2

I've got Apache OpenMeetings 4.0.4 with Apache/2.2.22 as proxy.

In OM's conf/red5.properties I've got

http.port=8080

I want to do two things:

  1. Redirect HTTP (80) -> HTTPS (443)

  2. Redirect HTTP (8080) to HTTPS (443)

My /etc/apache2/sites-available/default conf is:

<VirtualHost *:80>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:8080>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

My /etc/apache2/sites-available/default-ssl conf is:

<VirtualHost *:443>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

    SSLEngine On
    SSLCertificateFile /etc/apache2/certs/collaboration.crt
    SSLCertificateKeyFile /etc/apache2/certs/collaboration.key
    SSLCertificateChainFile /etc/apache2/certs/chain.pem
</VirtualHost>

When I type http://domain.test-test.eu/ it redirects me to https://domain.test-test.eu.

When I type http://192.168.XXX.YYY it redirects me to https://192.168.XXX.YYY

But when I type http://192.168.XXX.YYY:8080 or http://domain.test-test.eu:8080 it doesn't redirect me to https://192.168.XXX.YYY or https://domain.test-test.eu/. The page opens up (without HTTPS).

The second problem is that in OM's log I can see CSRF info and I can't log in through HTTPS.

Info from OM's log:

[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, Origin: https://192.168.XXX.YYY, action: aborted with error 400 Origin does not correspond to request

How should I change Apache settings to make it work?

Thor1990

3 Answers

1

I'm afraid it would be impossible to set up "Redirect HTTP (8080) to HTTPS (443)"

In case you are running OpenMeetings on port 8080, you can't use it for Apache and vice versa. Internet port should be exclusively used by OM or Apache, not both.

I would close port 8080 on FW level to deny direct access to OM. (And please remove the rule for <VirtualHost *:8080>, otherwise OM will fail to start with a "Port already in use" message.)

Now according to CSRF:

You need to modify conf/jee-container.xml and add the following property

<property name="secure" value="true" />

to the <!-- Tomcat without SSL enabled --> block, right before <property name="connectionProperties">

This should fix your issue

BUT OpenMeetings will not work with this config ....

Cause you also need to proxy WebSockets ....

So you additionally need mod_rewrite and mod_proxy_wstunnel

Then you need to add the following section:

RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:8080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings

Additionally you might want to perform tunneling for your RTMP traffic, this will require special rules for open, send, idle and close

Below is the final configuration for Apache 2.4:

<VirtualHost *:443>
  ServerName domain.test-test.eu

  ## Vhost docroot
  DocumentRoot "/var/www/"

  ## Directories, there should at least be a declaration for /var/www/

  <Directory "/var/www/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/apache2/domain.test-test.eu-ssl-error.log"
  ServerSignature Off
  CustomLog "/var/log/apache2/domain.test-test.eu.http_access.log" combined

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/_certs_path_/domain.test-test.eu/fullchain.pem"
  SSLCertificateKeyFile   "/_certs_path_/domain.test-test.eu/privkey.pem"
  SSLCACertificatePath    "/_CA_certs_path_"

###      OpenMeetings    ###
## Custom fragment
RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) ws://localhost:5080/$1 [P,L]
RedirectMatch ^/$ https://domain.test-test.eu/openmeetings
ProxyPreserveHost On

<Location /openmeetings>
  Require all granted      
  ProxyPass http://localhost:5080/openmeetings
  ProxyPassReverse http://localhost:5080/openmeetings
  RewriteEngine On
  RewriteRule ^/(.*) http://localhost:5080/$1 [P]
</Location>
<Location /open>
  Require all granted
  ProxyPass http://localhost:5080/open
  ProxyPassReverse http://localhost:5080/open
</Location>
<Location /send>
  Require all granted
  ProxyPass http://localhost:5080/send
  ProxyPassReverse http://localhost:5080/send
</Location>
<Location /idle>
  Require all granted
  ProxyPass http://localhost:5080/idle
  ProxyPassReverse http://localhost:5080/idle
</Location>
<Location /close>
  Require all granted
  ProxyPass http://localhost:5080/close
  ProxyPassReverse http://localhost:5080/close
</Location>

</VirtualHost>

Works for me as expected :)

  • Hi, thanks for your info. I've added the property you gave me and I don't get the CSRF error anymore. But now, when I log in, nothing (except two spinning dots) appears. The log shows only info about the user. https://ibb.co/f1CNap – Thor1990 Aug 10 '18 at 10:06
  • It seems that on apache2 (2.2.22) there is no mod_proxy_wstunnel, so I'll have to compile it manually to make the config you gave me work... – Thor1990 Aug 10 '18 at 10:45
  • OpenMeetings requires WebSockets, so you have to proxy both HTTP and WebSocket traffic .... – Maxim Solodovnik Aug 10 '18 at 10:58
  • I've upgraded Apache to version 2.4.7 along with the required dependencies (from .deb) - the server doesn't have access to the Internet. Mods mod_proxy_wstunnel and mod_rewrite are enabled. Apache configuration is configured as you wrote ('default' file). 'default-ssl' file is like I wrote. And the web panel is still not showing up... I'm already tired of OM. Do you have any ideas what should be configured yet? – Thor1990 Aug 10 '18 at 12:26
  • Actually this "Apache configuration is configured as you wrote ('default' file). 'default-ssl' file is like I wrote." makes no sense. All config should go to default-ssl (or whatever). OM is free software, you can tune it yourself, or hire someone who is less tired :))) – Maxim Solodovnik Aug 11 '18 at 06:34
  • Maxim, could you send me an Apache configuration which would work? – Thor1990 Aug 13 '18 at 06:40
  • I am facing the same issue: I am not able to log in in Chrome, while it works fine in Firefox. I am using OpenMeetings 5.0.0-M2, and the configuration files are different here. I am doing proxypass via nginx; how should I do this using nginx? Please suggest. – Diksha Sep 13 '19 at 10:16
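
The "Possible CSRF attack" line in the question records both the URL the backend believes it served and the Origin the browser sent, so the cause can be read off mechanically. The following is an added example, not part of the original posts and not OpenMeetings or Wicket code; it assumes the check compares scheme, host and port, and its second log line is constructed.

```python
import re
from urllib.parse import urlsplit

# Log line from the question (address masked as on the page).
PAGE_LINE = (
    "[http-nio-0.0.0.0-8080-exec-10] INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - "
    "Possible CSRF attack, request URL: http://192.168.XXX.YYY/openmeetings/wicket/"
    "bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage, "
    "Origin: https://192.168.XXX.YYY, action: aborted with error 400 "
    "Origin does not correspond to request")
# Constructed line: what the backend would log if the proxy also rewrote the Host header.
CONSTRUCTED_LINE = (
    "INFO o.a.w.p.h.CsrfPreventionRequestCycleListener - Possible CSRF attack, "
    "request URL: http://localhost:8080/openmeetings/signin, "
    "Origin: https://domain.test-test.eu, action: aborted with error 400")

LINE_RE = re.compile(r"request URL: (?P<url>\S+), Origin: (?P<origin>\S+),")
DEFAULT_PORT = {"http": 80, "https": 443}

def origin_tuple(value):
    """Reduce a URL or Origin header to (scheme, host, port), filling in default ports."""
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORT.get(scheme)

def hint(differs):
    """Map the differing components to the proxy setting discussed in this thread."""
    if "host" in differs:
        return "Host rewritten by the proxy: set ProxyPreserveHost On"
    if "scheme" in differs:
        return "TLS ends at Apache: mark the OM connector secure in conf/jee-container.xml"
    if "port" in differs:
        return "client reached a different port than the backend reports"
    return "origins match"

def diagnose(line):
    """Return the backend/browser origins and what differs, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    backend = origin_tuple(m.group("url"))     # what the backend thinks was requested
    browser = origin_tuple(m.group("origin"))  # what the browser actually used
    differs = [n for n, a, b in zip(("scheme", "host", "port"), backend, browser) if a != b]
    return {"backend": backend, "browser": browser, "differs": differs, "hint": hint(differs)}

if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_LINE):
        print(diagnose(sample))
```

For the line from the question only the scheme (and with it the default port) differs, which matches a TLS-terminating proxy in front of a plain-HTTP connector.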
0

In 'default' file I have:

<VirtualHost *:80>
    ServerName domain.test-test.eu
    ServerAlias domain.test-test.eu

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

So when somebody types http://domain.test-test.eu it'll redirect them to https://domain.test-test.eu

My 'default-ssl' file is almost exactly the same as yours (I'm using 8080/tcp for OM). And I'm using self-signed certificates for OM (for now they're not signed for CN=domain.test-test.eu but for CN=testname.eu - I'll change it after OM works).

Unfortunately this config doesn't work. I can see two black dots spinning around. May it be because of outdated browsers (FF has version 52.4.1 and Chromium 51.0.2704.79) or a wrong site certificate?

Thor1990
  • Ok! I'm on vacation now so I can check this next week. Could you send me a screenshot of the Administration -> Configuration page in the GUI? It seems that I have something wrong in the configuration but I have to find it somehow... – Thor1990 Aug 15 '18 at 21:38
0

The Apache config given by Maxim is working. Thank you Maxim!

Thor1990