HOWTO setup Discourse with Let's Encrypt and Apache SSL


(Tarek Loubani) #1

The goal of this post is to help you set up Let’s Encrypt with Apache SSL. It assumes that you have already properly configured Discourse.

Configuration notes

Do not enable web.ssl.template.yml and web.letsencrypt.ssl.template.yml. You only need one of your servers to present a certificate, and that should be your Apache server.

Configure your apache virtualhost

Keep only one virtualhost per file. Configure as per usual. Really, this step doesn’t matter much.

Get your Let’s Encrypt certificate

Get your certificate with certbot from Let’s Encrypt:

certbot --apache -d forum.example.org

Modify the Apache files

You should have two files that are enabled: forum.example.org.conf and forum.example.org-le-ssl.conf. Make them the following:

forum.example.org.conf:

<VirtualHost x.x.x.x:80>
    ServerName forum.example.org
    RewriteEngine On
    # Send every plain-HTTP request for this hostname to the HTTPS vhost with a
    # permanent redirect, keeping the original path and query string. A second,
    # unconditional RewriteRule before this one would fire first and never let
    # it run, so a single rule is kept here.
    RewriteCond %{SERVER_NAME} =forum.example.org
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

forum.example.org-le-ssl.conf:

<VirtualHost x.x.x.x:443>
    ServerName forum.example.org
    RewriteEngine On

    # TLS termination happens here, not inside the Discourse container.
    # fullchain.pem carries the intermediate certificate as well as the leaf;
    # options-ssl-apache.conf is certbot's protocol and cipher configuration.
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/forum.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Reverse proxy to the Discourse container on the loopback port.
    # ProxyPreserveHost passes the original Host header through to Discourse;
    # ProxyRequests Off keeps this vhost from acting as an open forward proxy.
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:4578/
    ProxyPassReverse / http://127.0.0.1:4578/
</VirtualHost>

Done

This should work. Good luck!
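An added check, not part of the original post, that lints the two vhost files for the settings this setup depends on before Apache is reloaded: the chain served from fullchain.pem, certbot's options-ssl-apache.conf, ProxyRequests Off so the vhost is not an open forward proxy, the loopback ProxyPass, and the HTTP-to-HTTPS redirect. The sample configs and the 203.0.113.10 address are constructed; the file layout follows the post.

```shell
# Added example, not from the original post: lint the vhost pair for the
# directives this setup relies on before reloading Apache. Sample configs
# and the 203.0.113.10 address are constructed; file layout follows the post.
# has PATTERN DESCRIPTION: report a directive missing from the file named in $f.
has() { grep -Eq "$1" "$f" || { echo "MISSING in $f: $2"; rc=1; }; }
# Return 0 when the 443 vhost carries every directive the proxy setup needs.
check_ssl_vhost() {
  f="$1"; rc=0
  has '^[[:space:]]*SSLEngine[[:space:]]+[Oo]n' 'SSLEngine On'
  # fullchain.pem carries the intermediate; cert.pem alone sends an incomplete chain
  has 'SSLCertificateFile[[:space:]]+/etc/letsencrypt/live/[^/]+/fullchain\.pem' 'fullchain.pem'
  has 'SSLCertificateKeyFile[[:space:]]+/etc/letsencrypt/live/[^/]+/privkey\.pem' 'privkey.pem'
  has 'Include[[:space:]]+/etc/letsencrypt/options-ssl-apache\.conf' 'options-ssl-apache.conf'
  # ProxyRequests On would make this vhost an open forward proxy for anyone on the internet
  has '^[[:space:]]*ProxyRequests[[:space:]]+[Oo]ff' 'ProxyRequests Off'
  has '^[[:space:]]*ProxyPreserveHost[[:space:]]+[Oo]n' 'ProxyPreserveHost On'
  has '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+http://127\.0\.0\.1:[0-9]+/' 'ProxyPass to 127.0.0.1'
  return $rc
}
# Return 0 when the :80 vhost redirects to https:// (so nothing is served in clear).
check_http_vhost() {
  f="$1"; rc=0
  has 'RewriteRule[[:space:]].*https://.*\[.*R' 'RewriteRule redirect to https://'
  return $rc
}
# Constructed samples: a correct pair, plus a 443 vhost with two common mistakes.
TMP=$(mktemp -d)
cat > "$TMP/forum.example.org.conf" <<'EOF'
<VirtualHost 203.0.113.10:80>
    ServerName forum.example.org
    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF
cat > "$TMP/forum.example.org-le-ssl.conf" <<'EOF'
<VirtualHost 203.0.113.10:443>
    ServerName forum.example.org
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/forum.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/forum.example.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:4578/
</VirtualHost>
EOF
# Mistakes: cert.pem instead of fullchain.pem, and ProxyRequests On.
sed -e 's/fullchain\.pem/cert.pem/' -e 's/ProxyRequests Off/ProxyRequests On/' \
    "$TMP/forum.example.org-le-ssl.conf" > "$TMP/broken-le-ssl.conf"
```

Run it against the real files under /etc/apache2/sites-enabled with check_http_vhost and check_ssl_vhost; each MISSING line names a directive to add before reloading.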


(Sam Saffron) #2

Expect high levels of pain at scale if running Apache as a proxy:

Apache Httpd uses a thread-per-connection model, and will run out of threads very fast with long polling. I’ve hit this problem in production with httpd working as a reverse proxy, and it seems there is no way to make long polling work with httpd.

Consider using either nginx (for non-Java servers) or Jetty (as a J2EE servlet container); they both use a multiple-requests-per-thread model and are not affected by this problem.