mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-22 17:26:03 +03:00
[docs] Update Apache2 HTTP Server docs for websockets (#934)
This commit is contained in:
parent
c0a2d702a3
commit
972bd17aaa
1 changed files with 49 additions and 45 deletions
|
@ -1,8 +1,9 @@
|
||||||
# Reverse proxy with Apache httpd
|
# Reverse proxy with Apache HTTP Server
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
For this you will need Apache httpd server.
|
For this you will need the Apache HTTP Server.
|
||||||
|
|
||||||
That is a fairly popular package so your distro will probably have it.
|
That is a fairly popular package so your distro will probably have it.
|
||||||
|
|
||||||
### Ubuntu
|
### Ubuntu
|
||||||
|
@ -23,10 +24,19 @@ sudo pacman -S apache
|
||||||
sudo zypper install apache2
|
sudo zypper install apache2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Install modules
|
||||||
|
|
||||||
|
You'll also need to install additional modules for Apache HTTP Server. You can do that with the following command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo a2enmod proxy_http md ssl headers proxy_wstunnel
|
||||||
|
```
|
||||||
|
|
||||||
## Configure GoToSocial
|
## Configure GoToSocial
|
||||||
|
|
||||||
In your GoToSocial config turn off letsencrypt.
|
We're going to have Apache handle LetsEncrypt certificates, so you need to turn off built-in LetsEncrypt support in your GoToSocial config.
|
||||||
First open the file in your text editor.
|
|
||||||
|
First open the file in your text editor:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudoedit /gotosocial/config.yaml
|
sudoedit /gotosocial/config.yaml
|
||||||
|
@ -42,42 +52,57 @@ sudo systemctl restart gotosocial.service
|
||||||
|
|
||||||
Or if you don't have a systemd service just restart it manually.
|
Or if you don't have a systemd service just restart it manually.
|
||||||
|
|
||||||
## Set up Apache httpd
|
## Set up Apache HTTP Server with LetsEncrypt SSL
|
||||||
|
|
||||||
First we will set up Apache httpd to serve GoToSocial as unsecured http and then later use certbot to automatically upgrade to https.
|
Now we'll configure Apache HTTP Server to serve GoToSocial requests.
|
||||||
Please do not try to use it until that's done or you'll be transmitting passwords over clear text.
|
|
||||||
|
|
||||||
First we'll write a configuration for Apache httpd and put it in `/etc/apache2/sites-available`.
|
First we'll write a configuration for Apache HTTP Server and put it in `/etc/apache2/sites-available`:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo mkdir /etc/apache2/sites-available/
|
sudo mkdir -p /etc/apache2/sites-available/
|
||||||
sudoedit /etc/apache2/sites-available/yourgotosocial.url.conf
|
sudoedit /etc/apache2/sites-available/example.com.conf
|
||||||
```
|
```
|
||||||
|
|
||||||
|
In the above `sudoedit` command, replace `example.com` with the hostname of your GoToSocial server.
|
||||||
|
|
||||||
The file you're about to create should look a bit like this:
|
The file you're about to create should look a bit like this:
|
||||||
|
|
||||||
```apache
|
```apache
|
||||||
<VirtualHost *:80>
|
MDomain example.com auto
|
||||||
|
MDCertificateAgreement accepted
|
||||||
|
<VirtualHost *:80 >
|
||||||
ServerName example.com
|
ServerName example.com
|
||||||
|
</VirtualHost>
|
||||||
|
<VirtualHost *:443>
|
||||||
|
ServerName example.com
|
||||||
|
SSLEngine On
|
||||||
ProxyPreserveHost On
|
ProxyPreserveHost On
|
||||||
|
ProxyPassMatch ^/(api/v1/streaming.*)$ ws://localhost:8080/$1
|
||||||
ProxyPass / http://localhost:8080/
|
ProxyPass / http://localhost:8080/
|
||||||
ProxyPassReverse / http://localhost:8080/
|
ProxyPassReverse / http://localhost:8080/
|
||||||
|
RequestHeader set "X-Forwarded-Proto" expr=https
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
```
|
```
|
||||||
|
|
||||||
**Note***: `ProxyPreserveHost On` is essential: It guarantees that the proxy and the gotosocial speak of the same Server name. If not, gotosocial will build the wrong authentication headers, and all attempts at federation will be rejected with 401.
|
Again, replace occurrences of `example.com` in the above config file with the hostname of your GtS server. If your domain name is `gotosocial.example.com`, then `gotosocial.example.com` would be the correct value.
|
||||||
|
|
||||||
Change `ProxyPass` to the ip and port that you're actually serving GoToSocial on and change `ServerName` to your own domain name.
|
You should also change `http://localhost:8080` to the correct address and port of your GtS server. For example, if you're running GoToSocial on another machine with the local ip of `192.168.178.69` and on port `8080` then `http://192.168.178.69:8080/` would be the correct value.
|
||||||
If your domain name is `gotosocial.example.com` then `ServerName gotosocial.example.com;` would be the correct value.
|
|
||||||
If you're running GoToSocial on another machine with the local ip of 192.168.178.69 and on port 8080 then `ProxyPass / http://192.168.178.69:8080/` would be the correct value.
|
|
||||||
|
|
||||||
Next we'll need to link the file we just created to the folder that Apache httpd reads configurations for active sites from.
|
`ProxyPreserveHost On` is essential: It guarantees that the proxy and the GoToSocial speak of the same Server name. If not, GoToSocial will build the wrong authentication headers, and all attempts at federation will be rejected with 401 Unauthorized.
|
||||||
|
|
||||||
|
The line `ProxyPassMatch ^/(api/v1/streaming.*)$ ws://localhost:8080/$1` ensures that Websocket streaming connections also work. See the [websocket](./websocket.md) document for more information on this.
|
||||||
|
|
||||||
|
Save and close the config file.
|
||||||
|
|
||||||
|
Now we'll need to link the file we just created to the folder that Apache HTTP Server reads configurations for active sites from.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo mkdir /etc/apache2/sites-enabled
|
sudo mkdir /etc/apache2/sites-enabled
|
||||||
sudo ln -s /etc/apache2/sites-available/yourgotosocial.url.conf /etc/apache2/sites-enabled/
|
sudo ln -s /etc/apache2/sites-available/example.com.conf /etc/apache2/sites-enabled/
|
||||||
```
|
```
|
||||||
|
|
||||||
|
In the above `ln` command, replace `example.com` with the hostname of your GoToSocial server.
|
||||||
|
|
||||||
Now check for configuration errors.
|
Now check for configuration errors.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
@ -90,40 +115,19 @@ If everything is fine you should get this as output:
|
||||||
Syntax OK
|
Syntax OK
|
||||||
```
|
```
|
||||||
|
|
||||||
Everything working? Great! Then restart Apache httpd to load your new config file.
|
Everything working? Great! Then restart Apache HTTP Server to load your new config file.
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
sudo systemctl restart apache2
|
sudo systemctl restart apache2
|
||||||
```
|
```
|
||||||
|
|
||||||
## Setting up SSL with mod_md
|
Now, monitor the logs to see when the new LetsEncrypt certificate arrives (`tail -F /var/log/apache2/error.log`), and then reload Apache one last time with the above `systemctl restart` command. After that you should be good to go!
|
||||||
|
|
||||||
To setup Apache httpd with mod_md, we'll need to load the module and then modify our vhost files:
|
Apache HTTP Server needs to be restart (or reloaded), every time `mod_md` gets a new certificate; see the module's docs for [more information](https://github.com/icing/mod_md#how-to-manage-server-reloads).
|
||||||
|
|
||||||
```apache
|
Depending on your version of Apache HTTP Server, you may see the following error: `error (specific information not available): acme problem urn:ietf:params:acme:error:invalidEmail: Error creating new account :: contact email "webmaster@localhost" has invalid domain : Domain name needs at least one dot`
|
||||||
MDomain example auto
|
|
||||||
|
|
||||||
<VirtualHost *:80>
|
If this happens, you'll need to do one (or all) of the below:
|
||||||
ServerName example.com
|
|
||||||
</VirtualHost>
|
|
||||||
|
|
||||||
<VirtualHost *:443>
|
1. Update `/etc/apache2/sites-enabled/000-default.conf` and change the `ServerAdmin` value to a valid email address (then reload Apache HTTP Server).
|
||||||
SSLEngine On
|
2. Add the line `MDContactEmail your.email.address@whatever.com` below the `MDomain` line in `/etc/apache2/sites-available/example.com.conf`, replacing `your.email.address@whatever.com` with a valid email address, and `example.com` with your GtS host name.
|
||||||
ServerName example.com
|
|
||||||
ProxyPreserveHost On
|
|
||||||
ProxyPass / http://localhost:8080/
|
|
||||||
ProxyPassReverse / http://localhost:8080/
|
|
||||||
RequestHeader set "X-Forwarded-Proto" expr=https
|
|
||||||
</VirtualHost>
|
|
||||||
```
|
|
||||||
|
|
||||||
This allows mod_md to take care of the SSL setup, and it will also redirect from http to https.
|
|
||||||
After we put this into place, we'll need to restart Apache httpd
|
|
||||||
|
|
||||||
```bash
|
|
||||||
sudo systemctl restart apache2
|
|
||||||
```
|
|
||||||
|
|
||||||
and monitor the logs to see when the new certificate arrives, and then reload it one last time and after that you should be good to go!
|
|
||||||
|
|
||||||
Apache httpd needs to be restart (or reloaded), every time mod_md gets a new certificate, see the module's docs for [more information](https://github.com/icing/mod_md#how-to-manage-server-reloads) on that.
|
|
||||||
|
|
Loading…
Reference in a new issue