Drupal 8 behind reverse proxy

alpreseidente · November 29, 2017, 12:00pm

Hi Folks has anyone got experience getting drupal (8) working properly behind nethservers reverse proxy - ive spent a few days and am failing miserably. The site will load when accessed directly (via vpn) but is giving 404 responses for all the css files - i see a basic unrendered web home page. Ive made what i think are the basic updates to the drupal settings.php file to tell it there’s a proxy. Some hints on diagnosing this and/or any assistance appreciated!.. can this be fixed with apache’s mod_rewrite? is it an XFF issue? …
Thanks
Alex

Jclendineng · November 29, 2017, 2:04pm

How did you do the reverse proxy? I created a sites-enabled and sites-available folder under etc/httpd and made a drupal.domain.com file with all the code I needed for reverse proxy, I can post it if you like. Then make a symlink to sites enabled and restart apache and youre done. Oh, you need to make sure apache conf file is looking for your conf files in sites-enabled but that should be there by default. Thats how I do all of my reverse proxy stuff, I have several sites I run, some on the gateway and some on another server and that works fine. You need to set up letsencrypt for the new drupal though, so that the reverse proxy will use the letsencrypt cert.

Jclendineng · November 29, 2017, 2:07pm

You will need putty or another ssh program, or winscp, which is a ssh file manager.
Put this into your sites-available in drupal.YOUR_DOMAIN.com.conf file
Internal IP is just the IP address on your network (preferably static) drupal is on.

Summary

<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTPS} !on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
    ProxyPreserveHost On
    ServerName drupal.YOUR_GATEWAY.com
    ProxyPass / http://INTERNAL_IP/
    ProxyPassReverse / http://INTERNAL_IP/
</VirtualHost>

<VirtualHost *:443>
   # RewriteEngine on
   # RewriteCond %{HTTPS} !on
   # RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301]
   # RewriteRule ^ https://%{INTERNAL_IP/}%{REQUEST_URI} [END,QSA,R=permanent]
    ProxyPreserveHost On
    ServerName drupal.YOUR_GATEWAY(I use drupal.mydomain.com)
    ProxyPass / http://INTERNAL_IP/
    ProxyPassReverse / https://INTERNAL_IP/
</VirtualHost>

sudo ln -s /etc/httpd/sites-available/drupal.YOUR_DOMAIN.com.conf /etc/httpd/sites-enabled/drupal.YOUR_DOMAIN.com.conf

sudo nano /etc/httpd/conf/httpd.conf

Put this at very bottom if its not there:

IncludeOptional sites-enabled/*.conf

sudo apachectl restart

alpreseidente · November 29, 2017, 3:37pm

Hi Joel thanks for your feedback - im confident I can get this running with the benefit of your experience! Ive been using the a2ensite command which seems to create the links you describe between sites-available and sites-enabled.

Can you give a little more explanation of the .conf updates you describe - some lines are commented out and some lines seem to be repeated betwen the 2 paragraphs of code (im good with putty/ssh/vi etc btw - its just making the correct updates to the config files that im failing on!)

also i need to make sure im correctly understanding what HTTP_HOST, INTERNAL_IP, 192.168.10.4, REQUEST_URI, INTERNAL_IP should represent - i will go and do my own digging but it would be great if you could clarify

thanks in advance

alpreseidente · November 29, 2017, 4:13pm

ok i can see that most of the lines of the conf file you gave me were system variables as oposed to user defined. Im a bit confused regarding the Proxy directives you give though - from looking at the documentation these seem to be configuration items relating to apache’s proxy_mod module which is part of the reverse proxy server as opposed to the web server sat behind it… now more confused than ever!

Jclendineng · December 4, 2017, 5:18pm

OOPS lol I am sorry, 192.168.10.4 is an ip I forgot to rewrite! So that is my bad. Corrected. INTERNAL_IP is the drupal ip (mine is 192.168.10.4 on my network), HTTP_HOST do not change thats part of rewrite rule. Only thing you need to change are INTERNAL_IP and change server name to whatever you want.

Jclendineng · December 4, 2017, 5:21pm

Copy that verbatim, change the INTERNAL_IP to whatever your drupal ip is, and server name to drupal.yoursite.com, or whateveryouwant.yourgateway.local or whatever. I don’t know what domain you set up when you installed nethserver. I use proxypass to make things clean, there are other ways.

robb · December 4, 2017, 7:13pm

I must admit I never fully understood how a reverse proxy works. But if I have a webserver on my local LAN, I create a DNS record for the website in my local DNS server. Works for me.

planet_jeroen · December 4, 2017, 8:23pm

It takes a webrequest and does all the traffic between itself and the actual server hosting the content. That way, you only expose the proxy to the internet or intranet, and limit attack vectors. It also helps when you only have one public IP and multiple services you do not want to host on the same machine.

alpreseidente · December 4, 2017, 11:12pm

thanks Joel i eventually pieced things together and made the changes to the nethserver as you described - drupal has been accessible via reverse proxy. However, i have not yet managed to access drupal as anything other than the root of the domain - i.e. i would like drupal to be accessed as follows: http://mydomain.co.uk/drupal but my attempts to configure this have failed and i am only able to access drupal as follows: http://mydomain.co.uk
…a partial success - some work to be done!

alpreseidente · December 5, 2017, 11:56am

you are accessing your webserver directly Robb - DNS steers traffic to it - i am trying to use nethserver as a proxy to my webserver - as such all internet traffic is directed (by DNS!) to my proxy server (nethserver) . The proxy server then chooses how to relay the information to any number of webservers based on various rules … thats the theory at least… there are many reasons for doing this as Jeroen aludes below