Hello
I’m using Nextcloud 17 with the app draw.io. In order to use our own draw.io application, I set up a Tomcat 9 server under Debian 10. Now I can reach the draw application using the URL localhost:8080/draw.
Further, I created a proxy file under Apache 2.4 for the domain drawio.example.com using https (PositiveSSL from Comodo). Because I am a proxy newbie, I followed the Collabora Online proxy file in the first step. It worked to reach our own draw.io under the URL drawio.example.com (outside of Nextcloud and inside of Nextcloud).
As a next step I tried to block the way outside of Nextcloud. Our draw.io application should not be public. Therefore I added a proxy block to the Apache 2.4 proxy file. But I couldn’t manage to allow the inside and block the outside. Either I block everything or I allow everything.
The conf file in use:

    <IfModule mod_ssl.c>
        <VirtualHost *:443>
            ServerName drawio.example.com

            # SSL configuration
            SSLEngine On
            SSLCertificateFile /path/to/file.crt
            SSLCertificateChainFile /path/to/file.ca-bundle
            SSLCertificateKeyFile /path/to/file.key
            SSLProtocol all -SSLv2 -SSLv3
            SSLCipherSuite list of ciphers
            SSLHonorCipherOrder On

            # Encoded slashes need to be allowed
            AllowEncodedSlashes NoDecode

            # Container uses a unique non-signed certificate
            SSLProxyEngine On
            SSLProxyVerify None
            SSLProxyCheckPeerCN Off
            SSLProxyCheckPeerName Off

            # In order to prevent Apache host conflicts
            ProxyPreserveHost On

            # Doesn't allow clients to see backend error messages
            ProxyErrorOverride On

            # Doesn't allow clients to misuse backend as forward proxy
            ProxyRequests Off

            # static html, js, images, etc. served from tomcat/draw.io
            ProxyPass / http://localhost:8080/draw/
            ProxyPassReverse / http://localhost:8080/draw/

            # control clients that are allowed to access tomcat/draw.io
            <Proxy *>
                Require all denied
                Require ip 127.0.0.1
                Require ip 192.168.1
                # Nextcloud Server URL
                Require host example.com
            </Proxy>
        </VirtualHost>
    </IfModule>

Further, I tried the URL localhost:8080/draw in the draw.io app, but this gives me only a blank page inside Nextcloud.
Is there a way that our tomcat/draw combination is only reachable from within Nextcloud (except from localhost)?
Any hints are welcome!!
Kind regards, go4ncloud
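
The access block from the post with its `Require` lines grouped explicitly and a `frame-ancestors` policy added, as an added example (not the poster's configuration and not taken from the draw.io or Nextcloud projects). It assumes `mod_headers` is enabled and uses `https://cloud.example.com` as a placeholder for the Nextcloud origin.

```apache
# Added example, not the poster's configuration. Goes inside the
# <VirtualHost *:443> block for drawio.example.com.

# The Nextcloud draw.io app opens the editor in an iframe, so every request
# reaching this vhost is sent by the user's browser. Apache therefore sees
# the browser's address, never the address of the Nextcloud server.
<Proxy *>
    # Several Require lines without a container already behave as RequireAny;
    # the explicit container makes that visible. "Require all denied" is not
    # needed: a request that matches no line below is refused with 403.
    <RequireAny>
        Require ip 127.0.0.1
        # Network the users' browsers connect from (value taken from the post)
        Require ip 192.168.1
    </RequireAny>
</Proxy>

# Assumption: Nextcloud is served from https://cloud.example.com (placeholder).
# Browsers then refuse to render the editor in a frame on any other site.
# This limits embedding only; the Require rules above decide who can connect.
# Requires mod_headers.
Header always set Content-Security-Policy "frame-ancestors https://cloud.example.com"
```

`Require host` is left out because it matches the reverse DNS name of the connecting client, which here is the browser's machine and not the Nextcloud server.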