These are some notes on setting up OpenProject on a backend server (let’s call it
backsrv.example.com), and accessing it via a front-end system (
frontsrv.example.com). Normally we’d do the SSL termination at the reverse proxy, and there is some documentation on this. In this case I wanted to do things properly, and protect the login credentials all the way. This means using an https connection between the reverse proxy and the back end server.
Firstly, the reverse proxy has to trust the SSL certificate that the back end uses. There are several ways to go about this. I chose to set up a local certificate authority using the
easy-rsa scripts (using another small virtual machine set up only for this purpose). For one connection this is probably overkill, but for multiple backends in the future it will make the administration a lot easier.
- Set up CA
- Debian 10, install
easy-rsa package, do required setup.
- Copy CA root certificate to
- For Debian systems, copy to
/usr/local/share/ca-certificates/ and run
- Create CSR on
backsrv, copy it to CA, sign it and copy resulting certificate to
backsrv. Put cert and key in sensible places (
/etc/ssl/private/ and /
etc/ssl/local-certs/). Make sure permissions are correct.
- Configure Apache on
backsrv and check cert works (for OpenProject edit
/etc/openproject/installer.dat to put in the correct certificate paths and run
openproject configure to update the config).
Set up Apache to do proxy stuff on
frontsrv. Here’s the beginning fragment of
default-ssl.conf that should work:
RequestHeader edit Destination ^https http early
# To openproject server on backserv
ProxyPass /openproject https://backsrv.example.com/openproject
ProxyPassReverse /openproject https://backsrv.example.com/openproject
Require all granted
You also need to go to the OpenProject web interface admin area, go to System Settings – General and change the
Host name to the reverse proxy, and set protocol to https. It will complain if there’s a hostname mismatch (case sensitive, even!). You may also want to go to Email – Email notifications and change the
Emission email address to be consistent.
Don’t forget, need
For OpenProject the subdirectory locations on the front and back ends do need to match.
ProxyPreserveHost On is required per the OpenProject documentation. Unfortunately, that means it tries to match the name
frontsrv.example.com to the back end cert, and the SSL handshake fails. This is the reason for the
SSLProxyCheckPeerName off directive – it disables checking the certificate CN or Subject Alternative Names.
SSLProxyCheckPeerName off can go in a
<Proxy>...</Proxy> matching block with Apache 2.4.30 or newer, which would be nice. As it is this will turn it off for the whole vhost, which is a small lessening of security.
I suppose in principle we could create the certificate for the back end with the name of the front end, or add it to the SANs. I haven’t tried this and it seems like it could be a recipe for confusion and subtle bugs.