Nextcloud behind reverse proxy - WOPI URL changed from https to http

I'm trying out the "Nextcloud Office" app together with "Collabora Online - Built-in CODE Server". That Nextcloud instance is behind a reverse proxy.

The problem I encountered was that regardless of the 'overwritehost' and 'overwriteprotocol' settings, the WOPI URL kept being automatically changed from https to http.

From other posts about similar issues, I figured out that the WOPI URL is obtained by querying https://[yourinstance]/apps/richdocumentscode/proxy.php?req=/hosting/discovery

Looking at the proxy.php source code, I found the reason for the issue:
// URL into this server of the proxy script.
if ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
    || (isset($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] === 'on')
) {
    $proxyURL = "https://";
} else {
    $proxyURL = "http://";
}

I then modified my reverse proxy (Apache) config to add the missing header:
RequestHeader set X-Forwarded-Proto "https"

Now everything works as expected :-)
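
A way to confirm the fix from the discovery response itself, as an added example that is not part of the original post or of Nextcloud's code: it parses a WOPI discovery document and reports every action URL that is not https. The sample XML, the host name cloud.example.org and the function name insecure_actions are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a discovery response; host and paths are placeholders.
# The first action shows the downgrade described in the post.
SAMPLE_DISCOVERY = """<wopi-discovery>
  <net-zone name="external-http">
    <app name="writer">
      <action ext="odt" name="edit"
              urlsrc="http://cloud.example.org/PLACEHOLDER/cool.html?"/>
    </app>
    <app name="calc">
      <action ext="ods" name="edit"
              urlsrc="https://cloud.example.org/PLACEHOLDER/cool.html?"/>
    </app>
  </net-zone>
</wopi-discovery>"""


def insecure_actions(discovery_xml, expected_host=None):
    """Return (app, ext, urlsrc) for each action URL that is not https or,
    when expected_host is given, does not point at that host."""
    findings = []
    # The document comes from your own server; use defusedxml for untrusted XML.
    root = ET.fromstring(discovery_xml)
    for app in root.iter("app"):
        for action in app.iter("action"):
            url = action.get("urlsrc", "")
            parts = urlsplit(url)
            wrong_scheme = parts.scheme != "https"
            wrong_host = expected_host is not None and parts.hostname != expected_host
            if wrong_scheme or wrong_host:
                findings.append((app.get("name"), action.get("ext"), url))
    return findings


if __name__ == "__main__":
    for app, ext, url in insecure_actions(SAMPLE_DISCOVERY, "cloud.example.org"):
        print(f"{app}/{ext}: {url}")
```

Feed it the body returned by the discovery URL above; an empty result means every advertised action URL is https.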



Grafana auto login

The solution described here works for me.

I did the following on the internal host where Grafana is installed:

  • Configured Apache (on port 80) as a reverse proxy to Grafana (on port 3000)
  • Set up the virtual host to add/set the required headers to log in automatically as user admin

Relevant section from /etc/grafana/grafana.ini:

[auth.proxy]
enabled = true
;header_name = X-WEBAUTH-USER
;header_property = username
auto_sign_up = false

Apache config extract (you will need to enable mod_proxy, mod_proxy_http and mod_headers for this to work):

<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
    RequestHeader set "X-WEBAUTH-USER" "admin"
</VirtualHost>

On a separate Apache instance exposed to more networks I did the following:

  • Configured Apache as reverse proxy to the internal instance
  • Restricted access from specific IP addresses
  • Set up a rule to redirect requests to the root of the website (and only those) to a specific dashboard

This is what the Apache config looks like (requires mod_proxy, mod_proxy_http and mod_alias; IP addresses, host names etc. changed):

<VirtualHost *:80>
    ServerName sub.example.org
    ServerAlias www.sub.example.org
    <Location />
        Require ip 192.0.2.0/24
        Require ip 203.0.113.0/24
        Require ip 2001:0db8:85a4::/64
        Require ip 2001:0db8:85a5::/64
        RedirectMatch ^/$ /dashboard/db/mydashboard
    </Location>
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://[2001:0db8:85a3::aaaa:8a2e:0370:7334]/
    ProxyPassReverse / http://[2001:0db8:85a3::aaaa:8a2e:0370:7334]/
</VirtualHost>

Using a public IPv6 address on the internal host allows the whole thing to work with just a few firewall rules, without the need to mess with NAT or a VPN.
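
With auth.proxy enabled, Grafana trusts the X-WEBAUTH-USER header from whoever connects to it, so the setup depends on port 3000 being reachable only through Apache. The following added example (not from the original post or from Grafana) audits a grafana.ini for that: it uses Grafana's whitelist option in [auth.proxy] and http_addr in [server], neither of which appears in the post. The two ini texts are constructed, and the finding names are hypothetical.

```python
import configparser
import ipaddress

# Constructed grafana.ini texts: the [auth.proxy] section as in the post, with a
# default-style [server] section assumed, and a tightened variant.
AS_POSTED = """
[server]
;http_addr =
[auth.proxy]
enabled = true
;header_name = X-WEBAUTH-USER
auto_sign_up = false
"""
HARDENED = """
[server]
http_addr = 127.0.0.1
[auth.proxy]
enabled = true
auto_sign_up = false
whitelist = 127.0.0.1, ::1
"""


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # empty or not an IP literal
        return False


def audit_auth_proxy(ini_text):
    """Return finding ids for a grafana.ini that trusts a proxy-set user header."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.getboolean("auth.proxy", "enabled", fallback=False):
        return []
    findings = []
    # Without whitelist, Grafana accepts the user header from any source address.
    if not cfg.get("auth.proxy", "whitelist", fallback="").strip():
        findings.append("no-whitelist")
    # An empty http_addr makes Grafana listen on all interfaces, so port 3000
    # is reachable without passing through Apache.
    if not _is_loopback(cfg.get("server", "http_addr", fallback="").strip()):
        findings.append("listens-beyond-loopback")
    return findings


if __name__ == "__main__":
    print("as posted:", audit_auth_proxy(AS_POSTED))
    print("hardened: ", audit_auth_proxy(HARDENED))
```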