
I am using the Apache-PHP docker from the unraid community applications pane

I have configured this docker as a host

I also have the emby media server docker made by emby running on port 8096

 

Apache Config:


<VirtualHost *:80>
    ServerName media.cturtle98.com

    ProxyPreserveHost Off
    ProxyPass "/" "http://localhost:8096/"
    ProxyPassReverse "/" "http://localhost:8096/"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

But when that is enabled I get error 500 when I go to the server name, and the error log says this:

[Thu Sep 06 17:38:34.283862 2018] [proxy:warn] [pid 27] [client 207.62.184.20:27767] AH01144: No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Thu Sep 06 17:38:35.376967 2018] [proxy:warn] [pid 28] [client 207.62.184.20:48009] AH01144: No protocol handler was valid for the URL /favicon.ico. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: http://media.cturtle98.com/

Any ideas how to fix this?

How do I list my enabled modules?

 

Thanks

Ciaran

cTurtle98 - Desktop

Spoiler

CPU: i7 7700k

COOLER: Thermaltake - Water 3.0 Extreme S
MOBO: Asrock z270 killer sli/ac

RAM: G.Skill Trident Z 32 GB (4 x 8 GB) DDR4-3200

SSD 1: Intel - 600p Series 1TB M.2-2280 (Windows)

SSD 2: Samsung 970 Evo 1 TB M.2-2280 NVME (POP_OS)

GPU: MSI - GTX 1070

PSU: EVGA - SuperNOVA G2 550W 80+ Gold Fully-Modular

CASE: Thermaltake - Versa H26

cTurtle98 - Portable PC

Spoiler

CPU: R5 1600

COOLER: NH-L9a-AM4

MOBO: ASRock - AB350 Gaming-ITX/ac

RAM: 16GB (2 x 8GB) Corsair - Vengeance LPX DDR4-3200

SSD 1: Intel - 600p Series 512 GB M.2-2280 (Windows)

SSD 2: 860 Evo 1 TB 2.5" (Manjaro)

SSD 3: PNY - CS1311 120 GB 2.5" (POP_OS)

GPU: Gigabyte GeForce GTX 1650 4 GB MINI ITX OC

PSU: HDPLEX 400 AC-DC DC-ATX Combo

CASE: NFC Skyreach 4 mini

 

https://linustechtips.com/topic/969261-unraid-apache-docker-not-liking-proxy-pass/

<VirtualHost *:80>
        ## Rewrite HTTP
        ServerName media.stripedhost.com
        DocumentRoot "/usr/local/www/apache24/data"
        RewriteEngine On
        RewriteRule ^/?(.*) https://%{SERVER_NAME}:8920/$1 [R,L]
        CustomLog /var/log/apache/media.stripedhost.com.log combined
        ErrorLog /var/log/apache/media.stripedhost.com-error.log
        LogLevel warn
</VirtualHost>

<VirtualHost *:443>
        ## Rewrite HTTPS
        ServerName media.stripedhost.com
        ServerAlias media.stripedhost2.com
        DocumentRoot "/usr/local/www/apache24/data"
        RewriteEngine On
        RewriteRule ^/?(.*) https://%{SERVER_NAME}:8920/$1 [R,L]
        CustomLog /var/log/apache/media.stripedhost.com.log combined
        ErrorLog /var/log/apache/media.stripedhost.com-error.log
        LogLevel warn
</VirtualHost>

<VirtualHost *:8096>
        ## Rewrite Emby HTTP
        ServerName media.stripedhost.com
        DocumentRoot "/usr/local/www/apache24/data"
        RewriteEngine On
        RewriteRule ^/?(.*) https://%{SERVER_NAME}:8920/$1 [R,L]
        CustomLog /var/log/apache/media.stripedhost.com.log combined
        ErrorLog /var/log/apache/media.stripedhost.com-error.log
        LogLevel warn
</VirtualHost>

<VirtualHost *:8920>
        SSLEngine on
        SSLCertificateFile /usr/local/etc/apache24/ssl/complete-chain.pem
        SSLCertificateKeyFile /usr/local/etc/apache24/ssl/privkey.pem
        ServerName media.stripedhost.com

        DocumentRoot "/usr/local/www/apache24/data"

        CustomLog /var/log/apache/media.stripedhost.com.log combined
        ErrorLog /var/log/apache/media.stripedhost.com-error.log
        LogLevel warn

        SSLProxyEngine on
        # Bug? Something weird with client saying cert out of date.. was working before.
        # SSLProxyCheckPeerExpire Off
        ProxyAddHeaders On
        ProxyPreserveHost On
        ProxyPass / https://192.168.0.66:8920/
        ProxyPassReverse / https://192.168.0.66:8920/
</VirtualHost>

This is how I did Apache proxy for Emby in the past. It causes Apache to force Emby to use encryption on a frontend device. Obviously it needs the rewrite module. Those 3 ports are forwarded to Emby's actual SSL port. This works fine with all known Emby apps too.

"Only proprietary software vendors want proprietary software." - Dexter's Law


I have mod_proxy and mod_proxy_http enabled, don't have proxy_connect though, maybe that will fix it


1 hour ago, jde3 said:

This is how I did Apache proxy for Emby in the past. It causes Apache to force Emby to use encryption on a frontend device. Obviously it needs the rewrite module. Those 3 ports are forwarded to Emby's actual SSL port. This works fine with all known Emby apps too.

Why do you have document roots on your rewrites?


1 hour ago, jde3 said:

This is how I did Apache proxy for Emby in the past. It causes Apache to force Emby to use encryption on a frontend device. Obviously it needs the rewrite module. Those 3 ports are forwarded to Emby's actual SSL port. This works fine with all known Emby apps too.

If I'm reading this correctly, you are taking all incoming connections on media. and forwarding them to your website:8920?

So if you go to media.example.com it forwards you to :8920, so you're not really transparently proxying.

I just want it such that if you go to my site it transparently looks like you're at my media server even though it's going through Apache.


Yeah, the reason that the document root is specified is just overlap. (If the rewrite module isn't loaded, or if something is wrong, it will return an error page.) There is more to this config, that is just the Emby part of it. It also does header injection. You can feel free to drop that stuff.

It forwards and proxies, so if you go to https://media. it will rewrite to itself on :8920 and proxy that. The reason that is done is so that there is no way Emby can communicate unencrypted, but apps can just use the defaults when users are setting it up.


2 hours ago, jde3 said:

Yeah, the reason that the document root is specified is just overlap. (If the rewrite module isn't loaded, or if something is wrong, it will return an error page.) There is more to this config, that is just the Emby part of it. It also does header injection. You can feel free to drop that stuff.

It forwards and proxies, so if you go to https://media. it will rewrite to itself on :8920 and proxy that. The reason that is done is so that there is no way Emby can communicate unencrypted, but apps can just use the defaults when users are setting it up.

My solution for that is to just block 8096 from external connections and only allow loopback connections on my firewall.

So I just want to proxy to the default port.


2 hours ago, cTurtle98 said:

My solution for that is to just block 8096 from external connections and only allow loopback connections on my firewall.

So I just want to proxy to the default port.

Your network seems a little strange. If it's all an internal network, why do you want to use an apache frontend? Emby can run on port 80 directly.

 

I'm using it as a frontend for an internet facing application server. That is a pretty common use case..

 

Regardless if you want to use a reverse proxy (transparent proxy is something else) you want to do it.. who am I to ask why.. so all you need to do is just load the right modules in your httpd.conf and restart using the config you have. (remove the quotes around the proxy site)

 


Here's what I'm using for Apache 2.4.29 with SSL

 

<VirtualHost *:443>
                ServerAdmin admin@<domain name>
                ServerName <domain name>

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLProxyEngine on
                SSLProxyVerify none
                SSLProxyCheckPeerCN off
                SSLProxyCheckPeerName off

                SSLProtocol all -SSLv2 -SSLv3
                SSLHonorCipherOrder on
                SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

                SSLCertificateFile      /etc/apache2/ssl/website.pem
                SSLCertificateKeyFile /etc/apache2/ssl/website.key
                SSLCertificateChainFile /etc/apache2/ssl/website.ca-bundle

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                RewriteEngine  on
                RewriteCond %{THE_REQUEST} !HTTP/1.1$
                RewriteRule .* - [F]

                <Location /ruTorrent/>
                ProxyPass https://seedbox/ruTorrent/
                ProxyPassReverse https://seedbox/ruTorrent/
                </Location>
</VirtualHost>

 

Here's my enabled modules:

 

Loaded Modules:
 core_module (static)
 so_module (static)
 watchdog_module (static)
 http_module (static)
 log_config_module (static)
 logio_module (static)
 version_module (static)
 unixd_module (static)
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 mime_module (shared)
 mpm_event_module (shared)
 negotiation_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
 proxy_fcgi_module (shared)
 proxy_http_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_shm_module (shared)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)

 

 

Looks like you don't have the right modules loaded - so just make sure you run these

sudo a2enmod ssl
sudo a2enmod proxy
sudo a2enmod proxy_balancer
sudo a2enmod proxy_http

 

Spoiler

Desktop: Ryzen9 5950X | ASUS ROG Crosshair VIII Hero (Wifi) | EVGA RTX 3080Ti FTW3 | 32GB (2x16GB) Corsair Dominator Platinum RGB Pro 3600Mhz | EKWB EK-AIO 360D-RGB | EKWB EK-Vardar RGB Fans | 1TB Samsung 980 Pro, 4TB Samsung 980 Pro | Corsair 5000D Airflow | Corsair HX850 Platinum PSU | Asus ROG 42" OLED PG42UQ + LG 32" 32GK850G Monitor | Roccat Vulcan TKL Pro Keyboard | Logitech G Pro X Superlight  | MicroLab Solo 7C Speakers | Audio-Technica ATH-M50xBT2 LE Headphones | TC-Helicon GoXLR | Audio-Technica AT2035 | LTT Desk Mat | XBOX-X Controller | Windows 11 Pro

 

Spoiler

Server: Fractal Design Define R6 | Ryzen 3950x | ASRock X570 Taichi | Asus RTX 4060 Dual OC | 64GB (4x16GB) Corsair Vengeance LPX 3000Mhz | Corsair RM850v2 PSU | Fractal S36 Triple AIO + 4 Additional Venturi 120mm Fans | 8 x 20TB Seagate Exos X22 | 4 x 16TB Seagate Exos X18 | 3 x 2TB Samsung 970 Evo Plus NVMe | LSI 9211-8i HBA

 

Spoiler

NAS: Innovision 4U 24-bay chassis (12GB MiniHD SGIO Backplane) | Intel Core i9-10980xe | EVGA X299 FTW-K | EVGA RTX 2080Ti Super FTW3 | 128GB (8x16GB) Corsair Vengeance LPX 3200Mhz | DEEPCOOL PN1000M PSU| Noctua NH-D12L Chromax Black | 16 x 16TB Seagate Exos X18 | 2 x 2TB Samsung 990 Pro | 2 x 2TB Intel U.2 P4510 | LSI 9305-24i HBA
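
The module check discussed above, as an added example that is not part of any post in the thread: it reads a `Loaded Modules:` listing like the one above (printed by `apachectl -M`, or `apache2ctl -M` on Debian-style installs) and reports which modules the `ProxyPass` targets in a vhost need but the server has not loaded. It goes beyond the `http://` case in the question to cover other proxy schemes; the module listing in it is constructed, and the function names are this example's own.

```python
import re

# URL scheme in a ProxyPass target -> modules needed to serve it. mod_proxy
# is only the framework; every scheme needs its own handler module.
SCHEME_MODULES = {
    "http": {"proxy_module", "proxy_http_module"},
    "https": {"proxy_module", "proxy_http_module", "ssl_module"},
    "ws": {"proxy_module", "proxy_wstunnel_module"},
    "wss": {"proxy_module", "proxy_wstunnel_module", "ssl_module"},
    "fcgi": {"proxy_module", "proxy_fcgi_module"},
    "ajp": {"proxy_module", "proxy_ajp_module"},
}

def loaded_modules(dump_text):
    """Parse the 'Loaded Modules:' listing printed by `apachectl -M`."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", dump_text, re.M))

def proxy_schemes(conf_text):
    """Collect the schemes of all ProxyPass/ProxyPassReverse targets."""
    schemes = set()
    for line in conf_text.splitlines():
        if re.match(r"\s*ProxyPass(Reverse|Match)?\s", line, re.I):
            schemes.update(s.lower() for s in re.findall(r"([a-z][a-z0-9+.-]*)://", line, re.I))
    return schemes

def missing_modules(conf_text, dump_text):
    """Modules the config needs that the running server has not loaded."""
    needed = set()
    for scheme in proxy_schemes(conf_text):
        needed |= SCHEME_MODULES.get(scheme, {"proxy_module"})
    return sorted(needed - loaded_modules(dump_text))

def a2enmod_commands(conf_text, dump_text):
    """a2enmod takes the name without the _module suffix (Debian-style layouts)."""
    return ["a2enmod " + m[: -len("_module")] for m in missing_modules(conf_text, dump_text)]

# Proxy lines from the vhost in the question.
QUESTION_VHOST = '''
<VirtualHost *:80>
    ProxyPreserveHost Off
    ProxyPass "/" "http://localhost:8096/"
    ProxyPassReverse "/" "http://localhost:8096/"
</VirtualHost>
'''
# Constructed module listing (not from the thread): mod_proxy is loaded but
# no scheme handler is, the state that produces AH01144.
CONSTRUCTED_DUMP = """Loaded Modules:
 core_module (static)
 so_module (static)
 proxy_module (shared)
 rewrite_module (shared)
"""
```
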

 


Do this @Jarsky

 

SSLProtocol             -ALL +TLSv1.2

SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:!SHA1


You don't want to enable all protocols. Instead of allow all deny specific, deny all and allow only a few. You would be allowing TLSv1 and 1.1 that have downgrade problems. (Sha1 is known busted. EDH may be better than ECDHE there are also arguments for 128 AES being stronger than 256.)

 

Also:

SSLSessionTickets      Off

(Just spin up a new handshake, looks prone to abuse)

SSLCompression         Off

(unsupported in libressl because it's totally busted but works on openssl and allows CRIME attack)

 

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

 

(that can also be disabled other ways.)

TraceEnable off

"Only proprietary software vendors want proprietary software." - Dexter's Law
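
The TLS points raised above, as an added example that is not part of any post in the thread: a small audit that evaluates `SSLProtocol` the way Apache does (tokens left to right) and flags legacy protocols, RC4 in the cipher string, TLS compression, and backend certificate checks that are switched off for a proxied HTTPS upstream. The set that `all` expands to is an assumption, the cipher string is abridged from the 443 vhost in the thread, and the function names are this example's own.

```python
import re

# Assumed expansion of "all"; the real set depends on the Apache/OpenSSL build.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf_text):
    """Map lower-cased directive name -> argument string (last one wins)."""
    seen = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            seen[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return seen

def enabled_protocols(args):
    """Evaluate SSLProtocol tokens in order: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        names = ALL_PROTOCOLS if name == "all" else {p for p in ALL_PROTOCOLS if p.lower() == name}
        if tok.startswith("-"):
            enabled -= names
        elif tok.startswith("+"):
            enabled |= names
        else:
            enabled = set(names)
    return enabled

def audit(conf_text):
    d, findings = directives(conf_text), []
    if "sslprotocol" in d:
        findings += [f"legacy protocol enabled: {p}"
                     for p in sorted(enabled_protocols(d["sslprotocol"]) & LEGACY)]
    ciphers = re.split(r"[:\s]+", d.get("sslciphersuite", "").strip('"'))
    if any(c and c[0] not in "!-" and "RC4" in c.split("+") for c in ciphers):
        findings.append("RC4 cipher suites allowed")
    if d.get("sslcompression", "off").lower() == "on":
        findings.append("TLS compression enabled (CRIME)")
    if d.get("sslproxyengine", "off").lower() == "on":
        # "none" is also Apache's default, so an absent directive counts too.
        if d.get("sslproxyverify", "none").lower() == "none":
            findings.append("backend certificate not verified")
        for name in ("sslproxycheckpeercn", "sslproxycheckpeername"):
            if d.get(name, "on").lower() == "off":
                findings.append(f"backend name check disabled: {name}")
    return findings

# TLS lines from the 443 vhost in the thread (cipher string abridged).
THREAD_VHOST = """
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5"
"""
# Settings suggested in the reply, joined into one string.
SUGGESTED = "SSLProtocol -ALL +TLSv1.2\nSSLCipherSuite EECDH+AESGCM:EDH+AESGCM:!SHA1\nSSLCompression Off\n"
```
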
