Admin Console behind Apache ProxyPass

My fun for the evening was attempting to get the Openfire Console to behave behind an Apache ProxyPass. The use case is that I can’t reach port 9090 due to a firewall (which I can’t change) and would like the OF admin console to appear at http://myserver/admin/

Anywhoooo, this doesn’t appear possible. I found JM-496 (whose patch doesn’t appear to work cleanly with SVN trunk?)

I am probably missing something obvious, so if a kind person could let me off the hook!

thanks,

daryl

Need a solution too!

Did you ever find a solution? I’m trying the exact same solution.
I have found plenty of articles on how to proxy Jetty behind Apache, but it doesn’t work. It seems the page’s paths are hard-coded rather than relative, so it keeps returning incorrect URLs.

We simply do a NAT rule from 443 to 9091 and do https://openfire.whatever.com/ - Works without issues.


That is a very good idea!

But unfortunately I am using this server for SparkWeb on https as well. I might be able to use a secondary IP address…

Please explain! Why is a NAT rule better, or why does it work? How do you do the NAT rule exactly, and why via https?

Terence,

If the default port 443 is not in use, you can use iptables to redirect all port traffic from port 80 to 9090 and port 443 to 9091. This means that the client is able to connect to the admin console on standard http and https ports without manually defining ports in the URL.

You want to connect via https because it is secure (even if you are using self-signed certificates) and will not send your password across the network unencrypted.

David,

I am thinking that you could just change the Admin Console Port in the server properties to listen on 80 and 443 without needing iptables at all.

My problem is I think I’m stuck needing to run Apache listening on 80 and 443 on the same IP address as Openfire. So I’m back to using the Apache mod_proxy module.

Bob

You would need to run Openfire as root for it to bind to ports 80/443, so it is better just to use iptables.

I’ll set up Apache w/ mod_proxy later and see if it works.

I just tried to get OF Admin working with ProxyPass, and like you said it doesn’t like the absolute URLs in most of the links.

Another approach would be to use mod_rewrite and match based on hostname, so you could still do it on a single IP and either define a separate virtual host for it, or just throw it in the default virtual host.

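    RewriteEngine On
    # Match the admin hostname only (dots escaped so they match literally)
    RewriteCond %{HTTP_HOST} ^ofadmin\.whatever\.com$ [NC]
    # [P] hands the request to mod_proxy, which must be loaded
    RewriteRule ^/(.*)$ http://openfire.whatever.com:9090/$1 [NC,L,P]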

After a little work I came up with this solution. On the same IP address I use two different hostnames:

  • im.local.dom for all production traffic
  • openfire.local.dom for admin traffic

    ProxyRequests Off

    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>

    ProxyVia On

    ProxyPass /http-bind/ http://im.local.dom:7070/
    ProxyPassReverse /http-bind/ http://im.local.dom:7070/

    NameVirtualHost *:80
    NameVirtualHost *:443

    <VirtualHost *:80>
        ServerName im.local.dom
        ServerAlias im

        # Force clients to use HTTPS
        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName im.local.dom
        ServerAlias im

        DocumentRoot /srv/www/sparkweb
        <Directory "/srv/www/sparkweb">
            Options FollowSymLinks
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        DirectoryIndex SparkWeb.html

        SSLEngine on
        SSLProtocol all
        SSLCipherSuite ALL
        SSLCertificateFile /etc/ssl/servercerts/servercert.pem
        SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
    </VirtualHost>

    <VirtualHost *:80>
        ServerName openfire.local.dom
        ServerAlias openfire

        # Force clients to use HTTPS
        RewriteEngine on
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName openfire.local.dom
        ServerAlias openfire

        # Admin console, reached by hostname instead of a sub-path
        ProxyPass / http://im.local.dom:9090/
        ProxyPassReverse / http://im.local.dom:9090/

        SSLEngine on
        SSLProtocol all
        SSLCipherSuite ALL
        SSLCertificateFile /etc/ssl/servercerts/servercert.pem
        SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem
    </VirtualHost>
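
The admin virtual host from the post above with its TLS and access settings tightened, as an added example that is not part of the original thread. It assumes Apache 2.4 with mod_ssl, mod_proxy_http and mod_headers loaded; the 192.0.2.0/24 admin network is a placeholder.

```apache
# Added example, not from the thread. Apache 2.4 syntax (Require ip);
# 192.0.2.0/24 is a placeholder for the network admins connect from.

<VirtualHost *:80>
    ServerName openfire.local.dom
    ServerAlias openfire
    # Fixed redirect target instead of echoing the client's Host header
    Redirect permanent / https://openfire.local.dom/
</VirtualHost>

<VirtualHost *:443>
    ServerName openfire.local.dom
    ServerAlias openfire

    SSLEngine on
    # Thread's setting:  SSLProtocol all
    # "all" enables every protocol version the build supports,
    # including TLS 1.0 and 1.1.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Thread's setting:  SSLCipherSuite ALL
    # "ALL" admits anonymous (aNULL) suites and any other weak suites
    # the OpenSSL build still carries.
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/ssl/servercerts/servercert.pem
    SSLCertificateKeyFile /etc/ssl/servercerts/serverkey.pem

    # Tell browsers to keep using HTTPS for this hostname
    Header always set Strict-Transport-Security "max-age=31536000"

    # Reverse proxy only, never a forward proxy
    ProxyRequests Off
    # The proxy-to-Openfire hop is plain HTTP, so keep it on the same
    # host or a trusted segment.
    ProxyPass / http://im.local.dom:9090/
    ProxyPassReverse / http://im.local.dom:9090/

    # Thread's setting:  <Proxy *> ... Allow from all
    # The admin login page does not need to be reachable by everyone
    # who can reach the SparkWeb host on the same IP.
    <Location "/">
        Require ip 192.0.2.0/24
    </Location>
</VirtualHost>
```

`apachectl configtest` checks the syntax before a reload. On Apache 2.2 the access rule is written with `Order deny,allow`, `Deny from all` and `Allow from 192.0.2.0/24` instead of `Require ip`.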

One thing to note with this configuration - You either have to have SNI support in Apache and all your clients, or make sure both names are in the certificate. Looks like in this example you’re using the same key/cert, but it might catch someone out if they use different certs.


I had the same issue; look at mod_proxy_html. You will need to build it if not on Apache 2.4. http://apache.webthing.com/mod_proxy_html/

It worked for me (made some changes to Apache for another web app and now it doesn’t work). Here we do not control DNS and are not “officially” allowed to use any chat client, yet some higher-ups want it working.

So I needed the ability to run multiple websites/web apps behind Apache when the client only has access to a couple of ports on the server.

I now have it redirecting to https always, since we auth to AD in all our apps. Now I just have to get webadmin/Openfire admin and SparkWeb working again behind Apache.

I had built the module, but I’m probably just going to go to the latest version of Apache for this.

I finally got the other 2 applications straightened out and I went back to get mod_proxy_html working with Apache. I can get the login page, then I can get to the main page, but after that it does not seem to be rewriting correctly… Darn if I can remember how I had it when it was working…