logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Debian VPS with reverse proxy and SSL for Owncast stream.
Author
pastlife



Joined: 13 Apr 2022
Posts: 2
Location: USA, Stockton, California

PostPosted: Thu 14 Apr '22 4:12    Post subject: Debian VPS with reverse proxy and SSL for Owncast stream. Reply with quote

I am new to learning web-development and Linux system administration. I have only been on Linux for about 2.5 years. I decided to use apache in debian stable to build my static websites that I'm working on.

Recently I discovered this self-hosted live streaming platform called Owncast. Their project is on github here: https://github.com/owncast/owncast

I came across some big problems, mostly due to my lack of understanding of reverse proxy, SSL, a lot of what is actually happening to make my server work.

I have a Linode running Debian 10 with 3 virtual hosts, all with the same IP, and serving sites I built myself from scratch. They all have SSL certificates installed with certbot by letsencrypt. I installed Owncast on the server from their latest release, and all went well. I then setup a subdomain using an A Record (not sure if that's correct way). I can access the live stream GUI by typing in the following: http://live.pastlife.works:8080

My issue is that I want to make that a secure page and be able to embed the stream into my sites. I want users to be able to can access my livestream by going to https://live.pastlife.works (SSL and without typing in port number)

According to the documentation at Owncast, the service cannot be embedded into a webpage that is using SSL, unless the Owncast server software is secured with SSL itself (and their only way of doing this is through reverse proxy)

The documentation on it can be found here:
https://owncast.online/docs/sslproxies/apache/

I have tried to get some help from the github but so far no one has responded with anything useful. You can view that here:
https://github.com/owncast/owncast/discussions/1824

I am not sure how to go about this. I dont know what .conf files to edit to do this. I have 6 .conf files in [/etc/apache2/sites-enabled] because there is one for http version and one that letsencrypt made, for each virtual host.

Can anyone help me accomplish this task?

My sites .conf file look like this:

Code:

<VirtualHost *:80>

        ServerAdmin email
        ServerName pastlife.works
        ServerAlias www.pastlife.works
       
        DocumentRoot /var/www/pastlife.works   
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

   RewriteEngine on
   RewriteCond %{SERVER_NAME} =pastlife.works [OR]
   RewriteCond %{SERVER_NAME} =www.pastlife.works
   RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet



The le-ssl.conf looks like this:
Code:

<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerAdmin email
        ServerName pastlife.works
        ServerAlias www.pastlife.works
        DocumentRoot /var/www/pastlife.works

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

   SSLCertificateFile /etc/letsencrypt/live/pastlife.works/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/pastlife.works/privkey.pem
   Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>


All three website's .conf files look the same. I dont care if they can access the stream with the other 2 domain names I have. I only care about pastlife.works at this point.

Thank you so much for your time and efforts.
Back to top
pastlife



Joined: 13 Apr 2022
Posts: 2
Location: USA, Stockton, California

PostPosted: Sat 16 Apr '22 23:23    Post subject: Reply with quote

Much thanks to the Let's Encrypt community, It's fixed.
I had to run this command for it to work:
`sudo a2enmod headers`

The steps taken were as follows:

1.) create an HTTP site for "live.example.com" in /etc/apache2/sites-available/

2.) get a certbot certificate for "live.example.com"

3.) create an HTTPS websitesite for "live.example.com" [simple "hello world" page] - may not be needed

4.) proxy https://live.example.com to local system and port (see below for config)

Here is the way I configured the le-ssl.conf for apache:

Quote:
<IfModule mod_ssl.c>
<VirtualHost *:443>

ServerName live.pastlife.works
ServerAdmin email
ServerAlias live.pastlife.works
DocumentRoot /var/www/live.pastlife.works

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode

<Proxy *>
Order deny,allow
Allow from all
</Proxy>
## order matters here, RequestHeader Flags before ProxyPass flags ##
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

## order matters here, Include first ##
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/live.pastlife.works/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/live.pastlife.works/privkey.pem

</VirtualHost>
</IfModule>


You can see the entire process of assistance here:
https://community.letsencrypt.org/t/help-with-apache-reverse-proxy-to-get-ssl-for-my-owncast-stream-server/175942/12

Hope this helps someone. Take Care, Apache peeps
Back to top


Reply to topic   Topic: Debian VPS with reverse proxy and SSL for Owncast stream. View previous topic :: View next topic
Post new topic   Forum Index -> Apache