Doc request: Reverse proxy settings for Semaphore
Hi Folks,
We're getting websocket errors when reverse proxying using Apache. I dug around on the internet a bit and think we may need to play with ws:// paths in the Apache config, but it brought to mind that it would be useful for the installation documentation to provide guidance or configuration examples for RP via Apache and NGINX.
The docs for Gotify could maybe be a starting point:
https://gotify.net/docs/apache#proxy-requests-with-sub-path
https://gotify.net/docs/nginx
Here is a sample of the Nginx configuration I use, ansible.conf:
You can obviously change whatever is needed but it works great in a docker stack with Semaphore and Nginx. Just replace {your-host-here} with your hostname, as indicated.
server {
    listen 443 ssl;

    # Optional: only allow the listed networks to reach the proxy
    allow 192.168.10.0/24; # Optional
    allow 192.168.12.0/22; # Optional
    allow 10.6.0.0/24;     # Optional
    deny all;              # Optional

    server_name ansible.home.lan; # <- Your domain, just what I'm using

    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Recommendations from
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # (note: TLSv1.1 is deprecated by RFC 8996; "TLSv1.2 TLSv1.3" is the current recommendation)
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate /etc/nginx/certs/ansible.home.lan.crt;
    ssl_certificate_key /etc/nginx/certs/ansible.home.lan.key;

    # Plain HTTP traffic to Semaphore
    location / {
        proxy_pass http://{your-host-here}:3000;
    }

    # Websocket endpoint: needs HTTP/1.1 and the Upgrade/Connection headers passed through
    location /api/ws {
        proxy_pass http://{your-host-here}:3000/api/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Origin "";
    }
}
Just to mention it: there is documentation for Nginx => https://docs.ansible-semaphore.com/administration-guide/security#ssl
Hi, the documentation seems to already include an Nginx example with proxied WS (docs). But as @kfiresmith tried to use Apache instead (so didn't look at this Nginx conf), that could explain why he didn't notice that it needs to be done.
I guess what we could do is mention this in a general statement on this page like:
"Please make sure to also forward websocket connections on the /api/ws route".
An example config with Apache would be nice too. If @kfiresmith can share with us the config file he made, that would be nice.
@Caesarovich I've added a docs PR that adds this general information about the reverse proxy configuration. @kfiresmith If you have a working Apache2 proxy-config it would be nice if you would share it (:
With very limited experience and a lot of help from google I've put together this apache2 site.conf that seems to work fine at the moment (I so far only tried logging in and running already existing tasks). Don't expect it to be correct at all and adjust it to your liking. Note that I run ansible semaphore on an internal network only, your environment might require more options too (like HSTS and such).
<VirtualHost *:80>
    ServerName as.foo.bar.de:80
    ServerAdmin [email protected]
    DocumentRoot /var/www/html/as.foo.bar.de
    # Target must end in "/": Redirect appends the rest of the requested path,
    # so "https://as.foo.bar.de:443" would turn /api into https://as.foo.bar.de:443api
    Redirect temp / "https://as.foo.bar.de:443/"
</VirtualHost>

<VirtualHost *:443>
    ServerName as.foo.bar.de:443
    ServerAdmin [email protected]

    # SSL
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/fullchain.pem
    SSLCertificateKeyFile /etc/apache2/ssl/private/privatekey_no_passphrase.pem

    # Plain HTTP traffic to Semaphore (needs mod_proxy and mod_proxy_http)
    <Location />
        ProxyPass http://127.0.0.1:3000/
        ProxyPassReverse http://127.0.0.1:3000/
    </Location>

    # Websocket endpoint (needs mod_proxy_wstunnel)
    <Location /api/ws>
        ProxyPass ws://127.0.0.1:3000/api/ws/
    </Location>

    ProxyPreserveHost off
    ProxyRequests off
    # mod_remoteip: only meaningful if Apache itself sits behind another proxy;
    # pair it with RemoteIPTrustedProxy so arbitrary clients cannot spoof their address
    RemoteIPHeader X-Forwarded-For

    <Proxy *>
        Require all granted
    </Proxy>
</VirtualHost>

# modern configuration, taken from https://ssl-config.mozilla.org/
# (server-wide, kept outside the VirtualHost; "all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2" leaves TLS 1.3 only)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
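Added example, not part of this thread or of Semaphore itself: a small Python probe that sends a websocket handshake for /api/ws through the proxy and checks that a 101 with a valid Sec-WebSocket-Accept comes back, which is what the Nginx /api/ws location and the Apache ws:// ProxyPass above exist to make possible. Host name, port and the sample responses are assumptions chosen for illustration.

```python
"""Probe whether a reverse proxy forwards Semaphore's websocket endpoint (/api/ws).
Added example, not Semaphore's code: send an RFC 6455 handshake, verify the 101."""
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept value a compliant server must return for key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_handshake(host, path="/api/ws", key=None):
    """Build the HTTP/1.1 upgrade request that the proxy must pass through."""
    key = key or base64.b64encode(os.urandom(16)).decode("ascii")
    req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
           f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
           "Sec-WebSocket-Version: 13\r\n\r\n")
    return key, req.encode("ascii")

def check_handshake(raw, key):
    """Return (ok, reason) for the raw response to a handshake sent with key."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or status[1] != "101":
        # A plain HTTP status (400, 404, 502, ...) means no upgrade happened
        return False, f"no upgrade, proxy answered {lines[0]!r}"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "101 without 'Upgrade: websocket'"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept mismatch (key altered in transit?)"
    return True, "websocket upgrade forwarded correctly"

def probe(host, port=443, path="/api/ws", use_tls=True, timeout=5):
    """Connect through the proxy (e.g. ansible.home.lan:443) and check its reply."""
    key, req = build_handshake(host, path)
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(req)
        return check_handshake(sock.recv(4096), key)
```

A 101 proves the Upgrade and Connection headers survived the proxy; any other reply is returned verbatim so a proxy problem (400/404/502) can be told apart from an application-side answer such as an authentication error.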