Apache/httpd reverse proxy?

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

The Problem

Hey all -

I’m wondering what I’m supposed to do here as far as setting up a proxy to my site. I’m using the Docker version of Passbolt, so the database and PHP versions are all contained within the image, but we’re using Docker in conjunction with Portainer, so as to have a nice web interface with which to check the status of our services and what-have-you.

I see that Passbolt is running on ports 8005 (HTTP) and 8445 (HTTPS), but I have no idea how to get Apache to proxy it. We have Apache running on the same host that’s running Portainer, so I should be able to simply alias those ports and be off to the races… but that doesn’t appear to be working.

System Information:

Server operating system name and version: Alma Linux 8.8
Web server name and version: Apache httpd 2.4.37
Database server name and version: n/a
PHP version: n/a
Passbolt version:

Hey @Waggle-Irritable welcome to the forum! Could you share your apache config for this?

Also could you elaborate a bit more on the “doesn’t appear to be working” as in what do you get when navigating to the page?

Sorry - yeah, I seem to be getting a 502 proxy error - I’m trying to set it up such that Apache handles the HTTPS, rather than the container itself, but I want it to live on “standard” HTTP/HTTPS ports so I don’t have to explain to users to append :8005 or whatever to the end of a URL.

I definitely understand the desire to not have to use the ports here.

Could you share the apache config?

Additionally, your docker compose file with the sensitive data removed could be helpful here.

Apologies for the immensely delayed response - some other matters came up that I had to attend to.

Okay. Actually, I have to admit I have a bit of an interesting configuration here - we’re trying to use Portainer as our container management interface and so I set it up all on there - and from what I can tell, it’s running just fine, but I cannot get to the URL it generates for me for initial setup, and I’ve configured our internal DNS to CNAME passbolt.example.com to our Portainer VM, portainer.example.com. I even later tried Caddy, to see if I could get it to work (it’s way easier than Apache).

Anyways. Configs, sanitized:

Apache HTTPD:

<VirtualHost *:80>
  ServerName passbolt.example.com

  RewriteEngine on
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
  ServerAdmin administrator@example.com
  ServerName passbolt.example.com

  SSLProxyEngine On
  ProxyRequests Off

  RequestHeader set "X-Forwarded-Proto" https

  SSLEngine On
  SSLCertificateFile /etc/pki/tls/certs/example-wildcard.crt
  SSLCertificateKeyFile /etc/pki/tls/private/example-wildcard.key

  <Location "/">
    ProxyPreserveHost On
    ProxyPass http://localhost:8005/
    ProxyPassReverse http://localhost:8005/
  </Location>

  ErrorLog logs/passbolt-error_log
  CustomLog logs/passbolt-access_log common
</VirtualHost>

Caddy:

passbolt.example.com {
        reverse_proxy localhost:8005
}

Docker-Compose Config:

version: "3.9"
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - database_volume:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:latest-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.example.com
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
    #  - 80:80
    #  - 443:443
    #Alternatively for non-root images:
     - 8005:8080
     - 9444:4433

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

Noooo dicey. I just get “Unable to connect” (on Firefox 123 64-bit on Windows 10 Pro x64, although I get the same on my Fedora 36 box at work).

I’ve also got SELinux turned off, although for obvious reasons, we’d like that turned on. Lastly - is there any way for us to customize the database passwords and such, just for that added bit of security? Because that, too, would be nice.

EDIT: I should add!

I also tried connecting directly - by configuring firewalld to simply allow TCP ports 8005 and 9444 through and by disabling httpd.service as well as caddy.service. Again - no dice.
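A small consistency check for the httpd vhost and compose file posted above, added here as an example and not part of the original thread: it pulls the ProxyPass upstream out of the vhost, and the image name, published ports and APP_FULL_BASE_URL out of the compose file, then flags a host port that is not published at all, or that maps to a container port the chosen image variant does not listen on (the root image on 80/443, the non-root image on 8080/4433, as the comments in the compose file itself state). The sample inputs are constructed, trimmed copies of the posted configs.

```python
import re

# Constructed sample inputs, trimmed from the configs posted in this thread.
HTTPD_VHOST = """
<VirtualHost *:443>
  ServerName passbolt.example.com
  RequestHeader set "X-Forwarded-Proto" https
  <Location "/">
    ProxyPreserveHost On
    ProxyPass http://localhost:8005/
    ProxyPassReverse http://localhost:8005/
  </Location>
</VirtualHost>
"""

COMPOSE = """
services:
  passbolt:
    image: passbolt/passbolt:latest-ce
    environment:
      APP_FULL_BASE_URL: https://passbolt.example.com
    ports:
     - 8005:8080
     - 9444:4433
"""

# Container-side listen ports per image variant, as the compose file's own
# comments state: root image on 80/443, non-root image on 8080/4433.
LISTEN_PORTS = {"root": {"http": 80, "https": 443},
                "non-root": {"http": 8080, "https": 4433}}


def audit(vhost: str, compose: str) -> list[str]:
    """Return a list of mismatches between the proxy target and the published ports."""
    m = re.search(r"ProxyPass\s+(\w+)://[^:/\s]+:(\d+)", vhost)
    if not m:
        return ["no ProxyPass directive with an explicit upstream port found"]
    scheme, upstream_port = m.group(1), int(m.group(2))
    image = re.search(r"image:\s*(\S+)", compose).group(1)
    variant = "non-root" if image.endswith("-non-root") else "root"
    expected = LISTEN_PORTS[variant][scheme]
    # host:container pairs from the (uncommented) ports list
    published = {int(h): int(c) for h, c in
                 re.findall(r"^\s*-\s*(\d+):(\d+)\s*$", compose, re.M)}
    findings = []
    if upstream_port not in published:
        findings.append(f"ProxyPass targets host port {upstream_port}, which is not published")
    elif published[upstream_port] != expected:
        findings.append(f"host port {upstream_port} maps to container port "
                        f"{published[upstream_port]}, but the {variant} image "
                        f"listens for {scheme} on {expected}")
    base = re.search(r"APP_FULL_BASE_URL:\s*(\w+)://", compose)
    if base and base.group(1) == "https" and "X-Forwarded-Proto" not in vhost:
        findings.append("APP_FULL_BASE_URL is https but the proxy does not set X-Forwarded-Proto")
    return findings
```

Running `audit(HTTPD_VHOST, COMPOSE)` on the sample reports the 8005 → 8080 mapping against the root image; switching the image to the `-non-root` tag, or the mapping to `8005:80`, clears it.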