
Apache2 Reverse Proxy Help

BaronVonJace
Solved by Eigenvektor
Good evening, I have two web servers that I would like to get access to outside my network. One is a basic HTTP website for my radio club, the other is nextcloud.

Both are set up in separate VMs on my server and both use Apache2. Nextcloud has been installed via Snap.

The HTTP site is already on the internet and can be accessed outside my network. It uses one domain. I have another domain that I would like nextcloud to use.

In the HTTP site I navigated to /etc/apache2/sites-enabled and edited 000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName domain1.club

        ServerAdmin webmaster@domain1.club
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =domain1.club
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
ServerName cloud.domain2.zone
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://192.168.21:81/
ProxyPassReverse / http://192.168.21:81/
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I've also enabled the following modules on the HTTP site

rewrite headers env dir mime proxy proxy-http

I feel like this should be working but unfortunately it's not.

Any input would be appreciated, thank you


ServerName domain1.club
ServerName cloud.domain2.zone

I assume both of the domain names you use already resolve to the server's external IP? Do you see anything in the server's access or error logs when you try to access the second domain?

 

Quote

In the HTTP site I navigated to /etc/apache2/sites-enabled and edited 000-default.conf

I would recommend to use two files, one for each virtual host. This is easier to maintain than a single file that contains the configuration of all hosts. I would also recommend to use HTTPS for stuff like Nextcloud, otherwise you're transmitting credentials in the clear.

Remember to either quote or @mention others, so they are notified of your reply


14 minutes ago, Eigenvektor said:

ServerName domain1.club
ServerName cloud.domain2.zone

I assume both of the domain names you use already resolve to the server's external IP? Do you see anything in the server's access or error logs when you try to access the second domain?

 

I would recommend to use two files, one for each virtual host. This is easier to maintain than a single file that contains the configuration of all hosts. I would also recommend to use HTTPS for stuff like Nextcloud, otherwise you're transmitting credentials in the clear.

Wow, OK, I seem to need some coffee. When I entered the IP address for the proxy I forgot an octet. Added it in and boom, now it's working.

Quote

I would recommend to use two files, one for each virtual host. This is easier to maintain than a single file that contains the configuration of all hosts. I would also recommend to use HTTPS for stuff like Nextcloud, otherwise you're transmitting credentials in the clear.

I do plan on getting an SSL cert but I wanted to make sure I got the proxy stuff working first.

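Added example (not part of the thread, not from any poster): a small linter for the two issues raised so far, the ProxyPass backend that lost an octet and the Nextcloud vhost served over plain HTTP. The sample config is an abridged copy of the proxy vhost posted above; the function names are assumptions made for this sketch.

```python
import re
import socket

# Constructed sample: the proxy vhost from the original post (abridged), typo included.
SAMPLE_CONF = """\
<VirtualHost *:80>
ServerName cloud.domain2.zone
ProxyPass / http://192.168.21:81/
ProxyPassReverse / http://192.168.21:81/
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
PROXY_RE = re.compile(r"^\s*(ProxyPass(?:Reverse)?)\s+\S+\s+\w+://([^/:\s]+)", re.M | re.I)

def check_backend_host(host):
    """Return a warning if a numeric host is not a strict four-octet IPv4 address."""
    if not re.fullmatch(r"[0-9.]+", host):
        return None  # a DNS name; nothing to validate here
    parts = host.split(".")
    if len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts):
        return None
    try:
        # inet_aton accepts short forms, so a dropped octet still parses to *some* address.
        seen_as = socket.inet_ntoa(socket.inet_aton(host))
    except OSError:
        seen_as = "nothing (unparseable)"
    return f"backend {host!r} is not a four-octet IPv4 address; inet_aton reads it as {seen_as}"

def lint(conf_text):
    """Return (server_name, message) findings for each vhost that proxies."""
    findings = []
    for addr, body in VHOST_RE.findall(conf_text):
        match = NAME_RE.search(body)
        name = match.group(1) if match else "<unnamed>"
        proxies = PROXY_RE.findall(body)
        for directive, host in proxies:
            warning = check_backend_host(host)
            if warning:
                findings.append((name, f"{directive}: {warning}"))
        if proxies and addr.strip().endswith(":80"):
            findings.append((name, "proxied over plain HTTP; credentials are sent in the clear"))
    return findings

if __name__ == "__main__":
    for name, message in lint(SAMPLE_CONF):
        print(f"{name}: {message}")
```

Run against the sample, it reports the short address on both proxy directives plus the plaintext finding; the short form parses without error, which is why a typo like this is easy to miss by eye.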

8 minutes ago, BaronVonJace said:

Wow, OK, I seem to need some coffee. When I entered the IP address for the proxy I forgot an octet. Added it in and boom, now it's working.

😅 Oh, wow, I totally didn't see that.

 

8 minutes ago, BaronVonJace said:

I do plan on getting an SSL cert but I wanted to make sure I got the proxy stuff working first.

Sure, makes sense. I assume you know Let's Encrypt?


Don't ever edit the 000-default file, this file is used by Apache when hostname resolution fails and by editing it you'll make your webserver forward all failed requests to this virtual server by default. I tend to stick my 404 error page in there.

 

Create a new conf file for each vhost or subdomain in /etc/sites-available. It's best practice to number them in order of importance, so your top level domain should be 001 and subs should be 002, 003 etc.

 

Afterwards run sudo a2ensite sitename to enable the site, for example if the config is called 001-homepage.conf then you'd run a2ensite 001-homepage. This creates a symlink for you so any further changes you make are reflected automatically. You can do a2dissite sitename to disable a site as well.

 

Finally run sudo systemctl reload apache2.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)

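Added example (not part of the thread, not Apache's own code): a simplified model of name-based virtual host selection, showing why the alphabetically first file in sites-enabled receives every request whose Host header matches no ServerName. The file names and contents are constructed, and ServerAlias wildcards are not modelled.

```python
import re

# Constructed sites-enabled contents, modelled on the layout recommended above.
SITES_ENABLED = {
    "001-domain1.conf": "<VirtualHost *:80>\nServerName domain1.club\n</VirtualHost>\n",
    "002-cloud.conf": "<VirtualHost *:80>\nServerName cloud.domain2.zone\n</VirtualHost>\n",
    "000-default.conf": "<VirtualHost *:80>\nDocumentRoot /var/www/html\n</VirtualHost>\n",
}

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*:(\d+)>(.*?)</VirtualHost>", re.S | re.I)
NAMES_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+)$", re.M | re.I)


def load_vhosts(files):
    """Return [(file, port, names)] in the order a wildcard Include reads them."""
    vhosts = []
    for fname in sorted(files):  # wildcard includes are read alphabetically
        for port, body in VHOST_RE.findall(files[fname]):
            names = [n.lower() for line in NAMES_RE.findall(body) for n in line.split()]
            vhosts.append((fname, int(port), names))
    return vhosts


def select_vhost(vhosts, host_header, port=80):
    """Pick the vhost by exact name match, else fall back to the first one on the port."""
    candidates = [v for v in vhosts if v[1] == port]
    host = host_header.split(":")[0].lower()
    for fname, _, names in candidates:
        if host in names:
            return fname
    return candidates[0][0] if candidates else None


if __name__ == "__main__":
    vhosts = load_vhosts(SITES_ENABLED)
    for header in ("cloud.domain2.zone", "domain1.club:80", "203.0.113.7"):
        print(header, "->", select_vhost(vhosts, header))
```

Removing 000-default.conf from the dictionary makes 001-domain1.conf the fallback, so requests by bare IP or an unknown name would land on the real site instead of a harmless catch-all.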

8 minutes ago, Eigenvektor said:

Sure, makes sense. I assume you know Let's Encrypt?

I sure do! Main HTTP site already has one and soon so will my NextCloud instance. 

 

7 minutes ago, Master Disaster said:

Don't ever edit the 000-default file, this file is used by Apache when hostname resolution fails and by editing it you'll make your webserver forward all failed requests to this virtual server by default. I tend to stick my 404 error page in there.

 

Create a new conf file for each vhost or subdomain in /etc/sites-available. It's best practice to number them in order of importance, so your top level domain should be 001 and subs should be 002, 003 etc.

 

Afterwards run sudo a2ensite sitename to enable the site, for example if the config is called 001-homepage.conf then you'd run a2ensite 001-homepage. This creates a symlink for you so any further changes you make are reflected automatically. You can do a2dissite sitename to disable a site as well.

 

Finally run sudo systemctl reload apache2.

Fantastic suggestion! Now that I know I can get this proxy stuff working I’ll totally do that. Thank you for the advice 


Reviving this topic,

 

It's been a few days now and I have sorted out my .conf files as recommended by @Master Disaster.

So now I am trying to get SSL traffic working across two domains. I used Let's Encrypt to obtain two certs. One for Domain1 and another for Domain2.

I'm making a second Virtual Host in the 001-domain1.conf file

<VirtualHost *:443>
ServerName domain1.club
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/letsencrypt/live/domain1.club/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain1.club/privkey.pem
</VirtualHost>

I've also tried adding a RewriteRule to the VirtualHost *:80 to rewrite HTTP to HTTPS but it goes to the local host index and not the remote server index.

 

I've done some searching and I can't seem to find the answer to my problem.

 

Thank you for your time.


5 hours ago, BaronVonJace said:

Reviving this topic,

 

It's been a few days now and I have sorted out my .conf files as recommended by @Master Disaster.

So now I am trying to get SSL traffic working across two domains. I used Let's Encrypt to obtain two certs. One for Domain1 and another for Domain2.

I'm making a second Virtual Host in the 001-domain1.conf file


<VirtualHost *:443>
ServerName domain1.club
SSLEngine On
SSLProxyEngine On
SSLCertificateFile /etc/letsencrypt/live/domain1.club/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain1.club/privkey.pem
</VirtualHost>

I've also tried adding a RewriteRule to the VirtualHost *:80 to rewrite HTTP to HTTPS but it goes to the local host index and not the remote server index.

 

I've done some searching and I can't seem to find the answer to my problem.

 

Thank you for your time.

First you shouldn't be creating more than 1 VS per config, I'll explain the reason why below. Make sure every virtual server has its own conf file and only create a conf file for each HTTP VS on port 80. Enable each site and check they're accessible.

 

Next install Certbot & Certbot-apache then run certbot --apache and it will scan your sites-enabled folder and allow you to create and pull a certificate for each config it detects. It will automatically create a new set of configs (one for each virtual server) for HTTPS on port 443, enable them all and ask you if you want your existing HTTP configs to be edited to auto forward to HTTPS instead.

 

The only thing you should need to do manually is run sudo systemctl restart apache2 when it finishes.
