Configurar un proxy reverso
Dependiendo de la infraestructura disponible puede ser necesario configurar un proxy reverso. Para ello se puede utilizar Apache o Nginx.
Con SSL o sin SSL
La regla del punto de conexión se puede resumir como
- wss se conecta sólo en https
- ws se conecta en http
y viceversa:
- https sólo acepta wss
- http sólo acepta ws
Apache
Para poder procesar el tráfico, es necesario habilitar los siguientes módulos: proxy, proxy_connect, proxy_http, proxy_wstunnel. Para ello
a2enmod proxy proxy_connect proxy_http proxy_wstunnel
Crearemos un host virtual y, dependiendo de la necesidad, utilizaremos una de las siguientes configuraciones de ejemplo:
nano /etc/apache2/sites-available/oxool.conf
En la configuración sustituiremos el nombre de dominio de ejemplo por el que utilicemos para OxOffice Online. No hay que olvidar crear un registro A para este subdominio en el DNS.
1. SSL en ambos extremos:
La config correspondiente en /etc/oxool/oxoolwsd.xml es:
<!-- oxoolwsd serves TLS itself in this variant, so the reverse proxy has to
     reach it with https:// and wss:// URLs. -->
<ssl desc="SSL settings">
<enable type="bool">true</enable>
</ssl>
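# Reverse proxy for OxOffice Online, TLS on both legs (browser -> Apache and
# Apache -> oxoolwsd). The SSLProxy* directives come from mod_ssl, which must
# be enabled in addition to the proxy modules.
# NOTE(review): no SSLEngine/certificate directives appear in this vhost; the
# page leaves certificate setup to mod_md. Confirm TLS is really enabled for
# this vhost, otherwise port 443 would answer in plain HTTP.
<VirtualHost *:443>
  ServerName odfweb.dominio.edu.ar:443
  Options -Indexes

  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode
  SSLProxyEngine On
  ProxyPreserveHost On

  # cert is issued for collaboraonline.example.com and we proxy to localhost
  # The three directives below switch off verification of the backend
  # certificate: the Apache -> oxoolwsd leg is encrypted but the backend is
  # not authenticated. That is tolerable only when the backend is localhost.
  # If «oxoolhost» is another machine, verify it instead (SSLProxyVerify
  # require plus SSLProxyCACertificateFile, and leave the name checks on).
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off

  # Backend address, referenced below as ${oxool_communitty}.
  # Apache variables are created with Define, not with "name = value".
  Define oxool_communitty «oxoolhost»:9980

  # static html, js, images, etc. served from oxoolwsd
  # browser is the client part of Collabora Online
  ProxyPass           /browser https://${oxool_communitty}/browser retry=0
  ProxyPassReverse    /browser https://${oxool_communitty}/browser

  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://${oxool_communitty}/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://${oxool_communitty}/hosting/discovery

  # Capabilities
  ProxyPass           /hosting/capabilities https://${oxool_communitty}/hosting/capabilities retry=0
  ProxyPassReverse    /hosting/capabilities https://${oxool_communitty}/hosting/capabilities

  # Main websocket
  # $1 is the (c|ox) prefix group; the document part of the path is $2.
  ProxyPassMatch "/(c|ox)ool/(.*)/ws$" wss://${oxool_communitty}/oxool/$2/ws nocanon

  # Admin Console websocket
  # ProxyPass takes a literal path prefix, so a pattern needs ProxyPassMatch.
  # NOTE(review): this publishes the admin console endpoint on the public
  # vhost; limit it to management networks if it is not needed elsewhere.
  ProxyPassMatch "^/(c|ox)ool/adminws$" wss://${oxool_communitty}/oxool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  # Regex form for the same reason; $2 carries the rest of the path.
  ProxyPassMatch "^/(c|ox)ool(.*)$" https://${oxool_communitty}/oxool$2
  # ProxyPassReverse does not accept a regex; map the backend path literally.
  ProxyPassReverse    /oxool https://${oxool_communitty}/oxool

  # Compatibility with integrations that use the /lool/convert-to endpoint
  ProxyPass           /lool https://${oxool_communitty}/oxool
  ProxyPassReverse    /lool https://${oxool_communitty}/oxool
</VirtualHost>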
2. SSL termina en el proxy:
La config correspondiente en /etc/oxool/oxoolwsd.xml es:
<!-- oxoolwsd itself listens without TLS here (enable=false); termination=true
     goes with TLS being terminated at the reverse proxy. The proxy -> oxoolwsd
     leg is therefore unencrypted: keep it on localhost or a trusted network. -->
<ssl desc="SSL settings">
<enable type="bool">false</enable>
<termination>true</termination>
</ssl>
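# Reverse proxy for OxOffice Online, TLS terminated at Apache. Traffic between
# Apache and oxoolwsd is plain http/ws, so keep «oxoolhost» on localhost or on
# a trusted, isolated network segment.
# NOTE(review): no SSLEngine/certificate directives appear in this vhost; the
# page leaves certificate setup to mod_md. Confirm TLS is really enabled for
# this vhost, otherwise port 443 would answer in plain HTTP.
<VirtualHost *:443>
  ServerName odfweb.dominio.edu.ar:443
  Options -Indexes

  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode
  ProxyPreserveHost On

  # Backend address, referenced below as ${oxool_communitty}. Without this
  # Define the variable is never set and the proxy URLs are invalid.
  Define oxool_communitty «oxoolhost»:9980

  # static html, js, images, etc. served from oxoolwsd
  # browser is the client part of Collabora Online
  ProxyPass           /browser http://${oxool_communitty}/browser retry=0
  ProxyPassReverse    /browser http://${oxool_communitty}/browser

  # WOPI discovery URL
  ProxyPass           /hosting/discovery http://${oxool_communitty}/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery http://${oxool_communitty}/hosting/discovery

  # Capabilities
  ProxyPass           /hosting/capabilities http://${oxool_communitty}/hosting/capabilities retry=0
  ProxyPassReverse    /hosting/capabilities http://${oxool_communitty}/hosting/capabilities

  # Main websocket
  # $1 is the (c|ox) prefix group; the document part of the path is $2.
  ProxyPassMatch "/(c|ox)ool/(.*)/ws$" ws://${oxool_communitty}/oxool/$2/ws nocanon

  # Admin Console websocket
  # ProxyPass takes a literal path prefix, so a pattern needs ProxyPassMatch.
  # NOTE(review): this publishes the admin console endpoint on the public
  # vhost; limit it to management networks if it is not needed elsewhere.
  ProxyPassMatch "^/(c|ox)ool/adminws$" ws://${oxool_communitty}/oxool/adminws

  # Download as, Fullscreen presentation and Image upload operations
  # Regex form for the same reason; $2 carries the rest of the path.
  ProxyPassMatch "^/(c|ox)ool(.*)$" http://${oxool_communitty}/oxool$2
  # ProxyPassReverse does not accept a regex; map the backend path literally.
  ProxyPassReverse    /oxool http://${oxool_communitty}/oxool

  # Compatibility with integrations that use the /lool/convert-to endpoint
  ProxyPass           /lool http://${oxool_communitty}/oxool
  ProxyPassReverse    /lool http://${oxool_communitty}/oxool
</VirtualHost>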
Cerramos y guardamos el archivo.
Habilitamos este host virtual con el siguiente comando:
sudo a2ensite oxool.conf
Luego reiniciamos Apache para que cargue los módulos habilitados y la nueva configuración.
systemctl restart apache2
Obtener e instalar certificados TLS
Dado que en otro artículo se explica cómo instalar, configurar y poner en marcha Apache con el módulo mod_md no vamos a ahondar sobre el tema en esta oportunidad.
Nginx
Crearemos un host virtual y, dependiendo de la necesidad, utilizaremos una de las siguientes configuraciones de ejemplo:
nano /etc/nginx/sites-available/oxool.conf
En la configuración sustituiremos el nombre de dominio de ejemplo por el que utilicemos para OxOffice Online. No hay que olvidar crear un registro A para este subdominio en el DNS.
1. SSL en ambos extremos:
La config correspondiente en /etc/oxool/oxoolwsd.xml es:
<!-- oxoolwsd serves TLS itself in this variant, so the reverse proxy has to
     reach it with https:// upstream URLs. -->
<ssl desc="SSL settings">
<enable type="bool">true</enable>
</ssl>
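# Reverse proxy for OxOffice Online, TLS on both legs (browser -> nginx and
# nginx -> oxoolwsd).
upstream oxool-community {
    server «oxoolhost»:9980;
    keepalive 32;
}

# The server block header was missing from this listing (only its closing
# brace was present); it mirrors the TLS-termination example on this page.
server {
    listen 443 ssl;
    server_name odfweb.dominio.edu.ar;

    ssl_certificate /ruta/a/certificado_ssl;
    ssl_certificate_key /ruta/a/llave_certificado_ssl;

    # nginx does not verify the upstream certificate unless proxy_ssl_verify
    # is turned on, so the nginx -> oxoolwsd leg is encrypted but the backend
    # is not authenticated. Tolerable when «oxoolhost» is localhost; for a
    # remote backend enable proxy_ssl_verify with
    # proxy_ssl_trusted_certificate.

    # static files
    location ^~ /browser {
        proxy_pass https://oxool-community;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass https://oxool-community;
        proxy_set_header Host $host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass https://oxool-community;
        proxy_set_header Host $host;
    }

    # main websocket
    location ~ ^/(c|ox)ool/(.*)/ws$ {
        proxy_pass https://oxool-community;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    # "^~" marks a literal prefix, so "/(c|ox)ool/adminws" was never matched
    # as a pattern. As a regex location it has to come before the generic
    # one below, because the first matching regex wins.
    # NOTE(review): this publishes the admin console endpoint on the public
    # server; limit it to management networks if it is not needed elsewhere.
    location ~ ^/(c|ox)ool/adminws {
        proxy_pass https://oxool-community;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    # Covers /cool, /lool and /oxool so it agrees with the other locations.
    # NOTE(review): nginx forwards the request URI unchanged (no rewrite to
    # /oxool as in the Apache example); confirm oxoolwsd serves each prefix.
    location ~ ^/(c|l|ox)ool {
        proxy_pass https://oxool-community;
        proxy_set_header Host $host;
    }
}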
2. SSL termina en el proxy:
La config correspondiente en /etc/oxool/oxoolwsd.xml es:
<!-- oxoolwsd itself listens without TLS here (enable=false); termination=true
     goes with TLS being terminated at the reverse proxy. The proxy -> oxoolwsd
     leg is therefore unencrypted: keep it on localhost or a trusted network. -->
<ssl desc="SSL settings">
<enable type="bool">false</enable>
<termination>true</termination>
</ssl>
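# Reverse proxy for OxOffice Online, TLS terminated at nginx. Traffic between
# nginx and oxoolwsd is plain http, so keep «oxoolhost» on localhost or on a
# trusted, isolated network segment.
upstream oxool-community {
    server «oxoolhost»:9980;
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name odfweb.dominio.edu.ar;

    ssl_certificate /ruta/a/certificado_ssl;
    ssl_certificate_key /ruta/a/llave_certificado_ssl;

    # Every proxy_pass below targets the upstream defined above. The listing
    # previously used ${oxool_communitty}, a variable that is never defined
    # in this nginx configuration.

    # static files
    location ^~ /browser {
        proxy_pass http://oxool-community;
        proxy_set_header Host $host;
    }

    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://oxool-community;
        proxy_set_header Host $host;
    }

    # Capabilities
    location ^~ /hosting/capabilities {
        proxy_pass http://oxool-community;
        proxy_set_header Host $host;
    }

    # main websocket
    location ~ ^/(c|ox)ool/(.*)/ws$ {
        proxy_pass http://oxool-community;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # Admin Console websocket
    # "^~" marks a literal prefix, so "/(c|ox)ool/adminws" was never matched
    # as a pattern. As a regex location it has to come before the generic
    # one below, because the first matching regex wins.
    # NOTE(review): this publishes the admin console endpoint on the public
    # server; limit it to management networks if it is not needed elsewhere.
    location ~ ^/(c|ox)ool/adminws {
        proxy_pass http://oxool-community;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }

    # download, presentation and image upload
    # Covers /cool, /lool and /oxool so it agrees with the other locations.
    # NOTE(review): nginx forwards the request URI unchanged (no rewrite to
    # /oxool as in the Apache example); confirm oxoolwsd serves each prefix.
    location ~ ^/(c|l|ox)ool {
        proxy_pass http://oxool-community;
        proxy_set_header Host $host;
    }
}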
Cerramos y guardamos el archivo. Luego probamos la configuración de Nginx.
nginx -t
Si la prueba es exitosa, recargamos Nginx.
systemctl reload nginx