SSL Reverse Proxy documentation for Apache

Hi,
I have some trouble with XWiki in a Docker container behind an Apache2 reverse proxy.
The forwarding itself is working, but the authentication for the XHR isn’t working correctly.
There is a documentation for Nginx prepared:

Question:
Is there any documentation for Apache as well? Especially how to set the Headers as mentioned in the comment:
“Set X-Forwarded-For and X-Forwarded-Proto headers on HTTPS guard server(on which Apache httpd or Nginx runs)!”
I’m not an expert in Tomcat nor Apache and feel a bit lost.

Thanks a lot!

You may find some useful tips here:

Setting up an apache reverse proxy for xwiki is relatively straight forward, although you may wish to call a friend who knows how to configure apache properly to make sure you have all the correct apache modules enabled, and your vhost configuration correct.

Thanks for the useful tips, I have seen them before already and they solved at least the routing problem earlier on.
https://opa-wetterwachs.de/xwiki/ -> http://127.0.0.1:38080/xwiki
(it took me a while to recognize the docker-container option to add the /xwiki)

But my problem is a bit beyond that: the routing works fine, I see the right wiki pages with their proper addresses, but if I want to save a document then I get a 403 Forbidden error in an XMLHttpRequest.
https://opa-wetterwachs.de/xwiki/bin/view/Main/?xpage=get&outputTitle=true&outputSyntax=annotatedxhtml&language=en&timestamp=1611677936271 in jquery.js:9175

This error doesn’t occur when I call the site directly, unsecured, without the reverse proxy:
https://:38080/xwiki/

And now I don’t know how to proceed, as I’m not the deepest expert in Tomcat and Apache.
It could be a CORS problem or a header problem.
I have now spent several hours with different proposals to change the Tomcat server and web config files, but with no improvement.

The best would be a solution out of the box.
I’ve studied the installation guide for XWiki, but there is just an example for Nginx, which unfortunately I cannot use, and therefore a clean config would help me a lot.

But anyway, do you know what I can test just to find out where the problem could principally come from?

Unfortunately, I know nothing about docker, so I don’t know how that might impact your setup.

Can you show me your apache vhost configuration?

Can you tell me which proxy* modules are enabled for your apache configuration?

Is there anything in the error logs regarding this error?

The 403 error is permission denied and is coming from your Apache installation. The trick is in finding out why Apache is giving you that error.

I’ve found the problem.
I was completely on the wrong track, as I thought it was either a problem with the request headers or with CORS. I even played for a long time with Tomcat and the different reverse proxy protocol options, as nothing runs out of the box and everything needs configuration :frowning:

But in the end it was mod_security that caused the problem and I had to fix it with some SecRuleRemoveById rules. That means you are right, it is Apache that raises the error, but it is caused somewhere in Tomcat and should be considered by the XWiki team. I cannot imagine being the only one using mod_security.

    # xwiki
    <Location /xwiki>
            ProxyPreserveHost On
            ProxyPass ajp://127.0.0.1:8009/xwiki
            ProxyPassReverse ajp://127.0.0.1:8009/xwiki
            SecRuleRemoveById 949110 941130 980130
    </Location>

Now it runs, even though I don’t know what security concerns I should have now.
But anyway, thanks a lot for the help :slight_smile:
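Checking the Apache error log, as suggested earlier in the thread, shows which OWASP Core Rule Set rule actually scored the blocked save request: 949110 and 980130 only evaluate and report the anomaly total, so removing them switches off CRS blocking for the whole /xwiki Location, whereas the scoring rule (941130 in the config above) is the one a narrower exclusion would target. The parser below is an added example, not code from this thread, XWiki or ModSecurity; the log lines are constructed in the shape ModSecurity 2.x writes to the Apache error log.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape ModSecurity 2.x writes to the Apache error
# log (not real data from this thread); fields the parser does not use are omitted.
SAMPLE_LOG = """\
[Tue Jan 26 16:38:56.123456 2021] [:error] [pid 2711] [client 203.0.113.5:51234] ModSecurity: Warning. Pattern match "onload=" at ARGS:content. [id "941130"] [msg "XSS Filter - Category 3: Attribute Vector"] [uri "/xwiki/bin/preview/Main/WebHome"] [unique_id "req-0001"]
[Tue Jan 26 16:38:56.123789 2021] [:error] [pid 2711] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/xwiki/bin/preview/Main/WebHome"] [unique_id "req-0001"]
[Tue Jan 26 16:38:56.124000 2021] [:error] [pid 2711] [client 203.0.113.5:51234] ModSecurity: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 5 - XSS=5)"] [uri "/xwiki/bin/preview/Main/WebHome"] [unique_id "req-0001"]
[Tue Jan 26 16:40:01.000000 2021] [:error] [pid 2712] [client 203.0.113.7:51300] ModSecurity: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/xwiki/bin/save/Main/WebHome"] [unique_id "req-0002"]
[Tue Jan 26 16:40:01.000300 2021] [:error] [pid 2712] [client 203.0.113.7:51300] ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/xwiki/bin/save/Main/WebHome"] [unique_id "req-0002"]
"""

# CRS rules that only evaluate or report the anomaly score; they never add to it.
SCORE_RULES = {"949110", "980130"}
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
ACTION_RE = re.compile(r"ModSecurity: (Warning|Access denied with code \d+)")
CLIENT_RE = re.compile(r"\[client ([^\]:]+)")

def parse_modsec_line(line):
    """Return the action, client and bracketed key/value fields of one line, or None."""
    action = ACTION_RE.search(line)
    if not action:
        return None
    fields = {"action": action.group(1)}
    client = CLIENT_RE.search(line)
    if client:
        fields["client"] = client.group(1)
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)  # keep the first of repeated keys such as tag
    return fields

def summarize(log_text):
    """Group lines per request (unique_id): URI, client, blocked?, and the rules that scored."""
    requests = defaultdict(lambda: {"uri": None, "client": None, "blocked": False, "scoring": []})
    for line in log_text.splitlines():
        f = parse_modsec_line(line)
        if f is None or "id" not in f:
            continue
        req = requests[f.get("unique_id", "?")]
        req["uri"], req["client"] = f.get("uri"), f.get("client")
        if f["id"] in SCORE_RULES:
            req["blocked"] |= f["action"].startswith("Access denied")
        else:
            req["scoring"].append((f["id"], f.get("msg", "")))
    return dict(requests)

if __name__ == "__main__":
    for rid, req in summarize(SAMPLE_LOG).items():
        print(rid, "BLOCKED" if req["blocked"] else "logged", req["uri"], req["scoring"])
```

The scoring rule ids in the output are the ones to review per URI; an exclusion scoped to those ids (or to the offending argument) keeps the anomaly evaluation in place for everything else.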

Interesting.

I’m using a stock ubuntu distribution and libapache2-mod-security2 is not installed by default which is why I don’t have the problem.

mod_security is not part of the default apache installation, so it’s not surprising there is no documentation in the xwiki documentation about it. It’d be like asking the xwiki documentation to include rules on how to configure every firewall to make sure xwiki can communicate over the internet.

Hello,
I’ve been trying to get xwiki to work on a docker container for a week now.
I guess I have a redirection error with the URLs because I get a “404” error.
And I can’t find any documentation that could help me with this. If you have already set up an xwiki container with an Apache server, I need your help.
Container conf:

CONTAINER ID   IMAGE                       COMMAND                  CREATED          STATUS          PORTS                                             NAMES
ea2c4b260451   xwiki:lts-postgres-tomcat   "docker-entrypoint.s…"   12 minutes ago   Up 12 minutes   8080/tcp, 0.0.0.0:8080->80/tcp, :::8080->80/tcp   xwiki
634235624b2c   postgres:13                 "docker-entrypoint.s…"   5 days ago       Up 12 minutes   5432/tcp                                          xwiki-postgres

Apache conf:

<VirtualHost *:80>
        ServerName wiki.fake-domain.ovh
        ServerAlias xwiki.fake-domain.ovh

        ErrorLog ${APACHE_LOG_DIR}/wiki.fake-domain.ovh.log
        CustomLog ${APACHE_LOG_DIR}/wiki.fake-domain.ovh.log combined

        ProxyRequests off
        ProxyPreserveHost On

        ProxyPass /xwiki/ http://127.0.0.1:8080/xwiki/
        ProxyPassReverse /xwiki/ http://127.0.0.1:8080/xwiki/

        ProxyPass / http://127.0.0.1:8080/xwiki/
        ProxyPassReverse / http://127.0.0.1:8080/xwiki/
</VirtualHost>

I really don’t know what I’m doing wrong, as I’ve already set up a nextcloud and postgres container.

Hi,

This is too late, but might be useful for others.

If you have already set up an xwiki container with an Apache server, i need your help.

This is the config I use.

<VirtualHost *:80>
	ServerAdmin contact@mydomain.com
	DocumentRoot "/path/to/apache/html/files"

	ServerName wiki.mydomain.com

	# Redirect the example.com to the www.example.com
	# See https://serverfault.com/questions/120488/redirect-url-within-apache-virtualhost#120507
	RewriteEngine on
	RewriteCond %{HTTP_HOST} ^mydomain.com
	RewriteRule ^/(.*)$ http://www.mydomain.com/$1 [L,R=301,E=nocache:1]
	## Set the response header if the "nocache" environment variable is set
	## in the RewriteRule above.
	Header always set Cache-Control "no-store, no-cache, must-revalidate" env=nocache
	## Set Expires too ...
	Header always set Expires "Thu, 01 Jan 1970 00:00:00 GMT" env=nocache

	ErrorLog ${APACHE_LOG_DIR}/wiki_example_com-error.log
	CustomLog ${APACHE_LOG_DIR}/wiki_example_com-access.log combined

	# Defines the index files, in order of preference.
	DirectoryIndex index.php index.php3 index.html index.htm

	ErrorDocument 401 /errorpages/401_Authorization_Required.html
	ErrorDocument 403 /errorpages/403_Forbidden.html
	ErrorDocument 404 /errorpages/404_Not_Found.html

	# FORBID DIRECTORY LISTING
	Options -Indexes

	<IfModule mod_proxy.c>
		ProxyRequests Off
		<Proxy *>
			Require all granted
		</Proxy>

		# See: https://stackoverflow.com/a/65430414
		# This avoids relying on regular expressions.
		# ProxyPass can take "!" as a second parameter, in which case it doesn't proxy the matching URL.
		# This is for the Certbot process for SSL certificate renewal.
		ProxyPass /.well-known !
		ProxyPass /htdocs_static !

		# This domain name is set in the /etc/hosts file of the server: myserver.mylocalnetwork1.lan
		ProxyPass /xwiki http://myserver.mylocalnetwork1.lan:8080/xwiki
		ProxyPassReverse /xwiki http://myserver.mylocalnetwork1.lan:8080/xwiki
	</IfModule>

</VirtualHost>

I use another VirtualHost for the www.mydomain.com domain (for static files, or Nextcloud, or PHP apps).

This config allows the XWiki pages, and also some static pages, to be served by Apache Httpd on the same domain (wiki.mydomain.com).

As an example:
http://wiki.mydomain.com/htdocs_static/index.html

Also, this allows the creation and renewal of the Let’s Encrypt SSL certificates through the Certbot process.

Hope it helps,

None of the xwiki developers use a reverse proxy and thus the documentation at https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Installation/InstallationWAR/InstallationTomcat/#HHTTPreverseproxy has been managed by contributors. Would be good if someone could check it and update it if need be (or post various configs to achieve different use cases).

Anything that makes it simpler for users with this config need is most welcome.

Thx!

Hi,

Yes.
I am not sure I can do so.

But, yet,…


In the page:

The sentence:

See ApacheHTTPD for a producting setup example with Apache HTTP Server.

is not clear.

Suggestion:

For setup example with Apache HTTP Server, in production : ApacheHTTPD.

(if “a producting setup example” is what it means: for prod?).


The page Setting up the Apache HTTP Server Proxy in the doc is giving a good explanation.

It seems to me that :

Workaround for 58001 – Implement Forwarded header (RFC 7239) to mod_proxy_http (ProxyPreserveHost does not includes Forwarded)
RequestHeader set Forwarded “proto=https”

is not needed anymore.
See: Bug 61234
Summary: Add X-Forwarded-Proto to backend requests

but this needs to be checked and confirmed.


In the documentation page, the config is for an SSL/HTTPS-secured reverse proxy setup.
With Tomcat.

My sample is for HTTP on port 80, for a quick and easy configuration with some Apache Httpd server in front.
With Jetty.

Nice for a quick and easy setup and for testing something.
For dev (with an Httpd server in place) or for some trials of miscellaneous configuration before going to Integration => Pre-prod => Prod.

This config is running OK with some SSL and HTTPS in the front (port 443 on Apache Httpd), and the reverse proxy running with simple HTTP on port 8080 to Jetty.
Though I never did intensive testing nor a prod run like that.

I took some of it from this post:
SSL With Jetty in Standard Flavor Pre-installed

I added the ability to serve some static pages.
To be able to set up and renew the SSL certificates, and to serve a few static HTML or PHP pages alongside the wiki.

This is not fully true, the example configuration in https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Installation/ApacheHTTPD/ is coming from what we use on myxwiki.org and xwiki.org (among others). I just noticed that someone recently added some wrong suggestions about Tomcat settings and I reverted it. But the nginx part is definitely only from contributors, without much validation right now.

Done, thanks.

It was definitely still needed not long ago.

This issue is still status NEW, so not sure what you mean.

I think it would be useful to update the example config to already include realtime editing.

I’m currently evaluating if we change from nginx to apache in the future, as seemingly everyone that uses SSO also uses apache - I can’t tell if it’s just coincidence or if it is more difficult to accomplish with nginx.
For realtime editing to work, the ProxyPass config line has to be expanded with " upgrade=websockets"
example: ProxyPass /xwiki http://localhost:8080/xwiki nocanon upgrade=websocket

At least this small modification was required for realtime to work in a small test, I don’t know if additional configuration is required. With nginx I had to add 4 lines of configuration for the same thing.
I’m not sure if there are downsides to always having this websockets upgrade parameter on (even when not using realtime editing), but in my opinion it is helpful for both newer admins and also the realtime project if it “just works”.

Indeed, good point. It’s not something that was experimented much on xwiki.org yet, and it’s not really my area of expertise so putting your suggestion as is for now.

Sorry, I did not see this detail in the bug page properly.
Reading too quickly.

There is only a patch provided.
And adding the directive is more simple.

The modification in the code and commit have been asked, … but since 2020, it is not yet done…

=> Adding the directive is more simple.

Just found out that I made a mistake and wrote websockets by accident, so the apache configuration example page had the wrongly written one included. It does not produce errors, but it’s also not working to upgrade websocket connections for realtime editing.

I already fixed the apache2 configuration example page. If anyone is running into the problem that realtime editing is not working over apache2, please check and make sure, that the line is correctly written with upgrade=websocket (websocket without s!).

Sorry


Thanks!