Pathfinder – Apache Configuration

Apache Proxy Setting & An Exception For Let's Encrypt

I assume you already have Apache installed and running. You now need a vhost that proxies the Pathfinder URL to the container's port 8081, and you also need the Let's Encrypt HTTP-01 challenge to be reachable: the Pathfinder container does not serve the /.well-known path, so the challenge files have to be served by Apache from the host instead of being forwarded to the container.

<VirtualHost *:80>
        ServerName pathfinder.mydomain.com
        # ACME HTTP-01 challenge: served from the host, never proxied.
        # The exclusion has to come before the catch-all ProxyPass below.
        <Location "/.well-known">
                ProxyPass !
        </Location>
        Alias /.well-known /var/www/pathfinder/.well-known
        <Directory /var/www/pathfinder/.well-known/>
                # Apache 2.4 form of "Order deny,allow / Allow from all"
                Require all granted
        </Directory>
        # The log directory must exist, or Apache will refuse to start.
        CustomLog /var/log/apache2/pathfinder.mydomain.com/access_log combined
        ErrorLog  /var/log/apache2/pathfinder.mydomain.com/error_log
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyVia Full
        # WebSocket path first (needs mod_proxy_wstunnel): the most specific
        # ProxyPass must precede the "/" catch-all, first match wins.
        ProxyPass "/ws/map/update" "ws://localhost:8081/ws/map/update"
        ProxyPassReverse "/ws/map/update" "ws://localhost:8081/ws/map/update"
        ProxyPass / http://localhost:8081/
        ProxyPassReverse / http://localhost:8081/
        ProxyTimeout 3600
</VirtualHost>

<VirtualHost *:443>
        # Same hostname as the :80 vhost; certbot names the live/ directory after it.
        ServerName pathfinder.mydomain.com
        CustomLog "/var/log/apache2/pathfinder.mydomain.com/ssl_access_log" combined
        ErrorLog  "/var/log/apache2/pathfinder.mydomain.com/ssl_error_log"

        SSLEngine on
        # These files only exist once the certificate has been issued; Apache
        # will not start this vhost before that.
        SSLCertificateFile /etc/letsencrypt/live/pathfinder.mydomain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/pathfinder.mydomain.com/privkey.pem
        # TLS 1.2 and newer only (TLSv1.1 is disabled as well; SSLv2 no longer
        # exists in current OpenSSL, so there is nothing to switch off).
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:!aNULL:!eNULL:!DES:!3DES:!RC4:!RC2:!IDEA:!MD5:!SHA1:!SSLv3:!TLSv1:!EXP:!LOW:!MEDIUM:!DH:!DSS
        SSLHonorCipherOrder on
        # HSTS (mod_headers): ten years, including subdomains.
        Header always set Strict-Transport-Security "max-age=315360000; includeSubDomains"

        # The backend is plain http/ws, so SSLProxyEngine is not needed here;
        # it only matters for an https backend. Harmless to leave on.
        SSLProxyEngine On
        # Tells the application the client connection is HTTPS so it builds
        # https:// URLs behind the proxy (mod_headers).
        RequestHeader set X-Forwarded-Proto "https"
        KeepAlive On
        MaxKeepAliveRequests 100
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyVia Full
        # WebSocket path first (mod_proxy_wstunnel), then the catch-all.
        ProxyPass "/ws/map/update" "ws://localhost:8081/ws/map/update"
        ProxyPassReverse "/ws/map/update" "ws://localhost:8081/ws/map/update"
        ProxyPass / http://localhost:8081/
        ProxyPassReverse / http://localhost:8081/
        ProxyTimeout 3600

        RewriteEngine on
        RewriteOptions inherit
</VirtualHost>

The <Location "/.well-known"> block with ProxyPass ! is placed before the catch-all ProxyPass so that the Let's Encrypt HTTP-01 challenge is answered from the host's /var/www/pathfinder/.well-known directory instead of being forwarded to the container, which knows nothing about it. This is a common pattern for any Docker-hosted service behind Apache when you want a properly issued certificate. With a bare installation such as SeAT 5.0, you can instead place .well-known under [your seat folder]/public/.well-known. Either way the challenge succeeds and you get a certificate. Note that the port-80 vhost above still proxies ordinary application traffic in clear; once the certificate is in place it is better to let port 80 answer only the challenge path and redirect everything else to HTTPS, otherwise the HSTS header on the 443 vhost is undercut by an unencrypted entry point that still works.
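As an added example (not from the original post and not Pathfinder's own tooling), the script below writes the port-80 vhost in that stricter form: it serves only /.well-known/acme-challenge from the host, redirects everything else to HTTPS, syntax-checks the configuration, proves the challenge path is reachable with a throw-away token before the CA is asked, and then requests the certificate with certbot's webroot plugin. The hostname, the webroot /var/www/pathfinder, the conf file name, the Debian/Ubuntu apache2 layout and the use of certbot and curl are assumptions; the page does not name any of them.

```shell
#!/bin/sh
# Added example, not part of the original post or of Pathfinder.
# Assumptions: Debian/Ubuntu apache2 layout (a2enmod/a2ensite, ${APACHE_LOG_DIR}),
# certbot and curl installed, DNS for the hostname already pointing at this host.
set -eu

# Render a port-80 vhost that answers only the ACME challenge path from the
# host filesystem and sends every other request to HTTPS. It replaces the
# proxying :80 vhost; proxy and WebSocket directives then live only on :443.
render_acme_vhost() {
    host="$1"; webroot="$2"
    cat <<EOF
<VirtualHost *:80>
        ServerName ${host}
        # Challenge files come from the host; ProxyPass ! is defensive, so a
        # ProxyPass added to this vhost later can never swallow the path.
        Alias /.well-known/acme-challenge ${webroot}/.well-known/acme-challenge
        <Directory ${webroot}/.well-known/acme-challenge/>
                Options None
                Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
                ProxyPass !
        </Location>
        # Everything else: permanent redirect to HTTPS (mod_rewrite). The
        # original query string is carried over by default.
        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
        RewriteRule ^ https://${host}%{REQUEST_URI} [R=301,L]
        CustomLog \${APACHE_LOG_DIR}/${host}_access.log combined
        ErrorLog  \${APACHE_LOG_DIR}/${host}_error.log
</VirtualHost>
EOF
}

# Write the vhost, enable the modules the whole setup needs, and syntax-check
# before reloading so a bad file never takes the server down.
write_acme_vhost() {
    host="$1"; webroot="$2"
    conf="/etc/apache2/sites-available/${host}-acme.conf"
    install -d -m 0755 "${webroot}/.well-known/acme-challenge"
    render_acme_vhost "$host" "$webroot" > "$conf"
    a2enmod -q rewrite proxy proxy_http proxy_wstunnel headers ssl
    a2ensite -q "${host}-acme.conf"
    apachectl configtest
    systemctl reload apache2
}

# Pre-flight check: drop a random token where certbot will and fetch it over
# plain HTTP, the way the CA's validator does. Failing here costs nothing;
# failing at the CA counts against Let's Encrypt's rate limits.
check_challenge_path() {
    host="$1"; dir="$2/.well-known/acme-challenge"
    token="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    printf '%s' "$token" > "${dir}/${token}"
    got="$(curl -fsS --max-time 10 "http://${host}/.well-known/acme-challenge/${token}" || true)"
    rm -f "${dir}/${token}"
    [ "$got" = "$token" ]
}

# Usage: sh acme-vhost.sh pathfinder.mydomain.com /var/www/pathfinder admin@mydomain.com
# Enable the :443 vhost only after this has succeeded: Apache refuses to start
# while SSLCertificateFile points at a file that does not exist yet.
if [ "$#" -eq 3 ]; then
    write_acme_vhost "$1" "$2"
    check_challenge_path "$1" "$2"
    certbot certonly --webroot -w "$2" -d "$1" -m "$3" --agree-tos --non-interactive
fi
```

The pre-flight fetch is the part worth keeping even if you issue the certificate by hand: it exercises exactly the path the validator will take (port 80, the host's Alias, no proxying), so a misplaced exclusion shows up as a failed token fetch rather than as a burned validation attempt. Renewals keep using port 80, so the redirect must leave the challenge path alone, which is what the RewriteCond does.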

Firewall Setting if You Use iptables

A cloud instance running Ubuntu 24.04 uses ufw, which is a little more relaxed than my other environment with its very tight iptables configuration (deny everything unless explicitly allowed). If your iptables rules look like this:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
... (your accepting rules)
# drop-log is a user-defined chain (by its name, one that logs and then drops);
# anything the accepting rules above did not match ends up here.
iptables -A OUTPUT -o ${WAN} -s ${LADDR} -j drop-log
iptables -A INPUT -j drop-log
iptables -A FORWARD -j drop-log

Then your proxy will not be able to reach the Docker container. You may need to add:

# INPUT: the container's replies arrive on the bridge interface (-i).
iptables -I INPUT 1 -p tcp -i ${DOCKER} -j input-accept
# OUTPUT: the host's side of the connection leaves through the bridge. The
# OUTPUT chain has no incoming interface, so this must be -o, not -i
# (iptables rejects -i on OUTPUT).
iptables -I OUTPUT 1 -p tcp -o ${DOCKER} -j output-accept

where ${DOCKER} is the Docker bridge interface; its name starts with br- followed by a string of hex digits, and input-accept / output-accept are user-defined accept chains in this setup. I had to analyse the iptables log to find this out (I'm not a big Docker fan…).
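As an added example (not from the original post), the script below does the same job without guessing the bridge name and with a narrower INPUT rule: Docker names a user-defined bridge "br-" plus the first twelve hex digits of the network ID, so the interface can be derived from the compose network, and the INPUT rule admits only ESTABLISHED/RELATED traffic from the bridge, so a container cannot open new connections to services listening on the host (the rule above accepts any TCP from the bridge). The compose network name pathfinder_default, plain ACCEPT targets in place of the author's input-accept / output-accept chains, and the use of curl for the final probe are assumptions; the page does not state them.

```shell
#!/bin/sh
# Added example, not from the original post. Opens only the host <-> bridge
# path the Apache proxy needs under a default-DROP INPUT policy.
# Assumptions: compose network "pathfinder_default" (override with $1), plain
# ACCEPT targets instead of the author's input-accept/output-accept chains,
# docker CLI and curl available, run as root.
set -eu

# Docker names a user-defined bridge "br-" + the first 12 hex digits of the
# network ID, unless com.docker.network.bridge.name overrides it.
bridge_name_from_id() {
    printf 'br-%.12s\n' "$1"
}

# Resolve the bridge interface for a compose network (needs the docker CLI).
docker_bridge() {
    bridge_name_from_id "$(docker network inspect -f '{{.Id}}' "$1")"
}

# Emit the two rules as "CHAIN args...". Direction matters: the host (Apache,
# or docker-proxy on its behalf) opens the connection, so OUTPUT matches the
# outgoing interface with -o and INPUT the incoming one with -i; iptables
# rejects -i on OUTPUT. INPUT admits replies only, so a container cannot start
# new connections to host services through this rule.
bridge_rules() {
    br="$1"
    printf '%s\n' \
      "OUTPUT -o ${br} -p tcp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
      "INPUT -i ${br} -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Insert each rule at position 1 unless an identical rule already exists
# (iptables -C), so re-running the script never stacks duplicates.
apply_bridge_rules() {
    bridge_rules "$1" | while read -r chain rest; do
        # $rest is intentionally word-split into separate arguments.
        iptables -C "$chain" $rest 2>/dev/null || iptables -I "$chain" 1 $rest
    done
}

# Host-side probe: the published port must answer once the rules are in place.
probe_backend() {
    curl -fsS -o /dev/null --max-time 5 "http://localhost:${1:-8081}/"
}

# Usage: sh docker-bridge-rules.sh [network-name] [published-port]
if [ "$#" -ge 1 ]; then
    br="$(docker_bridge "$1")"
    apply_bridge_rules "$br"
    probe_backend "${2:-8081}"
fi
```

If the probe still fails after the rules are in, look at the drop-log output for the bridge interface name and compare it with what docker_bridge returned: a network created with a com.docker.network.bridge.name option, or the default docker0 bridge, will not follow the br- naming convention, and the interface must then be passed to apply_bridge_rules by hand.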