I'm struggling with something here. I have an Ubuntu 18.04 VM in Azure with Apache2 installed. I have a domain (example.com) pointing to my VM's web server /var/www/ and recently secured the server by setting up SSL. I got a cert using Let's Encrypt and "certbot", choosing the option to redirect all HTTP traffic to HTTPS. Here is my site's .conf:
root@wp-vm:/# cat /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/example.com/>
        AllowOverride All
    </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
I am running some other web services on the same server: an RStudio Shiny Server (port 3838) and RStudio Server IDE open source (8787). These are free versions where SSL is not an option. I learned that now, with my web server using SSL, I will not be able to embed content from my Shiny server in my webpages (WordPress) via iframes. So whereas I could previously link to example.com:3838/app, that won't work any longer until I secure the port.
How do I achieve the following?
http(s)://example.com >> webserver (OK)
http(s)://example.com:48787 >> rstudio @ 8787
http(s)://example.com:43838 >> shiny @ 3838
Or even better, how do I set it up with subdomains like this (if it isn't too much added complexity):
http(s)://example.com >> apache webserver @ /var/www (OK)
http(s)://rstudio.example.com >> rstudio @ 8787
http(s)://shiny.example.com >> shiny @ 3838
To be clear, the browser needs to communicate w/ HTTPS, but the services at 8787/3838 will remain HTTP.
Some of the things I've tried already but couldn't make work: I've tried loading a bunch of modules and defining vhosts in various ways with ProxyPass and ProxyPassReverse, modifying the existing vhost with "Location" /subdomain tags, I've told Apache to Listen on the new ports in ports.conf, and opened the firewalls (Azure and ufw). I'm clearly missing something but don't know what. Here is my current firewall; let me know what else I can provide that might help with an answer.
root@wp-vm:/# ufw status numbered
Status: active

     To                 Action      From
     --                 ------      ----
[ 1] Apache Full        ALLOW IN    Anywhere
[ 2] 3838               ALLOW IN    Anywhere
[ 3] 8787               ALLOW IN    Anywhere
[ 4] 43838              ALLOW IN    Anywhere
[ 5] 48787              ALLOW IN    Anywhere
[ 6] 22/tcp             ALLOW IN    Anywhere
[ 7] Apache Full (v6)   ALLOW IN    Anywhere (v6)
[ 8] 3838 (v6)          ALLOW IN    Anywhere (v6)
[ 9] 8787 (v6)          ALLOW IN    Anywhere (v6)
[10] 43838 (v6)         ALLOW IN    Anywhere (v6)
[11] 48787 (v6)         ALLOW IN    Anywhere (v6)
[12] 22/tcp (v6)        ALLOW IN    Anywhere (v6)
Apache
root@wp-vm:/# apache2 -v
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25
EDIT/update: I realize I've left out the contents of an important file, and that I was probably messing around in the wrong file (example.com.conf) this whole time as well.
root@wp-vm:/etc/apache2/sites-available# cat example.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/example.com/>
        AllowOverride All
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
</IfModule>
So I am leaving the example.com.conf file alone now, as I think it simply rewrites all requests as https and redirects to 443. I've now tried adding this to the SSL conf file but no luck. Looks like I'll be retrying everything again in this file.
ProxyRequests off
ProxyPass /shiny/ http://localhost:3838/
ProxyHTMLURLMap http://localhost:3838 /shiny
<Location /shiny/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap / /shiny/
    RequestHeader unset Accept-Encoding
</Location>
Edit #2: So close I can taste it! I've got it essentially working with subdirectories (example.com/shiny and /rstudio). However, it is finicky about how the address is typed in: whether it includes a final trailing "/", and the same with the "https".
This guy seemed to run into similar problems with rstudio and 'solved' it with a bunch of rewriting and redirecting (scroll down to his final solution just before the "Set up resource limits" section). That works for the "root" paths but not for my application sub-directories under /shiny. So example.com/shiny/ works and example.com/shiny works via the redirect to ../shiny/, but example.com/shiny/app1 does NOT work and resolves to /app1. I need to enter example.com/shiny/app1/.
I did the same with mine for now, for both /shiny and /rstudio. Here is my current .conf. I think my problem & question has now been reduced to how to make it clean, correct, and robust to '/' omission?
root@wp-vm:/etc/apache2/sites-available# cat *-le*
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/example.com/>
        AllowOverride All
    </Directory>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProxyEngine On
    # extra redirect for shiny subdirectory
    Redirect /shiny /shiny/
    # extra redirects for the RStudio subdirectory
    Redirect /rstudio /rstudio/
    Redirect /auth-sign-in /rstudio/auth-sign-in
    Redirect /auth-sign-out /rstudio/auth-sign-out
    # Catch RStudio redirecting improperly from the auth-sign-in page
    <If "%{HTTP_REFERER} =~ /auth-sign-in/">
        RedirectMatch ^/$ /rstudio/
    </If>
    ##
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /shiny/ http://127.0.0.1:3838/
    ProxyPassReverse /shiny/ http://127.0.0.1:3838/
    ProxyPass /rstudio/ http://localhost:8787/
    ProxyPassReverse /rstudio/ http://localhost:8787/
    ##
    RequestHeader set X-Forwarded-Proto "https"
    ##
</VirtualHost>
</IfModule>
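
The subdomain layout described in the question, as an added example that is not part of the original post: one TLS-terminating vhost per backend, so each service is served from `/` and no path prefix has to be rewritten. It assumes DNS records for both subdomains, a certificate whose names include them (the path below reuses the one from the post), and the modules `ssl`, `proxy`, `proxy_http`, `proxy_wstunnel`, `rewrite` and `headers` enabled.

```apache
# Added example, not from the original post.
# Assumptions: shiny.example.com / rstudio.example.com resolve to this VM and
# are covered by the certificate at the path below (reused from the post).
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName shiny.example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Browser <-> Apache is HTTPS/WSS; Apache <-> Shiny stays plain HTTP/WS
    # on the loopback interface only.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:3838/$1 [P,L]
    ProxyPass / http://127.0.0.1:3838/
    ProxyPassReverse / http://127.0.0.1:3838/
</VirtualHost>

<VirtualHost *:443>
    ServerName rstudio.example.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:8787/$1 [P,L]
    ProxyPass / http://127.0.0.1:8787/
    ProxyPassReverse / http://127.0.0.1:8787/
</VirtualHost>
</IfModule>

# Once traffic goes through the proxy, the backends need no public listener:
# the ufw rules for 3838, 8787, 43838 and 48787 shown in the post can be
# removed (for example `ufw delete allow 3838`), leaving "Apache Full" and
# 22/tcp, so the cleartext ports are no longer reachable from outside.
```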