Ansicht von 3 Antwort-Themen
  • Autor
    Beiträge
    • #14706
      Romain THERVILLE
      Teilnehmer

        Hello Otobo community,

        I’ve migrated an OTRS 6.0.29 to OTOBO 10.1.6 with the migration manual, everything worked fine.

        (The machine is a Rocky Linux release 8.7, with apache and postgres, without docker and nginx)

         

        The site has been running with http, using the default conf here : /opt/otobo/scripts/apache2-httpd-cgi.include.conf

        The other websites on the same machine have been accessible, ex : http://<my.domain>/phpPgAdmin/

         

        Now I am trying to run OTOBO exclusively using https, and every website on the machine is unreachable :

        https://<my.domain>/phpPgAdmin/ -> 404 Not found

        https://<my.domain>/otobo/ -> OK

        I’ve used the following configurations : /opt/otobo/scripts/apache2-httpd-vhost-443.include.conf , /opt/otobo/scripts/apache2-httpd-vhost-80.include.conf

         

        I’ve been fiddling with the apache conf to make sure every website is accessible on the machine using https, without sucess :(.

        Here is what my apache conf looks like right now :

         

        <VirtualHost *:80>
        Header always set Referrer-Policy "unsafe-url"
        Header set Access-Control-Allow-Origin "*"
        ServerName <my.domain>

        [...]
        Redirect permanent /otobo https://esitoul-rocky-dev.toulouse.inra.fr/otobo/index.pl
        </VirtualHost>

        <VirtualHost *:443>
        TraceEnable off
        RewriteEngine On
        RewriteCond %{HTTP_HOST} !^<my.domain>$ [NC,OR]
        ReWriteCond %{SERVER_PORT} !^443$
        RewriteRule ^/(.*) <my.domain>/$1 [NC,L]
        ProxyPass /e-SIToul_WS_interface http://<my.domain>:8080/[REDACTED]
        ProxyPassReverse /e-SIToul_WS_interface http://<my.domain>:8080/[REDACTED]
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Headers "Origin,Content-Type,X-Requested-With,Accept,Authorization"
        Header set Access-Control-Allow-Methods "GET, POST, DELETE, PUT, OPTIONS"
        Header always set Strict-Transport-Security "max-age=63072000"
        SSLEngine On
        Protocols h2 h2c http/1.1

        SSLUseStapling on
        SSLCertificateFile /etc/pki/tls/certs/httpd.crt
        SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        SSLHonorCipherOrder off

        DocumentRoot [REDACTED]
        ServerName <my.domain>

        ErrorLog logs/error_log
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog logs/SSL-access_log common

        PerlModule ModPerl::Registry
        PerlRequire /[REDACTED]/authPerl/startup.pl
        PerlWarn On
        PerlSetVar DBhost localhost
        PerlSetVar DBport 5432
        PerlSetVar DBname [REDACTED]
        PerlSetVar DBuser [REDACTED]
        PerlSetVar groupFile [REDACTED]
        PerlSetVar DBpwd [REDACTED]
        LimitRequestLine 65536
        Timeout 600

        # Preload otobo.psgi so that that the app doesn't have to be loaded again for every process.
        # This also sets @INC.
        PerlPostConfigRequire /opt/otobo/scripts/apache2-perl-preload_otobo_psgi.pl

        # RT : OTOBO conf, first part

        ScriptAlias /otobo/ "/opt/otobo/bin/cgi-bin/"
        Alias /otobo-web/ "/opt/otobo/var/httpd/htdocs/"

        <IfModule mod_perl.c>
        #ScriptAlias /otobo/ "/opt/otobo/bin/cgi-bin/"
        #Alias /otobo-web/ "/opt/otobo/var/httpd/htdocs/"

        <IfModule mpm_event_module>
        Error "The Multi-Processing Module mpm_event is active but it isn' supported by OTOBO. Please switch to mpm_prefork."
        </IfModule>

        <IfModule mpm_worker_module>
        Error "The Multi-Processing Module mpm_worker is active but it isn't supported by OTOBO. Please switch to mpm_prefork."
        </IfModule>
        # Use a dedicated Perl interpreter for the current virtual host, in this case the virtual host serving port 443
        PerlOptions +Parent

        # Preload otobo.psgi so that that the app doesn't have to be loaded again for every process.
        # This also sets @INC.
        #PerlPostConfigRequire /opt/otobo/scripts/apache2-perl-preload_otobo_psgi.pl

        # everything is handled by the PSGI app
        #<Location /otobo>
        <Location />

        #ErrorDocument 403 /otobo/index.pl
        #ErrorDocument 404 /otobo/index.pl

        # handle all requests, including the static content, with otobo.psgi
        SetHandler perl-script
        PerlResponseHandler Plack::Handler::Apache2
        PerlSetVar psgi_app /opt/otobo/bin/psgi-bin/otobo.psgi

        # Require is supported starting with Apache 2.4.
        # No authentication and all requests are allowed.
        Require all granted

        </Location>
        </IfModule>

        # RT : OTOBO conf, second part

        <Directory "/opt/otobo/bin/cgi-bin/">
        AllowOverride None
        Options +ExecCGI -Includes

        # Require supported starting with Apache 2.4
        # No authentication and all requests are allowed.
        Require all granted

        <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
        </IfModule>
        </IfModule>

        </Directory>

        <Directory "/opt/otobo/var/httpd/htdocs/">
        AllowOverride None

        # Require supported starting with Apache 2.4
        # No authentication and all requests are allowed.
        Require all granted

        <IfModule mod_filter.c>
        <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
        </IfModule>
        </IfModule>

        # Make sure CSS and JS files are read as UTF8 by the browsers.
        AddCharset UTF-8 .css
        AddCharset UTF-8 .js

        # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
        AddType application/font-woff .woff

        </Directory>

        <IfModule mod_headers.c>
        # Cache css-cache for 30 days
        <Directory "/opt/otobo/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
        Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
        </Directory>

        # Cache css thirdparty for 4 hours, including icon fonts
        <Directory "/opt/otobo/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
        Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
        </Directory>

        # Cache js-cache for 30 days
        <Directory "/opt/otobo/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
        Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
        </Directory>

        # Cache js thirdparty for 4 hours
        <Directory "/opt/otobo/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
        Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
        </Directory>
        </IfModule>

        # RT : End OTOBO conf

        [...]

        ScriptAlias /otobo/ "/opt/otobo/bin/cgi-bin/"
        Alias /otobo-web/ "/opt/otobo/var/httpd/htdocs/"

        Alias /Mantis /[REDACTED]/src/mantis
        Alias /GIMACO /[REDACTED]/src/GIMACO

        [...]
        </VirtualHost>

         

        Has anyone managed to run OTOBO on https with other websites ? Do you know what is wrong with my configuration?

        Thanks in advance!

         

        Romther

      • #14797
        B O
        Teilnehmer

          Hi Romain,

          first of otobo runs via perl so that means you have to https://<my.domain>/otobo/index.pl

          and as your question in regards of ssl , why do you want to create <VirtualHost *:80>?

           

          Br,

          BQ

           

          • Diese Antwort wurde geändert vor 2 Wochen, 2 Tage von Marc Nilius.
        • #14814
          Romain THERVILLE
          Teilnehmer

            Hi BQ,

            Thanks for taking time to answer.

            The machine we are setting up is going to host several websites, some accessed via the HTTPS protocol, and some without.

            <VirtualHost *:80> is going to handle http requests.

             

            Best regards,

            Romain

          • #14832
            B O
            Teilnehmer

              Hi Romain,

              now I understand what you’re trying to achive :)  can you try this config, have you tried to generate open ssl certificate and add it to your apache config file if not you can do it very easily via https://certbot.eff.org/ for free and after that just upload the certificate and change the path

              of course don’t forget to restart the httpd ☺

              <VirtualHost *:443>
              ServerName example.com
              ServerAlias http://www.example.com
              DocumentRoot /var/www/html

              SSLEngine on
              SSLCertificateFile /path/to/cert.pem
              SSLCertificateKeyFile /path/to/key.pem
              SSLCertificateChainFile /path/to/chain.pem

              <Directory /var/www/html>
              Options Indexes FollowSymLinks MultiViews
              AllowOverride All
              Require all granted
              </Directory>

              ErrorLog ${APACHE_LOG_DIR}/error.log
              CustomLog ${APACHE_LOG_DIR}/access.log combined
              </VirtualHost>

          Ansicht von 3 Antwort-Themen
          • Du musst angemeldet sein, um auf dieses Thema antworten zu können.