
I'm struggling with something here. I have an Ubuntu 18.04 VM in Azure with Apache2 installed. I have a domain (example.com) pointing to my VM's web server /var/www/ and recently secured the server by setting up SSL. I got a cert using letsencrypt and "certbot", choosing the option to redirect all HTTP traffic to HTTPS. Here is my site's .conf:

root@wp-vm:/# cat /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/example.com/>
        AllowOverride All
    </Directory>

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

I am running some other web services on the same server: an RStudio Shiny Server (port 3838) and RStudio Server IDE open source (8787). These are free versions where SSL is not an option. I learned that now, with my web server using SSL, I will not be able to embed content from my Shiny server in my webpages (WordPress) via iframes. So whereas I could previously link to example.com:3838/app, that won't work any longer until I secure the port.

How do I achieve the following?

http(s)://example.com >> webserver (OK)
http(s)://example.com:48787 >> rstudio @ 8787
http(s)://example.com:43838 >> shiny @ 3838

Or even better, how do I set it up with subdomains like this (if it isn't too much added complexity):

http(s)://example.com >> apache webserver @ /var/www (OK)
http(s)://rstudio.example.com >> rstudio @ 8787
http(s)://shiny.example.com >> shiny @ 3838

To be clear, the browser needs to communicate w/ HTTPS, but the services at 8787/3838 will remain HTTP.

Some of the things I've tried already but couldn't make work: I've tried loading a bunch of modules and defining vhosts in various ways with ProxyPass and ProxyPassReverse, modifying the existing vhost with "Location" /subdomain tags, I've told Apache to Listen to the new ports in ports.conf, and opened the firewalls (Azure and ufw). I'm clearly missing something but don't know what. Here is my current firewall; let me know what else I can provide that might help with an answer.

root@wp-vm:/# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] Apache Full                ALLOW IN    Anywhere
[ 2] 3838                       ALLOW IN    Anywhere
[ 3] 8787                       ALLOW IN    Anywhere
[ 4] 43838                      ALLOW IN    Anywhere
[ 5] 48787                      ALLOW IN    Anywhere
[ 6] 22/tcp                     ALLOW IN    Anywhere
[ 7] Apache Full (v6)           ALLOW IN    Anywhere (v6)
[ 8] 3838 (v6)                  ALLOW IN    Anywhere (v6)
[ 9] 8787 (v6)                  ALLOW IN    Anywhere (v6)
[10] 43838 (v6)                 ALLOW IN    Anywhere (v6)
[11] 48787 (v6)                 ALLOW IN    Anywhere (v6)
[12] 22/tcp (v6)                ALLOW IN    Anywhere (v6)

Apache

root@wp-vm:/# apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built:   2020-08-12T21:33:25

EDIT/update: I realize I've left out the contents of an important file, and that I was probably messing around in the wrong file (example.com.conf) this whole time as well.

root@wp-vm:/etc/apache2/sites-available# cat example.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/example.com/>
        AllowOverride All
    </Directory>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

</VirtualHost>
</IfModule>

So I am leaving the example.com.conf file alone now as I think it simply rewrites all requests as https and redirects to 443. I've now tried adding this to the ssl conf file but no luck. Looks like I'll be retrying everything again in this file..

ProxyRequests off
ProxyPass /shiny/ http://localhost:3838/
ProxyHTMLURLMap http://localhost:3838 /shiny

<Location /shiny/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap / /shiny/
    RequestHeader unset Accept-Encoding
</Location>

Edit #2: So close I can taste it! I've got it essentially working with subdirectories (example.com/shiny and /rstudio). However, it is finicky about how the address is typed in: whether it includes a final trailing "/", and the same with the "https".

This guy seemed to run into similar problems with rstudio and 'solved' it with a bunch of rewriting and redirecting (scroll down to his final solution just before the "Set up resource limits" section). That works for the "root" paths but not for my application sub-directories under /shiny. So example.com/shiny/ works and example.com/shiny works via the redirect to ../shiny/, but example.com/shiny/app1 does NOT work and resolves to /app1. I need to enter example.com/shiny/app1/.

I did the same with mine for now, for both /shiny and /rstudio. Here is my current .conf. I think my problem & question has now been reduced to how to make it clean, correct, and robust to '/' omission?

root@wp-vm:/etc/apache2/sites-available# cat *-le*
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/example.com/>
        AllowOverride All
    </Directory>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    SSLProxyEngine On

    # extra redirect for shiny subdirectory
    Redirect /shiny /shiny/

    # extra redirects for the RStudio subdirectory
    Redirect /rstudio /rstudio/
    Redirect /auth-sign-in /rstudio/auth-sign-in
    Redirect /auth-sign-out /rstudio/auth-sign-out

    # Catch RStudio redirecting improperly from the auth-sign-in page
    <If "%{HTTP_REFERER} =~ /auth-sign-in/">
        RedirectMatch ^/$ /rstudio/
    </If>

    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /shiny/ http://127.0.0.1:3838/
    ProxyPassReverse /shiny/ http://127.0.0.1:3838/
    ProxyPass /rstudio/ http://localhost:8787/
    ProxyPassReverse /rstudio/ http://localhost:8787/

    RequestHeader set X-Forwarded-Proto "https"

</VirtualHost>
</IfModule>
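
The subdomain layout the question asks about, as an added example that is not part of the original post: each service gets its own TLS virtual host that proxies to the loopback address at "/", so backend paths are unchanged and no trailing-slash redirects are involved. It assumes DNS records exist for both subdomains and that the Let's Encrypt certificate has been reissued to cover them (the certificate path is reused from the question); the WebSocket rewrite is the usual mod_proxy_wstunnel pattern.

```apache
# Added example, not the asker's configuration.
# Modules needed: ssl proxy proxy_http proxy_wstunnel rewrite
# Assumption: the certificate under live/example.com also covers
# shiny.example.com and rstudio.example.com.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName shiny.example.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # WebSocket upgrades are proxied as ws://, everything else as http://.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:3838/$1 [P,L]

    # TLS ends here; the backend stays plain HTTP on loopback.
    ProxyPass        / http://127.0.0.1:3838/
    # Rewrites backend Location headers to the public https:// host.
    ProxyPassReverse / http://127.0.0.1:3838/
</VirtualHost>

<VirtualHost *:443>
    ServerName rstudio.example.com
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    ProxyRequests Off

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:8787/$1 [P,L]

    ProxyPass        / http://127.0.0.1:8787/
    ProxyPassReverse / http://127.0.0.1:8787/
</VirtualHost>
</IfModule>
```

Because Apache reaches both backends over 127.0.0.1, the ufw rules for 3838, 8787, 43838 and 48787 are not needed for this layout; removing them leaves the plain-HTTP services reachable only through the TLS proxy.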
