Issues using Apache as a HTTPS proxy: 403
Hello! I am trying to use Kasm behind an Apache HTTPD reverse proxy. When I try to connect to a workspace, it fails with 403 in the DevTools console. Can you help me? Here is my Apache config:
<VirtualHost *:443>
ServerName kasm.xxxxx.xxx
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
RemoteIPHeader X-Forwarded-For
RemoteIPHeader X-Real-IP
Header set X-Forwarded-Proto https
RewriteEngine On
RewriteCond %{HTTP:CONNECTION} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) wss://localhost:4937/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) https://localhost:4937/$1 [P,L]
ProxyPassReverse / https://localhost:4937/
SSLCertificateFile /etc/letsencrypt/live/kasm.xxxxx.xxx/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/kasm.xxxxx.xxx/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:80>
ServerName kasm.xxxxx.xxx
DocumentRoot /var/www/html/public_html
RewriteEngine on
RewriteCond %{SERVER_NAME} =kasm.xxxxx.xxx
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
We don't have a guide on Apache, but we do have guides for Nginx that you may be able to map over to Apache: https://kasmweb.com/docs/latest/how_to/reverse_proxy.html
Whenever you place Kasm behind a reverse proxy, make sure to update the Zone settings: https://kasmweb.com/docs/latest/how_to/reverse_proxy.html#update-zones
We also have a troubleshooting guide that might help you identify the problem.
https://kasmweb.com/docs/latest/guide/troubleshooting.html
Posting the errors you see in browser and the log might help
I have looked at the reverse proxy guide, @j-travis. I am using Apache because I have multiple sites on my server already using it. It would be impractical for me to switch away. When it comes to Nginx, I have no idea what I am doing. I was trying to translate the instructions into apache directives, but it seems I was unsuccessful. I updated my zones and it still just redirects me back to the admin dashboard. Can you help me?
@RedstoneWizard08 Please check out the updated docs here: https://kasmweb.com/docs/latest/how_to/reverse_proxy.html#example-apache-config
When testing please initially try isolating a dedicated proxy from your current config and confirming functionality, just to make sure you do not have any conflicting rules in your setup.
Still not working.
Can you please be specific? I did test this config file with Apache and a current stable release of Kasm Workspaces. My recommendation would be to spin up a fresh container, install httpd along with enabling mod-proxy and ssl, and use this base config to ensure functionality, then work from there.
I have figured it out (as in: this works on my machine) and if you guys can confirm this works it would be awesome if Kasm can update their documentation with this code regarding the Apache HTTPD reverse proxy.
Note: The Kasm documentation example runs the Kasm on the same system as the HTTP Reverse proxy ... which in real situations never happens. I have a completely separate system in a completely separate network for the Apache HTTPD and the Kasm is in its own isolated VLAN with only internet access.
This is the config I have that works on my machine.
NOTE: I have replaced my real hostnames with names that can be used in documentation as examples
<VirtualHost *:80>
ServerName kasm.example.nl
RewriteEngine on
RewriteCond %{SERVER_NAME} =kasm.example.nl
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
# Server and ssl
ServerName kasm.example.nl
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/example.nl/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.nl/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.nl/chain.pem
# The actual server has bad certificates
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost on
# mod_rewrite settings are not inherited by virtual hosts; enable the engine here
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) wss://kasm.unsafe.example.local:443/$1 [P,L]
RewriteRule ^/(.*)$ https://kasm.unsafe.example.local:443/$1 [P]
</VirtualHost>
</IfModule>
And in the zone definition I have:
Zone Name: default
Allow Origin Domain: $request_host$
Upstream Auth Address: kasm.unsafe.example.local
Load Balance Strategy: Least Load
Search Alternate Zones: No
Proxy Connections: Yes
Proxy Hostname: $request_host$
Proxy Path: desktop
Proxy Port: 443
Looking forward to feedback.
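An added example (not part of the thread, and not Kasm's or the poster's configuration): the same 443 virtual host with verification of the upstream leg left on instead of `SSLProxyVerify none`, by trusting the Kasm server's own certificate. The path `/etc/apache2/ssl/kasm-upstream.pem` is hypothetical, and the example assumes the Kasm server presents a certificate whose SAN covers the name Apache checks.

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # Public side: unchanged from the config posted above
    ServerName kasm.example.nl
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.nl/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.nl/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.nl/chain.pem

    # Upstream side: authenticate the Kasm server rather than accepting
    # any certificate. Without this, the proxy-to-Kasm connection is
    # encrypted but not authenticated.
    SSLProxyEngine on
    SSLProxyVerify require
    # Assumption: hypothetical path to a PEM copy of the Kasm server's
    # self-signed certificate (or of the internal CA that issued it).
    SSLProxyCACertificateFile /etc/apache2/ssl/kasm-upstream.pem
    # Assumption: the certificate's SAN matches the name Apache checks.
    # With ProxyPreserveHost on, that is the client's Host header
    # (kasm.example.nl), not the host name in the RewriteRule target.
    SSLProxyCheckPeerName on
    # Reject an expired upstream certificate; renew it instead of
    # switching this check off.
    SSLProxyCheckPeerExpire on

    ProxyPreserveHost on
    RewriteEngine on
    # WebSocket upgrades go to the wss:// upstream, everything else to https://
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) wss://kasm.unsafe.example.local:443/$1 [P,L]
    RewriteRule ^/(.*)$ https://kasm.unsafe.example.local:443/$1 [P]
</VirtualHost>
</IfModule>
```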
@j-travis If this is confirmed to work by others then please copy this into your documentation.
@nielsbasjes thank you for the information on your deployment. The way our examples and docs are currently written, they all reference a redirect to localhost (NGINX, HAPROXY, etc.). The purpose of the examples is to provide a working base for users. I can understand that your deployment requires domain names and serving from an alternative server, but in general we are trying to provide the smallest possible working example to users. I need to discuss internally if we plan on writing more complex proxy examples for the current supported software and get back to you.
I'm totally fine you want to have the simplest working example in the documentation. Perhaps my code has too much (like the letsencrypt stuff), yet the documented code should work. However, the code you have in your documentation does not work, or at least: only works in the very rare and specific case of having both on the same host.
There were actually a couple of key config options that have no effect on a localhost proxy but are needed for a separate server:
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost on
Those are now included in the documented config to avoid confusion thanks to you.
Out of curiosity I tried your current example config and unfortunately it does not work. I get the UI and when opening a session I get some kind of infinite loop (and it does not open).
I just wanted to chime in that I was experiencing "error creating secure connection" problems (#284) and that @nielsbasjes config settings worked perfectly for me. I originally tried the Apache config provided by kasm here, and it didn't work. I know that you want the simplest working example, but that choice can cause more headaches if it only supports a limited subset of environments.
Maybe make more options available in a Wiki or something?
Here you have my config; it works fine in Apache:
<VirtualHost *:443>
ServerName domain.com
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/public_ip.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/public_ip.key"
SSLVerifyClient none
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL:+SSLv3
SSLProxyEngine On
##SSLProxyCheckPeerCN on
##SSLProxyCheckPeerExpire on
SSLVerifyClient optional
ProxyPreserveHost On
ProxyRequests Off
RequestHeader set X_FORWARDED_PROTO "https"
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost on
ProxyPreserveHost on
ProxyPass / http://front:3000/
ProxyPassReverse / http://front:3000/
RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://front:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://front:3000/$1 [P,L]
</VirtualHost>
But I can't run it in a subfolder that isn't the root, like https://domain.com/kasm, and in the documentation I can't find how to change the context.