Pathfinder – Apache Configuration
Apache Proxy Setting & An Exception For Letsencrypt
I assume you have already installed Apache and it is up and running. Now you have to configure the Apache vhost to proxy the Pathfinder URL to the Docker container on port 8081. You also want the Let's Encrypt authentication service to remain reachable: the Pathfinder container will not answer Let's Encrypt's requests to the .well-known folder, so that path has to be excluded from the proxy and served by Apache itself.
# Requires mod_proxy, mod_proxy_http and mod_proxy_wstunnel (for the /ws/ path).
<VirtualHost *:80>
    ServerName pathfinder.mydomain.com

    # Let's Encrypt HTTP-01 validation: never proxy /.well-known to the container,
    # serve it from the local filesystem instead. Keep this block ahead of the
    # "ProxyPass /" catch-all (and ahead of any redirect to HTTPS you may add later).
    <Location "/.well-known">
        ProxyPass !
    </Location>
    Alias /.well-known /var/www/pathfinder/.well-known
    <Directory /var/www/pathfinder/.well-known/>
        # Apache 2.4 syntax; on 2.2 use "Order deny,allow" / "Allow from all".
        Require all granted
    </Directory>

    CustomLog /var/log/apache2/pathfinder.mydomain.com/access_log combined
    ErrorLog /var/log/apache2/pathfinder.mydomain.com/error_log

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    # Pathfinder's websocket endpoint is proxied as ws:// and listed before the catch-all.
    ProxyPass "/ws/map/update" "ws://localhost:8081/ws/map/update"
    ProxyPassReverse "/ws/map/update" "ws://localhost:8081/ws/map/update"
    ProxyPass / http://localhost:8081/
    ProxyPassReverse / http://localhost:8081/
    ProxyTimeout 3600
</VirtualHost>
<VirtualHost *:443>
    # Same hostname as the port-80 vhost (the original listed it inconsistently).
    ServerName pathfinder.mydomain.com

    CustomLog "/var/log/apache2/pathfinder.mydomain.com/ssl_access_log" combined
    ErrorLog "/var/log/apache2/pathfinder.mydomain.com/ssl_error_log"

    SSLProxyEngine On
    # Tell Pathfinder the client connection was HTTPS; the hop to the container is plain HTTP.
    RequestHeader set X-Forwarded-Proto "https"
    KeepAlive On
    MaxKeepAliveRequests 100

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    ProxyPass "/ws/map/update" "ws://localhost:8081/ws/map/update"
    ProxyPassReverse "/ws/map/update" "ws://localhost:8081/ws/map/update"
    ProxyPass / http://localhost:8081/
    ProxyPassReverse / http://localhost:8081/
    ProxyTimeout 3600

    SSLEngine on
    SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:!aNULL:!eNULL:!DES:!3DES:!RC4:!RC2:!IDEA:!MD5:!SHA1:!SSLv3:!TLSv1:!EXP:!LOW:!MEDIUM:!DH:!DSS:!aNULL
    SSLHonorCipherOrder on
    # TLS 1.2 and newer only. "-SSLv2" is ignored by current mod_ssl and is dropped;
    # TLS 1.1 is disabled in addition to TLS 1.0.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Paths as created by certbot for this ServerName.
    SSLCertificateFile /etc/letsencrypt/live/pathfinder.mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pathfinder.mydomain.com/privkey.pem

    RewriteEngine on
    RewriteOptions inherit
    # HSTS for ten years, including subdomains (needs mod_headers).
    Header always set Strict-Transport-Security "max-age=315360000; includeSubDomains"
</VirtualHost>
The <Location> block comes before the proxy settings so that Let's Encrypt validation can reach the .well-known folder. This is a common pattern for any Docker service when you want to install an SSL certificate properly. If you have a bare (non-Docker) installation such as SeAT 5.0, you can place .well-known under [your SeAT folder]/public/.well-known instead. This gets you a certificate.
Firewall Setting if You Use iptables
An instance on a cloud service running Ubuntu 24.04 uses ufw, which is a little more relaxed than my other environment, which has a very tight iptables configuration (deny everything unless explicitly allowed). If your iptables rules look like this:
# drop-log is a custom chain that logs and then drops.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
... (your accepting rules)
iptables -A OUTPUT -o ${WAN} -s ${LADDR} -j drop-log
iptables -A INPUT -j drop-log
iptables -A FORWARD -j drop-log
then your proxy will not be able to reach the Docker container. You may need to add:
# input-accept / output-accept are custom accept chains; the OUTPUT rule matches
# on the outgoing interface (-o), since -i is not valid in the OUTPUT chain.
iptables -I INPUT 1 -p tcp -i ${DOCKER} -j input-accept
iptables -I OUTPUT 1 -p tcp -o ${DOCKER} -j output-accept
where ${DOCKER} points to the Docker bridge interface; its name starts with br- followed by some numbers. I had to analyse the iptables log to find this out (I'm not a big Docker fan...).
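As an added example (not from the original post), the following POSIX shell script derives the ${DOCKER} bridge interface from the Docker network itself rather than from the iptables log, and prints the two rules for review before they are applied. It assumes the compose network is called pathfinder_default and reuses the author's custom chains input-accept and output-accept; both names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: find the bridge interface behind
# a Docker network and emit the two iptables rules for review.
# Assumed names: network "pathfinder_default" (compose default for a project
# called "pathfinder") and the custom chains input-accept / output-accept.

# A user-defined bridge network gets the interface name "br-" followed by the
# first 12 hex characters of its network ID, unless it was created with the
# driver option com.docker.network.bridge.name (then that name is used).
bridge_from_id() {
    printf 'br-%.12s\n' "$1"
}

# Ask the docker CLI (needed on the host) for the interface name of a network.
docker_bridge() {
    custom=$(docker network inspect \
        -f '{{index .Options "com.docker.network.bridge.name"}}' "$1") || return 1
    if [ -n "$custom" ]; then
        printf '%s\n' "$custom"
    else
        bridge_from_id "$(docker network inspect -f '{{.Id}}' "$1")"
    fi
}

# Print the rules instead of running them so they can be checked first.
# The OUTPUT rule matches the outgoing interface (-o); -i is invalid in OUTPUT.
rules_for_bridge() {
    printf 'iptables -I INPUT 1 -p tcp -i %s -j input-accept\n' "$1"
    printf 'iptables -I OUTPUT 1 -p tcp -o %s -j output-accept\n' "$1"
}

# Usage on the Docker host:
#   rules_for_bridge "$(docker_bridge pathfinder_default)"
```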