Topic: Debian VPS with reverse proxy and SSL for Owncast stream.

Author: pastlife
Joined: 13 Apr 2022 Posts: 2 Location: USA, Stockton, California
Posted: Thu 14 Apr '22 4:12 Post subject: Debian VPS with reverse proxy and SSL for Owncast stream.

I am new to learning web-development and Linux system administration. I have only been on Linux for about 2.5 years. I decided to use Apache in Debian stable to build my static websites that I'm working on.
Recently I discovered this self-hosted live streaming platform called Owncast. Their project is on GitHub here: https://github.com/owncast/owncast
I came across some big problems, mostly due to my lack of understanding of reverse proxy, SSL, and a lot of what is actually happening to make my server work.
I have a Linode running Debian 10 with 3 virtual hosts, all with the same IP, and serving sites I built myself from scratch. They all have SSL certificates installed with certbot by Let's Encrypt. I installed Owncast on the server from their latest release, and all went well. I then set up a subdomain using an A Record (not sure if that's the correct way). I can access the live stream GUI by typing in the following: http://live.pastlife.works:8080
My issue is that I want to make that a secure page and be able to embed the stream into my sites. I want users to be able to access my livestream by going to https://live.pastlife.works (SSL and without typing in the port number).
According to the documentation at Owncast, the service cannot be embedded into a webpage that is using SSL, unless the Owncast server software is secured with SSL itself (and their only way of doing this is through reverse proxy).
The documentation on it can be found here:
https://owncast.online/docs/sslproxies/apache/
I have tried to get some help from the GitHub but so far no one has responded with anything useful. You can view that here:
https://github.com/owncast/owncast/discussions/1824
I am not sure how to go about this. I don't know what .conf files to edit to do this. I have 6 .conf files in [/etc/apache2/sites-enabled] because there is one for the HTTP version and one that Let's Encrypt made, for each virtual host.
Can anyone help me accomplish this task?
My site's .conf file looks like this:
Code:
<VirtualHost *:80>
    ServerAdmin email
    ServerName pastlife.works
    ServerAlias www.pastlife.works
    DocumentRoot /var/www/pastlife.works
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =pastlife.works [OR]
    RewriteCond %{SERVER_NAME} =www.pastlife.works
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The le-ssl.conf looks like this:
Code:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin email
    ServerName pastlife.works
    ServerAlias www.pastlife.works
    DocumentRoot /var/www/pastlife.works
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/pastlife.works/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/pastlife.works/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

All three websites' .conf files look the same. I don't care if they can access the stream with the other 2 domain names I have. I only care about pastlife.works at this point.
Thank you so much for your time and efforts.

Author: pastlife
Joined: 13 Apr 2022 Posts: 2 Location: USA, Stockton, California
Posted: Sat 16 Apr '22 23:23 Post subject:

Much thanks to the Let's Encrypt community, it's fixed.
I had to run this command for it to work:
`sudo a2enmod headers`
The steps taken were as follows:
1.) create an HTTP site for "live.example.com" in /etc/apache2/sites-available/
2.) get a certbot certificate for "live.example.com"
3.) create an HTTPS website for "live.example.com" [simple "hello world" page] - may not be needed
4.) proxy https://live.example.com to local system and port (see below for config)
Here is the way I configured the le-ssl.conf for apache:
Quote:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName live.pastlife.works
    ServerAdmin email
    ServerAlias live.pastlife.works
    DocumentRoot /var/www/live.pastlife.works
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyRequests Off
    ProxyPreserveHost On
    AllowEncodedSlashes NoDecode
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ## order matters here, RequestHeader Flags before ProxyPass flags ##
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
    ## order matters here, Include first ##
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/live.pastlife.works/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/live.pastlife.works/privkey.pem
</VirtualHost>
</IfModule>

You can see the entire process of assistance here:
https://community.letsencrypt.org/t/help-with-apache-reverse-proxy-to-get-ssl-for-my-owncast-stream-server/175942/12
Hope this helps someone. Take Care, Apache peeps
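
The fix in the post above came down to a module that was not loaded (`a2enmod headers`). As an added example, not part of the original posts, this script lists the modules a vhost file relies on and which of them have no `.load` link under `/etc/apache2/mods-enabled`; the directive-to-module map is limited to directives seen in this thread, and the sample config is trimmed from the second post.

```shell
# Added example, not from the original posts. The directive-to-module map
# covers only the directives that appear in this thread's vhost files.

# Constructed sample: proxy-related lines trimmed from the second post.
sample_vhost() {
cat <<'EOF'
<VirtualHost *:443>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
SSLCertificateFile /etc/letsencrypt/live/live.pastlife.works/fullchain.pem
</VirtualHost>
EOF
}

# Print, space-separated, the a2enmod names that config $1 ("-" = stdin) needs.
required_modules() {
    awk '
        /^[ \t]*#/                        { next }   # skip comment lines
                                          { d = tolower($1) }
        d ~ /^ssl/                        { need["ssl"] = 1 }
        d == "requestheader"              { need["headers"] = 1 }
        d ~ /^proxy/ || d == "<proxy"     { need["proxy"] = 1 }
        d == "proxypass" && $3 ~ /^http:/ { need["proxy_http"] = 1 }
        d ~ /^rewrite/                    { need["rewrite"] = 1 }
        d == "order" || d == "allow"      { need["access_compat"] = 1 }
        END { for (m in need) print m }
    ' "$1" | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Print required modules lacking <name>.load in $2 (default: Debian mods-enabled).
missing_modules() {
    dir=${2:-/etc/apache2/mods-enabled}
    for m in $(required_modules "$1"); do
        [ -e "$dir/$m.load" ] || printf '%s\n' "$m"
    done | tr '\n' ' ' | sed 's/ $//'
}

# No argument: check the sample. Otherwise check the given vhost file.
if [ $# -gt 0 ]; then
    echo "missing: $(missing_modules "$1")"
else
    echo "missing (sample): $(sample_vhost | missing_modules -)"
fi
```

The proxy does not close the port Owncast itself listens on: the first post reaches it at `http://live.pastlife.works:8080`, so limiting 8080 to loopback or firewalling it is a separate step.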