How to put Etherpad Lite behind a reverse Proxy
Feel free to add your own config examples. We recommend using Nginx, because it handles many concurrent connections much better than Apache.
If you want a secure SSL connection to your Etherpad, you can also use a native Node https server; see https://github.com/ether/etherpad-lite/pull/1202.
Creating Certificate Authorities and self-signed SSL certificates: http://web.archive.org/web/20110704035103/http://www.tc.umn.edu/~brams006/selfsign.html
Simple example proxy server implemented in node.js with node-http-proxy. This example proxies on ports 80 and 443. The port 80 proxy forwards to port 81 (where Apache is listening); the port 443 proxy routes server.org/pad to Etherpad on port 9001 and everything else to Apache on port 81.
// Written against the 0.x line of node-http-proxy: the createServer(port, host)
// form and the `router` routing table used below were removed in http-proxy 1.x.
var fs = require('fs'),
    httpProxy = require('http-proxy');

//
// Create a HTTP proxy server: plain HTTP on port 80 goes to Apache on port 81
//
var regular_proxy = httpProxy.createServer(81, 'localhost').listen(80);

// Routing table for the HTTPS proxy: only /pad goes to Etherpad, everything else to Apache
var routes_json = {
  "server.org/pad": "127.0.0.1:9001",
  ".*": "127.0.0.1:81"
};

//
// Create a HTTPS proxy server (TLS is terminated here, the backends speak plain HTTP)
//
var ssl_proxy = httpProxy.createServer({
  router: routes_json,
  https: {
    key: fs.readFileSync('/etc/apache2/ssl/server.org.key', 'utf8'),
    cert: fs.readFileSync('/etc/apache2/ssl/server.org.crt', 'utf8'),
    ca: fs.readFileSync('/etc/apache2/ssl/gd_bundle.crt', 'utf8')
  }
}).listen(443);
General Apache security advice [added 2011-11-26]:
Apache users should carefully check their version, and generally check their configuration files for the potential security issue described in http://www.h-online.com/open/news/item/Apache-patch-patches-poorly-1385107.html, which could allow access to internal systems if the reverse-proxy rules are configured incorrectly. The following configuration appears to be correct and safe, as the proxy statements end with a trailing "/".
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName etherpad.example.org
    ServerSignature Off
    CustomLog /var/log/apache2/etherpad_access.log combined
    ErrorLog /var/log/apache2/etherpad_error.log
    ErrorLog syslog:local2

    <Location />
      AuthType Basic
      AuthName "Welcome to the example.org Etherpad"
      AuthUserFile /path/to/svn.passwd
      AuthGroupFile /path/to/svn.group
      Require group etherpad
    </Location>

    <IfModule mod_proxy.c>
      ProxyVia On
      ProxyRequests Off
      ProxyPass / http://etherpad.internal.example.org:9001/
      ProxyPassReverse / http://etherpad.internal.example.org:9001/
      ProxyPreserveHost on
      <Proxy *>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
      </Proxy>
    </IfModule>
  </VirtualHost>
</IfModule>
The same virtual host with a rewrite block that maps short pad URLs onto /p/:
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName etherpad.example.org
    ServerSignature Off
    CustomLog /var/log/apache2/etherpad_access.log combined
    ErrorLog /var/log/apache2/etherpad_error.log
    ErrorLog syslog:local2

    <Location />
      AuthType Basic
      AuthName "Welcome to the example.org Etherpad"
      AuthUserFile /path/to/svn.passwd
      AuthGroupFile /path/to/svn.group
      Require group etherpad
    </Location>

    <IfModule mod_proxy.c>
      # The following allows "nice" URLs such as https://etherpad.example.org/padname,
      # but some users reported issues with this.
      RewriteEngine On
      RewriteRule /p/*$ https://etherpad.example.org/ [NC,L]
      RewriteCond %{REQUEST_URI} !^/locales/
      RewriteCond %{REQUEST_URI} !^/locales.json
      RewriteCond %{REQUEST_URI} !^/admin
      RewriteCond %{REQUEST_URI} !^/p/
      RewriteCond %{REQUEST_URI} !^/static/
      RewriteCond %{REQUEST_URI} !^/pluginfw/
      RewriteCond %{REQUEST_URI} !^/javascripts/
      RewriteCond %{REQUEST_URI} !^/socket.io/
      RewriteCond %{REQUEST_URI} !^/ep/
      RewriteCond %{REQUEST_URI} !^/minified/
      RewriteCond %{REQUEST_URI} !^/api/
      RewriteCond %{REQUEST_URI} !^/ro/
      RewriteCond %{REQUEST_URI} !^/error/
      RewriteCond %{REQUEST_URI} !^/jserror
      RewriteCond %{REQUEST_URI} !/favicon.ico
      RewriteCond %{REQUEST_URI} !/robots.txt
      RewriteRule ^/+(.+)$ https://etherpad.example.org/p/$1 [L]

      ProxyVia On
      ProxyRequests Off
      ProxyPass / http://etherpad.internal.example.org:9001/
      ProxyPassReverse / http://etherpad.internal.example.org:9001/
      ProxyPreserveHost on
      <Proxy *>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
      </Proxy>
    </IfModule>
  </VirtualHost>
</IfModule>
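An added check for the trailing-slash advice above (example code written for this page, not part of the wiki or the Etherpad project): a small Python linter that reads mod_proxy directives and flags the patterns that turn a reverse proxy into a door to internal hosts. The sample inputs are constructed; the safe one is this page's own Apache listing.

```python
import re

# Constructed sample input: the mod_proxy directives from the Apache listing
# on this page, which are the safe form (path and target both end with "/").
SAFE_CONF = """
ProxyVia On
ProxyRequests Off
ProxyPass / http://etherpad.internal.example.org:9001/
ProxyPassReverse / http://etherpad.internal.example.org:9001/
"""

# Constructed contrast: three variants of the same rules that the check flags.
RISKY_CONF = """
ProxyRequests On
ProxyPass / http://etherpad.internal.example.org:9001
ProxyPassMatch ^(.*)$ http://etherpad.internal.example.org:9001$1
"""

_DIRECTIVE = re.compile(
    r'^\s*(ProxyPassMatch|ProxyPassReverse|ProxyPass|ProxyRequests)\s+(.*)$', re.I)


def lint_proxy_conf(text):
    """Return (line_number, message) findings for reverse-proxy pitfalls."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2).split()
        if name == 'proxyrequests':
            if args and args[0].lower() == 'on':
                findings.append((lineno, 'ProxyRequests On makes Apache a forward '
                                 'proxy; a reverse proxy wants ProxyRequests Off'))
            continue
        if len(args) < 2:
            continue
        path, target = args[0], args[1]
        # Host portion of the target URL, i.e. everything between "://" and the
        # first "/"; a backreference there lets the request URI choose the host.
        host = target.split('://', 1)[-1].split('/', 1)[0]
        if name == 'proxypassmatch' and re.search(r'\$\d', host):
            findings.append((lineno, 'backreference inside the backend host of %r; '
                             'put a literal "/" before it' % target))
            continue
        # mod_proxy rule: if the path ends in "/" the target must too, and vice versa.
        if path.endswith('/') != target.endswith('/'):
            findings.append((lineno, '%s %s %s: path and target must both end '
                             'with "/" (or neither)' % (m.group(1), path, target)))
    return findings
```

Run it over the full httpd.conf (and any included files) rather than a single vhost, since mod_proxy rules in a server-wide context are the ones most often forgotten.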
Probably bad to use this on production servers, but it works!
Redirect /pad /pad/

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule deflate_module /usr/lib/apache2/modules/mod_deflate.so

ProxyVia On
ProxyRequests Off
ProxyPass /pad/ http://localhost:9001/
ProxyPassReverse /pad/ http://localhost:9001/
ProxyPreserveHost on
<Proxy *>
  Options FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
</Proxy>
Mac OS X Server: save the following as /etc/apache2/webapps/org.etherpad.etherpad-lite.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- See man pages for webapp.plist(5) and webappctl(8) for information about this example webapp.plist -->
<plist version="1.0">
<dict>
    <key>includeFiles</key>
    <array> <!-- Include files are activated in virtual host when webapp is started -->
        <string>/etc/apache2/httpd_etherpad.conf</string>
    </array>
    <key>launchKeys</key>
    <array> <!-- Launchd plists in /System/Library/LaunchDaemons are loaded when webapp is started -->
        <!-- <string>com.example.mywebapp</string> -->
    </array>
    <key>name</key>
    <string>org.etherpad.etherpad-lite</string>
    <key>proxies</key> <!-- ProxyPass/ProxyPassReverse directives are activated when webapp is started -->
    <dict>
        <key>/etherpad</key> <!-- Sets up a reverse proxy -->
        <dict>
            <key>path</key>
            <string>/etherpad</string>
            <key>urls</key> <!-- URLs comprise a proxy_balancer group -->
            <array>
                <string>http://localhost:9001</string>
            </array>
        </dict>
    </dict>
    <key>requiredModuleNames</key>
    <array> <!-- Apache plugin modules are enabled when webapp is started -->
        <string>proxy_module</string>
    </array>
    <key>requiredWebAppNames</key>
    <array> <!-- Required web apps are started when this webapp is started -->
        <!-- <string>com.example.webapp.myotherwebapp</string> -->
    </array>
    <key>sslPolicy</key> <!-- Determines webapp SSL behavior -->
    <integer>0</integer> <!-- 0: default, UseSSLWhenEnabled -->
                         <!-- 1: UseSSLAlways -->
                         <!-- 2: UseSSLOnlyWhenCertificateIsTrustable -->
                         <!-- 3: UseSSLNever -->
                         <!-- 4: UseSSLAndNonSSL -->
</dict>
</plist>
To restrict access to a specific user group, save the following listing to /etc/apache2/httpd_etherpad.conf:
<Location "/etherpad">
  AuthType Digest
  AuthName "Access Etherpad-Lite"
  Require group etherpad_users
</Location>
If you don't want to restrict access to a specific group, delete the line
<string>/etc/apache2/httpd_etherpad.conf</string>
from /etc/apache2/webapps/org.etherpad.etherpad-lite.plist.
We know that there is a problem with Lighttpd and socket.io. At the moment it doesn't work with lighttpd; see this bug: https://github.com/Pita/etherpad-lite/issues/28
$HTTP["host"] =~ "^example.com$" {
  proxy.balance = "hash"
  proxy.server = ( "" => ( (
      "host" => "127.0.0.1",
      "port" => 9001
    ) )
  )
}
If you use more than one server behind lighty (you can add more servers; see the lighty docs linked below), you have to use the hash balancer, so that every request from the same client is sent to the same server. But remember: if you restart lighty, this probably does not work anymore. (TODO: add synchronization in etherpad-lite)
Additional information: http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModProxy
server {
    listen 443;
    server_name pad.example.com;
    access_log /var/log/nginx/eplite.access.log;
    error_log /var/log/nginx/eplite.error.log;

    ssl on;
    ssl_certificate /etc/nginx/ssl/eplite.crt;
    ssl_certificate_key /etc/nginx/ssl/eplite.key;
    ssl_session_timeout 5m;
    # The original listing had "ssl_protocols SSLv2 SSLv3 TLSv1;" and a cipher
    # string that allowed EXP, LOW and SSLv2 suites. All of those are broken, and
    # current nginx/OpenSSL builds no longer support SSLv2 at all.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://localhost:9001/;
        proxy_set_header Host $host;
        # be careful, this line doesn't override a "proxy_buffering on" set in a conf.d/file.conf
        proxy_buffering off;
    }
}

server {
    listen 80;
    server_name pad.example.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
In newer versions of nginx you can use:
server {
    listen 443 ssl;
    server_name pad.example.com;
    access_log /var/log/nginx/eplite.access.log;
    error_log /var/log/nginx/eplite.error.log;
    ssl_certificate /etc/nginx/ssl/eplite.crt;
    ssl_certificate_key /etc/nginx/ssl/eplite.key;
    location / { ... }
}
To serve Etherpad under a sub-path instead of the site root:
...
location /pad {
    rewrite /pad/(.*) /$1 break;
    rewrite ^/pad$ /pad/ permanent;
    proxy_pass http://localhost:9001/;
    proxy_redirect / /pad/;
    proxy_set_header Host $host;
    proxy_buffering off;
}
You need to download and install Ionic's ISAPI Rewrite Filter (IIRF); when installing, select the site you wish to use as the reverse proxy. Browse to your website's root and create a file called IIRF.ini.
Add this to the file:
RewriteBase OFF
ProxyPass ^/pad/(.*)$ http://etherpad.internal.example.org:9001/
ProxyPass ^/p/(.*)$ http://etherpad.internal.example.org:9001/p/$1
ProxyPass ^/static/(.*)$ http://etherpad.internal.example.org:9001/static/$1
ProxyPass ^/pluginfw/(.*)$ http://etherpad.internal.example.org:9001/pluginfw/$1
ProxyPass ^/javascripts/(.*)$ http://etherpad.internal.example.org:9001/javascripts/$1
ProxyPass ^/socket.io/(.*)$ http://etherpad.internal.example.org:9001/socket.io/$1
ProxyPass ^/minified/(.*)$ http://etherpad.internal.example.org:9001/minified/$1
ProxyPass ^/ep/(.*)$ http://etherpad.internal.example.org:9001/ep/$1
ProxyPass ^/api/(.*)$ http://etherpad.internal.example.org:9001/api/$1
ProxyPass ^/error/(.*)$ http://etherpad.internal.example.org:9001/error/$1
ProxyPass ^/jserror/(.*)$ http://etherpad.internal.example.org:9001/jserror/$1
ProxyPassReverse / http://etherpad.internal.example.org:9001/
Save and close the file, then stop and start the IIS site.
You need to install the Application Request Routing module in IIS first, using the Web Platform Installer. This is fairly straightforward to do: open the Web Platform Installer, e.g. by clicking your server in the server management console under Roles / Webserver (IIS) / Internet Information Services (I got this in German, so don't get confused when the terms are a little different on your installation; I'm trying to translate this back to English. If you follow these instructions on an English installation it would be nice if you could correct any wrong terms). It's in the Management section (probably the lowest entry in the list).
Here you will find "Application Request Routing" (currently 2.5). Click "Add" and then "Install". Wait.
Once the installation is complete, you'll find "Server Farms" below "Sites" in your server. Add one with the name of your EtherPad Lite installation. Make sure to enter the correct ports under "Extended Settings" (I'm using 9001 for both httpPort and httpsPort).
Now be careful to not have the console create any default routing settings (that might route any request to any of the sites hosted on your machine to EtherPad Lite). Double click your newly created server farm, then double click "Routing Rules". Under "Advanced Routing", click "URL Rewrite..."
Make sure there are no rules (if any were created, delete them). Create a new empty rule.
You can almost follow the instructions from here:
BUT: If you have multiple sites hosted on that IIS, make sure to add conditions to check against the hostname. Use {HTTP_HOST} as "entry", "matches pattern" and your full domain for EtherPad Lite as pattern.
Finally, in action, I used "forward to server farm" with schema "http://", Serverfarm "the one I created before" and Path "/{R:0}". That's it.
For me, this worked both with HTTP and HTTPS.
The important part is the TimeOut value, as otherwise Pound will fail with 500 - Internal Server Error.
ListenHTTP
  Address 0.0.0.0
  Port 80

  Service
    HeadRequire "Host: .*example.com.*"

    BackEnd
      Address 127.0.0.1
      Port 9001
      TimeOut 300
    End
  End
End
backend etherpad {
  .host = "localhost";
  .port = "9001";
  .probe = {
    .url = "/";
    .interval = 5s;
    .timeout = 1s;
    .window = 5;
    .threshold = 3;
  }
}

# Varnish 3 VCL; in VCL 4 the backend is selected with "set req.backend_hint = etherpad;"
sub vcl_recv {
  set req.backend = etherpad;
  return (pipe);
}