Webapp with SSL?

I know this topic has been done to death already, but the more I read, the more confused I become.
I am running my own home Ubuntu 20.04 server with Apache2 and SSL. SSL is required for things besides my webapp. I am behind my ISP-issued home router. Ports 80, 8080 and 443 are forwarded to the server and ufw access rules are in place.
SSL has been correctly installed with certbot & Let’s Encrypt, and I get an A+ rating from SSL Server Test (Powered by Qualys SSL Labs).
I have created the .crt file as instructed, and placed it alongside my app.
Firefox fails to connect to the app, so I set up a virtual host pointing to the app. Best I can get is a directory list.
Is a virtual host the right way to go, and if so, rather than use Apache’s SSL in the virtual host, should I have it pointing to my .crt file?
I am well beyond baffled at this point, so any/all help would be greatly appreciated. I’ve done the best I can, but now I’m just shooting in the dark.

Ok, using https and port 8080, I’m now getting a message from the app itself:
“Connection Problem
We are having trouble communicating with the server. Please wait a moment while we attempt to reconnect.”
The connection times out.

As you use Apache, you may also need to configure an Apache reverse proxy with SSL support to handle a Xojo web app. This way you don’t need to make your Xojo web app point to the certificate, and Apache and certbot/Let’s Encrypt will handle the certificate.


You have these options:
user->browser->apache
user->browser->apache->xojo
user->browser->xojo

From what I’m reading, it seems I need 2 servers for reverse proxy with SSL.
Only have access to my own. Thoughts?

user->browser->apache
→ meaning no xojo app?

user->browser->apache->xojo
→ trying to accomplish this

user->browser->xojo
→ immediately after installing SSL, this broke

To get user - browser - Apache - Xojo, you should:

Setup a virtual host to reverse proxy to the http Xojo app (you’ll need the certificate etc in here too):

ServerName app.example.com
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

Then run the Xojo web app without SSL on port 8080.

Get the user to point the browser to https://app.example.com .

That should work.

Thanks, Adam. I’ll give that a try and post back.

When you say I’ll need the certificate etc in here too, do you mean:

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/my_domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my_domain.com/privkey.pem

App still never loads.

Yes, that’s the etc I was referring to.

Just for troubleshooting - if you compile the web app to run on another free port and allow that port through the ufw firewall, e.g. 8088 (without SSL), does it work?

Doesn’t work either, but there’s some strange behavior.
If I use 127.0.0.1 in the proxypass stuff, I get no connection at all (Firefox message Unable to connect).
If I use the server’s LAN IP, it doesn’t show the app, but I get the app’s own Connection Problem message.
Does that mean anything to you?
Also, I’m assuming you want me to leave the .crt file next to my app?

BTW, I appreciate your help with this SO much!
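One thing worth checking when a proxy target of 127.0.0.1 and a target of the LAN IP behave differently is which address the app's listener is actually bound to. The following is an added example, not part of the thread: it classifies a port from `ss -ltnH` output and reports whether a given ProxyPass target can reach it and whether the plain-HTTP port is reachable without going through Apache. The sample listener lines, the IP 192.168.1.20 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample of `ss -ltnH` output (not from the thread).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 192.168.1.20:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8081 0.0.0.0:*
LISTEN 0 128 *:8082 *:*'

# listen_scope PORT   (reads `ss -ltnH` lines on stdin)
# Prints how the first listener on PORT is bound:
#   loopback | all | specific:<addr> | none
listen_scope() {
    awk -v port="$1" '
        {
            la = $4                        # local "addr:port" column
            p = la; sub(/.*:/, "", p)      # text after the last colon is the port
            if (p != port) next
            a = substr(la, 1, length(la) - length(p) - 1)
            if (a == "0.0.0.0" || a == "*" || a == "[::]") s = "all"
            else if (a ~ /^127\./ || a == "[::1]")          s = "loopback"
            else                                            s = "specific:" a
            print s; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# proxy_verdict PORT TARGET_HOST   (reads `ss -ltnH` lines on stdin)
# target=...     can "ProxyPass / http://TARGET_HOST:PORT/" reach the app?
# bypass-tls=... does the plain-HTTP app also accept non-loopback clients?
proxy_verdict() {
    case "$2" in localhost) t=127.0.0.1 ;; *) t=$2 ;; esac
    scope=$(listen_scope "$1")
    case "$scope" in
        none)     echo "backend-not-listening"; return 0 ;;
        loopback) reach=127.0.0.1; exposed=no ;;
        all)      reach=any; exposed=yes ;;
        *)        reach=${scope#specific:}; exposed=yes ;;
    esac
    if [ "$reach" = any ] || [ "$reach" = "$t" ]; then
        ok=reachable
    else
        ok="unreachable(use $reach)"
    fi
    echo "target=$ok bypass-tls=$exposed"
}

# Demo on the sample; on the server run:  ss -ltnH | proxy_verdict 8080 127.0.0.1
printf '%s\n' "$SAMPLE_SS" | proxy_verdict 8080 127.0.0.1
```

A result of `bypass-tls=yes` means the unencrypted app port accepts connections from other hosts, so once Apache terminates TLS that port should not be forwarded on the router or allowed through ufw.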

Did you “Enable the mod_proxy and mod_http modules in Apache’s httpd.conf file”? (Copied from a blog post talking about installing Apache reverse proxy.)

Yes I did. Just re-verified to be sure. In Ubuntu 20.04, there is no httpd.conf file though. You use a2enmod to enable the modules.

As this is a home server, I will start by:

  • running a Xojo web app (without SSL) on port 8081 and making sure that I forward the port and the app works
  • then, when the previous step works, I would run the same web app and add a secure port on 8082; maybe this is enough for me. If not, then
  • make sure Apache reverse proxy works (following one of the guides on the internet), then configure the Xojo web app as a reverse proxy virtual host

I’m sorry I can’t help you more, it is a long time since I used Apache. My personal web servers now use Nginx and for work, we use Lifeboat on clean Ubuntu servers to handle all the configuration, certificates, virtual hosts, etc.

Point 1: did that initially, everything was fine.
Point 2: did that too, failed. (this was immediately after activating SSL)
Point 3: don’t know for sure if reverse proxy is working, but it’s set up and Adam has been helping me with configuring that.

I do appreciate ALL your input, Alberto! I may end up, at some point, going with Nginx but I’ve already got countless hours of work in my server, and it’s doing so much more than serve web sites. I confess that I’m loathing the thought of going back to square one. Mr. Parnell informed me that running apache2 and Nginx together isn’t a good idea (I’m paraphrasing).

Just a silly question, but is the web app actually running? If you open the app port in the firewall can you see it running?

I think you can follow almost every step in this tutorial, but using Apache instead of Nginx:

Do you have any log you can check?

Thanks, Ricardo. I’ll go through that in fine detail, but it looks like the only detail I missed is putting the app in /var/XojoApps/. Will look closer.

You can also make Apache serve the Xojo app from a simple path, instead of a sub-domain.

<VirtualHost *:443>
    ServerName mydomain.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf


    <Location /xojo-app>
        ProxyPreserveHost On
        ProxyPass http://localhost:8080
        ProxyPassReverse http://localhost:8080
        # Apache 2.4 access control (equivalent of the 2.2-style "Order allow,deny" / "Allow from all")
        Require all granted
    </Location>

</VirtualHost>

Serving the app from a path like above, you won’t need to issue a ssl cert for a subdomain and you can use the same one you use on the main domain.


Thanks, Gabriel. I’ll give that whirl as soon as I recover from shoveling a path to the BBQ. Yeah, old cripples like me are just stupid enough to do that sort of thing. :wink: Winter in Canada sux.