Apache
You can set up any Web server on top of Ravada. In this doc we show how to run Apache as a proxy. Settings another tool like Nginx should be similar.
Upgrading
Even if you had Apache proxy already set up you must add some configuration options. Check Hypnotoad, modules and configuration and make sure it is exactly like this.
Configure Hypnotoad proxy
Hypnotoad is the engine that runs the web Ravada frontend. First of all you need to tell hypnotoad we are behind a proxy. This allows Mojolicious to automatically pick up the X-Forwarded-For and X-Forwarded-Proto headers.
Edit the file /etc/rvd_front.conf and make sure there is a line with proxy => 1 inside hypnotoad.
Also we set 10 workers by default. Under heavy server stress the proxy may timeout, increase the number of workers if you notice this.
hypnotoad => {
pid_file => '/var/run/ravada/rvd_front.pid'
,listen => ['http://*:8081']
,proxy => 1
,workers => 10
}
Restart the front server to reload this configuration:
sudo systemctl restart rvd_front
Install Apache
apt-get install apache2
Enable apache modules
Enable these modules.
Tip
Do it even it is not the first time you set up Apache. We added some modules in the latest release.
a2enmod ssl proxy proxy_http proxy_connect proxy_wstunnel headers
In this example we are using self signed certificate that comes with Apache SSL. You can request a real certificate from any vendor like LetsEncrpt.
Apache Proxy Configuration
Link the https configuration and add the proxy lines.
a2ensite default-ssl
Edit /etc/apache2/sites-enabled/default-ssl.conf.
Tip
Do not forget new ProxyPass and RequestHeader lines added in the last release.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ProxyRequests Off
ProxyPreserveHost On
DocumentRoot /usr/share/ravada/public
# Uncomment these for custom error messages #######
#ProxyPass /error !
#Alias "/error" "/var/www/html/error"
#
###################################################
# static files no need to be served by app server
ProxyPass /css !
ProxyPass /fallback !
ProxyPass /fonts !
ProxyPass /img !
ProxyPass /js !
# App server
ProxyPass /ws/ ws://localhost:8081/ws/ keepalive=On
ProxyPass / http://localhost:8081/ keepalive=On
ProxyPassReverse / http://localhost:8081/
RequestHeader set X-Forwarded-Proto "https"
Tip
Check there are no more DocumentRoot entries configured in the default-ssl.conf file.
More information about SSL configuration from Mozilla and Letsencrypt non profit CA.
Apache redirect to https
Redirect all the connections to https.
Edit /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
ServerName hostname.domainname
Redirect / https://hostname.domainname/
</virtualhost>
Apache Security
Enable apache security configuration and set it to do not disclose internal information
a2enconf security
Edit the security settings in /etc/apache2/conf-enabled/security.conf , search for these options and set it this way:
ServerTokens Prod
ServerSignature Off
Restrict access
Follow this guide to restrict access to your Ravada Server by IP: Apache restriction
Tip
Remember restart Apache2 service, with systemctl restart apache2 or services apache2 restart.