WebTunnel bridge with Apache as reverse proxy

Sorry, folks, I forgot to post the config.
Was reminded via email notification caused by bakunin1848’s post.

Here is a working config:

<VirtualHost *:443>
    ServerName [[HOST_NAME]]

    Protocols http/1.1 h2

    SSLEngine on

    # Certificates generated via acme.sh
    SSLCertificateFile /root/.acme.sh/DOMAIN_ecc/fullchain.cer
    SSLCertificateKeyFile /root/.acme.sh/DOMAIN_ecc/DOMAIN.key

    SSLProtocol TLSv1.2 TLSv1.3
    SSLSessionCacheTimeout 900

    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    ProxyPreserveHost On
    ProxyRequests off

    Header always set Strict-Transport-Security "max-age=63072000"

    <Location /[[SECRET_PATH]]>
        # This lets Apache set the "X-Forwarded-For", "X-Forwarded-Host" and
        # "X-Forwarded-Server" HTTP headers automatically if enabled (Default is 'On').
        # "X-Forwarded-For" is set manually below to avoid the other two
        # headers provided by this directive that we don't need.
        ProxyAddHeaders Off

        # Set Proxy headers
        RequestHeader unset Accept-Encoding
        RequestHeader set X-Real-IP         "%{REMOTE_ADDR}s"
        RequestHeader set X-Forwarded-For   "%{REMOTE_ADDR}s"
        RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
        Header        set Front-End-Https   on

        ProxyPass "ws://127.0.0.1:15000/%{REQUEST_URI}s"
        ProxyPassReverse "ws://127.0.0.1:15000%{REQUEST_URI}s"
    </Location>

    ErrorLog off
</VirtualHost>

Don’t forget to turn off the CustomLog (access log) also.
If you don’t know how, use a search engine to find out.
CustomLog Off doesn’t work.

You don’t need to use the rewrite engine (@bakunin1848). This causes an unnecessary internal redirect in Apache. Use the ws:// prefix directly in ProxyPass and ProxyPassReverse.

There seems to be a bug in Apache’s mod_proxy.

In this line

ProxyPass "ws://127.0.0.1:15000/%{REQUEST_URI}s"

the slash after the port number has to be present, else mod_proxy complains that it cannot parse the URL. This results in a double slash, but it doesn’t break anything.
ProxyPassReverse does not have this bug.

Please, somebody add it to the webtunnel bridge documentation. I currently don’t have the time for it.

Edit:
Caution!
Even when CustomLog is not explicitly defined in a virtual host, Apache might still log accesses for such a virtual host, but to a file you might not expect.

On Debian/Ubuntu and derivatives this file is (it can differ on other OSes):

/var/log/apache2/other_vhosts_access.log

To disable logging to this file run the following command as root:

a2disconf other-vhosts-access-log

And then if Apache is already running:

systemctl reload apache2
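As an added example (not part of the post above, and not a Tor Project tool), here is a small POSIX shell linter that checks a vhost file for the points the post raises before a bridge goes live: a ws:// ProxyPass with the slash after the port, a ws:// ProxyPassReverse, no mod_rewrite, no per-vhost CustomLog, TLS 1.2/1.3 only, an HSTS header, and whether the Debian other-vhosts-access-log snippet is still enabled. The sample vhost contents, the host name and the directories it creates are all constructed for the demo; on a real box you would point it at your own vhost file and /etc/apache2/conf-enabled.

```shell
#!/bin/sh
# Added example, not from the original post. Lints a WebTunnel-style Apache
# vhost for the pitfalls discussed above. All sample data below is constructed.

# check_vhost VHOST_FILE CONF_ENABLED_DIR
# Prints one "FAIL ..." line per problem and a final "findings=N" line.
check_vhost() {
    f="$1"; confdir="$2"; n=0

    # ProxyPass must target ws://host:port/ with the slash after the port,
    # otherwise mod_proxy refuses to parse the target URL.
    if ! grep -Eq '^[[:space:]]*ProxyPass[[:space:]]+"?ws://[^"/[:space:]]+/' "$f"; then
        echo "FAIL ProxyPass: expected ws://host:port/... (slash after the port)"; n=$((n+1))
    fi
    if ! grep -Eq '^[[:space:]]*ProxyPassReverse[[:space:]]+"?ws://' "$f"; then
        echo "FAIL ProxyPassReverse: expected a ws:// target"; n=$((n+1))
    fi
    # mod_rewrite is unnecessary here and costs an internal redirect per request.
    if grep -Eq '^[[:space:]]*Rewrite(Engine|Rule|Cond)' "$f"; then
        echo "FAIL Rewrite*: use ws:// directly in ProxyPass instead"; n=$((n+1))
    fi
    # No per-vhost access log: a bridge should not record client addresses.
    if grep -Eq '^[[:space:]]*CustomLog' "$f"; then
        echo "FAIL CustomLog: remove the directive (CustomLog Off is not valid)"; n=$((n+1))
    fi
    # Only modern TLS; "all" or explicit TLSv1/TLSv1.1 would weaken the front.
    if ! grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]+TLSv1\.2[[:space:]]+TLSv1\.3[[:space:]]*$' "$f"; then
        echo "FAIL SSLProtocol: expected 'TLSv1.2 TLSv1.3'"; n=$((n+1))
    fi
    if ! grep -q 'Strict-Transport-Security' "$f"; then
        echo "FAIL HSTS: Strict-Transport-Security header missing"; n=$((n+1))
    fi
    # Debian/Ubuntu: other_vhosts_access.log stays active until the conf
    # snippet is disabled with: a2disconf other-vhosts-access-log
    if [ -e "$confdir/other-vhosts-access-log.conf" ]; then
        echo "FAIL other_vhosts_access.log: run 'a2disconf other-vhosts-access-log'"; n=$((n+1))
    fi
    echo "findings=$n"
}

# write_samples DIR: constructs one good and one bad vhost plus two fake
# conf-enabled directories (clean, and Debian default) so the demo runs offline.
write_samples() {
    d="$1"
    mkdir -p "$d/conf-enabled-clean" "$d/conf-enabled-debian"
    cat > "$d/good.conf" <<'EOF'
<VirtualHost *:443>
    ServerName bridge.example.invalid
    SSLEngine on
    SSLProtocol TLSv1.2 TLSv1.3
    Header always set Strict-Transport-Security "max-age=63072000"
    <Location /constructed-secret-path>
        ProxyPass "ws://127.0.0.1:15000/%{REQUEST_URI}s"
        ProxyPassReverse "ws://127.0.0.1:15000%{REQUEST_URI}s"
    </Location>
</VirtualHost>
EOF
    cat > "$d/bad.conf" <<'EOF'
<VirtualHost *:443>
    ServerName bridge.example.invalid
    SSLEngine on
    SSLProtocol all -SSLv3
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine On
    RewriteRule ^/(.*) ws://127.0.0.1:15000/$1 [P]
    ProxyPass "ws://127.0.0.1:15000%{REQUEST_URI}s"
</VirtualHost>
EOF
    # Simulated Debian box where the access-log snippet is still enabled.
    : > "$d/conf-enabled-debian/other-vhosts-access-log.conf"
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== good.conf"; check_vhost "$demo_dir/good.conf" "$demo_dir/conf-enabled-clean"
echo "== bad.conf";  check_vhost "$demo_dir/bad.conf"  "$demo_dir/conf-enabled-debian"
rm -rf "$demo_dir"
```

The good sample reports findings=0; the bad sample trips every check. Running `check_vhost /etc/apache2/sites-enabled/bridge.conf /etc/apache2/conf-enabled` after `a2disconf other-vhosts-access-log` and `systemctl reload apache2` is a quick way to confirm nothing still logs client addresses.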