Apache2 virtual path reverse proxy to docker container

DragonQ
Posts: 3
Joined: Mon Apr 20, 2020 11:22 am

Post by DragonQ » Mon Apr 20, 2020 11:38 am

I have the OnlyOffice Document Server docker container running and working correctly. I forward port 80 to 8134 on the host, and port 443 to port 8135 on the host. Both of these ports are forwarded in the host's firewall. My Nextcloud settings are:

Document Editing Service address: https://mydomain.com:8135/
Document Editing Service address for internal requests from the server: https://192.168.1.89:8135/
Server address for internal requests from the Document Editing Service: https://192.168.1.89/nextcloud/

where 192.168.1.89 is the internal IP. This works perfectly and going to https://mydomain.com:8135/ shows the green tick as expected. However, I need to have OnlyOffice available from a standard port (80/443) rather than 8135. The host's web server is running Apache2 and I'm trying to set up a virtual path reverse proxy to port 8135 but it isn't working. I'm using this example:

https://github.com/ONLYOFFICE/document- ... -path.conf

My configuration is below:

Code:

<IfModule mod_ssl.c>
	<VirtualHost 192.168.1.89:443>
		# Server Settings:
		ServerAdmin admin@mydomain.com
		ServerName mydomain.com
		DocumentRoot /var/www/mydomain.com/html

		# Log Settings:
		LogLevel info ssl:info
		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		# SSL Engine:
		SSLEngine on
		SSLProxyEngine on
		SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
		SSLHonorCipherOrder on

		# Security Settings:
		SSLCompression off
		Header always set X-XSS-Protection "1; mode=block"
		Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
		Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

		# Certificates:
		SSLCertificateFile	/etc/letsencrypt/live/mydomain.com/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem

		# SSL Engine Options:
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
				SSLOptions +StdEnvVars
		</Directory>

		# Redirects for Grafana:
		ProxyPreserveHost on
		RewriteEngine on
		RewriteRule ^/grafana$ /grafana/ [R=permanent,L]
		<Location "/grafana">
			ProxyPass http://localhost:3000
		</Location>
		ProxyPassReverse /grafana http://localhost:3000

		# Redirects for OnlyOffice DocumentServer:
		LoadModule authn_core_module modules/mod_authn_core.so
		LoadModule authz_core_module modules/mod_authz_core.so
		LoadModule proxy_module modules/mod_proxy.so
		LoadModule proxy_http_module modules/mod_proxy_http.so
		LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
		LoadModule headers_module modules/mod_headers.so
		LoadModule setenvif_module modules/mod_setenvif.so
		LoadModule ssl_module modules/mod_ssl.so

		Define VPATH /onlyoffice
		Define DS_ADDRESS localhost:8135

		<Location ${VPATH}>
		  Require all granted
		  SetEnvIf Host "^(.*)$" THE_HOST=$1
		  RequestHeader setifempty X-Forwarded-Proto https
		  RequestHeader setifempty X-Forwarded-Host %{THE_HOST}e
		  RequestHeader edit X-Forwarded-Host (.*) $1${VPATH}
		  ProxyAddHeaders Off
		  ProxyPass "https://${DS_ADDRESS}/"
		</Location>

		ProxyPassMatch ^\${VPATH}(.*)(\/websocket)$ "ws://${DS_ADDRESS}/$1$2"
		ProxyPassReverse ${VPATH} "https://${DS_ADDRESS}/"
	</VirtualHost>

	# NextCloud DAV Redirects:
	Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
	Redirect 301 /.well-known/caldav /nextcloud/remote.php/dav
</IfModule>

As you can see, I also have a virtual path set up for Grafana, which works perfectly. When I try to go to https://mydomain.com/onlyoffice/, this gets changed to https://mydomain.com// and I get a blank screen. I've tried to redirect to both the HTTP and HTTPS ports, neither works. I've also tried to forward directly to <docker container IP:443> without success. I've also exhausted all other forum and github posts I've found with suggestions to tweak the config to make it work, so I'm stuck.

Am I missing something here?

Alexandre
Posts: 110
Joined: Thu Dec 12, 2019 11:08 am

Re: Apache2 virtual path reverse proxy to docker container

Post by Alexandre » Mon Apr 27, 2020 12:02 pm

Hello DragonQ.
Please execute docker ps from the host and show me the result.
By the way, why are you forwarding ports through a proxy\firewall if you can run a container with the necessary ports?

DragonQ
Posts: 3
Joined: Mon Apr 20, 2020 11:22 am

Re: Apache2 virtual path reverse proxy to docker container

Post by DragonQ » Mon May 04, 2020 7:40 pm

Code:

CONTAINER ID        IMAGE                                COMMAND                  CREATED             STATUS              PORTS                                         NAMES
59ebf0b4db9c        onlyoffice/documentserver:5.4.2.46   "/bin/sh -c /app/ds/…"   2 weeks ago         Up 2 weeks          0.0.0.0:8134->80/tcp, 0.0.0.0:8135->443/tcp   onlyoffice-documentserver
76a9166369eb        pyouroboros/ouroboros                "ouroboros"              2 weeks ago         Up 2 weeks                                                        ouroboros

I don't understand your second question. As I said, I need to have OnlyOffice available via port 80/443 but those ports are already used on the host server for other services (Nextcloud, Grafana, etc.), hence the need to have some kind of reverse proxy so that OnlyOffice is available either on a subdomain or subdirectory.

DragonQ
Posts: 3
Joined: Mon Apr 20, 2020 11:22 am

Re: Apache2 virtual path reverse proxy to docker container

Post by DragonQ » Thu May 21, 2020 4:30 pm

OK I finally got this working. I don't know why but using a subdomain and using the actual external address everywhere (to avoid certificate problems) seemed to fix the problem. For the benefit of others, this is what I have now:

Code:

<IfModule mod_ssl.c>
        <VirtualHost 192.168.1.89:443>
                ServerName onlyoffice.domain.com

                # SSL (Proxy) Engine:
                SSLEngine on
                SSLProxyEngine on
                SSLProxyVerify require
                SSLProxyVerifyDepth 2
                SSLProxyCheckPeerName on
                SSLProxyCACertificatePath /etc/ssl/certs
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
                SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                SSLHonorCipherOrder on

                # Certificates:
                SSLCertificateFile  /etc/letsencrypt/live/domain.com/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem

                # Security Settings:
                SSLCompression off
                Header always set X-XSS-Protection "1; mode=block"
                Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
                Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

                # Proxy:
                ProxyPreserveHost On
                ProxyPass / https://domain.com:8135/
                ProxyPassReverse / https://domain.com:8135/
                <IfModule mod_headers.c>
                        RewriteEngine On
                        SetEnvIf Host "^(.*)$" THE_HOST=$1
                        RequestHeader set X-Forwarded-Proto "https"
                        ProxyAddHeaders Off
                </IfModule>
        </VirtualHost>
</IfModule>

The docker-compose I'm using is as follows:

Code:

version: '3.7'
services:
    onlyoffice:
        container_name: onlyoffice-documentserver
        image: 'onlyoffice/documentserver:5.4.2.46'
        restart: unless-stopped
        volumes:
            - ${ROOT_ONLYOFFICE_PATH}/logs:/var/log/onlyoffice
            - ${ROOT_ONLYOFFICE_PATH}/data:/var/www/onlyoffice/Data
            - ${ROOT_ONLYOFFICE_PATH}/lib:/var/lib/onlyoffice
            - ${ROOT_ONLYOFFICE_PATH}/db:/var/lib/postgresql
            - ${ROOT_ONLYOFFICE_PATH}/etc:/etc/onlyoffice/documentserver
            - /etc/letsencrypt:/etc/letsencrypt
        ports:
            - '8134:80'
            - '8135:443'
        environment:
            - SSL_CERTIFICATE_PATH=${SSL_CERTIFICATE_PATH}
            - SSL_KEY_PATH=${SSL_KEY_PATH}

with this .env file:

Code:

# Root path
ROOT_ONLYOFFICE_PATH=/docker/onlyoffice

# SSL Certificates
SSL_CERTIFICATE_PATH=/etc/letsencrypt/live/domain.com/fullchain.pem
SSL_KEY_PATH=/etc/letsencrypt/live/domain.com/privkey.pem

These are the Nextcloud settings:

Code:

Document Editing Service address: https://onlyoffice.domain.com/
Document Editing Service address for internal requests from the server: https://domain.com:8135/
Server address for internal requests from the Document Editing Service: https://domain.com/nextcloud/

And finally, this entry in /etc/hosts on the host machine:

Code:

127.0.0.1 domain.com
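
Why the backend address matters once `SSLProxyVerify require` and `SSLProxyCheckPeerName on` are set, as an added example that is not part of the original thread: mod_ssl rejects a backend certificate that does not cover the expected peer name. The script builds a throwaway self-signed certificate (constructed; its SAN list of domain.com and onlyoffice.domain.com is an assumption) and checks each backend address tried in the thread against it.

```shell
#!/bin/sh
# Added example: which backend addresses from the thread does a certificate
# issued for the public names actually cover?
set -eu

# Build a throwaway certificate standing in for the Let's Encrypt one that is
# mounted into the container. The SAN list is an assumption for the demo.
make_demo_cert() {   # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=domain.com" \
        -addext "subjectAltName=DNS:domain.com,DNS:onlyoffice.domain.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Print "match" or "mismatch" for one backend address (DNS name or IPv4).
# An IP address only matches an iPAddress SAN, never a DNS SAN.
cert_covers() {      # $1 = certificate file, $2 = host name or IP
    case "$2" in
        *[!0-9.]*) _flag=-checkhost ;;   # contains a non-digit: DNS name
        *)         _flag=-checkip ;;     # digits and dots only: IPv4
    esac
    if openssl x509 -in "$1" -noout "$_flag" "$2" | grep -q 'does match'; then
        echo match
    else
        echo mismatch
    fi
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_cert "$DEMO_DIR"

# Backend addresses that appear in the configurations above.
for addr in localhost 192.168.1.89 domain.com onlyoffice.domain.com; do
    printf '%-24s %s\n' "$addr" "$(cert_covers "$DEMO_DIR/cert.pem" "$addr")"
done
```

To check the real certificate instead of the demo one, call `cert_covers` on /etc/letsencrypt/live/domain.com/fullchain.pem; `openssl x509` reads the first (leaf) certificate in that file.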
