LT behind a Proxy

Hello, has anyone had success running LibreTime behind a proxy, like Apache or nginx? Ideas and experiences welcome!

Hello,
yes, running LibreTime behind a proxy works.
In our case, we have 3 instances of LibreTime running in 3 LXC containers behind proxies driven by Apache (see the example vhosts below).
The only problem that remains in our configuration is that with HTTPS, the content on the home page is not shown:
Blocage du chargement du contenu mixte actif (mixed active content) http://ourdomain.org/embed/weekly-program?style=premium
Blocage du chargement du contenu mixte actif (mixed active content) http://ourdomain.org/embed/player?stream=auto&style=premium

So for typical vhosts :

       <VirtualHost ourip:80>

       ServerAdmin root@ourdomain.org
       ServerName airX.ourdomain.org

       ErrorLog ${APACHE_LOG_DIR}/airX-error.log
       CustomLog ${APACHE_LOG_DIR}/airX-access.log combined

         ProxyPreserveHost       On
         ProxyRequests           Off

         ProxyPass / http://10.0.3.188/
         ProxyPassReverse / http://10.0.3.188/

       <Proxy *>
               Order deny,allow
               Allow from all
       </Proxy>

       RewriteEngine on
       RewriteCond %{SERVER_NAME} =ourdomain.org
       RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
       </VirtualHost>

and

       <IfModule mod_ssl.c>
       <VirtualHost  ourip:443>
       ServerAdmin root@ourdomain.org
       ServerName airX.ourdomain.org

       ErrorLog ${APACHE_LOG_DIR}/airX-error.log
       CustomLog ${APACHE_LOG_DIR}/airX-access.log combined

       ProxyPreserveHost       On
       ProxyRequests           Off
       ProxyPass /  http://10.0.3.188/
       ProxyPassReverse / http://10.0.3.188/

       <Proxy *>
               Order deny,allow
               Allow from all
       </Proxy>
       SSLEngine on
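       # The SSLProxy* directives apply only when the backend URL is https://;
       # the backend in ProxyPass above is plain http://.
       SSLProxyEngine On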
       SSLProxyVerify none
       SSLProxyCheckPeerCN off
       SSLProxyCheckPeerName off
       SSLProxyCheckPeerExpire off

       Include /etc/letsencrypt/options-ssl-apache.conf
       SSLCertificateFile /etc/letsencrypt/live/airX.ourdomain.org/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/airX.ourdomain.org/privkey.pem
       </VirtualHost>
       </IfModule>

The Let’s Encrypt SSL certificates remain on the first-level server; you can use a wildcard certificate to have only one for all the containers and subdomains.

++
b

Thanks!
Are you sure that you need the SSLProxy* directives? I don’t see why…

I can’t get it to work, have to look deeper. When I try to log in to LT through the proxy, I get the “Oops something went wrong” page after sending username and password…

Hi,
not sure about the SSLProxy* directives, I’m not an Apache expert.

When I try to log in to LT through the proxy, I get the “Oops something went wrong” page after sending username and password…

So it must mean that your proxy configuration works :)

The “Oops something went wrong” page is an error 500 from the server. It can have many causes; maybe have a look at the Apache and Airtime logs (zend, rabbitmq and more): http://libretime.org/manual/troubleshooting/

My problem so far was the allowed CORS URLs. I’ve had to add the proxy host, makes sense. So, actually, the only thing needed in apache.conf for a reverse proxy seems to be:

       ProxyPass /  http://my_internal_ip/
       ProxyPassReverse / http://my_internal_ip/

Next step is to add SSL…

The reason for mixed content warnings when using SSL comes from
application/views/scripts/index/index.phtml

$this->stationUrl returns the internal URL of the server behind the proxy. Unless you use SSL also behind the proxy, you’ll have http here instead of https.
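
A check for the mixed-content condition described in the post above, as an added example that is not part of the original thread or LibreTime's code: it parses a page delivered over HTTPS and lists subresources still referenced over plain http://, marking iframes and scripts as active content (the kind the browser blocks). The sample HTML is constructed from the URLs quoted in the thread, and the helper names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs browsers treat as active mixed content (blocked) and as
# passive/display mixed content; a deliberately short list for this example.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in ACTIVE:
                kind = "active"
            elif (tag, name) in PASSIVE:
                kind = "passive"
            else:
                continue
            # Resolve relative and scheme-relative (//host/path) references first.
            url = urljoin(self.page_url, value or "")
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    """Return insecure subresources referenced by a page delivered over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample: home page as served through the HTTPS vhost, with embed
# URLs built from the backend's plain-HTTP station URL.
SAMPLE = """<html><body>
<iframe src="http://ourdomain.org/embed/player?stream=auto&amp;style=premium"></iframe>
<iframe src="http://ourdomain.org/embed/weekly-program?style=premium"></iframe>
<script src="/js/app.js"></script>
<img src="//ourdomain.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://ourdomain.org/", SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Running it against the HTML fetched through the HTTPS vhost after a configuration change shows whether the embed URLs are still emitted with the http scheme.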

Yeah there is a feature request to fix this - https://github.com/LibreTime/libretime/issues/515
The main challenge is that LibreTime is being developed by a lot of developers that have other projects and we just do what we can to fix things in our free time.