Apache ProxyPass not working

Hi all,

I am trying to install my Gitea installation behind the Apache vhost,
but it doesn't work with the proxy and I can't find my error :frowning:

Local usage with http://git.domain.de:3000 works fine, but when I use the URL from my vhost config, http://git.domain.de/, I only get a “404 page not found”.
Maybe I have some settings wrong in the app.ini or vhost config, and I hope you can help me.

app.ini:

[server]
SSH_DOMAIN = git.domain.de
DOMAIN = git.domain.de
HTTP_PORT = 3000
ROOT_URL = http://git.domain.de/
LOCAL_ROOT_URL = http://localhost:3000/
APP_DATA_PATH = /var/lib/gitea/data

vhost.conf

<VirtualHost git.domain.de>
    ProxyRequests on
    ProxyRequests off
    AllowEncodedSlashes NoDecode
    ProxyPass * http://git.domain.de:3000 nocanon
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

</VirtualHost>

The proxy and proxy_http modules in Apache2 are enabled.

I am using Apache/2.4.52 (Ubuntu) and Gitea 1.22.1.

I see no messages in the Apache error or access logs.

Does anyone have an idea where my config is wrong?

Thanks and regards
Michél

I think your proxy pass is wrong.

ProxyPass * http://git.domain.de:3000 nocanon

Should be like:

    ProxyPass / http://localhost:3000/ nocanon
    ProxyPassReverse / http://localhost:3000/

From my working box:

app.ini

[server]
PROTOCOL = http
HTTP_PORT = 3000
START_SSH_SERVER = false
SSH_ROOT_PATH = /home/git/.ssh
SSH_CREATE_AUTHORIZED_PRINCIPALS_FILE = false
CERT_FILE = /etc/dehydrated/certs/gitea.mydomain.org/fullchain.pem
KEY_FILE = /etc/dehydrated/certs/gitea.mydomain.org/privkey.pem
SSH_DOMAIN = gitea.mydomain.org
DOMAIN = gitea.mydomain.org
ROOT_URL = https://gitea.mydomain.org
; LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
APP_DATA_PATH = /var/lib/gitea/data

And apache - ignore the Letsencrypt stuff :slight_smile:

<VirtualHost *:443>

    ServerAdmin server@localhost
    ServerName gitea.mydomain.org
    # ServerAlias mysite.wherever.org

    ErrorLog ${APACHE_LOG_DIR}/error-https.log
    CustomLog ${APACHE_LOG_DIR}/access-https.log combined

    SSLEngine on
    SSLProxyEngine on
    SSLCertificateChainFile /etc/dehydrated/certs/gitea.mydomain.org/fullchain.pem
    SSLCertificateFile /etc/dehydrated/certs/gitea.mydomain.org/cert.pem
    SSLCertificateKeyFile /etc/dehydrated/certs/gitea.mydomain.org/privkey.pem

    DocumentRoot "/var/www/html"

    # Desperate Letsencrypt passthrough attempts start here

    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/

    <Location /.well-known/acme-challenge/>
        RewriteEngine off
        ProxyPass !
    </Location>

    <Directory /var/www/html/.well-known/acme-challenge>
        AllowOverride None
        Require all granted
    </Directory>

    # Getting worse
    RewriteCond %{REQUEST_URI} ^/\.well\-known
    RewriteRule . - [L]

    ProxyPreserveHost On
    ProxyRequests off
    AllowEncodedSlashes NoDecode

    # Last gasp
    ProxyPass /.well-known/acme-challenge/ !

    ProxyPass / http://localhost:3000/ nocanon
    ProxyPassReverse / http://localhost:3000/

    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>

</VirtualHost>

HTH.
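
The differences between the two vhosts above can be checked mechanically. The following Python script is an added example, not code from either poster or from the Gitea or Apache projects; `lint_vhost` is a hypothetical helper, and the two sample strings are the proxy-related directives copied from the configs on this page.

```python
# Added example: lint an Apache vhost for the reverse-proxy mistakes seen in this thread.
def lint_vhost(conf):
    """Return a list of findings (strings) for one vhost's directives."""
    findings, proxied, reversed_paths = [], [], set()
    for n, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        name, args = tokens[0].lower(), tokens[1:]
        if name == "proxyrequests" and args and args[0].lower() == "on":
            findings.append(f"line {n}: ProxyRequests On turns on forward proxying; "
                            "a reverse proxy only needs Off")
        elif name == "proxypassreverse" and args:
            reversed_paths.add(args[0])
        elif name == "proxypass" and len(args) >= 2:  # 1 arg = form used inside <Location>
            path, target = args[0], args[1]
            if not path.startswith("/"):
                findings.append(f"line {n}: ProxyPass path {path!r} is not a URL path; "
                                "ProxyPass matches by prefix, not by wildcard")
            if target == "!":
                continue  # exclusion rule, nothing is proxied for this path
            if path.endswith("/") != target.endswith("/"):
                findings.append(f"line {n}: trailing slash differs between "
                                f"{path!r} and {target!r}")
            proxied.append((n, path))
    for n, path in proxied:
        if path not in reversed_paths:
            findings.append(f"line {n}: no ProxyPassReverse for {path!r}; "
                            "backend redirects will not be rewritten")
    return findings

# Directives copied from the question's vhost.conf on this page.
QUESTION_VHOST = """<VirtualHost git.domain.de>
    ProxyRequests on
    ProxyRequests off
    AllowEncodedSlashes NoDecode
    ProxyPass * http://git.domain.de:3000 nocanon
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>"""

# Proxy-related directives copied from the answer's vhost on this page.
ANSWER_VHOST = """ProxyRequests off
ProxyPass /.well-known/acme-challenge/ !
ProxyPass / http://localhost:3000/ nocanon
ProxyPassReverse / http://localhost:3000/"""

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_VHOST), ("answer", ANSWER_VHOST)):
        print(label, lint_vhost(conf) or "no findings")
```
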

Hi,

I have tried some settings similar to your setup, but I still get an error.
At the moment I am trying the letsencrypt settings in the app.ini, but when I start the server I get the following error:

2024/08/13 15:06:28 cmd/web.go:311:listen() [I] LFS server enabled
2024/08/13 15:06:28 cmd/web.go:353:listen() [E] Failed to start server: git.domain.de: obtaining certificate: failed storage check: mkdir https: permission denied - storage is probably misconfigured
2024/08/13 15:06:28 cmd/web.go:355:listen() [I] HTTP Listener: 0.0.0.0:3000 Closed

I have no idea where it tries to create a directory, so that I could check the permissions.

Do you have an idea?

Regards

So at a guess you haven’t got your DNS or https certificates properly configured for external access.

You need to make sure that your Apache is working correctly with https certificates for your domain. If that doesn’t work correctly from OUTSIDE your LAN then nothing will work.

If you don’t understand any of this then there are multitudes of pages on the interwebs about setting up https with Apache and letsencrypt certificates.

Personally I use the dehydrated script to get Letsencrypt https/ssl certificates on all my boxes. Light and simple.

Apache enabled with ssl certificates will then proxy (passthrough) information to gitea and back again.