Deploy with Apache2 as a Reverse-Proxy

[OlafCIT]

Hi,

When I use NGINX reverse-proxy only my websites on Apache2 are working, but cannot get pwpusher working.
If I adjust the config for use with ssl I get ERR_SSL_PROTOCOL_ERROR (or too many redirects on all my websites).

If I use Apache2 proxy the website is working, only cannot copy or push the link.

Am I missing something here?

[pglombardo]

Hi @OlafCIT - It sounds like the backend Password Pusher app is giving back redirects for some reason.

1. Can you share the settings.yml or list of environment variables that you set for Password Pusher?
2. Which proxy do you want to use? To simplify, let's pick one and focus on that one alone. Could you share the config block for that proxy?
3. Could you try it with Password Pusher v1.30.11?

I'll see if I can recreate the issue here locally.

[OlafCIT]

Hi Peter, Sorry for not providing correct information. I spent a very long time testing different configurations and was exhausted yesterday. It concerns an existing production environment, on which our ticket system and asset management runs and concerns an Ubuntu 22.04 server, which previously only ran Apache2 and now also NGINX for the Reverse-Proxy plus a basic MTA for sending the mail. When using the sample config file, I can still use the ticket system & asset management, but can only access PWPUSH on Public IP + Port. When I test with the Apache2 proxy, I can access everything and the SSL is also working, but it hangs on generating the password link. The intention is that Apache2 will continue to run, but that NGINX will forward the requests to Apache2 and the Docker Container as a Reverse-Proxy. The websites just run in /var/www/, but the Docker is launched from a different location, which currently only contains the docker-compose.yml, .env and the nginx.conf (the file from Github and then modified). From this directory I started the container via docker-compose up -d. This way my changes are taken from the .env file, which was not the case with the one-liners from the manual (except for a few settings). When I use the Apache2 Proxy with the configuration below, the redirect works i.c.m. SSL, however it is not possible to generate a password link. <VirtualHost *:443> ServerName pw.de-wolk.nl ServerAdmin ***@***.*** DocumentRoot /var/www/pwpush/ ProxyPreserveHost On ProxyRequests Off <Location / > Order allow,deny Allow from all ProxyPass http://127.0.0.1:5100/ ProxyPassReverse http://127.0.0.1:5100/ ProxyPassReverseCookiePath / / </Location> ErrorLog ${APACHE_LOG_DIR}/pwpush.error.log CustomLog ${APACHE_LOG_DIR}/pwpush.access.log combined RewriteEngine on RewriteCond %{SERVER_NAME} =pw.de-wolk.nl RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI}<https://%25%7bSERVER_NAME%7d%25%7bREQUEST_URI%7d> [END,NE,R=permanent] </VirtualHost> I will send the nginx.conf, .env and docker-compose.yml later this day. Hi @OlafCIT<https://github.com/OlafCIT> - It sounds like the backend Password Pusher app is giving back redirects for some reason. 1. Can you share the settings.yml or environment variables that you set for Password Pusher? 2. Which proxy do you want to use? To simplify, let's pick one and focus on that one alone. Could you share the config block for that proxy? I'll see if I can recreate the issue here locally. — Reply to this email directly, view it on GitHub<#1341 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BBTDCE5WQ2EYE6LQW3RFPLTXUXP2BANCNFSM6AAAAAA3MFYIE4>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[OlafCIT]

since I'm used to working with Apache2, I've tested Apache2's Proxy again and can already see where it goes wrong on Apache2.

As soon as a certificate is linked to the VHOST, the rest of the traffic appears to still go over HTTP, so that the link is not generated.

When I force SSL in the .env I get the error "too many redirects" and seems to be stuck in a loop.

[pglombardo]

Ok thanks for the information. If I understood correctly, I would just use Apache2 and let it talk directly to the backend container on 5100 over http.

I would also avoid using FORCE_SSL. That is a special case, breaks the Apache2 <--> 127.0.0.1:5100 communication and causes the redirect loop.

Instead make sure that the proxy (both Apache2 and nginx) both pass the X-Forwarded-Host, X-Forwarded-Port and X-Forwarded-Proto headers. This will tell the application how to generate secret URLs and to handle redirects.

Some proxy documentation is available here.

The SSL termination point should solely be your apache2 instance.

For reference, others have posted their Apache configs if you feel like digging a bit.

This is the first step which is a fairly standard setup. Let me know if this helps but simplifying the setup is probably a good first step.

[OlafCIT]

That's correct! I had allready Header always set Content-Security-Policy "upgrade-insecure-requests;" in my config, but this was in the wrong config (was late yesterday).

I have placed it in the right config and everything is working on Apache2.

Now I need to fix this with NGINX, but I will do that at a later stage.
since I now know where it went wrong, NGINX will no longer be a challenge to get it working.

Thanks for the support!

[pglombardo]

That's great to hear! If you hit any issues with nginx, let me know.