Skip to content

docs: add apache reverse-proxy example #6213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 13 commits into from
Feb 16, 2023
Merged

docs: add apache reverse-proxy example #6213

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
1728e26
docs: apache reverse proxy
matifali Feb 14, 2023
3df101b
fixed to correctly pass WebSocket headers
matifali Feb 15, 2023
6be8c4e
Merge branch 'coder:main' into apache2-rev-proxy
matifali Feb 15, 2023
646c560
add a sample configuration file
matifali Feb 15, 2023
1706997
Merge branch 'apache2-rev-proxy' of https://github.com/matifali/coder…
matifali Feb 15, 2023
d533368
updating with suggestions
matifali Feb 15, 2023
c1ac6ec
Update coder.conf
matifali Feb 15, 2023
8780145
fix http to https redirection
matifali Feb 15, 2023
53772e6
fix: upgrade http to https
matifali Feb 15, 2023
93c948f
Update examples/web-server/apache/README.md
matifali Feb 15, 2023
61f5c99
add other dns providers documentation link
matifali Feb 15, 2023
a2c1676
Merge branch 'main' into apache2-rev-proxy
bpmct Feb 15, 2023
c87314f
Merge remote-tracking branch 'origin/main' into pr/matifali/6213
bpmct Feb 16, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/admin/configure.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,7 @@ subdomain that resolves to Coder (e.g. `*.coder.example.com`).
The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and accompanying configuration flags. However, Coder can also run behind a reverse-proxy to terminate TLS certificates from LetsEncrypt, for example.

- Example: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy)
- Apache: [Run Coder with Apache and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/apache)

## PostgreSQL Database

Expand Down
154 changes: 154 additions & 0 deletions examples/web-server/apache/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,154 @@
# How to use Apache as a reverse-proxy with LetsEncrypt

## Requirements

1. Start a Coder deployment and be sure to set the following [configuration values](https://coder.com/docs/v2/latest/admin/configure):

```console
CODER_HTTP_ADDRESS=127.0.0.1:3000
CODER_ACCESS_URL=https://coder.example.com
CODER_WILDCARD_ACCESS_URL=*coder.example.com
```

Throughout the guide, be sure to replace `coder.example.com` with the domain you intend to use with Coder.

2. Configure your DNS provider to point your coder.example.com and \*.coder.example.com to your server's public IP address.

> For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard.

3. Install Apache (assuming you're on Debian/Ubuntu):

```console
sudo apt install apache2
```

4. Enable the following Apache modules:

```console
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl
sudo a2enmod rewrite
```

5. Stop Apache service and disable default site:

```console
sudo a2dissite 000-default.conf
sudo systemctl stop apache2
```

## Install and configure LetsEncrypt Certbot

1. Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal&tab=wildcard). Be sure to pick the wildcard tab and select your DNS provider for instructions to install the necessary DNS plugin.

## Create DNS provider credentials

1. Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions:

- Zone - DNS - Edit

2. Create a file in `.secrets/certbot/cloudflare.ini` with the following content:

```ini
dns_cloudflare_api_token = YOUR_API_TOKEN
```

```console
mkdir -p ~/.secrets/certbot
touch ~/.secrets/certbot/cloudflare.ini
nano ~/.secrets/certbot/cloudflare.ini
```

3. Set the correct permissions:

```console
sudo chmod 600 ~/.secrets/certbot/cloudflare.ini
```

## Create the certificate

1. Create the wildcard certificate:

```console
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com
```

## Configure Apache

> This example assumes Coder is running locally on `127.0.0.1:3000` and that you're using `coder.example.com` as your subdomain.

1. Create Apache configuration for Coder:

```console
sudo nano /etc/apache2/sites-available/coder.conf
```

2. Add the following content:

```apache
# Redirect HTTP to HTTPS
<VirtualHost *:80>
ServerName coder.example.com
ServerAlias *.coder.example.com
Redirect permanent / https://coder.example.com/
</VirtualHost>

<VirtualHost *:443>
ServerName coder.example.com
ServerAlias *.coder.example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
ProxyRequests Off
ProxyPreserveHost On

RewriteEngine On
# Websockets are required for workspace connectivity
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]

SSLCertificateFile /etc/letsencrypt/live/coder.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/coder.example.com/privkey.pem
</VirtualHost>
```

> Don't forget to change: `coder.example.com` by your (sub)domain

3. Enable the site:

```console
sudo a2ensite coder.conf
```

4. Restart Apache:

```console
sudo systemctl restart apache2
```

## Refresh certificates automatically

1. Create a new file in `/etc/cron.weekly`:

```console
sudo touch /etc/cron.weekly/certbot
```

2. Make it executable:

```console
sudo chmod +x /etc/cron.weekly/certbot
```

3. And add this code:

```sh
#!/bin/sh
sudo certbot renew -q
```

And that's it, you should now be able to access Coder at your sub(domain) e.g. `https://coder.example.com`.
28 changes: 28 additions & 0 deletions examples/web-server/apache/coder.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
<VirtualHost *:80>
ServerName coder.example.com
ServerAlias *.coder.example.com
<Location "/">
Redirect permanent "https://%{HTTP_HOST}%{REQUEST_URI}"
</Location>
</VirtualHost>

<VirtualHost *:443>
ServerName coder.example.com
ServerAlias *.coder.example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
ProxyRequests Off
ProxyPreserveHost On

RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]

SSLCertificateFile /etc/letsencrypt/live/coder.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/coder.example.com/privkey.pem
</VirtualHost>