Dear @Teraterayuki …
Here is an example set of working Apache2 virtual hosts for a reverse proxy to a unix domain socket in a Discourse container:
Port 80
<VirtualHost *:80>
    ServerName mysite.mydomain.com
    ServerAdmin webmaster@localhost
    ProxyPreserveHost On
    #ProxyPass / http://127.0.0.1:8888/
    #ProxyPassReverse / http://127.0.0.1:8888/
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/community_errors.log
    CustomLog ${APACHE_LOG_DIR}/community.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    ModPagespeed Off
    # Redirect every plain-HTTP request for this host to HTTPS
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mysite.mydomain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Port 443
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName mysite.mydomain.com
        ServerAdmin webmaster@localhost
        # Enable this only after Let's Encrypt is set up on the reverse proxy.
        # (Apache does not accept a trailing comment on the same line as a
        # directive, so the note lives on its own line.)
        #SSLProxyEngine on
        RewriteEngine On
        # Reject abusive crawlers by User-Agent
        RewriteCond %{HTTP_USER_AGENT} (Bytespider|Yandex|Wget|seocompany|CCBot|Cincraw) [NC]
        RewriteRule . - [R=403,L]
        ProxyPreserveHost On
        # Never act as a forward (open) proxy
        ProxyRequests Off
        # Pass the original scheme and client address on to Discourse
        RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
        RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}
        #ProxyPass / http://127.0.0.1:8888/
        #ProxyPassReverse / http://127.0.0.1:8888/
        # Proxy to the unix domain socket exposed by the Discourse container
        ProxyPass / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/
        ProxyPassReverse / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/community_errors_ssl.log
        #CustomLog ${APACHE_LOG_DIR}/community_ssl.log combined
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        ModPagespeed Off
        SSLCertificateFile /etc/letsencrypt/live/mysite.mydomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.mydomain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>
@Teraterayuki
Kindly note that in this configuration the proxy is with a unix socket, not a web socket (ws).
Note also that in this configuration you do not need to manually add the Let’s Encrypt info. You can start with this:
Port 80 Before Running Certbot
<VirtualHost *:80>
    ServerName mysite.mydomain.com
    ServerAdmin webmaster@localhost
    ProxyPreserveHost On
    #ProxyPass / http://127.0.0.1:8888/
    #ProxyPassReverse / http://127.0.0.1:8888/
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/community_errors.log
    CustomLog ${APACHE_LOG_DIR}/community.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    ModPagespeed Off
</VirtualHost>
Port 443 Before Running Certbot
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName mysite.mydomain.com
        ServerAdmin webmaster@localhost
        # Enable this only after Let's Encrypt is set up on the reverse proxy.
        # (Apache does not accept a trailing comment on the same line as a
        # directive, so the note lives on its own line.)
        #SSLProxyEngine on
        RewriteEngine On
        ProxyPreserveHost On
        # Never act as a forward (open) proxy
        ProxyRequests Off
        # Pass the original scheme and client address on to Discourse
        RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
        RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}
        #ProxyPass / http://127.0.0.1:8888/
        #ProxyPassReverse / http://127.0.0.1:8888/
        # Proxy to the unix domain socket exposed by the Discourse container
        ProxyPass / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/
        ProxyPassReverse / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/community_errors_ssl.log
        #CustomLog ${APACHE_LOG_DIR}/community_ssl.log combined
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        ModPagespeed Off
    </VirtualHost>
</IfModule>
Then, if you run:
certbot -d mysite.mydomain.com
Friendly certbot will take care of appending the required SSL code for you.
After our friend certbot has added its conf code and all is working as expected, you can uncomment this line:
#SSLProxyEngine on
and restart apache2 again.
Hope this helps @Teraterayuki
Take care.
Closing Notes:
- Kindly note that we do not use haproxy in our apache2 reverse proxy configurations. haproxy adds an unnecessary layer of complexity with almost no tangible benefit (for us), so we run apache2 as a reverse proxy “the easy way”. YMMV if you want to use haproxy; but honestly, we do not use haproxy (on a number of apache2 reverse proxy setups in production) and never have any problems with apache2 as a reverse proxy.
- If you are not using mod_pagespeed, comment those lines out. However, if you are running mod_pagespeed, turn off mod_pagespeed per virtual host when reverse proxying to Discourse.
All the best… and hope this helps you in some small way.
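As an added example that is not part of the post above (nor of Discourse or certbot), here is a small POSIX shell linter for the 443 vhost it describes. It checks the directives the setup depends on: `ProxyRequests Off` (so mod_proxy cannot be abused as an open forward proxy), `ProxyPreserveHost On`, a `ProxyPass`/`ProxyPassReverse` pair pointing at a `unix:` socket, the `X-Forwarded-Proto` and `X-Real-IP` request headers, and that no leftover `ProxyPass / http://127.0.0.1...` line has been left uncommented. The two sample vhost files it writes are constructed for the demo; the temp-directory paths and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint an Apache vhost file for
# the reverse-proxy settings the post relies on, using only POSIX sh and grep.
# The file names and sample configs below are constructed for this demo.

# check_proxy_vhost FILE
# Returns 0 when FILE carries every required directive, 1 otherwise,
# printing one line per problem found.
check_proxy_vhost() {
    f=$1
    bad=0
    # ProxyRequests Off: without it mod_proxy can be abused as an open forward proxy
    grep -Eq '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$f" \
        || { echo "$f: missing 'ProxyRequests Off'"; bad=1; }
    # The Host header must reach Discourse unchanged
    grep -Eq '^[[:space:]]*ProxyPreserveHost[[:space:]]+On' "$f" \
        || { echo "$f: missing 'ProxyPreserveHost On'"; bad=1; }
    # The backend must be the container's unix domain socket, not a TCP port
    grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+unix:/[^|]+[|]http://' "$f" \
        || { echo "$f: missing ProxyPass to a unix: socket"; bad=1; }
    grep -Eq '^[[:space:]]*ProxyPassReverse[[:space:]]+/[[:space:]]+unix:/' "$f" \
        || { echo "$f: missing ProxyPassReverse to a unix: socket"; bad=1; }
    # Discourse needs the original scheme and the client IP
    grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X-Forwarded-Proto' "$f" \
        || { echo "$f: missing X-Forwarded-Proto header"; bad=1; }
    grep -Eq '^[[:space:]]*RequestHeader[[:space:]]+set[[:space:]]+X-Real-IP' "$f" \
        || { echo "$f: missing X-Real-IP header"; bad=1; }
    # A live (uncommented) ProxyPass to 127.0.0.1 would bypass the socket
    if grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+/[[:space:]]+http://127\.0\.0\.1' "$f"; then
        echo "$f: uncommented ProxyPass to 127.0.0.1 overrides the socket"; bad=1
    fi
    return $bad
}

# check_socket PATH: the socket the container exposes must exist and be a socket
check_socket() {
    [ -S "$1" ]
}

# write_sample_vhosts DIR: constructed good/bad vhost files for the demo
write_sample_vhosts() {
    cat > "$1/good.conf" <<'EOF'
<VirtualHost *:443>
    ServerName mysite.mydomain.com
    ProxyPreserveHost On
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
    RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}
    #ProxyPass / http://127.0.0.1:8888/
    ProxyPass / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/
    ProxyPassReverse / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/
</VirtualHost>
EOF
    cat > "$1/bad.conf" <<'EOF'
<VirtualHost *:443>
    ServerName mysite.mydomain.com
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8888/
    ProxyPassReverse / http://127.0.0.1:8888/
</VirtualHost>
EOF
}

# Demo on the constructed samples
demo_dir=$(mktemp -d)
write_sample_vhosts "$demo_dir"
check_proxy_vhost "$demo_dir/good.conf" && echo "good.conf: OK"
check_proxy_vhost "$demo_dir/bad.conf" || echo "bad.conf: rejected"
rm -rf "$demo_dir"
```

Run it against a real vhost with `check_proxy_vhost /etc/apache2/sites-enabled/mysite.conf && check_socket /var/discourse/shared/socket-only/nginx.http.sock` before `apachectl configtest`; the linter only reads the file, so it is safe to run on a live box. Note that it matches directives by line, so a directive wrapped inside an `<If>` block still counts as present.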