mirror of
https://github.com/overleaf/toolkit.git
synced 2025-04-19 07:18:06 +02:00
Merge 1682e40f8c into 895fe73941
This commit is contained in:
storca
GitHub
commit
e5f6d3bdcb
2 changed files with 158 additions and 0 deletions
103
doc/tls-proxy-apache.md
Normal file
103
doc/tls-proxy-apache.md
Normal file
|
|
@ -0,0 +1,103 @@
|
|||
## Apache TLS Proxy for Overleaf
|
||||
If you intent to run Overleaf behind the host's let's encrypt TLS apache proxy, you're in the right place!
|
||||
|
||||
If you are not using Let's Encrypt but still want to run your Overleaf instance behind apache, have a look at the appendix (bottom of this file).
|
||||
|
||||
### Overleaf setup
|
||||
In this guide, we assume that overleaf is already running on your host in HTTP, without the included NGINX TLS proxy.
|
||||
|
||||
Since we will be running overleaf behind a proxy, we have to change a couple of options in our configuration files.
|
||||
|
||||
In your ```config/variables.env```, please ensure that the options are set as below.
|
||||
Make sure to change overleaf.example.com to your domain.
|
||||
```env
|
||||
OVERLEAF_BEHIND_PROXY=true
|
||||
OVERLEAF_SECURE_COOKIE=true
|
||||
|
||||
OVERLEAF_SITE_URL=https://overleaf.example.com
|
||||
```
|
||||
|
||||
In your ```config/overleaf.rc```, make sure that the options are set as below :
|
||||
```env
|
||||
OVERLEAF_LISTEN_IP=127.0.0.1
|
||||
OVERLEAF_LISTEN_PORT=8080
|
||||
NGINX_ENABLED=false
|
||||
```
|
||||
Note that the listen port can be changed, but will have to be changed in the apache configuration file.
|
||||
|
||||
|
||||
If needed, reinitialize your docker containers with the commands below.
|
||||
**WARNING : this will remove your tex libraries in the sharelatex container.**
|
||||
|
||||
Refer to [this page](https://github.com/storca/toolkit/blob/master/doc/ce-upgrading-texlive.md#saving-your-changes) if you want to save your TeX install. Redis, mongo data and your documents will still be here.
|
||||
|
||||
```sh
|
||||
bin/docker-compose down
|
||||
bin/up
|
||||
```
|
||||
|
||||
### Apache setup
|
||||
For the apache setup, we assume that you already obtained a valid certificate from Let's Encrypt for your domain.
|
||||
|
||||
The apache configuration file is based on a VirtualHost. This file can be found in ```lib/config-seed/apache-le-ssl.conf```.
|
||||
|
||||
**Make sure to change :**
|
||||
|
||||
* the ```ServerName``` to your domain name
|
||||
* the **port** if you changed it
|
||||
* the **path to your TLS private key and certificate.**
|
||||
|
||||
The following modules are required :
|
||||
```
|
||||
mod_ssl
|
||||
mod_rewrite
|
||||
mod_proxy
|
||||
```
|
||||
|
||||
#### Redirecting HTTP to HTTPS
|
||||
If needed, you can use the following configuration for your HTTP virtual host. Make sure to change your domain name and the port that you've set in your ```config/overleaf.rc```.
|
||||
```conf
|
||||
# HTTP to HTTPS redirection
|
||||
<VirtualHost *:80>
|
||||
ServerName overleaf.example.com
|
||||
RewriteEngine On
|
||||
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
|
||||
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]
|
||||
</VirtualHost>
|
||||
```
|
||||
|
||||
Run ```systemctl reload apache2``` and you should be good to go!
|
||||
|
||||
## Appendix
|
||||
### TLDR - just give me the options that work for websockets and secure cookies
|
||||
```conf
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTP:Upgrade} =websocket [NC]
|
||||
RewriteRule /(.*) ws://127.0.0.1:8080/$1 [P,L]
|
||||
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
|
||||
RewriteRule /(.*) http://127.0.0.1:8080/$1 [P,L]
|
||||
|
||||
<IfModule mod_proxy.c>
|
||||
ProxyRequests Off
|
||||
# There is no ProxyPass directive ! It is handled by the second RewriteCond
|
||||
ProxyPassReverse / http://127.0.0.1:8080/
|
||||
</IfModule>
|
||||
|
||||
<Location />
|
||||
ProxyAddHeaders On
|
||||
RequestHeader set X-Forwarded-Proto "https"
|
||||
RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
|
||||
RequestHeader set Host "%{HTTP_HOST}e"
|
||||
</Location>
|
||||
|
||||
# To avoid SSL stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
|
||||
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
|
||||
|
||||
#ServerTokens Prod
|
||||
LimitRequestBody 52428800
|
||||
```
|
||||
|
||||
### For a TLS configuration not using Let's Encrypt
|
||||
If you are not using Let's Encrpyt but you already have certificates, you can get a TLS configuration for apache from [Mozilla](https://ssl-config.mozilla.org/). Let's Encrypt configurations are based on those.
|
||||
|
||||
Depending on your setup (single host or multi-host) derive the configuration you need from Mozilla's website and **add the configuration in the TLDR statement above** to forward websockets and make secure cookies work.
|
||||
55
lib/config-seed/apache-le-ssl.conf
Normal file
55
lib/config-seed/apache-le-ssl.conf
Normal file
|
|
@ -0,0 +1,55 @@
|
|||
# Overleaf let's encrypt reverse proxy configuration file for apache2 webserver
|
||||
|
||||
<VirtualHost *:443>
|
||||
# The ServerName directive sets the request scheme, hostname and port that
|
||||
# the server uses to identify itself. This is used when creating
|
||||
# redirection URLs. In the context of virtual hosts, the ServerName
|
||||
# specifies what hostname must appear in the request's Host: header to
|
||||
# match this virtual host. For the default virtual host (this file) this
|
||||
# value is not decisive as it is used as a last resort host regardless.
|
||||
# However, you must set it for any further virtual host explicitly.
|
||||
ServerName overleaf.example.com
|
||||
|
||||
ServerAdmin sysadmin@example.com
|
||||
DocumentRoot /var/www/html
|
||||
|
||||
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
|
||||
# error, crit, alert, emerg.
|
||||
# It is also possible to configure the loglevel for particular
|
||||
# modules, e.g.
|
||||
#LogLevel info ssl:warn
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/error-overleaf.log
|
||||
CustomLog ${APACHE_LOG_DIR}/access-overleaf.log combined
|
||||
|
||||
RewriteEngine On
|
||||
RewriteCond %{HTTP:Upgrade} =websocket [NC]
|
||||
RewriteRule /(.*) ws://127.0.0.1:8080/$1 [P,L]
|
||||
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
|
||||
RewriteRule /(.*) http://127.0.0.1:8080/$1 [P,L]
|
||||
|
||||
<IfModule mod_proxy.c>
|
||||
ProxyRequests Off
|
||||
ProxyPassReverse / http://127.0.0.1:8080/
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
SSLCertificateFile /etc/letsencrypt/live/overleaf.example.com/fullchain.pem
|
||||
SSLCertificateKeyFile /etc/letsencrypt/live/overleaf.example.com/privkey.pem
|
||||
Include /etc/letsencrypt/options-ssl-apache.conf
|
||||
</IfModule>
|
||||
|
||||
|
||||
# To avoid SSL stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
|
||||
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
|
||||
|
||||
#ServerTokens Prod
|
||||
LimitRequestBody 52428800
|
||||
|
||||
<Location />
|
||||
ProxyAddHeaders On
|
||||
RequestHeader set X-Forwarded-Proto "https"
|
||||
RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
|
||||
RequestHeader set Host "%{HTTP_HOST}e"
|
||||
</Location>
|
||||
</VirtualHost>
|
||||
Loading…
Add table
Add a link
Reference in a new issue