Skip to content

How to put Etherpad Lite behind a reverse Proxy

Jump to bottom Edit New page
Wikinaut edited this page Oct 30, 2011 · 29 revisions

Feel free to add your own config examples. We recommend using Nginx, cause it can handle multiple connections much better than Apache

Apache

With SSL enabled, requiring authentication and allowing nice urls

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName etherpad.example.org
        ServerSignature Off
        CustomLog /var/log/apache2/etherpad_access.log combined
        ErrorLog /var/log/apache2/etherpad_error.log
        ErrorLog syslog:local2

        <Location />
            AuthType Basic
            AuthName "Welcome to the example.org Etherpad"
            AuthUserFile /path/to/svn.passwd
            AuthGroupFile /path/to/svn.group
            Require group etherpad
        </Location>

        <IfModule mod_proxy.c>
            # the following allows "nice" urls such as https://etherpad.example.org/padname
	    RewriteEngine On
	    RewriteRule /p/*$ https://etherpad.example.org/ [NC,L]
	    RewriteCond %{REQUEST_URI} !^/p/
	    RewriteCond %{REQUEST_URI} !^/static/
	    RewriteCond %{REQUEST_URI} !^/socket.io/
	    RewriteCond %{REQUEST_URI} !^/ep/
	    RewriteCond %{REQUEST_URI} !^/minified/
	    RewriteCond %{REQUEST_URI} !^/api/
	    RewriteCond %{REQUEST_URI} !^/ro/
	    RewriteCond %{REQUEST_URI} !^/error/
	    RewriteRule ^/+(.+)$ https://etherpad.example.org/p/$1 [L]

            ProxyVia On
            ProxyRequests Off
            ProxyPass / http://etherpad.internal.example.org:9001/
            ProxyPassReverse / http://etherpad.internal.example.org:9001/
            ProxyPreserveHost on
            <Proxy *>
                Options FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
            </Proxy>
        </IfModule>
    </VirtualHost>
</IfModule>

Mac OS-X Lion Server webapp

/etc/apache2/webapps/org.etherpad.etherpad-lite.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<!-- See man pages for webapp.plist(5) and webappctl(8) for information about this example webapp.plist -->

<plist version="1.0">
<dict> 
	<key>includeFiles</key>
	<array>		<!-- Include files are activated in virtual host when webapp is started -->
		<string>/etc/apache2/httpd_etherpad.conf</string>
	</array>
	<key>launchKeys</key>
	<array>		<!-- Launchd plists in /System/Library/LaunchDaemons are loaded when webapp is started -->
<!--		<string>com.example.mywebapp</string> -->
	</array>
	<key>name</key>
	<string>org.etherpad.etherpad-lite</string>
	<key>proxies</key>		<!-- ProxyPass/ProxyPassReverse directives are activated when webapp is started -->
	<dict>
		<key>/etherpad</key>		<!-- Sets up a reverse proxy -->
		<dict>
			<key>path</key>
			<string>/etherpad</string>
			<key>urls</key>		<!-- URLs comprise a proxy_balancer group -->
			<array>
				<string>http://localhost:9001</string>
			</array>
		</dict>
	</dict>
	<key>requiredModuleNames</key>
	<array>		<!-- Apache plugin modules are enabled when webapp is started -->
		<string>proxy_module</string>
	</array>
        <key>requiredWebAppNames</key>
        <array>         <!-- Required web apps are started when this webapp is started -->
<!--                <string>com.example.webapp.myotherwebapp</string> -->
        </array>

	<key>sslPolicy</key>	<!-- Determines webapp SSL behavior -->
	<integer>0</integer>	<!-- 0: default, UseSSLWhenEnabled -->
			<!-- 1:	UseSSLAlways -->
			<!-- 2:	UseSSLOnlyWhenCertificateIsTrustable -->
			<!-- 3:	UseSSLNever -->
			<!-- 4:	UseSSLAndNonSSL -->
</dict>
</plist>

To restrict access only to a specific usergroup save the next listing to /etc/apache2/httpd_etherpad.conf

<Location "/etherpad">
	AuthType Digest
	AuthName "Access Etherpad-Lite"
	Require group etherpad_users
</Location>

If you don't want to restrict access to specific group delete

	<string>/etc/apache2/httpd_etherpad.conf</string>

from /etc/apache2/webapps/org.etherpad.etherpad-lite.plist

Lighttpd

We know that there is a problem with Lighttpd and socket.io. At the moment it doesn't work with lighttpd :/, see this bug https://github.com/Pita/etherpad-lite/issues/28

Simple Reverse Proxy

$HTTP["host"] =~ "^example.com$" {
  proxy.balance = "hash"
  proxy.server  = ( "" => ( (
                              "host" => "127.0.0.1",
                              "port" => 9001
                            ) )
                  )
}

If you use more than one server behind lighty (you can add more server - look at the lighty docs linked above) you have to use the hash balancer. So for any request the same server will be used. But remember: If you restart lighty this probably does not work anymore. (TODO: add synchronization in etherpad-lite)

Additional information: http://redmine.lighttpd.net/wiki/lighttpd/Docs:ModProxy

Nginx

Https only

server {
        listen       443;
        server_name  pad.example.com;

        access_log  /var/log/nginx/eplite.access.log;
        error_log   /var/log/nginx/eplite.error.log;

        ssl                  on;
        ssl_certificate      /etc/nginx/ssl/eplite.crt;
        ssl_certificate_key  /etc/nginx/ssl/eplite.key;

        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;

        location / {
            proxy_pass             http://localhost:9001/;
            proxy_set_header       Host $host;
            proxy_buffering off;
        }
}

server {
    listen      80;
    server_name pad.example.com;
    rewrite     ^(.*)   https://$server_name$1 permanent;
}

from subdirectory URL

    location /pad {        
        rewrite                /pad/(.*) /$1 break;
        proxy_pass             http://localhost:9001/;
        proxy_set_header       Host $host;
        proxy_buffering off;
    }

IIS 7.0

You need to install the Application Request Routing module to IIS first, using the Web platform installer. This is fairly straightforward to do: Open the Webplattform-Installer, e.g. by clicking your server in the server management console under Roles / Webserver (IIS) / Internet Information Services (I got this in German, so don't get confused when the terms are a little different on your installation - I'm trying to translate this back to English; if you follow these instructions on an English installation it would be nice if you could correct any wrong terms). It's in the Management section (probably the lowest entry in the list).

Here you will find "Application Request Routing" (currently 2.5). Click "Add" and then "Install". Wait.

Once the installation is complete, you'll find "Serverfarms" below "Sites" in your server. Add one with the name of your EtherPad Lite installation. Make sure to enter the correct ports under "Extended Settings" (I'm using 9001 for both httpPort and httpsPort).

Now be careful to not have the console create any default routing settings (that might route any request to any of the sites hosted on your machine to EtherPad Lite). Double click your newly created server farm, then double click "Routing Rules". Under "Advanced Routing", click "URL Rewrite..."

Make sure there are no rules (if any were created, delete them). Create a new empty rule.

You can almost follow the instructions from here:

http://blogs.iis.net/wonyoo/archive/2008/07/09/application-request-routing-arr-as-a-reverse-proxy.aspx

BUT: If you have multiple sites hosted on that IIS, make sure to add conditions to check against the hostname. Use {HTTP_HOST} as "entry", "matches pattern" and your full domain for EtherPad Lite as pattern.

Finally, in action, I used "forward to server farm" with schema "http://", Serverfarm "the one I created before" and Path "/{R:0}". That's it.

For me, this worked both with HTTP and HTTPS.

Add a custom footer
Add a custom sidebar
Clone this wiki locally