[BUG] Not able to run Webtop behind Apache Reverse-Proxy

[k3x]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

I am running a server in my local network which has many services running in docker. I want to add Webtop:ubuntu-mate to these services. Here is my Docker-Compose File:

version: "2.1"
services:
  webtop:
    image: lscr.io/linuxserver/webtop:ubuntu-mate
    container_name: webtop
    #security_opt:
    #  - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
      - CUSTOM_USER=xxx
      - PASSWORD=xxx
    volumes:
      - /data/webtop2/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 8007:3000
      - 8008:3001
    #devices:
    #  - /dev/dri:/dev/dri #optional
    shm_size: "4gb" #optional
    restart: unless-stopped

From my client in my local network i am Able to reach http://192.168.178.75:8007/ and https://192.168.178.75:8008/. Everything is working fine so far. Now i want to make this service available behind a reverse proxy. I used the documentation here: https://kasmweb.com/docs/latest/how_to/reverse_proxy.html#example-apache-config
This is my Apache config:

<VirtualHost *:443>
    ServerName xxx
    # SSL
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/xxx/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxx/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Websocket upgrade
    RewriteEngine on
    RewriteCond ${HTTP:Upgrade} websocket [NC]
    RewriteCond ${HTTP:Connection} upgrade [NC]
    RewriteRule .* "wss://127.0.0.1:8008/$1" [P,L]
    # Proxy
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPreserveHost on
    ProxyPass / https://127.0.0.1:8008/
    ProxyPassReverse / https://127.0.0.1:8008/
    ProxyRequests off
</VirtualHost>

The Documentation also mentions i should "Update Zones" in "Kasm Workspaces UI". How can i do this? How can i reach the Administrator UI?

I have a DNS-Record to my router which is forwarded (using NAT) to the docker host. Let's assume the DNS-Record is example.com. When opening https://example.com i see this:

Expected Behavior

The Desktop should be visible.

Steps To Reproduce

see Current Behavior

Environment

- OS: Ubuntu Server 22.04 LTS 64bit
- How docker service was installed: see Current Behavior

CPU architecture

x86-64

Docker creation

see Current Behavior

Container logs

probably not relevant

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[j0nnymoe]

You need to configure Apache to be able to handle websockets which I would expect to be covered in kasm's docs. We can provide support using our swag reverse proxy(nginx) but not others.

[thelamer]

None of us use Apache, if you figure this out feel free to update us with the fix, but I will not be spinning up an apache env to troubleshoot.

[felix-sterzelmaier-concat]

Thank you for your Feedback.

1. The Documentation also mentions i should "Update Zones" in "Kasm Workspaces UI". How can i do this? How can i reach the Administrator UI?
2. Have you successfully used an nginx reverse proxy with Webtop without configuring "Update Zones" in "Kasm Workspaces UI"?

(see https://kasmweb.com/docs/latest/how_to/reverse_proxy.html#update-zones )

[felix-sterzelmaier-concat]

I got it working. Here some infos:

• https://kasmweb.com/docs/latest/how_to/reverse_proxy.html is NOT the right documentation. It's for KasmWeb instead of KasmVNC. The correct Documentation is here: https://kasmweb.com/kasmvnc/docs/1.0.0/index.html but it has no information about Apache Reverse Proxy :(
• The Apache Configuration which works for me is:

<VirtualHost *:443>
    # Server Name
    ServerName xxx

    # SSL
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/xxx/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xxx/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Proxy Settings
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPreserveHost on
    ProxyRequests off

    # Websocket upgrade
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} "websocket" [NC]
    RewriteCond %{HTTP:Connection} "upgrade" [NC]
    RewriteRule ^/?(.*) "wss://127.0.0.1:8008/$1" [P,L]

    # Proxy
    ProxyPass "/" "https://127.0.0.1:8008/"
    ProxyPassReverse "/" "https://127.0.0.1:8008/"
</VirtualHost>

[thelamer]

Tagging WIP to keep open, until I can figure out a method of disseminating information like this to users.

[kasie-zhang]

You need to configure Apache to be able to handle websockets which I would expect to be covered in kasm's docs. We can provide support using our swag reverse proxy(nginx) but not others.

If you use Nginx, you can add two lines to handle websockets.

# WebSocket Support
proxy_set_header        Upgrade $http_upgrade;
proxy_set_header        Connection "upgrade";

See more in kasm's docs.