How can I reverse proxy FBox?

Hi

I am running FBox inside Virtualbox, it all works. Now I want to proxy web services via Apache running on the host.

I have set up a subdomain for it, obtained LE certs on the host machine and added the lines below to a dedicated vhost.

I am also running it under a NAT network in VirtualBox, so I forwarded :80 as 30080 to the host; therefore you see these lines:

  ProxyPass / http://127.0.0.1:30080/
  ProxyPassReverse / http://127.0.0.1:30080/
  RequestHeader set X-Forwarded-Proto "https"

It does not work. I am wondering if such a setup is possible? I already have a webserver running so my 443 and 80 are already taken. That is why I am trying to proxy it.

thanks

Any recommendations?

Looking at this setup, I understand why you want to use FreedomBox with HTTP only. My solution in the other thread should do that job.

So, I don’t see major issues with why this setup would not work. I tried this and it worked as follows:

On Host machine:

$ apt install apache2
$ a2enmod proxy
$ a2enmod proxy_http
$ a2enmod headers
$ cat /etc/apache2/conf-available/proxy.conf
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost on
$ a2enconf proxy
$ systemctl restart apache2

On FreedomBox:

$ a2dissite plinth-ssl
$ systemctl restart apache2
$ vi /etc/plinth/plinth.conf    # set use_x_forwarded_host = False
$ systemctl restart plinth

On browser:

http://localhost/plinth/

(worked)

I haven’t evaluated the security implications of setting use_x_forwarded_host = False. So, do your own research on that.

Hi

Thanks for the reply. Well, I have some progress, but I am hitting this issue when I try to log in (before, I was not even able to load the login page at all):


Forbidden (403)

CSRF verification failed. Request aborted.


Would you please try setting ProxyPreserveHost yes in both Apache configurations? For FreedomBox it should be in /etc/apache2/sites-enabled/plinth.conf, I think.

Hi

Thanks for the help, so far that works. I think this should be in the official wiki, I am pretty sure many people might want to proxy it.

If you are interested in contributing this piece to the official wiki, please feel free to edit the page /FreedomBox/Hardware/VirtualBox. Someone can always review the changes.

Ditto, but I didn’t want my existing webserver to do the SSL handoff, i.e. I wanted Let’s Encrypt to just work on both my webserver and freedombox independently. It turns out this is called “SNI pass through” and is deceptively simple with nginx-full on Debian:

/etc/nginx/modules-enabled/99-sni.conf

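stream {
        map_hash_bucket_size 64;
        # Choose the upstream from the server name in the TLS ClientHello (SNI)
        map $ssl_preread_server_name $name {
                freedombox.emorrp1.name freedombox.emorrp1.name;
                default                 localhost;
        }

        server {
                # Listen on the external name only; the local webserver keeps localhost:443
                listen debian.emorrp1.name:443;
                # Read the ClientHello without terminating TLS
                ssl_preread on;
                # A resolver is needed because proxy_pass uses a variable
                resolver localhost;
                proxy_pass $name:443;
        }
}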

Literally the only change I had to make to my existing webserver config was to change listen 443 ssl lines to not bind to the external ip: listen localhost:443 ssl.