Help with apache reverse proxy to get SSL for my Owncast stream server

I understand if I can't get any assistance on this subject, as it is not about certbot directly; however, it has to do with my SSL certificate somewhat, and my failed attempts at fixing this have resulted in being unable to connect to any of my sites.

Recently I discovered this self-hosted live streaming platform called Owncast. Their project is on GitHub here: Owncast on GitHub

I have a Linode running Debian 10 with 3 virtual hosts, all with the same IP, and they all have SSL certificates installed with certbot. I installed the Owncast software on the server from their latest release, and all went well. I then set up a subdomain using an A record (not sure if that's the correct way). I can access the live stream GUI by typing in the following: http://live.pastlife.works:8080

My issue is that I want to make that a secure page and be able to embed the stream into my sites. I want users to be able to access my livestream by going to https://live.pastlife.works (SSL and without typing in port number)

According to the documentation at Owncast, the service cannot be embedded into a webpage that is using SSL, unless the Owncast server software is secured with SSL itself (and their only way of doing this is through reverse proxy)

The documentation on it can be found here:

I have tried to get some help on GitHub, but so far no one has responded with anything useful. You can view that here:

I am not sure how to go about this. I don't know what .conf files to edit to do this. I have 6 .conf files in /etc/apache2/sites-enabled because there is one for the http version and one that letsencrypt made, for each virtual host.

Can anyone help me accomplish this task?

My site's .conf files look like this:

http.conf

<VirtualHost *:80>
        ServerAdmin email
        ServerName pastlife.works
        ServerAlias www.pastlife.works

        DocumentRoot /var/www/pastlife.works
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Redirect every plain-HTTP request for these names to HTTPS
        # (this is the block certbot adds when it installs a certificate)
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =pastlife.works [OR]
        RewriteCond %{SERVER_NAME} =www.pastlife.works
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

https.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin email
        ServerName pastlife.works
        ServerAlias www.pastlife.works
        DocumentRoot /var/www/pastlife.works

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Certificate and key maintained by certbot; options-ssl-apache.conf
        # carries the protocol/cipher settings
        SSLCertificateFile /etc/letsencrypt/live/pastlife.works/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/pastlife.works/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

domain is: pastlife.works

web server is: Apache 2.4.53-1~deb11u1: amd64

The operating system:
Debian 10 stable - kernel 4.19.0-20-amd64

hosting provider: Linode.com

I can login to a root shell
Not using a control panel

The version of my client: certbot 0.31.0

Thank you for reading all of this :slight_smile:

3 Likes

I can't guarantee this will work, but these are the steps I would take:

    1. create an HTTP site for "live.pastlife.works"
    2. get a certificate for "live.pastlife.works"
    3. create an HTTPS site for "live.pastlife.works" [simple "hello world" page]
    4. proxy https://live.pastlife.works to local system and port
       [proxy to http://127.0.0.1:8080 or something like that]
5 Likes

I succeeded on steps 1-3
https://live.pastlife.works/ is up with a simple page

I'm not sure how to edit the example from Owncast's docs

le-ssl.conf for my subdomain looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName live.pastlife.works
        ServerAdmin email
        ServerAlias live.pastlife.works
        DocumentRoot /var/www/live.pastlife.works

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

##//Owncast config//##
        # These directives come from mod_proxy, mod_proxy_http, mod_proxy_wstunnel,
        # mod_headers and mod_rewrite. Enable them first
        # (a2enmod proxy proxy_http proxy_wstunnel headers rewrite), otherwise
        # Apache refuses to start with "Invalid command ..." and every site goes down.
        # Reverse proxy only; never an open forward proxy
        ProxyRequests       Off
        # Hand the client's Host header to Owncast unchanged
        ProxyPreserveHost   On
        AllowEncodedSlashes NoDecode

        <Proxy *>
            # Apache 2.4 form of the 2.2-era "Order deny,allow / Allow from all"
            Require all granted
        </Proxy>

        # 127.0.0.1 avoids a localhost -> ::1 lookup if Owncast only listens on IPv4
        ProxyPass        / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/

        # Tell Owncast the client arrived over HTTPS on 443 (needs mod_headers)
        RequestHeader    set X-Forwarded-Proto "https"
        RequestHeader    set X-Forwarded-Port "443"

        # setup the proxy to forward websocket requests properly
        # (note: this proxy automatically converts the secure websocket (wss)
        # to a normal websocket and vice versa.
        # The [P] flag proxies the request inside Apache via mod_proxy_wstunnel;
        # the 127.0.0.1 target is never sent to the browser.
        # Browsers may send "Connection: keep-alive, Upgrade", which the second
        # condition would miss, but the first condition on Upgrade: websocket
        # already matches those requests.
        RewriteEngine On
        RewriteCond %{HTTP:UPGRADE} ^WebSocket$           [NC,OR]
        RewriteCond %{HTTP:CONNECTION} ^Upgrade$          [NC]
        RewriteRule .* ws://127.0.0.1:8080%{REQUEST_URI}  [P,QSA,L]
##//Owncast config//##

        SSLCertificateFile /etc/letsencrypt/live/live.pastlife.works/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/live.pastlife.works/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

If I omit everything inside what I marked ##//Owncast config//## I can visit the subdomain; if I include it, it breaks Apache completely and I can't visit any domain on the server.

Probably because I didn't understand the lines that Owncast wrote.

I don't get what this is asking me to do:

setup the proxy to forward websocket requests properly
(note: this proxy automatically converts the secure websocket (wss)
to a normal websocket and vice versa.

Thank you so much for your help

2 Likes

What's the error Apache is complaining about?

(Check /var/log/apache2/error.log)

3 Likes

This is the error I think:

[ssl:error] [pid 1103:tid 140404248024832] [client 162.142.125.8:41958] AH02032: Hostname live.pastlife.works provided via SNI and hostname IPADDRESS provided via HTTP have no compatible SSL setup

1 Like

The whole rewrite section seems unnecessary, and that IP isn't to be sent to the client.
Nor can port 8080 be directly accessed (securely).

It seems that even if you "fix" the IP, that code would circumvent the secure proxy and bring you right back to where you started - with an insecure direct access to Owncast.

3 Likes
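A note on the mechanics, then a check that is not part of the thread. The `[P]` flag on a `RewriteRule` proxies the request inside Apache (mod_proxy handles it); the `127.0.0.1` target is never sent to the browser, and `ProxyPassReverse` only rewrites `Location`-style response headers. The exposure that does matter is the one the original poster demonstrated: `http://live.pastlife.works:8080` answers from the Internet, so Owncast is listening on a routable address and anyone can skip TLS and the proxy. The added script below (my code, not from the thread or from Owncast) audits `ss -ltn` output for that: it assumes the standard `ss`/`netstat` column layout with `Local Address:Port` in column 4, and the sample listener table is constructed. The fix it points at is binding the backend to loopback or blocking the port at the host firewall.

```shell
#!/bin/sh
# Added example, not from the thread or from Owncast: report listeners on ports that
# should only be reachable through the TLS reverse proxy but are bound to a routable
# address. Works on the text of `ss -ltn` (or `netstat -ltn`, same column layout).

# Constructed sample of `ss -ltn` output. Apache on 80/443 is meant to be public;
# the 8080 listeners on 0.0.0.0 and [::] are what a proxy-only backend must not show.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       4096    [::]:8080            [::]:*
LISTEN  0       128     [::1]:631            [::]:*'

# exposed_listeners SS_OUTPUT PORT...
# Prints ADDR:PORT for every listener on one of the given ports whose bind address
# is not loopback. Returns 1 if any were found, 0 if all such listeners are local-only.
exposed_listeners() {
    ss_output=$1
    shift
    found=0
    for port in "$@"; do
        hits=$(printf '%s\n' "$ss_output" | awk -v p="$port" '
            NR > 1 {
                # column 4 is Local Address:Port; the port is everything after the last ":"
                n = split($4, part, ":")
                if (part[n] != p) next
                addr = substr($4, 1, length($4) - length(p) - 1)
                # 127.0.0.0/8 and ::1 are loopback; anything else is reachable from outside
                if (addr ~ /^127\./ || addr == "[::1]") next
                print $4
            }')
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# On a real host: exposed_listeners "$(ss -ltn)" 8080
if exposed_listeners "$SAMPLE_SS" 8080; then
    echo "port 8080 is loopback-only: reachable only through the Apache proxy"
else
    echo "the listeners above answer directly, bypassing TLS and the proxy"
fi
```

Run it with the ports your proxy fronts; a non-zero exit means at least one of them is bound to a non-loopback address. Rebinding the backend to 127.0.0.1 is preferable to a firewall rule alone, because the firewall rule is easy to lose on a rebuild while the bind address travels with the service's own config.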

I commented out the entire Rewrite section and it also broke the Apache sites. Tried to put localhost:8080 in the line you commented on above, same result. I'm lost.

I have an old book on Apache but it doesn't mention much on this. It's focused on PHP MySQL and Apache, it doesn't even mention reverse proxy in the index. The docs here at Apache are like trying to decipher Egyptian hieroglyphs to me.

1 Like

Please show the updated file.
And explain which sites "broke".

3 Likes

The domains are lexrex.xyz, pastlife.works, starseedgrowers.org, (old project)
I know my websites probably look like Homer Simpson wrote them.
I'm just learning and throwing my ideas out there. :sweat_smile:

When using this config, all the domains on the server do not load:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName live.pastlife.works
        ServerAdmin email
        ServerAlias live.pastlife.works
        DocumentRoot /var/www/live.pastlife.works

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

#Owncast config
        # Needs mod_proxy, mod_proxy_http and mod_headers loaded
        # (a2enmod proxy proxy_http headers); an unloaded module makes
        # Apache fail to start with "Invalid command ...", taking every vhost down.
        ProxyRequests       Off
        ProxyPreserveHost   On
        AllowEncodedSlashes NoDecode

        <Proxy *>
            # Apache 2.4 equivalent of "Order deny,allow / Allow from all"
            Require all granted
        </Proxy>

        ProxyPass        / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/

        # RequestHeader is provided by mod_headers
        RequestHeader    set X-Forwarded-Proto "https"
        RequestHeader    set X-Forwarded-Port "443"

        # setup the proxy to forward websocket requests properly
        # (note: this proxy automatically converts the secure websocket (wss)
        # to a normal websocket and vice versa.
        # (left commented out for this test; re-enabling it also needs mod_rewrite
        # and mod_proxy_wstunnel)
#        RewriteEngine On
#        RewriteCond %{HTTP:UPGRADE} ^WebSocket$           [NC,OR]
#        RewriteCond %{HTTP:CONNECTION} ^Upgrade$          [NC]
#        RewriteRule .* ws://localhost:8080%{REQUEST_URI}  [P,QSA,L]
#Owncast config

        Include /etc/letsencrypt/options-ssl-apache.conf

        SSLCertificateFile /etc/letsencrypt/live/live.pastlife.works/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/live.pastlife.works/privkey.pem
</VirtualHost>
</IfModule>

Browser shows a basic "This site can't be reached, ERR_CONNECTION_REFUSED" with this config.

1 Like

There must be more to it than that.

Please show the output of:
apachectl -t -D DUMP_VHOSTS

4 Likes

AH00526: Syntax error on line 24 of /etc/apache2/sites-enabled/live.pastlife.works-le-ssl.conf:
Invalid command 'RequestHeader', perhaps misspelled or defined by a module not included in the server configuration
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

Line 24 is this: RequestHeader set X-Forwarded-Proto "https"

Last error I see in the log was a long time ago:

[Sat Apr 16 03:11:05.452912 2022] [core:error] [pid 532:tid 139928281278208] [client 45.155.204.146:56544] AH00126: Invalid URI in request POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1

1 Like

Try running:
sudo a2enmod headers

Or maybe move those two lines above the ProxyPass ones.

3 Likes
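The AH00526 line above is the whole diagnosis: "Invalid command 'RequestHeader' ... defined by a module not included in the server configuration" means the directive is spelled correctly but the module that implements it (mod_headers) is not loaded, so the parser rejects the file and Apache does not start at all, which is why every vhost on the box returned ERR_CONNECTION_REFUSED. The same will happen for each of the Owncast snippet's other directives if its module is missing: `Proxy*` need mod_proxy, an `http://` backend needs mod_proxy_http, a `ws://` target (in `ProxyPass` or a `RewriteRule` with `[P]`) needs mod_proxy_wstunnel, `Rewrite*` need mod_rewrite, `SSL*` need mod_ssl, and the 2.2-style `Order`/`Allow` lines need mod_access_compat. The script below is an added example, my code rather than anything from the thread or from Owncast: it derives that module list from a vhost file and diffs it against what is enabled, so the check can be made before a restart instead of after the outage. The vhost text is a constructed sample modelled on the thread's snippet (the hostname is a placeholder), and the enabled list is assumed to come from the Debian layout, `ls /etc/apache2/mods-enabled/*.load`.

```shell
#!/bin/sh
# Added example, not from the thread or from Owncast: work out which Apache modules a
# vhost file needs from the directives it uses, and list the ones not yet enabled.
# Run `apachectl configtest` after enabling them and before any restart, so that a
# bad file cannot take every site on the server down.

# Constructed sample vhost modelled on the Owncast snippet (hostname is a placeholder).
SAMPLE_VHOST='<VirtualHost *:443>
    ServerName live.example.org
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https"
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule .* ws://127.0.0.1:8080%{REQUEST_URI} [P,QSA,L]
    SSLCertificateFile /etc/letsencrypt/live/live.example.org/fullchain.pem
</VirtualHost>'

# required_modules CONFIG_TEXT
# Prints the a2enmod names the directives in CONFIG_TEXT depend on, one per line, sorted.
# Mapping: Proxy* -> proxy; http(s):// backends -> proxy_http; ws(s):// backends
# (ProxyPass or RewriteRule [P]) -> proxy_wstunnel; (Request)Header -> headers;
# Rewrite* -> rewrite; SSL* -> ssl; 2.2-style Order/Allow/Deny/Satisfy -> access_compat.
required_modules() {
    printf '%s\n' "$1" | awk '
        function need(mod) { m[mod] = 1 }
        /^[[:space:]]*#/ { next }
        $1 ~ /^(Proxy|<Proxy)/                                     { need("proxy") }
        $1 ~ /^ProxyPass(Reverse|Match)?$/ && $3 ~ /^https?:\/\//  { need("proxy_http") }
        $1 ~ /^ProxyPass(Reverse|Match)?$/ && $3 ~ /^wss?:\/\//    { need("proxy_wstunnel") }
        $1 ~ /^(Request)?Header$/                                  { need("headers") }
        $1 ~ /^Rewrite(Engine|Cond|Rule|Base|Options|Map)$/        { need("rewrite") }
        $1 ~ /^SSL/                                                { need("ssl") }
        $1 ~ /^(Order|Allow|Deny|Satisfy)$/                        { need("access_compat") }
        $1 == "RewriteRule" && $NF ~ /^\[/ {
            flags = $NF
            gsub(/\[|\]/, "", flags)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) {
                if (f[i] != "P") continue
                # [P] hands the request to mod_proxy; the scheme decides the backend module
                need("proxy")
                if ($3 ~ /^wss?:\/\//) need("proxy_wstunnel")
                else if ($3 ~ /^https?:\/\//) need("proxy_http")
            }
        }
        END { for (k in m) print k }
    ' | LC_ALL=C sort -u
}

# missing_modules CONFIG_TEXT "mod1 mod2 ..."
# Prints required modules that are absent from the space-separated enabled list.
# On Debian the enabled list is:
#   ls /etc/apache2/mods-enabled/*.load | xargs -n1 basename | sed "s/\.load$//"
missing_modules() {
    enabled=" $2 "
    required_modules "$1" | while read -r mod; do
        case "$enabled" in
            *" $mod "*) ;;
            *) printf '%s\n' "$mod" ;;
        esac
    done
}

# Same state as in the thread: proxy modules on, mod_headers off, so RequestHeader fails to parse
missing_modules "$SAMPLE_VHOST" "proxy proxy_http proxy_wstunnel rewrite ssl access_compat"
```

Feed it the real file and the real enabled list, `a2enmod` whatever it prints, then `apachectl configtest` and only then reload. The `Order`/`Allow` lines are worth replacing with `Require all granted` at the same time, which drops the mod_access_compat dependency altogether.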

God Bless you!! (any God or even divine universal mathematical expressions)
That was a success. It works!
@9peppe and @rg305 Y'all are geniuses!

3 Likes
