Here is my tricky problem:
I want to make my frontend and backend working on same VPS dedicated server.
Frontend is an angular built app compiled to HTML, served by Apache with virtualhost on port 443 so that SSL is working on domain.com
Backend is a node app using websockets (socket.io) running on port 3000, so I made another virtualhost with ProxyPass to redirect port 443 to port 3000, working on api.domain.com
Here is the result config:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com
DocumentRoot /var/www/html/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
ServerName api.domain.com
ServerAlias www.api.domain.com
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ProxyRequests off
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
</VirtualHost>
</IfModule>
Everything works fine, except Websocket that shows error:
WebSocket connection on wss://domain.com failed
By searching the web I found following config but it didnt worked either.
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
Making further researches, I came up to the conclusion that websocket needs to be running on port 443 to work correctly. Am I correct ? or is there any solution to make it work on port 3000 ?
In the case where port 443 is required, how would I do to serve frontend and backend on both port 443 ? I sounds like just impossible, so I will probabely have to install frontend on another server...
Can someone can give me any advices about how to fix this problem ?
Thank you
I'm trying to make a Node.js + Express + Vue.js + Apache + MySQL application work on my server via HTTPS protocol. (works fine locally or via HTTP on the server).
There is a URL (subdomain) for API which returns a JSON result, let's say "api.mysite.com".
I tried different approaches, right now I use port 443 in my app.js (it doesn't help):
const PORT = process.env.PORT || 443
app.listen(PORT, () => {
console.log(`Server stated on port ${PORT}`)
})
On my local machine I use port 5000 and access the app by "http://locahost:5000" (and it works fine).
"/etc/apache2/sites-available/my-site-api.conf":
<VirtualHost *:80>
ServerName api.mysite.com
ServerAlias api.mysite.com
DocumentRoot /var/www/mysite/api
RewriteEngine on
RewriteCond %{SERVER_NAME} =api.mysite.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"/etc/apache2/sites-available/my-site-api-le-ssl.conf":
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName api.mysite.com
ServerAlias api.mysite.com
DocumentRoot /var/www/mysite/api
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteCond %{SERVER_NAME} =api.mysite.com [OR]
# RewriteCond %{SERVER_NAME} =api.mysite.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/api.mysite.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/api.mysite.com/privkey.pem
</VirtualHost>
</IfModule>
Let me know if you need any other info.
Thanks a lot in advance!
Looks like both Apache and your app are configured to listen at port 443.
I assume the essence error you're getting is that there should be only one listener per port, and it tells you that 443 is already busy by apache.
I can see 2 ways to go, if you want to expose your app under HTTPS/443
set up Apache as a proxy, so that it listens to 443 and forwards requests to your app (which should continue to listen to 5000).
That would require adding into Apache config something like this:
ProxyPass "/" "http://localhost:5000"
Avoid using Apache and expose your app under https directly.
In this case you'd have to supply your app initialization with params telling where to find the certificates, and you will have to run your app as a super user.
More details here: Enabling HTTPS on express.js
As the title suggests, I'm trying to get Apache and Socket.io (node.js) to play nicely, especially on SSL. Currently, the client app at https://www.example.com uses Socket.io over SSL to connect to the server at [SSL protocol]://socket.example.com/socket.io/?query_stuff*. The connection to wss:// always fails, so Socket.io degrades to https://, which works fine. But I would like to take advantage of the websocket protocol and not rely on polling over http(s).
Linux & Apache
Server version: Apache/2.4.7 (Ubuntu)
Relevant mods: mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite, mod_ssl
Iptables: I have opened ports 80, 443, and 9000.
VirtualHost:
I created a virtualhost on *:443 called socket.example.com. It's intended purpose is to reverse proxy [wss,https]://socket.example.com/ to point to the socket.io server running at http://localhost:9000/. Here it is, with extraneous bits removed:
<VirtualHost *:443>
ServerName socket.example.com
DocumentRoot /var/www/example/socket.io/
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) wss://localhost:9000/$1 [P,L]
## I have also tried the following RewriteRules: ##
# RewriteRule /(.*) http://localhost:9000/$1 [P,L]
# RewriteRule /(.*) http://localhost:9000/socket.io/$1 [P,L]
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/keys/0001_key-certbot.pem
SSLCACertificateFile /etc/letsencrypt/ca-bundle.pem
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
</VirtualHost>
Success using PHP websockets over SSL
Before switching to node.js for my websocket server, I used the above Apache VirtualHost to successfully route wss://socket.example.com/ws_daemon.php to ws://localhost:9000/ws_daemon.php. In this scenario I 1. removed the rewrite rules and 2. changed the ProxyPass settings to:
ProxyPass / ws://localhost:9000/
ProxyPassReverse / ws://localhost:9000/
But the same logic does not seem to carry over to socket.io.
At this point I've run out of ideas. Any help would be greatly appreciated!
If you are using the <Location> block, you should add the following lines to it:
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule /socket.io/(.*) ws://localhost:3000/socket.io/$1 [P]
I have :
Apache 2.4 on port 80 of my server, with mod_proxy and mod_proxy_wstunnel enabled
Node.js + socket.io on port 3001 of the same server
Accessing example.com (with port 80) redirects to 2. thanks to this method with the following Apache configuration:
<VirtualHost *:80>
ServerName example.com
ProxyPass / http://localhost:3001/
ProxyPassReverse / http://localhost:3001/
ProxyPass / ws://localhost:3001/
ProxyPassReverse / ws://localhost:3001/
</VirtualHost>
It works for everything, except the websocket part : ws://... are not transmitted like it should by the proxy.
When I access the page on example.com, I have:
Impossible to connect ws://example.com/socket.io/?EIO=3&transport=websocket&sid=n30rqg9AEqZIk5c9AABN.
Question: How to make Apache proxy the WebSockets as well?
I finally managed to do it, thanks to this topic. TODO:
1) Have Apache 2.4 installed (doesn't work with 2.2), and do:
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_wstunnel
2) Have nodejs running on port 3001
3) Do this in the Apache config
<VirtualHost *:80>
ServerName example.com
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/socket.io [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule /(.*) ws://localhost:3001/$1 [P,L]
ProxyPass / http://localhost:3001/
ProxyPassReverse / http://localhost:3001/
</VirtualHost>
Note: if you have more than one service on the same server that uses websockets, you might want to do this to separate them.
Instead of filtering by URL, you can also filter by HTTP header. This configuration will work for any web applications that use websockets, also if they are not using socket.io:
<VirtualHost *:80>
ServerName www.domain2.com
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:3001/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:3001/$1 [P,L]
ProxyPassReverse / http://localhost:3001/
</VirtualHost>
May be will be useful.
Just all queries send via ws to node
<VirtualHost *:80>
ServerName www.domain2.com
<Location "/">
ProxyPass "ws://localhost:3001/"
</Location>
</VirtualHost>
As of Socket.IO 1.0 (May 2014), all connections begin with an HTTP polling request (more info here). That means that in addition to forwarding WebSocket traffic, you need to forward any transport=polling HTTP requests.
The solution below should redirect all socket traffic correctly, without redirecting any other traffic.
Enable the following Apache2 mods:
sudo a2enmod proxy rewrite proxy_http proxy_wstunnel
Use these settings in your *.conf file (e.g. /etc/apache2/sites-available/mysite.com.conf). I've included comments to explain each piece:
<VirtualHost *:80>
ServerName www.mydomain.com
# Enable the rewrite engine
# Requires: sudo a2enmod proxy rewrite proxy_http proxy_wstunnel
# In the rules/conds, [NC] means case-insensitve, [P] means proxy
RewriteEngine On
# socket.io 1.0+ starts all connections with an HTTP polling request
RewriteCond %{QUERY_STRING} transport=polling [NC]
RewriteRule /(.*) http://localhost:3001/$1 [P]
# When socket.io wants to initiate a WebSocket connection, it sends an
# "upgrade: websocket" request that should be transferred to ws://
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:3001/$1 [P]
# OPTIONAL: Route all HTTP traffic at /node to port 3001
ProxyRequests Off
ProxyPass /node http://localhost:3001
ProxyPassReverse /node http://localhost:3001
</VirtualHost>
I've included an extra section for routing /node traffic that I find handy, see here for more info.
With help from these answers, I finally got reverse proxy for Node-RED running on a Raspberry Pi with Ubuntu Mate and Apache2 working, using this Apache2 site config:
<VirtualHost *:80>
ServerName nodered.domain.com
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:1880/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:1880/$1 [P,L]
</VirtualHost>
I also had to enable modules like this:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel
For me it works after adding only one line in httpd.conf as below (bold line).
<VirtualHost *:80>
ServerName: xxxxx
#ProxyPassReverse is not needed
ProxyPass /log4j ws://localhost:4711/logs
<VirtualHost *:80>
Apache version is 2.4.6 on CentOS.
Did the following for a spring application running static, rest and websocket content.
The Apache is used as Proxy and SSL Endpoint for the following URIs:
/app → static content
/api → REST API
/api/ws → websocket
Apache configuration
<VirtualHost *:80>
ServerName xxx.xxx.xxx
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Proxy *>
Require all granted
</Proxy>
RewriteEngine On
# websocket
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/api/ws/(.*) ws://localhost:8080/api/ws/$1 [P,L]
# rest
ProxyPass /api http://localhost:8080/api
ProxyPassReverse /api http://localhost:8080/api
# static content
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app
</VirtualHost>
I use the same vHost config for the SSL configuration, no need to change anything proxy related.
Spring configuration
server.use-forward-headers: true
My setup:
Apache 2.4.10 (running off Debian)
Node.js (version 4.1.1) App running on port 3000 that accepts WebSockets at path /api/ws
As mentioned above by #Basj, make sure a2enmod proxy and ws_tunnel are enabled.
This is a screenshot of the Apache config file that solved my problem:
The relevant part as text:
<VirtualHost *:80>
ServerName *******
ServerAlias *******
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
<Location "/api/ws">
ProxyPass "ws://localhost:3000/api/ws"
</Location>
</VirtualHost>
Hope that helps.
In addition to the main answer: if you have more than one service on the same server that uses websockets, you might want to do this to separate them, by using a custom path (*):
Node server:
var io = require('socket.io')({ path: '/ws_website1'}).listen(server);
Client HTML:
<script src="/ws_website1/socket.io.js"></script>
...
<script>
var socket = io('', { path: '/ws_website1' });
...
Apache config:
RewriteEngine On
RewriteRule ^/website1(.*)$ http://localhost:3001$1 [P,L]
RewriteCond %{REQUEST_URI} ^/ws_website1 [NC]
RewriteCond %{QUERY_STRING} transport=websocket [NC]
RewriteRule ^(.*)$ ws://localhost:3001$1 [P,L]
RewriteCond %{REQUEST_URI} ^/ws_website1 [NC]
RewriteRule ^(.*)$ http://localhost:3001$1 [P,L]
(*) Note: using the default RewriteCond %{REQUEST_URI} ^/socket.io would not be specific to a website, and websockets requests would be mixed up between different websites!
User this link for perfact solution for ws https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
You have to just do below step..
Go to /etc/apache2/mods-available
Step...1
Enable mode proxy_wstunnel.load by using below command
$a2enmod proxy_wstunnel.load
Step...2
Go to /etc/apache2/sites-available
and add below line in your .conf file inside virtual host
ProxyPass "/ws2/" "ws://localhost:8080/"
ProxyPass "/wss2/" "wss://localhost:8080/"
Note : 8080 mean your that your tomcat running port because we want to connect ws where our War file putted in tomcat and tomcat serve apache for ws.
thank you
My Configuration
ws://localhost/ws2/ALLCAD-Unifiedcommunication-1.0/chatserver?userid=4 =Connected
For "polling" transport.
Apache side:
<VirtualHost *:80>
ServerName mysite.com
DocumentRoot /my/path
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /my-connect-3001 http://127.0.0.1:3001/socket.io
ProxyPassReverse /my-connect-3001 http://127.0.0.1:3001/socket.io
</VirtualHost>
Client side:
var my_socket = new io.Manager(null, {
host: 'mysite.com',
path: '/my-connect-3001'
transports: ['polling'],
}).socket('/');
TODO:
Have Apache 2.4 installed (doesn't work with 2.2), a2enmod proxy and a2enmod proxy_wstunnel.load
Do this in the Apache config
just add two line in your file where 8080 is your tomcat running port
<VirtualHost *:80>
ProxyPass "/ws2/" "ws://localhost:8080/"
ProxyPass "/wss2/" "wss://localhost:8080/"
</VirtualHost *:80>
For the same issue on Windows, just uncomment the below line from http.conf:
Then add the below line to your apache config:
LoadModule proxy_module modules/mod_proxy_wstunnel.so
I'm trying to use Apache as a gateway to reverse proxy to a backend server with the same name as the requested http_host.
ex:
ProxyPass / https://%{HTTP_HOST}/
ProxyPassReverse / https://%{HTTP_HOST}/
I'm getting an error when I use this setup. Suggestions?
There's no way to dynamically reverse proxy like that using proxy pass. However, you can do it using mod_rewrite's P flag. The same thing with ProxyPassReverse, you can't use the %{HTTP_HOST}, however, since the hostnames are the same as the same, you don't need it at all. Just need:
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [L,P]
One issue you may run into is that since DNS resolves proxying server to some IP, the proxying server must know that the same DNS hostname does not resolve to itself and actually resolves to a backend server (the server to proxy to), otherwise it will cause a loop.
To use Apache ProxyPass directives with dynamic hostnames you will need to also use ModRewrite.
Objective
All requests to the virtualhost will ProxyPass and ProxyPassReverse (also known as an "Apache Gateway") to the %{HTTP_HOST}
The only reason this would make sense to do is if you have localhost entries on the apache server for specfic host names
Examples
Localhost File
10.0.0.2 foo.bar.com
10.0.0.3 bar.bar.com
How it works
The client makes a request to foo.bar.com (dnslookup is a public IP... YOUR APACHE SERVER)
Your apache server has a localhost entry of 10.0.0.2 for foo.bar.com (some other server on your network)
The request goes through ModRewrite and /path1 is appended, then handed off to ProxyPass and ProxyPassReverse
ProxyPass and ProxyPassReverse hand the call off to foo.bar.com at ip 10.0.0.2
Client requests foo.bar.com ---reverse proxies to----> foo.bar.com/path1 (on some OTHER internal server)
Apache Configuration
<VirtualHost *:443>
Servername *
# Must not contain /path1 in path (will add /path1)
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/path1/.*
RewriteRule ^/(.*) https://%{HTTP_HOST}/path1$1 [NC,R=302,L]
# Must contain /path1 in path (will send request to the proxy)
RewriteEngine On
RewriteOptions Inherit
RewriteCond %{REQUEST_URI} ^/path1/.*
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]
SSLEngine on
SSLProxyEngine On
ProxyRequests Off
ProxyPass / https://$1/
ProxyPassReverse / https://$1/
ProxyPreserveHost On
###################
# SSL Constraints #
###################
SSLProtocol -ALL +SSLv3 +TLSv1
# Choose cipher suites
SSLHonorCipherOrder On
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
# SameOrigin The page can only be displayed in a frame on the same origin as the page itself
Header set X-Frame-Options SAMEORIGIN
SSLCertificateFile /etc/apache2/example.crt
SSLCertificateKeyFile /etc/apache2/example.key
SSLCertificateChainFile /etc/apache2/gd_bundle.crt
SetOutputFilter INFLATE;proxy-html;DEFLATE
</VirtualHost>
source: http://brakertech.com/apache-proxypass-with-dynamic-hostname/