SSL on Apache Server

(Navjot Singh) #1

I am running Discourse Docker installation on an Apache based server. I tried following the SSL guide here but it was meant for a nginx server. What changes do I need to make it to get it working on Apache server?

I am using letsencrypted SSL certificate.

(Wes Osborn) #2

Let’s Encrypt is not fully supported yet. See this thread for more information:

(Navjot Singh) #3

Ok. I get it. But still general instructions for enabling SSL on Apache? Couldn’t find anything here.

(Wes Osborn) #4

Can you clarify what you mean by Apache based server? If you’re using the Docker based install (as you stated), then the web server would be nginx.

Is Apache a frontend server for you? Are you using some sort of Apache load balancer? Do you have Discourse installed alongside another website on the same server?

(Navjot Singh) #5

I am just running a simple installation of Apache like one does for any regular site. Nothing special about the installation. Am running Discourse’s Docker install on that.

That guide mentioned how to configure SSL for Discourse if one has nginx, but I wanted to know the specifics if one is using Apache instead.

(@SenpaiMass) #6

So you mean to say you have a web host with Cpanel (Apache) and you want to run discourse on it?
If Yes, I am afraid it’s not possible.
And Discourse meta only supports Docker installs which have Nginx.

(Navjot Singh) #7

I have a VPS on Vultr running Apache and Discourse both.

(Wes Osborn) #8

If you’re running the docker install, then your Discourse install is using nginx as its web server. You might have Apache running alongside Discourse/nginx, but your docker install is a total package needed to run Discourse: Webserver, Database, Caching, etc. It’s all bundled into the Discourse install.

If you have no other sites running on that same VPS, then you just need to uninstall Apache and following the SSL/TLS install instruction guide that you linked to earlier.

If you do have other sites on the same VPS that Apache is hosting, then you’ll still need to follow the SSL instructions you linked to for adding SSL on Discourse, but you may also need to explore other tweaks in order to get your other sites to work properly. This article appears to have some good information:

(Michael Marner) #9

I have Discourse running using the Standard Container, using Apache to proxy connections to Discourse. This allows you to have Discourse running along side other Apache Virtualhosts. You can do SSL in this way, using Server Name Indication.

Discourse Configuration.

Adjust the ports that are exposed by Docker (/var/discourse/containers/app.yml):

## which TCP/IP ports should this container expose?
  - "8080:80"   # fwd host port 8080   to container port 80 (http)
  - "2222:22" # fwd host port 2222 to container port 22 (ssh)

So Discourse will accept connections on port 8080 instead of 80.

Apache VirtualHost

Create a new VirtualHost configuration file for your Discourse install. Here’s what mine looks like:

# Redirect http connections to https...
<VirtualHost *:80>
    Redirect 301 /

# Proxy to discourse for https connections
<VirtualHost *:443>

    # SSL Configuration
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3

    # Certificate files to use
    SSLCertificateFile /etc/apache2/ssl/
    SSLCertificateKeyFile /etc/apache2/ssl/
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

    # Proxy to Discourse
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ProxyPreserveHost On

In this setup, Apache is responsible for SSL. Discourse just sees regular incoming connections. The potential problem with this kind of setup is that Server Name Indication needs to be supported on the client, or SSL won’t work. The advantage is you can just use the same Apache you are using to host other websites, without another layer of nginx/whatever.

(Giovanni Degiorgi) #10

SNI is implemented on major browsers and shouldn’t impact much the normal usage of the site:

Thanks for the configuration sample.

(Michael Marner) #11

Yep, that’s the conclusion I came to as well. Now I’m just waiting for someone running IE on Windows XP to complain (we have some reasonably non-tech savvy people in our organisation!) :facepalm: