Draw.io app: looking for a tomcat/apache 2.4 proxy expert

I’m using Nextcloud 17 with the app draw.io. In order to use our own draw.io application, I set up a Tomcat 9 server under Debian 10. Now I can reach the draw application using the URL localhost:8080/draw.

Further, I created under Apache 2.4 a proxy file using the domain drawio.example.com with https (PositiveSSL from Comodo). Because I am a proxy newbie, I followed the Collabora Online proxy file in the first step. It worked to reach our own draw.io under the URL drawio.example.com (outside of Nextcloud and inside of Nextcloud).

As a next step I tried to block the way outside of Nextcloud. Our draw.io application should not be public. Therefore I added a proxy block to the Apache 2.4 proxy file. But I couldn’t manage to allow the inside and block the outside. Either I block everything or I allow everything.

The conf file in use:

<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName drawio.example.com

    # SSL configuration
    SSLEngine On
    SSLCertificateFile /path/to/file.crt
    SSLCertificateChainFile /path/to/file.ca-bundle
    SSLCertificateKeyFile /path/to/file.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite list of ciphers
    SSLHonorCipherOrder On

    # Encoded slashes need to be allowed
    AllowEncodedSlashes NoDecode

    # Only needed if the backend speaks https (copied from the Collabora
    # container setup); the Tomcat backend below is plain http
    SSLProxyEngine On
    SSLProxyVerify None
    SSLProxyCheckPeerCN Off
    SSLProxyCheckPeerName Off

    # In order to prevent Apache host conflicts
    ProxyPreserveHost On

    # Doesn't allow clients to see backend error messages
    ProxyErrorOverride On

    # Doesn't allow clients to misuse backend as forward proxy
    ProxyRequests Off

    # static html, js, images, etc. served from tomcat/draw.io
    ProxyPass /  http://localhost:8080/draw/
    ProxyPassReverse /  http://localhost:8080/draw/

    # control clients that are allowed to access tomcat/draw.io
    # (without an explicit <RequireAny>/<RequireAll> the container behaves
    # like RequireAny: any client not matched below is denied)
    <Proxy *>
      Require ip 192.168.1
      # Nextcloud server URL
      Require host example.com
    </Proxy>
  </VirtualHost>
</IfModule>

Further I tried the URL localhost:8080/draw in the draw.io app, but this gives me only a blank page inside Nextcloud.

Is there a way that our tomcat/draw combination is only reachable from within Nextcloud (except from localhost)?

Any hints are welcome!!

Kind regards, go4ncloud
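For reference, here is how the allowlist in a vhost like the one above is normally written in Apache 2.4, with an explicit <RequireAny> container. This is an added example, not the poster’s configuration; the certificate paths are taken from the post, and the addresses 192.168.1.0/24 and 203.0.113.10 are placeholders for the networks that should be allowed. The important caveat is in the comments: Require ip and Require host are evaluated against the connecting client, and because the Nextcloud draw.io app loads the configured draw.io URL in an iframe, that client is the end user’s browser, not the Nextcloud server. An IP allowlist can therefore limit which networks reach draw.io, but it cannot distinguish a request coming "through Nextcloud" from a direct one. The same point explains the blank page with localhost:8080/draw in the app settings: the browser resolves localhost to the user’s own machine.

```apache
# Added example (not the original poster's config). Assumes the same layout:
# drawio.example.com -> Tomcat on http://localhost:8080/draw/.
# 192.168.1.0/24 and 203.0.113.10 are placeholder networks/addresses.
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName drawio.example.com

    SSLEngine On
    SSLCertificateFile      /path/to/file.crt
    SSLCertificateChainFile /path/to/file.ca-bundle
    SSLCertificateKeyFile   /path/to/file.key

    # The backend is plain http, so no SSLProxy* directives are required.
    ProxyRequests Off
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode

    ProxyPass        / http://localhost:8080/draw/
    ProxyPassReverse / http://localhost:8080/draw/

    # Access control for everything proxied under /.
    # Require ip / Require host match the address of the connecting client.
    # The Nextcloud draw.io app embeds this site in an <iframe>, so that
    # client is the user's browser, not the Nextcloud server: the list below
    # restricts *which networks* may use draw.io; it does not restrict use to
    # "inside Nextcloud". Anything not matched in <RequireAny> is denied.
    <Location />
      <RequireAny>
        Require ip 127.0.0.1 ::1
        Require ip 192.168.1.0/24
        Require ip 203.0.113.10
      </RequireAny>
    </Location>
  </VirtualHost>
</IfModule>
```

Check the syntax with `apachectl configtest` before reloading, then verify from one allowed and one non-allowed address with `curl -I https://drawio.example.com/`; the second should return 403. A `Require host example.com` line is rarely what is wanted here, since it performs a reverse DNS lookup on the browser’s address, which will not resolve to the Nextcloud server’s name.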

Hello go4ncloud,
I am not sure if I understood what you have been trying to achieve…
Maybe you should not expose draw.io at all in httpd, but instead configure http://localhost:8080/draw directly in Nextcloud?
This is just a thought; I am not familiar with draw.io.
Best regards