Read-Only domain setting for reverse proxy

[Alex8000]

Goodmorning all,

We have configured a reverse proxy for our customers so that they will be able to access our instance through a subdomain of ours. The wiki states that the service.network.allowedOriginDomains setting will have to be changed in order to for anyone be able to access the instance from that subdomain.
If anyone reading this is interested in also configuring a reverse proxy I would be happy to share our setup details!

Would someone be so kind as to add our subdomain to the service.network.allowedOriginDomains setting of our instance?

Best regards,

Alex

[TrevorKillick]

Good Morning @Alex8000

What domain name would you like to be set?

We would also need you confirm a date and time when you would be happy for a quick (less than a minute) reboot of the services to allow this new setting to be picked up, we recommend a time out of your normal working hours for the minimum disruption. 

Kind Regards

Trevor Killick

[Alex8000]

Hi @TrevorKillick,

support.panas.nl would be terrific!

If you would be able to do it within 26 minutes then the reboot could happen right away (before 12:00 UK)! If not it can be done from 16:00 UK time.

[TrevorKillick]

Hi @Alex8000

the setting has been changed I will get cloud to bump the services, let me know how it goes i will keep an eye on this thread.

The services have been restarted.

Kind Regards

Trevor Killick

[Alex8000]

Hi @TrevorKillick,

Thanks! Do you know if the instance has been restarted yet? Getting a 403 at the moment.

Best regards,

Alex

[TrevorKillick]

Hi @Alex8000

It has, i will get one of our cloud guys to take a look and i will get back to you.

Kind Regards

Trevor Killick

[Alex8000]

@TrevorKillick,

please note that the public DNS record for support.panas.nl is not currently pointing at the reverse proxy. I have a record in my hosts file pointing to 95.85.57.127 in order to test this.

[TrevorKillick]

Hi @Alex8000

We think there is some configuration missing from the documentation, can you provide a copy of the configuration you are using and if its Apache or Nginx that you are using for the Proxy.

Thanks

Trevor Killick

[Alex8000]

Hi @TrevorKillick,

Sorry for the delay. I have only now gotten around to giving it another go. Reinstalled LAMP and did everything by the book, unfortunately I am still getting the same error.

VirtualHost file:

<VirtualHost *:443>

        ServerAdmin webmaster@panas.nl
        DocumentRoot /var/www/
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine On
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        # Set the path to SSL certificate
        # Usage: SSLCertificateFile /path/to/cert.pem
        SSLCertificateFile /etc/apache2/ssl/certificate.crt
        SSLCertificateKeyFile /etc/apache2/ssl/certificate.key
        ProxyRequests off
        ProxyPreserveHost On
        ProxyPass / https://customer.hornbill.com/*instancename*/
        ProxyPassReverse / https://customer.hornbill.com/*instancename*/
        ServerName support.panas.nl
	
</VirtualHost>

apache2.conf loaded modules:

LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule proxy_connect_module /usr/lib/apache2/modules/mod_proxy_connect.so
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
LoadModule cache_module /usr/lib/apache2/modules/mod_cache.so
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

ports.conf

Listen 80
Listen 443

Unfortunately I am still getting the following.

 

Thanks in advance! I am running out of ideas as to how to fix this ;-)
The A-record to support.panas.nl has been configured. You should run into the same error when going to that URL.

Best regards,

Alex

[Alex8000]

After setting        

ProxyRequests Off
ProxyPreserveHost Off

in the virtual host file I am now getting a 502 error.. That's progress.. maybe?

https://i.imgur.com/xaIHoFa.png

Best Regards,

Alex

[Alex8000]

Hi @TrevorKillick, all,

Just to be sure, do I need to reverse proxy every subdomain for this to work? (i.e. api.*, service.*, live,* etc)

One thing I have noticed is that navigating to support.panas.nl/servicemanager generates a significantly URL than customer.hornbill.com/panashornbill/servicemanager does. (about double/triple the length)

Surely we're not the first ones to try this, someone must have gotten this to work! ;-)

Happy holidays,

Alex

[Alex8000]

Hello all, 

Just an update: I noticed that proxying support.panas.nl/whatever/ to our instance does work, and that the error only occurs when trying to proxy the root support.panas.nl to our instance. Will continue playing with this tomorrow. 

Updating this starts to feel like some kind of diary, I hope someone gets something useful out of this! 

Best regards, 

Alex

[Alex8000]

Hi @TrevorKillick,

So I got the thing working with https://support.panas.nl/[INSTANCENAME]/ by loading the API and support subdomain and triple checking that all modules were loaded. (it tripped over wstunnel once, but that's nothing a2enmod can't fix)

I can't however for the life of me get the thing to proxy to "just" https://support.panas.nl/. When trying this I get the 502 error. Apache gives this as the error: 
 

[Tue Jan 03 12:20:28.394887 2017] [ssl:warn] [pid 20114] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Tue Jan 03 12:20:28.396196 2017] [ssl:warn] [pid 20114] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Jan 03 12:20:28.402392 2017] [mpm_prefork:notice] [pid 20114] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.20 OpenSSL/1.0.1f configured -- resuming normal operations
[Tue Jan 03 12:20:28.402458 2017] [core:notice] [pid 20114] AH00094: Command line: '/usr/sbin/apache2'
[Tue Jan 03 12:22:33.566619 2017] [ssl:warn] [pid 20178] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Tue Jan 03 12:22:32.594522 2017] [mpm_prefork:notice] [pid 20114] AH00169: caught SIGTERM, shutting down

Does this mean that Cloudflare does not support RFC 4366?
Is there a way to have it reverse proxy to 'just' a domain without exposing endusers to our instancename at all? 

Pastebin for config: http://pastebin.com/89mpeG8b

[TrevorKillick]

Hi @Alex8000

Thanks for continuing to look into this, i will feedback this information to our Cloud Team and see if they can advice further. 

Kind Regards

Trevor Killick