4.4 KiB

Raw Blame History

How to use Apache as a reverse-proxy with LetsEncrypt

Requirements

Start a Coder deployment and be sure to set the following configuration values:
```
CODER_HTTP_ADDRESS=127.0.0.1:3000
CODER_ACCESS_URL=https://coder.example.com
CODER_WILDCARD_ACCESS_URL=*coder.example.com
```
Throughout the guide, be sure to replace coder.example.com with the domain you intend to use with Coder.
Configure your DNS provider to point your coder.example.com and *.coder.example.com to your server's public IP address.

For example, to use coder.example.com as your subdomain, configure coder.example.com and *.coder.example.com to point to your server's public ip. This can be done by adding A records in your DNS provider's dashboard.
Install Apache (assuming you're on Debian/Ubuntu):
```
sudo apt install apache2
```

Enable the following Apache modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl
sudo a2enmod rewrite

Stop Apache service and disable default site:

sudo a2dissite 000-default.conf
sudo systemctl stop apache2

Install and configure LetsEncrypt Certbot

Install LetsEncrypt Certbot: Refer to the CertBot documentation. Be sure to pick the wildcard tab and select your DNS provider for instructions to install the necessary DNS plugin.

Create DNS provider credentials

This example assumes you're using CloudFlare as your DNS provider. For other providers, refer to the CertBot documentation.

Create an API token for the DNS provider you're using: e.g. CloudFlare with the following permissions:
- Zone - DNS - Edit

Create a file in .secrets/certbot/cloudflare.ini with the following content:

dns_cloudflare_api_token = YOUR_API_TOKEN

mkdir -p ~/.secrets/certbot
touch ~/.secrets/certbot/cloudflare.ini
nano ~/.secrets/certbot/cloudflare.ini

Set the correct permissions:

sudo chmod 600 ~/.secrets/certbot/cloudflare.ini

Create the certificate

Create the wildcard certificate:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini -d coder.example.com -d *.coder.example.com

Configure Apache

This example assumes Coder is running locally on 127.0.0.1:3000 and that you're using coder.example.com as your subdomain.

Create Apache configuration for Coder:

sudo nano /etc/apache2/sites-available/coder.conf

Add the following content:

 # Redirect HTTP to HTTPS
 <VirtualHost *:80>
     ServerName coder.example.com
     ServerAlias *.coder.example.com
     Redirect permanent / https://coder.example.com/
 </VirtualHost>

 <VirtualHost *:443>
     ServerName coder.example.com
     ServerAlias *.coder.example.com
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     ProxyPass / http://127.0.0.1:3000/ upgrade=any # required for websockets
     ProxyPassReverse / http://127.0.0.1:3000/
     ProxyRequests Off
     ProxyPreserveHost On

     RewriteEngine On
     # Websockets are required for workspace connectivity
     RewriteCond %{HTTP:Connection} Upgrade [NC]
     RewriteCond %{HTTP:Upgrade} websocket [NC]
     RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]

     SSLCertificateFile /etc/letsencrypt/live/coder.example.com/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/coder.example.com/privkey.pem
 </VirtualHost>

Don't forget to change: coder.example.com by your (sub)domain

Enable the site:
```
sudo a2ensite coder.conf
```
Restart Apache:
```
sudo systemctl restart apache2
```

Refresh certificates automatically

Create a new file in /etc/cron.weekly:
```
sudo touch /etc/cron.weekly/certbot
```
Make it executable:
```
sudo chmod +x /etc/cron.weekly/certbot
```
And add this code:
```
#!/bin/sh
sudo certbot renew -q
```

And that's it, you should now be able to access Coder at your sub(domain) e.g. https://coder.example.com.

4.4 KiB Raw Blame History