From 1728e2652d46e5ec6f366f9e77f4ae37a4d71080 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 01:02:50 +0300 Subject: [PATCH 1/9] docs: apache reverse proxy --- docs/admin/configure.md | 1 + examples/web-server/apache/README.md | 120 +++++++++++++++++++++++++++ 2 files changed, 121 insertions(+) create mode 100644 examples/web-server/apache/README.md diff --git a/docs/admin/configure.md b/docs/admin/configure.md index ea28afaa403ef..91b92dd065a05 100644 --- a/docs/admin/configure.md +++ b/docs/admin/configure.md @@ -47,6 +47,7 @@ subdomain that resolves to Coder (e.g. `*.coder.example.com`). The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and accompanying configuration flags. However, Coder can also run behind a reverse-proxy to terminate TLS certificates from LetsEncrypt, for example. - Example: [Run Coder with Caddy and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/caddy) +- Apache: [Run Coder with Apache and LetsEncrypt](https://github.com/coder/coder/tree/main/examples/web-server/apache) ## PostgreSQL Database diff --git a/examples/web-server/apache/README.md b/examples/web-server/apache/README.md new file mode 100644 index 0000000000000..4e5fa1e884678 --- /dev/null +++ b/examples/web-server/apache/README.md @@ -0,0 +1,120 @@ +# How to use Apache as a reverse-proxy with LetsEncrypt + +## Requirements + +1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/v2/latest/admin/configure#wildcard-access-url) for more information. + +2. Configure your DNS provider to point your YOUR_SUBDOMAIN and \*.YOUR_SUBDOMAIN to your server's public ip. + + > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard. + +3. Install Apache (assuming you're on Debian/Ubuntu): + + ```console + sudo apt install apache2 + ``` + +4. Stop Apache service and disable default site: + + ```console + sudo a2dissite 000-default.conf + sudo systemctl stop apache2 + ``` + +## Install and configure LetsEncrypt Certbot + +1. Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) + +## Create DNS provider credentials + +1. Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: + + - Zone - DNS - Edit + +2. Create a file in `.secrets/certbot/cloudflare.ini` with the following content: + + ```ini + dns_cloudflare_api_token = YOUR_API_TOKEN + ``` + +3. Set the correct permissions: + + ```console + sudo chmod 600 ~/.secrets/certbot/cloudflare.ini + ``` + +## Create the certificate + +1. Create the wildcard certificate: + + ```console + sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com + ``` + +## Configure Apache + +> This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. + +1. Create Apache configuration for Coder: + + ```console + sudo nano /etc/apache2/sites-available/coder.conf + ``` + +2. Add the following content: + + ```apache + + ServerName YOUR_SUBDOMAIN + ServerAlias *.YOUR_SUBDOMAIN + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + ProxyPass / http://127.0.0.1:3000/ + ProxyPassReverse / http://127.0.0.1:3000/ + ProxyRequests Off + ProxyPreserveHost On + + # SSL configuration + SSLCertificateFile /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem + + ``` + + > Don't forget to change: + > `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` + +3. Enable the site: + + ```console + sudo a2ensite coder.conf + ``` + +4. Restart Apache: + + ```console + sudo systemctl restart apache2 + ``` + +## Refresh certificates automatically + +1. Create a new file in `/etc/cron.weekly`: + + ```console + sudo touch /etc/cron.weekly/certbot + ``` + +2. Make it executable: + + ```console + sudo chmod +x /etc/cron.weekly/certbot + ``` + +3. And add this code: + + ```sh + #!/bin/sh + sudo certbot renew -q + ``` + +And that's it, you should now be able to access Coder at `https://YOUR_SUBDOMAIN`! From 3df101b6d548860c779e7f1339385adc608b24f2 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 09:11:40 +0300 Subject: [PATCH 2/9] fixed to correctly pass WebSocket headers --- examples/web-server/apache/README.md | 41 ++++++++++++++++++---------- 1 file changed, 27 insertions(+), 14 deletions(-) diff --git a/examples/web-server/apache/README.md b/examples/web-server/apache/README.md index 4e5fa1e884678..f2c134d563b7e 100644 --- a/examples/web-server/apache/README.md +++ b/examples/web-server/apache/README.md @@ -14,7 +14,16 @@ sudo apt install apache2 ``` -4. Stop Apache service and disable default site: +4. Enable the following Apache modules: + + ```console + sudo a2enmod proxy + sudo a2enmod proxy_http + sudo a2enmod ssl + sudo a2enmod rewrite + ``` + +5. Stop Apache service and disable default site: ```console sudo a2dissite 000-default.conf @@ -65,19 +74,23 @@ ```apache - ServerName YOUR_SUBDOMAIN - ServerAlias *.YOUR_SUBDOMAIN - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined - - ProxyPass / http://127.0.0.1:3000/ - ProxyPassReverse / http://127.0.0.1:3000/ - ProxyRequests Off - ProxyPreserveHost On - - # SSL configuration - SSLCertificateFile /etc/letsencrypt/live/YOUR_SUBDOMAIN/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_SUBDOMAIN/privkey.pem + ServerName dev.dietstyler.com + ServerAlias *.dev.dietstyler.com + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + ProxyPass / http://127.0.0.1:3000/ + ProxyPassReverse / http://127.0.0.1:3000/ + ProxyRequests Off + ProxyPreserveHost On + + RewriteEngine On + RewriteCond %{HTTP:Connection} Upgrade [NC] + RewriteCond %{HTTP:Upgrade} websocket [NC] + RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L] + + SSLCertificateFile /etc/letsencrypt/live/dev.dietstyler.com/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/dev.dietstyler.com/privkey.pem ``` From 646c56065bfa78015b1a57b9de0176b6a8496f20 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 09:56:34 +0300 Subject: [PATCH 3/9] add a sample configuration file --- examples/web-server/apache/coder.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 examples/web-server/apache/coder.conf diff --git a/examples/web-server/apache/coder.conf b/examples/web-server/apache/coder.conf new file mode 100644 index 0000000000000..492785baa08e5 --- /dev/null +++ b/examples/web-server/apache/coder.conf @@ -0,0 +1,19 @@ + + ServerName YOUR_SUBDOMAIN # e.g. dev.coder.com + ServerAlias *.YOUR_SUBDOMAIN # e.g. *.dev.coder.com + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + ProxyPass / http://127.0.0.1:3000/ + ProxyPassReverse / http://127.0.0.1:3000/ + ProxyRequests Off + ProxyPreserveHost On + + RewriteEngine On + RewriteCond %{HTTP:Connection} Upgrade [NC] + RewriteCond %{HTTP:Upgrade} websocket [NC] + RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L] + + SSLCertificateFile /etc/letsencrypt/live/dev.dietstyler.com/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/dev.dietstyler.com/privkey.pem + From d5333686f7dd7fc8c7342e98bf5b6dcb2177053e Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 16:41:24 +0300 Subject: [PATCH 4/9] updating with suggestions --- examples/web-server/apache/README.md | 35 +++++++++++++++++++--------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/examples/web-server/apache/README.md b/examples/web-server/apache/README.md index f2c134d563b7e..1d793622b5a2d 100644 --- a/examples/web-server/apache/README.md +++ b/examples/web-server/apache/README.md @@ -2,9 +2,17 @@ ## Requirements -1. Start a Coder deployment with a wildcard subdomain. See [this guide](https://coder.com/docs/v2/latest/admin/configure#wildcard-access-url) for more information. +1. Start a Coder deployment and be sure to set the following [configuration values](https://coder.com/docs/v2/latest/admin/configure): -2. Configure your DNS provider to point your YOUR_SUBDOMAIN and \*.YOUR_SUBDOMAIN to your server's public ip. + ```console + CODER_HTTP_ADDRESS=127.0.0.1:3000 + CODER_ACCESS_URL=https://coder.example.com + CODER_WILDCARD_ACCESS_URL=*coder.example.com + ``` + + Throughout the guide, be sure to replace `coder.example.com` with the domain you intend to use with Coder. + +2. Configure your DNS provider to point your coder.example.com and \*.coder.example.com to your server's public IP address. > For example, to use `coder.example.com` as your subdomain, configure `coder.example.com` and `*.coder.example.com` to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard. @@ -32,7 +40,7 @@ ## Install and configure LetsEncrypt Certbot -1. Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=other&os=pip&tab=wildcard) +1. Install LetsEncrypt Certbot: Refer to the [CertBot documentation](https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal&tab=wildcard). Be sure to pick the wildcard tab and select your DNS provider for instructions to install the necessary DNS plugin. ## Create DNS provider credentials @@ -46,6 +54,12 @@ dns_cloudflare_api_token = YOUR_API_TOKEN ``` + ```console + mkdir -p ~/.secrets/certbot + touch ~/.secrets/certbot/cloudflare.ini + nano ~/.secrets/certbot/cloudflare.ini + ``` + 3. Set the correct permissions: ```console @@ -62,7 +76,7 @@ ## Configure Apache -> This example assumes Coder is running locally on `127.0.0.1:3000` for the subdomain `YOUR_SUBDOMAIN` e.g. `coder.example.com`. +> This example assumes Coder is running locally on `127.0.0.1:3000` and that you're using `coder.example.com` as your subdomain. 1. Create Apache configuration for Coder: @@ -74,8 +88,8 @@ ```apache - ServerName dev.dietstyler.com - ServerAlias *.dev.dietstyler.com + ServerName coder.example.com + ServerAlias *.coder.example.com ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined @@ -89,13 +103,12 @@ RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L] - SSLCertificateFile /etc/letsencrypt/live/dev.dietstyler.com/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/dev.dietstyler.com/privkey.pem + SSLCertificateFile /etc/letsencrypt/live/coder.example.com/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/coder.example.com/privkey.pem ``` - > Don't forget to change: - > `YOUR_SUBDOMAIN` by your (sub)domain e.g. `coder.example.com` + > Don't forget to change: `coder.example.com` by your (sub)domain 3. Enable the site: @@ -130,4 +143,4 @@ sudo certbot renew -q ``` -And that's it, you should now be able to access Coder at `https://YOUR_SUBDOMAIN`! +And that's it, you should now be able to access Coder at your sub(domain) e.g. `https://coder.example.com`. From c1ac6ec6cfd351b2587e77c6a0afc1e6a9ac962a Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 16:42:27 +0300 Subject: [PATCH 5/9] Update coder.conf --- examples/web-server/apache/coder.conf | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/examples/web-server/apache/coder.conf b/examples/web-server/apache/coder.conf index 492785baa08e5..b9d0173db476e 100644 --- a/examples/web-server/apache/coder.conf +++ b/examples/web-server/apache/coder.conf @@ -1,6 +1,6 @@ - ServerName YOUR_SUBDOMAIN # e.g. dev.coder.com - ServerAlias *.YOUR_SUBDOMAIN # e.g. *.dev.coder.com + ServerName coder.example.com + ServerAlias *.coder.example.com ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined @@ -14,6 +14,7 @@ RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L] - SSLCertificateFile /etc/letsencrypt/live/dev.dietstyler.com/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/dev.dietstyler.com/privkey.pem + SSLCertificateFile /etc/letsencrypt/live/coder.example.com/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/coder.example.com/privkey.pem + From 87801455e57e237cadfe1660e75e06961281ca42 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 16:45:24 +0300 Subject: [PATCH 6/9] fix http to https redirection --- examples/web-server/apache/README.md | 7 +++++++ examples/web-server/apache/coder.conf | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/examples/web-server/apache/README.md b/examples/web-server/apache/README.md index 1d793622b5a2d..5204965f4d7e3 100644 --- a/examples/web-server/apache/README.md +++ b/examples/web-server/apache/README.md @@ -87,6 +87,13 @@ 2. Add the following content: ```apache + # Redirect HTTP to HTTPS + + ServerName coder.example.com + ServerAlias *.coder.example.com + Redirect permanent / https://coder.example.com/ + + ServerName coder.example.com ServerAlias *.coder.example.com diff --git a/examples/web-server/apache/coder.conf b/examples/web-server/apache/coder.conf index b9d0173db476e..dd5090537a45f 100644 --- a/examples/web-server/apache/coder.conf +++ b/examples/web-server/apache/coder.conf @@ -1,3 +1,9 @@ + + ServerName coder.example.com + ServerAlias *.coder.example.com + Redirect permanent / https://coder.example.com/ + + ServerName coder.example.com ServerAlias *.coder.example.com From 53772e6ed11a34d7f90ab4c966e9de7187548449 Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 16:48:25 +0300 Subject: [PATCH 7/9] fix: upgrade http to https --- examples/web-server/apache/coder.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/web-server/apache/coder.conf b/examples/web-server/apache/coder.conf index dd5090537a45f..0961d44ff5a23 100644 --- a/examples/web-server/apache/coder.conf +++ b/examples/web-server/apache/coder.conf @@ -1,7 +1,9 @@ ServerName coder.example.com ServerAlias *.coder.example.com - Redirect permanent / https://coder.example.com/ + + Redirect permanent "https://%{HTTP_HOST}%{REQUEST_URI}" + From 93c948f64c94ff2c2f8cee33d4d307c5d545b1bc Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 17:34:09 +0300 Subject: [PATCH 8/9] Update examples/web-server/apache/README.md Co-authored-by: Ben Potter --- examples/web-server/apache/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/examples/web-server/apache/README.md b/examples/web-server/apache/README.md index 5204965f4d7e3..c1f2ecfb10077 100644 --- a/examples/web-server/apache/README.md +++ b/examples/web-server/apache/README.md @@ -106,6 +106,7 @@ ProxyPreserveHost On RewriteEngine On + # Websockets are required for workspace connectivity RewriteCond %{HTTP:Connection} Upgrade [NC] RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L] From 61f5c99533b62e812fbb13c390583b2ef0d065ce Mon Sep 17 00:00:00 2001 From: Muhammad Atif Ali Date: Wed, 15 Feb 2023 20:47:32 +0300 Subject: [PATCH 9/9] add other dns providers documentation link --- examples/web-server/apache/README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/web-server/apache/README.md b/examples/web-server/apache/README.md index c1f2ecfb10077..854f9cdaa6efa 100644 --- a/examples/web-server/apache/README.md +++ b/examples/web-server/apache/README.md @@ -44,7 +44,9 @@ ## Create DNS provider credentials -1. Create an API token for the DNS provider you're using: e.g [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: +> This example assumes you're using CloudFlare as your DNS provider. For other providers, refer to the [CertBot documentation](https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins). + +1. Create an API token for the DNS provider you're using: e.g. [CloudFlare](https://dash.cloudflare.com/profile/api-tokens) with the following permissions: - Zone - DNS - Edit