Mattermost, Inc.

[SOLVED] Mattermost Apache Configuration

Hi guys,

I’m trying to set up Mattermost to work with Apache and I’m having a bit of trouble. Hoping someone has a solution for me…

We’re installing Mattermost on a server that has other services running that require Apache and I don’t want to install Nginx if I don’t have to. I’m hoping Apache can work just as well with the right configuration.

Amongst other things, I have the following 3 lines in my 000-default.conf (VirtualHost for port 80):

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

We have done this so that any requests coming into port 80 automatically get converted to https (Port 443). We have the appropriate SSL keys in place and everything is working well.

What I want to configure:
I would like that any request coming in for Mattermost should be redirected to the appropriate port required for Mattermost (Port 8065) using SSL so that we have secure Mattermost communication.

Challenges:
I don’t want my users to type the :8065 in the URL. That’s not really user friendly so on the main landing page at https://www.mywebsite.com/ I can create a link that the user can click which will have the port 8065 in it - so something like this https://www.mywebsite.com:8065/ would connect them to Mattermost. Or even better if they did something like this https://www.mywebsite.com/mattermost and that would redirect them to the Mattermost chat and appropriate port over SSL.

Here is what I have attempted so far. I followed the configuration guide which I found here:
https://github.com/mattermost/docs/pull/25/files

When I try to connect to the server using https://www.mywebsite.com:8065/, the browser returns an error:
Firefox: SSL received a record that exceeded the maximum permissible length. Error code:

Firefox: SSL_ERROR_RX_RECORD_TOO_LONG
Chrome: ERR_SSL_PROTOCOL_ERROR

Record too long. Protocol Error. Hmm how do I make it shorter? And how long is too long? What’s up with the protocol! Someone tell the IETF! Ok, after pulling out some hair, I’m calm.

So I look into it and I find that it is a reported error with Certificate providers like Comodo (which is where I bought the SSL we’re using):
http:// ssl_error_rx_record_too_long

So it’s recommended to use Let’s Encrypt. Ok, so I installed Let’s Encrypt and I see that the browser is now using the Let’s Encrypt certificate but when I go to https://www.mywebsite.com:8065/ I get the same SSL_ERROR_RX_RECORD_TOO_LONG.

But when I go to http://www.mywebsite.com:8065 (i.e. without SSL) I’m able to get the Mattermost login page fine.

I just want the SSL. I don’t want to forward ports or anything. How can I configure Apache to serve SSL on port 8065?

Dumped cookies and everything. Still the same result.

How can I achieve these objectives? I hope what I’m asking is not an impossible situation.

Thanks!
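As an added example (not part of the original post), the sketch below shows where "record too long" comes from: a TLS client reads the first five bytes of any reply as a record header, so a plain-HTTP reply starting with `HTTP/` is read as a record of 20527 bytes, above the RFC 5246 limit. The sample replies are constructed, and `probe` is a hypothetical helper for checking a port you operate.

```python
import socket
import ssl
import struct

# RFC 5246 section 6.2.3: a TLSCiphertext record carries at most 2^14 + 2048 bytes.
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data

def record_header(data: bytes):
    """Read bytes 0-4 the way a TLS client does: type, version, length."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length

def classify(first_bytes: bytes) -> str:
    """Label the first bytes a server sent back on a port."""
    if len(first_bytes) < 5:
        return "unknown"
    ctype, version, length = record_header(first_bytes)
    if ctype in CONTENT_TYPES and version[0] == 3 and length <= MAX_RECORD_LEN:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        # 'P' (0x50) and '/' (0x2f) land in the length field: 0x502f = 20527.
        return f"plaintext-http (read as a {length}-byte TLS record)"
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Live check: does host:port complete a TLS handshake or answer in cleartext?"""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # the question here is "is this TLS at all?",
    ctx.verify_mode = ssl.CERT_NONE  # not "is the certificate valid?"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError:
        pass  # handshake failed; see whether the port talks plain HTTP
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        return classify(raw.recv(16))

# Constructed samples (not captured from the poster's server).
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
TLS_REPLY = bytes.fromhex("160303004a") + b"\x02" * 0x4A  # handshake record, TLS 1.2

if __name__ == "__main__":
    print(classify(HTTP_REPLY))
    print(classify(TLS_REPLY))
```

A port that classifies as `plaintext-http` is serving unencrypted traffic regardless of which certificate Apache has installed, which is why swapping certificate providers does not change the error.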

I have commented on the thread you cited (http://forum.mattermost.org/t/ssl-error-rx-record-too-long/1419) - look there for details.

You can’t have two server apps on the same port. Mattermost is already using 8065. You’ll need to change this or use another port externally.
You need to have a virtual host config file for the Mattermost server access; use <VirtualHost *:8065> there if you want Mattermost to be accessible there.
Change the Mattermost port in config.json to something different from 8065 and the address from 0.0.0.0 to 127.0.0.1 to prevent non-SSL access.
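One way to check the listen address mentioned in the reply above, as an added example that is not part of the thread. It assumes the address lives in `ServiceSettings.ListenAddress` in Mattermost's config.json (a key name not quoted in the thread) and uses constructed sample configs; a value such as `:8065` has no host part and therefore binds every interface.

```python
import ipaddress
import json


def split_listen_address(addr: str):
    """Split a Go-style listen address: "host:port", ":port" or "[v6]:port"."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not a host:port listen address: {addr!r}")
    return host.strip("[]"), int(port)


def is_loopback_only(host: str) -> bool:
    """True only when the listener cannot be reached from other machines."""
    if host == "":              # ":8065" means every interface
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False            # some other hostname: treat as exposed until verified


def audit(config_text: str) -> dict:
    """Report where Mattermost listens and whether only a local proxy can reach it."""
    settings = json.loads(config_text)["ServiceSettings"]
    host, port = split_listen_address(settings["ListenAddress"])
    return {"host": host or "*", "port": port, "loopback_only": is_loopback_only(host)}


# Constructed sample configs, reduced to the one setting that matters here.
ALL_INTERFACES = '{"ServiceSettings": {"ListenAddress": ":8065"}}'
LOOPBACK = '{"ServiceSettings": {"ListenAddress": "127.0.0.1:8065"}}'

if __name__ == "__main__":
    for name, text in (("all interfaces", ALL_INTERFACES), ("loopback", LOOPBACK)):
        print(name, audit(text))
```

When `loopback_only` is false, the cleartext port is reachable by anything that can route to the host unless a firewall blocks it, so the TLS-terminating proxy can be bypassed.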

Thanks for jumping in.

I changed the port for apache to 8080 in my VirtualHost. It now looks like this in my 000-default.conf:

<VirtualHost *:80>
ServerName my.coolhost.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/my.coolhost.com.error.log
CustomLog ${APACHE_LOG_DIR}/my.coolhost.com.access.log combined
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}:8080/
</VirtualHost>

and in the default-ssl.conf it looks like this:

<VirtualHost _default_:8080>
  ServerName my.coolhost.com
  DocumentRoot /var/www/html

  ErrorLog ${APACHE_LOG_DIR}/my.coolhost.com.error.log
  CustomLog ${APACHE_LOG_DIR}/my.coolhost.com.access.log combined
  SSLEngine on
  SSLCertificateFile /very/secret/directory/my.crt
  SSLCertificateKeyFile /very/secret/directory/my.key
  SSLCertificateChainFile /very/secret/directory/my.bundle

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>

  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

I changed the port in the config.json to 8080 and I don’t see anything in the config.json that has a 0.0.0.0 for me to change so I didn’t attempt anything with that. I then forwarded the port 8080 from the router to the server. Same result - SSL_ERROR_RX_RECORD_TOO_LONG.

I’m not sure if this is what you want me to do. Honestly I don’t even know if I’m approaching this correctly. Without SSL I see the Signup page fine for Mattermost with these settings.

Hi Bluebeep, I have the exact same issue and I am struggling to get Mattermost running on https. I see the SSL_ERROR_RX_RECORD_TOO_LONG error with Firefox when I try to access https. Without https Mattermost works fine.
I was thus wondering if you managed to solve this issue; I would be very happy to hear about it.
Merci

Hi @Bluebeep and @ademcan. Would you mind posting your complete configuration file? I’d be happy to replicate your settings and see what I can come up with…

Hi guys,

Thanks shieldsjared. I ended up going with Nginx. Didn’t want to lose any more hair :wink:


Hi @shieldsjared, here is the complete piece of code to make mattermost properly run under Apache.
The easiest solution is to add the following code directly into the /etc/apache2/apache2.conf file.
For this configuration to work, you need to create a subdomain and make sure that it points to the correct IP address. You usually do this easily under the settings of your domain name registrar.
Let’s say you want Mattermost to run under https://mattermost.domain.com

<VirtualHost *:80>
    ServerName mattermost.domain.com
    # Send every plain-HTTP request to the HTTPS virtual host
    Redirect / https://mattermost.domain.com/
</VirtualHost>

# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_rewrite enabled
<VirtualHost *:443>
    ServerName mattermost.domain.com
    # TLS terminates in Apache; Mattermost is reached over plain HTTP on loopback
    SSLEngine on
    SSLCertificateKeyFile  pathto/mattermost.key
    SSLCertificateFile pathto/mattermost.crt

    ProxyPreserveHost On
    # Reverse proxy only; never act as a forward proxy
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8065/
    ProxyPassReverse / http://127.0.0.1:8065/

    RewriteEngine on
    # WebSocket requests are proxied with the ws:// scheme
    RewriteCond %{REQUEST_URI} ^/api/v1/websocket [NC,OR]
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
    # Everything else that is not a file under DocumentRoot goes to Mattermost over HTTP
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteRule .* http://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]

    <Location /api/v1/websocket>
        Require all granted
        ProxyPassReverse http://127.0.0.1:8065
        ProxyPassReverseCookieDomain 127.0.0.1 mattermost.domain.com
    </Location>
    <Location />
        Require all granted
        ProxyPassReverse http://127.0.0.1:8065
        ProxyPassReverseCookieDomain 127.0.0.1 mattermost.domain.com
    </Location>
    ErrorLog ${APACHE_LOG_DIR}/error_mattermost.log
    LogLevel warn
    # "combined" is the predefined log format nickname
    CustomLog ${APACHE_LOG_DIR}/access_mattermost.log combined
</VirtualHost>

With this example, the user is automatically redirected to https.
I hope that helps. I am not an expert so if anybody sees something weird somewhere, please let me know :slight_smile:
Don’t forget to restart apache.
Enjoy.


Great, @ademcan. From your initial post it sounded as though you were running into some problems. Sounds like you’re all squared away?

Yes, I was definitely running into problems :slight_smile:
I struggled a bit until I got it working (a few days ago). I had to combine different solutions I found around.
I completely forgot about this thread, otherwise I would have posted the solution earlier.

Edit: small corrections


Glad you got it figured out! And thanks for posting your solution… It will help others out if they run into a similar issue.

If you do want to try it again with apache, or if someone else needs help, these are the important parts of my config. I am using a virtual hosting setup, and so I use /etc/apache2/sites-available/domain.conf and /etc/apache2/sites-available/sub.domain.conf, but if you are hosting one domain then /etc/apache2/apache2.conf will also work. Also, because of the vhost setup, all my domains are in the /home/domain folder instead of /var/www/ so you will have to modify my stuff as needed… Note, the suexecusergroup is the cooldomain uid:guid as that is the owner of /home/cooldomain, so make sure yours matches with the owner of your directory structure (possibly www-data) or leave it out entirely if you are using the default apache configs and location. You will see that this essentially repeats what was mentioned in an earlier post; hopefully it helps. My server is also sitting behind a firewall with access to only 80 and 443.

Most importantly, config.json has nothing to do with this other than setting port 8065, so no other changes are necessary there - everything else is for mattermost, not apache…

<VirtualHost *:80>
SuexecUserGroup "#1040" "#1013"
ServerName my.cooldomain.com
ServerAlias www.my.cooldomain.com
RewriteEngine on
# Enforce HTTPS:
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://my.cooldomain.com/$1 [R,L]
</VirtualHost>
<VirtualHost 192.168.2.198:443>
SuexecUserGroup "#1040" "#1013"
ServerName my.cooldomain.com
ServerAlias www.my.cooldomain.com
DocumentRoot /home/cooldomain/domains/my.cooldomain.com/public_html
ErrorLog /var/log/virtualmin/my.cooldomain.com_error_log
CustomLog /var/log/virtualmin/my.cooldomain.com_access_log combined
ScriptAlias /cgi-bin/ /home/cooldomain/domains/my.cooldomain.com/cgi-bin/
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/cooldomain/domains/my.cooldomain.com/public_html>
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
AddHandler fcgid-script .php
AddHandler fcgid-script .php5
FCGIWrapper /home/cooldomain/domains/my.cooldomain.com/fcgi-bin/php5.fcgi .php
FCGIWrapper /home/cooldomain/domains/my.cooldomain.com/fcgi-bin/php5.fcgi .php5
</Directory>
<Directory /home/cooldomain/domains/my.cooldomain.com/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
</Directory>
RewriteEngine on
# **Begin Mattermost specific code**
RewriteCond %{REQUEST_URI} ^/api/v1/websocket [NC,OR]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule .* http://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
RequestHeader set X-Forwarded-Proto "https"

RequestHeader unset If-Modified-Since
RequestHeader unset If-None-Match

<Location /api/v1/websocket>
Require all granted
ProxyPassReverse ws://127.0.0.1:8065/api/v1/websocket
ProxyPassReverseCookieDomain 127.0.0.1 my.cooldomain.com
</Location>
<Location />
Require all granted
ProxyPassReverse http://127.0.0.1:8065/
ProxyPassReverseCookieDomain 127.0.0.1 my.cooldomain.com
</Location>

ProxyPreserveHost On
ProxyRequests Off
# **End Mattermost specific code**

RemoveHandler .php
RemoveHandler .php5
php_admin_value engine Off
FcgidMaxRequestLen 1073741824
SSLEngine on
SSLCertificateFile /home/cooldomain/domains/my.cooldomain.com/ssl.cert
SSLCertificateKeyFile /home/cooldomain/domains/my.cooldomain.com/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/cooldomain/domains/my.cooldomain.com/ssl.ca
</VirtualHost>