Apache2 configuration. Please help me!

Please can some Genius help me!

I have installed MariaDB, PHP, Apache, Certbot, WordPress and Nextcloud on my Ubuntu 18.04 server. I also have a render-server within my network with the port 9090. So I need a proxy.

Now I need a good apache.conf setting to get everything to work together.
But I’m not very good at this.

https://mydomain.com - this should be the WordPress site
https://mydomain.com/nextcloud - this should be the Nextcloud site
https://mydomain.com/renderserver - this should be the path to my renderserver

I have installed on the paths:

/var/www/nextcloud
/var/www/wordpress

I also like all traffic coming from the internet to redirect to port 443 and not the network internal.

I also have problems with the
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" to work

Please can someone provide me with the right settings

you probably will not be able to avoid reading some apache doc.
you might run into some complexity because AFAIK wp is designed to catch everything “below” its path - which in your case would include https://mydomain.com/nextcloud (but you can define an exception for it).
using vhosts might make things a little easier, you could map nc.mydomain.com to the path /var/www/nc; wp.mydomain.com to /var/www/wp and so on.

I also like all traffic coming from the internet to redirect to port 443 and not the network internal.

configure your firewall to drop all incoming packets except the ones for the port(s) you want to run services on and to forward those to your server (and don’t forget to allow the necessary packets back out.)
GOOD LUCK!

Okay I was afraid to hear that.

But thanks for the reply!

I will deep dive in the Apache doc.

try to work with subdomains e.g. cloud.domain.tld or wp.domain.tld
doing this you won’t run into problems with CSP either.

Why do you think so? A website cannot know/catch any access, if it is redirected/proxied first by the webserver, AFAIK? Also I could not find any .htaccess file in default wordpress install that might override the webserver config.

@LukeVader
I just successfully set up the following on Debian Stretch test server:

  • Nextcloud in /var/www/nextcloud
  • Wordpress in /var/www/wordpress
  • I don’t know render-server, but to have something similar, installed Syncthing to listen to port 8384.

As quick test I didn’t switch to HTTPS, letting webserver just listen on port 80 HTTP.
Database is MariaDB as well, but that should not have any influence.

My single vhost looks like this:
cat /etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
        DocumentRoot /var/www/wordpress
        ErrorLog ${APACHE_LOG_DIR}/error.log

        alias /nextcloud /var/www/nextcloud
        ProxyPass /syncthing http://localhost:8384
        ProxyPassReverse /syncthing http://localhost:8384
</VirtualHost>
  • Webserver root moved to /var/www/wordpress, so that Wordpress is available on main domain.
  • Alias /nextcloud pointing to /var/www/nextcloud to allow Nextcloud access via this sub directory.
  • Proxy (+Reverse) /syncthing to Syncthing port.

About port 443:

  • Browsers anyway access port 80/443 only, if not given explicitly. Certbot default setup rewrites port 80 HTTP to port 443 HTTPS anyway. Just close all other ports via router and/or firewall (besides e.g. 21/22 for (S)FTP/SSH and such, if required).
  • I did not test 443/HTTPS, as my test server is on VM without own domain (no Certbot setup possible), but the 000-default.conf after default Certbot install and setup should contain a RewriteRule block that handles redirection to HTTPS. The above stuff then needs to be inside the HTTPS vhost (as well as Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"), which is with Certbot by default 000-default-le-ssl.conf. Proxy target needs to be https://localhost:8384 then of course and the service needs to handle HTTPS as well. In Syncthing I can configure this, hope render-server allows this as well?
  • The only issue I can imagine is indeed, that the server on the other port does not support HTTPS, which the webserver in the first place redirects everything to. Not sure if this can be solved with HTTPS redirection/rewrite exclusions/priorities.

with “catch” i was just imprecisely describing webserver-reconfiguration by .htaccess.
i re-checked and my default-wp-install (on debian stretch also) does contain the following .htaccess:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

but i use the vanilla-version from wp directly and not the version provided by apt.

i run a similar setup (coupla’ vhosts, nc, wp, …) and have one "extra-"site in the URL-path that “belongs” to wp and it is definitely doable - just a little more complex than a default apache-config.
if the backend-server does not support https this might be solved by a reverse-proxy-configuration with mod_proxy (which is not an uncommon config).
GOOD LUCK!
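
The pieces discussed in the two posts above (HTTP-to-HTTPS redirect, HSTS header, Nextcloud alias, and a TLS-terminating reverse proxy in front of an HTTP-only backend), put together as an added example that is not part of the original thread. The domain, document roots and port 9090 come from the question; the certificate paths assume Certbot's usual layout and the backend address 127.0.0.1 is a placeholder for the render server's internal address.

```apache
# Added example, not a configuration posted by anyone in the thread.
# Modules needed: a2enmod ssl headers proxy proxy_http
# Validate before reloading: apachectl configtest

<VirtualHost *:80>
    ServerName mydomain.com
    # Every plain-HTTP request is redirected to the HTTPS vhost.
    Redirect permanent / https://mydomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName mydomain.com
    DocumentRoot /var/www/wordpress
    ErrorLog ${APACHE_LOG_DIR}/error.log

    SSLEngine on
    # Assumed Certbot layout; use the paths Certbot wrote for your domain.
    SSLCertificateFile    /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

    # HSTS belongs in the HTTPS vhost only. The value must be wrapped in
    # plain ASCII double quotes, and mod_headers must be enabled.
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"

    <Directory /var/www/wordpress>
        Require all granted
        AllowOverride All
    </Directory>

    # Alias and ProxyPass are resolved from the server config before any
    # per-directory .htaccess is read, so these two paths never reach the
    # WordPress rewrite rules in /var/www/wordpress/.htaccess.
    Alias /nextcloud /var/www/nextcloud
    <Directory /var/www/nextcloud>
        Require all granted
        AllowOverride All
    </Directory>

    # TLS ends at Apache; the backend is reached over plain HTTP, so it
    # does not need HTTPS support. Keep port 9090 closed to the internet.
    ProxyRequests Off
    ProxyPass        /renderserver http://127.0.0.1:9090
    ProxyPassReverse /renderserver http://127.0.0.1:9090
</VirtualHost>
```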

Thank you very much!!!