use the path "/api/". If that is true, should the path in the RewriteRule be api or xoa? Or would a ProxyPass /api/ ws://192.168.1.6:80/api/ be sufficient? I will be able to try later when I can get to the lab.

rraines

@julien-f said in Reverse Proxy with Apache:

ProxyRequests Off

Because the Apache 2.4 documentation, https://httpd.apache.org/docs/2.4/mod/mod_proxy.html, for that directive states "In a typical reverse proxy or gateway configuration, this option should be set to Off."

rraines

@julien-f

This works for specific paths, the api strings can be left there for the "/" path as well. The extra RewriteRule will allow home.lab/xoa or home.lab/xoa/.

<VirtualHost *:80>

ServerName home.lab
ProxyRequests Off

RewriteEngine On
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule api/(.*) ws://192.168.1.6:80/api/$1 [L,P]

RewriteRule ^/xoa$ xoa/ [L,R=301]
ProxyPass /xoa/  http://192.168.1.6:80/
ProxyPassReverse /xoa/  http://192.168.1.6:80/


</VirtualHost>

julien-f

@rraines Ok, my bad, it's off by default so it's consistent with our documentation

julien-f

@rraines said in Reverse Proxy with Apache:

RewriteRule api/(.*) ws://192.168.1.6:80/api/$1 [L,P]

Why isn't there a leading slash to api/ like is shown on the documentation?

rraines

@julien-f

@julien-f said in Reverse Proxy with Apache:

@rraines said in Reverse Proxy with Apache:

RewriteRule api/(.*) ws://192.168.1.6:80/api/$1 [L,P]

Why isn't there a leading slash to api/ like is shown on the documentation?

The reason I tried that was because in the dev console I saw the the request was to "api/", I was surprised it worked, but my thought was that if "api/" was being sent then "/api/" would never match. I understand the basics but I am more of an assembly language/system library guy.

romain_q

@rraines Hello, for anyone reaching this page, I had some issues regarding the XOA behind an Apache Reverse Proxy.
Here is the config that works for me, with HTTPS exposed VirtualHost and HTTPS used to connect to the appliance.
Versions:
OS: Debian GNU/Linux 11 (bullseye)
apache2: 2.4.52-1~deb11u2

<VirtualHost *:443>
        ServerName MYSERVERNAME
        ServerAdmin MYSERVERADMIN

        #CustomLog /var/log/apache2/ihm-xoa-access.log combined

        SSLCertificateFile /etc/ssl/lets-encrypt/MYDOMAINNAME/cert.pem
        SSLCACertificateFile /etc/ssl/lets-encrypt/MYDOMAINNAME/chain.pem
        SSLCertificateKeyFile /etc/ssl/lets-encrypt/MYDOMAINNAME/privkey.pem
        SSLProtocol -ALL +TLSv1.2
        SSLEngine On
        SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!RC4:!3DES

# Required with SSL setup (Also required if the virtualhost is exposed in HTTPS and the backend connection is performed in HTTP)
        SSLProxyEngine On
        SSLProxyCheckPeerCN off

# Handle the websocket part with proxy_wstunnel apache module
        RewriteEngine on
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteCond %{HTTP:Connection} upgrade [NC]
        RewriteRule ^/?(.*) "wss://MYSERVERNAME/$1" [P,L]

        ProxyPass /balancer-manager !
        <Location /balancer-manager>
                SetHandler balancer-manager
                Require ip MYIPLIST
        </Location>

        <Proxy balancer://xoa-cluster/*>
                BalancerMember https://XO_APPLIANCE_IP:443 route=XO_APPLIANCE_NAME
                Options -Indexes +FollowSymLinks +MultiViews
                Require ip MYIPLIST2
        </Proxy>
# no need for specificic ProxyPass
        ProxyPass               /  balancer://xoa-cluster/
        ProxyPassReverse        /  balancer://xoa-cluster/
</VirtualHost>

I hope this will help someone.

olivierlambert

Have you checked https://xen-orchestra.com/docs/configuration.html#reverse-proxy?

romain_q

Hello @olivierlambert
I did not came accross this page with my research but yes this is correct too.

Sorry If my most was not clear but the config I pasted IS working

(By the way, huge fan here )

olivierlambert

Good If there's anything wrong in the doc, you can correct it!