Heimdall icon indicating copy to clipboard operation
Heimdall copied to clipboard
verified publisher icon linuxserver

[Enhancement Request] Document Apache Reverse Proxy Settings

Open tkedwards opened this issue 2 months ago • 1 comments

I've started using Heimdall with an Apache reverse proxy. I needed to search the web and even use ChatGPT to find the right settings, which don't seem to be documented in one place anywhere. I'm using the Docker image and the Apache r-proxy is running on the Docker host machine, with Heimdall Docker running on 10080 on that Docker host.

I was getting a problem where no CSS or scripts would load. These are the fixed settings that reverse-proxy Heimdall properly:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    # Automatic redirect to https, see https://wiki.apache.org/httpd/RedirectSSL
    Redirect / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on

    # Proxy to Heimdall
    ProxyPass / http://127.0.0.1:10080/ retry=0 timeout=5
    ProxyPassReverse / http://127.0.0.1:10080/

    ProxyPreserveHost On
    ProxyRequests Off

    # Fix cookie & path issues
    ProxyPassReverseCookieDomain 127.0.0.1 www.example.com
    ProxyPassReverseCookiePath / /

    # Critical: make Heimdall aware of HTTPS
    RequestHeader set X-Forwarded-Proto "https"

    # Optional security headers
    Header always set X-Frame-Options SAMEORIGIN
    Header always set X-Content-Type-Options nosniff
    Header always set Referrer-Policy strict-origin-when-cross-origin

    # SSL certificate from Let's Encrypt
    SSLCertificateFile  /etc/ssl/_wildcard.example.com/cert.pem
    SSLCertificateKeyFile /etc/ssl/_wildcard.example.com/privkey.pem

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convinience.
    SSLCertificateChainFile /etc/ssl/_wildcard.example.com/fullchain.pem

</VirtualHost>

tkedwards avatar Oct 20 '25 04:10 tkedwards

This issue has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

LinuxServer-CI avatar Nov 19 '25 15:11 LinuxServer-CI