Score:0

Apache Reverse Proxy setup with some exemptions

I would like to install Mattermost on my server also running ISPConfig hosting software. ISPConfig has a mechanism to automatically obtain and install Let's Encrypt certificates based on the hostname. For this, Let's Encrypt needs access to the /.well-known directory (I guess) to check for some verification string.

My Mattermost system is running on port 8065 and uses my ISPConfig hosting environment running on the same server as a reverse proxy for SSL offloading.

I was following the instructions on https://docs.mattermost.com/configure/config-proxy-apache2.html which is working fine for unencrypted connections.

But as soon as I try to obtain an SSL certificate, this does not work anymore. I am not fully sure what's going on, but I guess that the above-mentioned code is proxying ALL the traffic to my Mattermost system, while it should NOT proxy requests to the directory /.well-known which is needed for the Let's Encrypt stuff.

Does that sound reasonable? If so, how can I exempt the /.well-known directory from the proxying function?

(Maybe this is fairly easy for an expert, but I do not really know where to start - maybe because I do not fully understand how this reverse proxying works and what all the Apache directives mean exactly...)

Here's a snippet of my current modifications to the standard Apache vhost configuration:

ServerAdmin [email protected]
ProxyPreserveHost On
RewriteEngine On

RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]

# I inserted the following line, but this does not seem to work...
ProxyPass /.well-known/ !

<Location />
      Require all granted
      ProxyPass http://127.0.0.1:8065/
      ProxyPassReverse http://127.0.0.1:8065/
      ProxyPassReverseCookieDomain 127.0.0.1 mattermost.mydomain.com
</Location>

(I've stolen the above modification from https://stackoverflow.com/questions/44651809/no-lets-encrypt-renewal-with-reverse-proxy-in-ispconfig3, but that does not seem to work. Maybe because of the <Location /> statement? But how to specify the whole directory / without /.well-known in my <Location> statement?)

Any ideas on how to solve my issue?

Score:0

Maybe I was giving up too early. I think I found out how to solve the problem. In addition to <Location>, there's also a <LocationMatch> which works with regular expressions. I am not an expert with regular expressions, but after some fiddling around, I found that the following directive did the trick:

<LocationMatch "^(?:(?!\/\.well-known).)*$">

If my understanding is correct, this matches all directories not beginning with /.well-known.
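
An added example, not part of the thread: a Python check of which request paths the answer's regular expression matches, assuming Python's re module treats this pattern the same way as the PCRE engine Apache uses. The sample paths and the start-anchored PREFIX_PATTERN are constructed here for comparison and do not come from the posts.

```python
import re

# Pattern copied verbatim from the answer's <LocationMatch> directive.
ANSWER_PATTERN = re.compile(r"^(?:(?!\/\.well-known).)*$")

# Hypothetical alternative (not from the thread): reject only paths that
# start with the /.well-known/ directory itself.
PREFIX_PATTERN = re.compile(r"^(?!/\.well-known/)")

# Constructed sample request paths.
SAMPLE_PATHS = [
    "/",
    "/api/v4/users/websocket",
    "/.well-known/acme-challenge/TOKEN",
    "/files/.well-known/notes.txt",
    "/.well-knownish/page",
]


def proxied_paths(pattern, paths):
    """Return the paths the pattern matches, i.e. those the section applies to."""
    return [p for p in paths if pattern.search(p)]


def differences(paths):
    """Return the paths that the two patterns treat differently."""
    by_answer = set(proxied_paths(ANSWER_PATTERN, paths))
    by_prefix = set(proxied_paths(PREFIX_PATTERN, paths))
    return sorted(by_answer ^ by_prefix)


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        a = "match" if ANSWER_PATTERN.search(path) else "no match"
        b = "match" if PREFIX_PATTERN.search(path) else "no match"
        print(f"{path:40} answer: {a:9} prefix-only: {b}")
    print("treated differently:", differences(SAMPLE_PATHS))
```

Paths the answer's pattern does not match fall outside the <LocationMatch> section, and that includes any path with /.well-known anywhere in it, not only at the start.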
