Does Anubis implementation in Apache really need 3 virtual hosts?

[GingkoFr]

Hello.

I'm trying to make an Anubis configuration on a Linux Debian + Apache server that fits my requirements.
That is, I want especially to be able to switch Anubis on and off for each virtual hosts very quickly, and have as few changes as possible from my previous configuration.

In the documentation, there is a page about Apache configuration:
https://anubis.techaro.lol/docs/admin/environments/apache

In that page, I note that a 3rd virtual host, dedicated to port 3001, was added to the two previous one.
As I don't like that, I made some tests about how to do it while keeping only two.

I think that I found a way, by:

1. Defining the first virtual host with <VirtualHost *:80 *:3001> rather than <VirtualHost *:80>.
2. Adding a condition to the RewriteRule of that host, that causes the rule to not be triggered if the remote host is equal to ::1.

That makes the rewrite sequence looking like this :

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REMOTE_ADDR} !^::1$
RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]

About switching on and off, I just added the proxy directives like this:

<IfFile /etc/anubis/mysite.env>
	Include /etc/apache2/anubis_proxy.conf
</IfFile>

… with /etc/apache2/anubis_proxy.conf containing the standard directives:

# These headers need to be set or else Anubis will
# throw an "admin misconfiguration" error.
RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"

ProxyPreserveHost On

ProxyRequests Off
ProxyVia Off

ProxyPass / http://[::1]:8923/
ProxyPassReverse / http://[::1]:8923/

That way, I can switch Anubis on or off by just adding, renaming or deleting the /etc/anubis/mysite.env file (it could even be just a symlink to a common file if all configurations are common).

Apparently, it works.

Moving forward, I was even wondering:
Is it really necessary to use port 3001, as there is a rule condition, now, for discriminating?

I decided to try to not use it, and defined the TARGET value as TARGET=http://localhost:80 rather than TARGET=http://localhost:3001.
And I reverted to just <VirtualHost *:80>.

Apparently, it still works, at least on my test server.

Is there any reason why I shouldn't validate this, and avoid copying what seems to work on my test server to my production server?

Regards,
Gingko

[damienvancouver]

Hello @GingkoFr ,

Yes you are correct, it's possible to skip the :3001 VirtualHost and use the :80 :VirtualHost instead.

But here is the tricky part: In real production sites, that :80 virtualhost is actually being used live for HTTP -> HTTPS redirects. If a web visitor comes along to the site at http://example.com, we want them redirected to https://example.com . But if Anubis comes along and asks for http://example.com, it needs to not redirect, AND it also needs to output HTML that has "https://" in all the links (like CSS files, JS files, and other statics).

With Apache modules mod_rewrite, and mod_setenvif , this is easy to do. Here is how I accomplish this:

Apache modules: enable rewrite, setenvif

Apache Port 80 configuration:

<VirtualHost *:80>
ServerName example.com
Serveralias www.example.com

RewriteEngine On 
# forward all HTTP traffic except LetsEncrypt to HTTPS with same URL
RewriteCond %{REQUEST_URI} !^/.well-known [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
####/CTAR002 force SSL

# Otherwise, If this is a proxied request from Anubis, set HTTPS=on so we get HTTP links output:
SetEnvIf X-Forwarded-Proto https HTTPS=on

#  ... rest of VirtualHost configuration goes here, including logging, PHP setup etc.  Just like you do normally on *:443!

</VirtualHost>

apache port 443 configuration:

<Virtualhost *:443>
  ServerName example.com
  Serveralias www.example.com

    # Proxy via anubis at 127.0.0.1:8923
       RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}
       RequestHeader set "X-Forwarded-For" expr=%{REMOTE_ADDR}
       RequestHeader set X-Forwarded-Proto "https"
       RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"
       ProxyPreserveHost On
       ProxyRequests Off
       ProxyVia Off
       ProxyPass / http://127.0.0.1:8923/  nocanon
       ProxyPassReverse / http://127.0.0.1:8923/  nocanon

So port 80 vhost is doing one of two things:

• If it doesn't see X-Forwarded-Proto=https and it's not LetsEncrypt, then it forwards all traffic to SSL
• Otherwise, it sets HTTPS=on and serves the site over the http://localhost:80 port

The port 443 vhost is just proxying everything to Anubis. If you remove the anbuis config then it will revert to serving the site directly.

The only bad thing with this setup is, it's easy to get a 301 redirect loop if you have anything configured wrong. The :3001 arrangment can be easier to setup, but I prefer having just the two virtualhosts.

[GingkoFr]

But here is the tricky part: In real production sites, that :80 virtualhost is actually being used live for HTTP -> HTTPS redirects. If a web visitor comes along to the site at http://example.com/, we want them redirected to https://example.com/ . But if Anubis comes along and asks for http://example.com/, it needs to not redirect, AND it also needs to output HTML that has "https://" in all the links (like CSS files, JS files, and other statics).

That's why I don't make conditional on RewriteCond %{HTTP:X-Forwarded-Proto} !https.
I use RewriteCond %{REMOTE_ADDR} !^::1$.

It is very unlikely that an original query would be made from the ::1 address, and even if this happens, it will likely not really need to be redirected to https nor to Anubis.

[damienvancouver]

Yes that should work just fine! Anything that can tell Anubis apart from real/external port 80 traffic will work. No external traffic can come from localhost.

But that leaves the part where you need to set HTTPS=on if the request is coming from Anubis. So you probably still need at least a SetEnv HTTPS=on in your :80 virtualhost. You probably don't need SetEnvIf like I had since you are RewriteRule'ing all non-anubis traffic.