Cach2019 wrote:

Hi,

I am using an Apache proxy to manage traffic from only one public IP to servers with local IPs. certbot/letsencrypt is also working on this proxy.

The external firewall is NATing all traffic on ports 80 and 443 to this proxy's internal IP.

Everything works well, except that all my local servers are listening on port 80. So the configuration on the proxy with Apache and Let's Encrypt takes care of my pages being seen as https.


My problem is that this is the first time I have installed Avideo, which comes fully working on 443 and with its own local encryption.

I have tried multiple configurations but only got errors. How should I configure the Apache proxy and Certbot in that case?

Thanks in advance,

CC

Jeremy Davis wrote:

When I wrote my response, I ended up with a fairly large doc and this isn't the first time a similar issue/question like this has been posted. So it occurred to me that a better path might be to write up a more generic TurnKey behind a reverse proxy doc page. It doesn't (yet) include much in the way of specifics regarding config, but it's a solid start IMO - once it's padded out a bit more, I may even repost it to our blog. Regardless, please head over to the doc page and read that before you read the rest of this post.


To ensure that I understand your issue/problem correctly, let me recap:

Your Apache reverse proxy is doing external SSL/TLS termination and all your other backend servers are hosting on port 80 (vanilla HTTP) only. In other words, a bit like this:

                                                       backend server 1
                                                      /
internet <-https/http-> Apache rev proxy <-http-only-> backend server 2
                                                      \
                                                       backend server 3

But the Avideo server redirects to https, which breaks your setup, right?

Assuming that I understand correctly, I stand by my assertion on that doc page that the easiest and "best" option is to connect to the backend proxy via https and use a "proper" CA signed SSL cert on your Avideo server.

I.e. reverse proxy both port 80 and port 443 to your Avideo server and allow that to get its own Let's Encrypt SSL cert. As I noted on that doc page, TurnKey has Let's Encrypt support built in - via Confconsole's Advanced menu. As your backend server will have its own legitimate CA signed cert, the https connections will be valid and should "just work" (you'll just need to add a hosts file entry for the domain on your reverse proxy). You also then get the added security of a fully authenticated encrypted connection for "free".

Alternatively, if your video data is not particularly sensitive and/or you trust all the people/devices that will connect to your internal network, then as I say, whilst it is a security compromise, I think using vanilla http connection (within your internal network) is a valid option. If I understand correctly, this is the answer to the specific question you asked.

To disable the https redirect on the Avideo appliance, you'll need to adjust the Apache config on your Avideo server. You'll find that in the http section (i.e. the section starting "<VirtualHost *:80>" and ending with the following "</VirtualHost>") of the Avideo Apache config (/etc/apache2/sites-available/avideo.conf). Simply remove (or comment out) all the lines in that section that start with 'Rewrite' and restart Apache:

systemctl restart apache2

Assuming that you are using static IP addresses internally and redirecting via IP (i.e. the reverse proxy server accepts the domain, then just forwards via IP) then you will also want to remove the "Rewrite" directives from the https section (i.e. the section starting "<VirtualHost *:443>" and ending with the following "</VirtualHost>"). No additional config should be required on your reverse proxy (it should already be only forwarding the relevant domain traffic to your server).

I hope that helps. If you need more guidance, that's fine, but please confirm which specific version you are using (if unsure, share the output of 'turnkey-version'). Please share any specific error messages you get (likely in the logs).

Otherwise, please let us know which path you go with and how it works out. If you care to share any specific changes you made to get it to work, that would also be warmly welcomed - and will almost certainly help others.

Cach2019 wrote:

Hi Jeremy,

The version of Avideo is on the TurnKey ISO 17.1, while the Avideo version is 11.7.

I tried the first option just to see how it went, but I got "internal server error...."

That is probably caused by me not adding the hosts file entry you mentioned correctly. (I must say I'll give this another try if you can be more detailed on this, since I am a bit ignorant on this part.)

So I tried the second option; that worked perfectly, but on port 80 all the way of course.

Then I added https to it on the Apache proxy/reverse server via '#certbot --apache', selecting the corresponding domain by number from the list. Restarted Apache and https://mydomain.xxx was working.

But problem is that now the site appears defaced as follows:

- Video Not Available ·


Warning!

We have not found any videos or audios to show.

WordPress Appliance - Powered by TurnKey Linux

So far I got until now. Many thanks for your help, and be expecting your comments.

Best Regards 

CC 

Jeremy Davis wrote:

A little research reveals that Avideo doesn't "officially" support running behind a reverse proxy and the dev doesn't seem to have any interest in actively supporting it or even assisting those that want to. That's a bit of a pity as a server behind a reverse proxy is pretty common these days. So whilst initially your results (broken but vaguely working site) were not what I expected, in light of the above, it seems somewhat expected.

Having said that, my suspicion is that it's still possible, it's just a matter of working out exactly which Apache config is required (on your reverse proxy). So hopefully we can still get it to work.


Before I go any further, thanks for asking about "adding a hosts entry". Apologies that I just glossed over that. It's a curse of knowledge issue (it seems so obvious and intuitive to me, that I forget that it's not knowledge that most people have). In case you haven't already noticed, my default is to either gloss over stuff, or dive in really deep (i.e. too shallow or too deep; nothing in between). But I'll try to not go too far down the rabbit hole. If you need more details/explanation, please do not hesitate to ask. If you have the question, then it's almost certain that others have the same question!

Adding an entry to your hosts file is essentially a way to resolve a domain without needing to configure DNS.

On Linux, you'll find it at /etc/hosts and by default, it looks like this (at least on TurnKey):

127.0.0.1 localhost
127.0.1.1 HOSTNAME

#Required for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Where HOSTNAME is the hostname of your system. Assuming that your reverse proxy isn't a TurnKey system, then it may look a little different but should be somewhat similar and should at the very least have the first line (so 'localhost' can be resolved). Note that as is quite common on Linux, lines that start with '#' are considered "comments" and are ignored (so useful for adding additional info and reminders for future you).

To add a hosts entry, simply add a new line in the same format. I.e. IP address, space(s) (or tab(s) - aka "white space separated") and then domain. You can also add a (white space separated) short name as well if you wish, but for your purposes, it's not required and probably doesn't add any value. Regarding formatting, I personally like to keep the IPv4 addresses together, so I add new entries below the '127.0.1.1 HOSTNAME', before the commented line re IPv6 - but I'm 99% sure that you could add an IPv4 at the end if you want.

To be explicit, here is an example hosts entry for 'www.example.com' that points to 192.168.1.100:

192.168.1.100 www.example.com

Simple as that. To double check that it worked, try pinging it. As you can see, I get an error as I don't have a computer using 192.168.1.100 - but it demonstrates that www.example.com maps to 192.168.1.100 (FYI 192.168.1.158 is my PC):

# ping -c 1 www.example.com
PING www.example.com (192.168.1.100) 56(84) bytes of data.
From 192.168.1.158 (192.168.1.158) icmp_seq=1 Destination Host Unreachable

--- www.example.com ping statistics ---
1 packets transmitted, 0 received, +1 errors, 100% packet loss, time 0ms

So if you want to try that path again, you can give that a go. Having said that, my suspicion is that that still won't be enough to resolve your current issues (see my comment above about Avideo reverse proxy support). I suspect that you may still have issues with the reverse proxy. But perhaps I'm wrong?


Re the missing assets, my guess is that they are not being mapped properly to where they "really" are. The lack of styling suggests that CSS files aren't being served from a URL that Avideo expects. So first thing I recommend, is clearing your web browser cache and cookies for your Avideo site. Also if you have any caching configured in your reverse proxy, clear those caches too (if unsure, just manually restarting your Apache reverse proxy server should do that).

Assuming that doesn't just fix it, to work out what might be going on, you'll need to check if my suspicion is correct. To do that open "web developer tools" in your web browser and look for any errors there. How you do that will depend on your web browser (and possibly OS), but on Firefox (at least on Linux); click the "hamburger" icon >> More Tools >> Web Developer Tools (or Shift-Ctrl-i). I suggest focusing on 404 errors as that will likely be related to missing resources that the page expects, but aren't being served. Any 50x errors are also worth noting too. At this point, I'd recommend not focusing on javascript errors. They may be related, but often are just "noise".

Also FWIW, I did come across an Apache reverse proxy config that might be of value. TBH, I'm not sure, but it may give you some things to test?

<VirtualHost *:443>
        ServerName video.example.com

        SSLEngine On
        SSLProxyEngine On
        # These three directives stop Apache checking the backend's certificate,
        # so a self-signed cert on the Avideo server is accepted. With a CA signed
        # cert on the backend, SSLProxyVerify require plus SSLProxyCACertificateFile
        # lets the proxy verify it instead.
        SSLProxyVerify none
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off

        SSLCertificateFile /local/path/to/letsencrypt/video.example.com.cer
        SSLCertificateKeyFile /local/path/to/letsencrypt/video.example.com.key

        # Tells the backend which scheme the client actually used
        RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

        ProxyVia On
        ProxyRequests Off
        ProxyPreserveHost On

        <Proxy *>
            Options FollowSymLinks MultiViews
            AllowOverride All
            # Apache 2.2 access syntax; on 2.4 without mod_access_compat use "Require all granted"
            Order allow,deny
            allow from all
        </Proxy>

        ProxyPass / https://192.168.1.100/
        ProxyPassReverse / https://192.168.1.100/
</VirtualHost>

Good luck and I hope that helps. If not, please post back with what happens and we'll try some more. If I get a chance, I may even try setting one up myself.
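As an added example (not from this thread, the TurnKey docs or Avideo), here is a small POSIX shell script covering the "first option" from the earlier reply and the hosts file steps above: it looks up and adds a hosts entry the way the resolver reads the file, and uses curl --resolve to connect to the backend by IP while presenting the domain, which is what the hosts entry lets the Apache proxy do. The IPs, the domain and the demo hosts file are constructed; the two curl functions need a real backend and are only defined, not called.

```shell
#!/bin/sh
# Added example (not from the thread): checks the two prerequisites for the
# "first option" - a hosts entry on the reverse proxy and a CA signed cert on
# the backend - and whether the backend still redirects port 80 to https.
# IPs, names and the temp hosts file are constructed for the demo.
set -eu

# Print the IP that a hosts-format file maps NAME to. First match wins,
# '#' comments and blank lines are ignored, extra aliases on a line are allowed.
hosts_lookup() {
    awk -v n="$1" '{ sub(/#.*/, "") }
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$2"
}

# Append "IP NAME" to FILE unless NAME already resolves there (idempotent).
hosts_add() {
    [ -n "$(hosts_lookup "$2" "$3")" ] || printf '%s %s\n' "$1" "$2" >> "$3"
}

# Connect to IP as if NAME resolved to it, which is what the hosts entry makes
# the proxy do. curl keeps NAME for SNI and certificate validation, so a
# self-signed backend cert fails here just as it fails for Apache.
backend_https_check() {
    curl -sS -o /dev/null -w 'https %{http_code}\n' --resolve "$1:443:$2" "https://$1/"
}

# A 30x with an https Location means the port-80 Rewrite rules are still active.
backend_http_redirect_check() {
    curl -sS -o /dev/null -w 'http %{http_code} -> %{redirect_url}\n' \
        --resolve "$1:80:$2" "http://$1/"
}

# Constructed copy of the default TurnKey /etc/hosts, used instead of the real file.
HOSTS_DEMO=$(mktemp)
cat > "$HOSTS_DEMO" <<'EOF'
127.0.0.1 localhost
127.0.1.1 HOSTNAME

#Required for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
EOF
hosts_add 192.168.1.100 www.example.com "$HOSTS_DEMO"
hosts_add 192.168.1.100 www.example.com "$HOSTS_DEMO"   # second call adds nothing
echo "www.example.com -> $(hosts_lookup www.example.com "$HOSTS_DEMO")"
# Against a real backend: backend_https_check video.example.com 192.168.1.100
```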
