Cloud office suite

Reverse proxy - Apache

Configuring a reverse proxy

Depending on the available infrastructure, it may be necessary to configure a reverse proxy. Apache or Nginx can be used for this.

With or without SSL

The connection endpoint rule can be summarized as:

  • wss connects only over https
  • ws connects over http

and vice versa:

  • https only accepts wss
  • http only accepts ws

Apache

To process the traffic, the following modules must be enabled: proxy, proxy_wstunnel, proxy_http. To do so, run:

a2enmod proxy proxy_wstunnel proxy_http

We will create a virtual host and, depending on the need, use one of the following example configurations. There are three possibilities:

nano /etc/apache2/sites-available/oxool.conf

Replace the domain name with the one used for OxOffice Online. Do not forget to create an A record for this subdomain in DNS.

1. SSL on both ends:

The corresponding configuration in /etc/oxool/oxool.xml is:

<ssl desc="SSL settings">
        <enable type="bool">true</enable>
</ssl>

The matching virtual host:

<VirtualHost *:443>
  ServerName oficina.dominio.edu.ar:443
  Options -Indexes
  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode
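  # Container uses a unique non-signed certificate
  # The three directives below turn off verification of the backend certificate;
  # the backend here is the loopback address 127.0.0.1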
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off
  # keep the host
  ProxyPreserveHost On
  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of OxOffice Online
  ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet
  # WOPI discovery URL
  ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery
  # Capabilities
  ProxyPass           /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities retry=0
  ProxyPassReverse    /hosting/capabilities https://127.0.0.1:9980/hosting/capabilities
  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
  # Admin Console websocket
  ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws
  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool https://127.0.0.1:9980/lool
  ProxyPassReverse    /lool https://127.0.0.1:9980/lool
</VirtualHost>

2. SSL terminates at the proxy:

The corresponding configuration in /etc/oxool/oxool.xml is:

<ssl desc="SSL settings">
        <enable type="bool">false</enable>
        <termination>true</termination>
</ssl>

The matching virtual host:

<VirtualHost *:443>
  ServerName oficina.dominio.edu.ar:443
  Options -Indexes
  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode
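  # Container uses a unique non-signed certificate
  # (the SSLProxy* directives apply only to https:// or wss:// backends;
  # they have no effect on the http:// and ws:// targets below)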
  SSLProxyEngine On
  SSLProxyVerify None
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerName Off
  # keep the host
  ProxyPreserveHost On
  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of OxOffice Online
  ProxyPass           /loleaflet http://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet http://127.0.0.1:9980/loleaflet
  # WOPI discovery URL
  ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery
  # Capabilities
  ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
  ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon
  # Admin Console websocket
  ProxyPass   /lool/adminws ws://127.0.0.1:9980/lool/adminws
  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool http://127.0.0.1:9980/lool
  ProxyPassReverse    /lool http://127.0.0.1:9980/lool
</VirtualHost>

3. Plain HTTP:

The corresponding configuration in /etc/oxool/oxool.xml is:

<ssl desc="SSL settings">
        <enable type="bool">false</enable>
        <termination type="bool">false</termination>
</ssl>

The matching virtual host:

<VirtualHost *:80>
  ServerName oficina.dominio.edu.ar
  Options -Indexes
  # Encoded slashes need to be allowed
  AllowEncodedSlashes NoDecode
  # keep the host
  ProxyPreserveHost On
  # static html, js, images, etc. served from loolwsd
  # loleaflet is the client part of OxOffice Online
  ProxyPass           /loleaflet http://127.0.0.1:9980/loleaflet retry=0
  ProxyPassReverse    /loleaflet http://127.0.0.1:9980/loleaflet
  # WOPI discovery URL
  ProxyPass           /hosting/discovery http://127.0.0.1:9980/hosting/discovery retry=0
  ProxyPassReverse    /hosting/discovery http://127.0.0.1:9980/hosting/discovery
  # Capabilities
  ProxyPass           /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities retry=0
  ProxyPassReverse    /hosting/capabilities http://127.0.0.1:9980/hosting/capabilities
  # Main websocket
  ProxyPassMatch "/lool/(.*)/ws$" ws://127.0.0.1:9980/lool/$1/ws nocanon
  # Admin Console websocket
  ProxyPass   /lool/adminws ws://127.0.0.1:9980/lool/adminws
  # Download as, Fullscreen presentation and Image upload operations
  ProxyPass           /lool http://127.0.0.1:9980/lool
  ProxyPassReverse    /lool http://127.0.0.1:9980/lool
</VirtualHost>

Save and close the file.
Enable this virtual host with the following command:

sudo a2ensite oxool.conf

Then restart Apache to load the new configuration.

systemctl restart apache2
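
Added example (not part of the original page or of OxOffice Online): a Python check that a virtual host agrees with the <ssl> settings in oxool.xml for the three scenarios above, and that reports disabled backend certificate verification once a TLS backend is no longer on loopback. The function names, the sample input and the rule that a *:443 virtual host means TLS on the public side are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
# Captures (scheme, host) of every ProxyPass / ProxyPassMatch / ProxyPassReverse target.
TARGET = re.compile(r"^\s*ProxyPass(?:Match|Reverse)?\s+\S+\s+(\w+)://(\[[^\]]+\]|[^/\s:]+)", re.M)

def ssl_flags(ssl_xml):
    """Read <enable> and <termination> from the <ssl> element of oxool.xml."""
    root = ET.fromstring(ssl_xml)
    def flag(tag):
        return (root.findtext(tag) or "false").strip().lower() == "true"
    return flag("enable"), flag("termination")

def lint(vhost, ssl_xml):
    """Return findings for one <VirtualHost> block checked against the <ssl> settings."""
    enable, termination = ssl_flags(ssl_xml)
    # Assumption of this example: a *:443 virtual host serves TLS to the browser.
    public_tls = re.search(r"<VirtualHost\s+\S*:443\s*>", vhost) is not None
    allowed = {"https", "wss"} if enable else {"http", "ws"}
    targets = TARGET.findall(vhost)
    findings = [f"{scheme}://{host} conflicts with ssl.enable={str(enable).lower()}"
                for scheme, host in targets if scheme not in allowed]
    # Scenarios 2 and 3 on the page: without backend TLS, termination mirrors the public side.
    if not enable and termination != public_tls:
        findings.append(f"ssl.termination should be {str(public_tls).lower()}")
    # Verification switched off is only reported when a TLS backend is not on loopback.
    unverified = re.search(r"^\s*SSLProxyVerify\s+none\b", vhost, re.M | re.I)
    remote = sorted({host for scheme, host in targets
                     if scheme in ("https", "wss") and host not in LOOPBACK})
    if unverified and remote:
        findings.append("backend certificate not verified for " + ", ".join(remote))
    return findings

# Constructed sample: scenario 2 (TLS ends at the proxy) with the websocket left on wss://
SAMPLE_SSL = ('<ssl desc="SSL settings"><enable type="bool">false</enable>'
              '<termination>true</termination></ssl>')
SAMPLE_VHOST = """<VirtualHost *:443>
  SSLProxyEngine On
  SSLProxyVerify None
  ProxyPass /loleaflet http://127.0.0.1:9980/loleaflet retry=0
  ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon
  ProxyPass /lool http://127.0.0.1:9980/lool
</VirtualHost>"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_VHOST, SAMPLE_SSL):
        print("WARN:", finding)
```

Pass the text of one <VirtualHost> block and the <ssl> element copied from /etc/oxool/oxool.xml; an empty list means the two agree.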

Obtaining and installing TLS certificates

Since another article explains how to install, configure and start up Apache with the mod_md module, we will not go into the topic here.