I want to install using a reverse proxy for Apache

Dear @Teraterayuki

Here is an example set of working Apache2 virtual hosts for a reverse proxy to a unix domain socket in a Discourse container:

Port 80

<VirtualHost *:80>
        ServerName mysite.mydomain.com
        ServerAdmin webmaster@localhost
        ProxyPreserveHost On

        #ProxyPass / http://127.0.0.1:8888/
        #ProxyPassReverse / http://127.0.0.1:8888/

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/community_errors.log
        CustomLog ${APACHE_LOG_DIR}/community.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        ModPagespeed Off
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =mysite.mydomain.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Port 443

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName mysite.mydomain.com
        ServerAdmin webmaster@localhost
        #SSLProxyEngine on   #enable this after Let's encrypt is setup on the reverse proxy
  	    RewriteEngine On
        
        RewriteCond %{HTTP_USER_AGENT}  (Bytespider|Yandex|Wget|seocompany|CCBot|Cincraw) [NC]
        RewriteRule . - [R=403,L]

  	    ProxyPreserveHost On
  	    ProxyRequests Off
  	    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
 	    RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}

        #ProxyPass / http://127.0.0.1:8888/
        #ProxyPassReverse / http://127.0.0.1:8888/
        ProxyPass / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/
        ProxyPassReverse  / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/community_errors_ssl.log
        #CustomLog ${APACHE_LOG_DIR}/community_ssl.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        ModPagespeed Off
        SSLCertificateFile /etc/letsencrypt/live/mysite.mydomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.mydomain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

@Teraterayuki

Kindly note that in this configuration the proxy is with a unix socket not a web socket (ws)

Note also that in this configuration you do not need to manually add the Let’s Encrypt info. You can start with this:

Port 80 Before Running Certbot

<VirtualHost *:80>
        ServerName mysite.mydomain.com
        ServerAdmin webmaster@localhost
        ProxyPreserveHost On

        #ProxyPass / http://127.0.0.1:8888/
        #ProxyPassReverse / http://127.0.0.1:8888/

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/community_errors.log
        CustomLog ${APACHE_LOG_DIR}/community.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        ModPagespeed Off
     
</VirtualHost>

Port 443 Before Running Certbot

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName mysite.mydomain.com
        ServerAdmin webmaster@localhost
        #SSLProxyEngine on   #enable this after Let's encrypt is setup on the reverse proxy
  	    RewriteEngine On
        


  	    ProxyPreserveHost On
  	    ProxyRequests Off
  	    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
 	    RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}

        #ProxyPass / http://127.0.0.1:8888/
        #ProxyPassReverse / http://127.0.0.1:8888/
        ProxyPass / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/
        ProxyPassReverse  / unix:/var/discourse/shared/socket-only/nginx.http.sock|http://localhost/

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/community_errors_ssl.log
        #CustomLog ${APACHE_LOG_DIR}/community_ssl.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
        ModPagespeed Off

</VirtualHost>
</IfModule>

Then, if you run:

certbot -d mysite.mydomain.com

Friendly certbot will take care of appending the required SSL code for you.

After our friend certbot has added it’s conf code and all is working as expected, you can uncomment this line:

#SSLProxyEngine on   #enable this after Let's encrypt is setup on the reverse proxy

and restart apache2 again.

Hope this helps @Teraterayuki

Take care.


Closing Notes:

  1. Kindly note that we do not use haproxy in our apache2 reverse proxy configurations. haproxy adds an unnecessary layer of complexity with almost no tangible benefit (for us), so we run apache2 as a reverse proxy “the easy way”. YMMV if you want to use haproxy; but honestly, we do not use haproxy (on a number of apache2 reverse proxy setups in production) and never have any problems with apache2 as a reverse proxy.
  1. If you are not using mod_pagespeed, comment those lines out. However, if you are running mod_pagespeed, turn off mod_pagespeed per virtual host when reverse proxing to Discourse.

All the best… and hope this helps you in some small way.

6 Likes