OTOBO ssl Apache configuration, others sites return 404

[Romain THERVILLE]

Hello Otobo community,

I’ve migrated an OTRS 6.0.29 to OTOBO 10.1.6 with the migration manual, everything worked fine.

(The machine is a Rocky Linux release 8.7, with apache and postgres, without docker and nginx)

 

The site has been running with http, using the default conf here : /opt/otobo/scripts/apache2-httpd-cgi.include.conf

The other websites on the same machine have been accessible, ex : http://<my.domain>/phpPgAdmin/

 

Now I am trying to run OTOBO exclusively using https, and every website on the machine is unreachable :

https://<my.domain>/phpPgAdmin/ -> 404 Not found

https://<my.domain>/otobo/ -> OK

I’ve used the following configurations : /opt/otobo/scripts/apache2-httpd-vhost-443.include.conf , /opt/otobo/scripts/apache2-httpd-vhost-80.include.conf

 

I’ve been fiddling with the apache conf to make sure every website is accessible on the machine using https, without sucess :(.

Here is what my apache conf looks like right now :

 

<VirtualHost *:80>
Header always set Referrer-Policy "unsafe-url"
Header set Access-Control-Allow-Origin "*"
ServerName <my.domain>

[...]
Redirect permanent /otobo https://esitoul-rocky-dev.toulouse.inra.fr/otobo/index.pl
</VirtualHost>

<VirtualHost *:443>
TraceEnable off
RewriteEngine On
RewriteCond %{HTTP_HOST} !^<my.domain>$ [NC,OR]
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) <my.domain>/$1 [NC,L]
ProxyPass /e-SIToul_WS_interface http://<my.domain>:8080/[REDACTED]
ProxyPassReverse /e-SIToul_WS_interface http://<my.domain>:8080/[REDACTED]
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Headers "Origin,Content-Type,X-Requested-With,Accept,Authorization"
Header set Access-Control-Allow-Methods "GET, POST, DELETE, PUT, OPTIONS"
Header always set Strict-Transport-Security "max-age=63072000"
SSLEngine On
Protocols h2 h2c http/1.1

SSLUseStapling on
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off

DocumentRoot [REDACTED]
ServerName <my.domain>

ErrorLog logs/error_log
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/SSL-access_log common

PerlModule ModPerl::Registry
PerlRequire /[REDACTED]/authPerl/startup.pl
PerlWarn On
PerlSetVar DBhost localhost
PerlSetVar DBport 5432
PerlSetVar DBname [REDACTED]
PerlSetVar DBuser [REDACTED]
PerlSetVar groupFile [REDACTED]
PerlSetVar DBpwd [REDACTED]
LimitRequestLine 65536
Timeout 600

# Preload otobo.psgi so that that the app doesn't have to be loaded again for every process.
# This also sets @INC.
PerlPostConfigRequire /opt/otobo/scripts/apache2-perl-preload_otobo_psgi.pl

# RT : OTOBO conf, first part

ScriptAlias /otobo/ "/opt/otobo/bin/cgi-bin/"
Alias /otobo-web/ "/opt/otobo/var/httpd/htdocs/"

<IfModule mod_perl.c>
#ScriptAlias /otobo/ "/opt/otobo/bin/cgi-bin/"
#Alias /otobo-web/ "/opt/otobo/var/httpd/htdocs/"

<IfModule mpm_event_module>
Error "The Multi-Processing Module mpm_event is active but it isn' supported by OTOBO. Please switch to mpm_prefork."
</IfModule>

<IfModule mpm_worker_module>
Error "The Multi-Processing Module mpm_worker is active but it isn't supported by OTOBO. Please switch to mpm_prefork."
</IfModule>
# Use a dedicated Perl interpreter for the current virtual host, in this case the virtual host serving port 443
PerlOptions +Parent

# Preload otobo.psgi so that that the app doesn't have to be loaded again for every process.
# This also sets @INC.
#PerlPostConfigRequire /opt/otobo/scripts/apache2-perl-preload_otobo_psgi.pl

# everything is handled by the PSGI app
#<Location /otobo>
<Location />

#ErrorDocument 403 /otobo/index.pl
#ErrorDocument 404 /otobo/index.pl

# handle all requests, including the static content, with otobo.psgi
SetHandler perl-script
PerlResponseHandler Plack::Handler::Apache2
PerlSetVar psgi_app /opt/otobo/bin/psgi-bin/otobo.psgi

# Require is supported starting with Apache 2.4.
# No authentication and all requests are allowed.
Require all granted

</Location>
</IfModule>

# RT : OTOBO conf, second part

<Directory "/opt/otobo/bin/cgi-bin/">
AllowOverride None
Options +ExecCGI -Includes

# Require supported starting with Apache 2.4
# No authentication and all requests are allowed.
Require all granted

<IfModule mod_filter.c>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
</IfModule>
</IfModule>

</Directory>

<Directory "/opt/otobo/var/httpd/htdocs/">
AllowOverride None

# Require supported starting with Apache 2.4
# No authentication and all requests are allowed.
Require all granted

<IfModule mod_filter.c>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/javascript application/javascript text/css text/xml application/json text/json
</IfModule>
</IfModule>

# Make sure CSS and JS files are read as UTF8 by the browsers.
AddCharset UTF-8 .css
AddCharset UTF-8 .js

# Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
AddType application/font-woff .woff

</Directory>

<IfModule mod_headers.c>
# Cache css-cache for 30 days
<Directory "/opt/otobo/var/httpd/htdocs/skins/*/*/css-cache">
<FilesMatch "\.(css|CSS)$">
Header set Cache-Control "max-age=2592000 must-revalidate"
</FilesMatch>
</Directory>

# Cache css thirdparty for 4 hours, including icon fonts
<Directory "/opt/otobo/var/httpd/htdocs/skins/*/*/css/thirdparty">
<FilesMatch "\.(css|CSS|woff|svg)$">
Header set Cache-Control "max-age=14400 must-revalidate"
</FilesMatch>
</Directory>

# Cache js-cache for 30 days
<Directory "/opt/otobo/var/httpd/htdocs/js/js-cache">
<FilesMatch "\.(js|JS)$">
Header set Cache-Control "max-age=2592000 must-revalidate"
</FilesMatch>
</Directory>

# Cache js thirdparty for 4 hours
<Directory "/opt/otobo/var/httpd/htdocs/js/thirdparty/">
<FilesMatch "\.(js|JS)$">
Header set Cache-Control "max-age=14400 must-revalidate"
</FilesMatch>
</Directory>
</IfModule>

# RT : End OTOBO conf

[...]

ScriptAlias /otobo/ "/opt/otobo/bin/cgi-bin/"
Alias /otobo-web/ "/opt/otobo/var/httpd/htdocs/"

Alias /Mantis /[REDACTED]/src/mantis
Alias /GIMACO /[REDACTED]/src/GIMACO

[...]
</VirtualHost>

 

Has anyone managed to run OTOBO on https with other websites ? Do you know what is wrong with my configuration?

Thanks in advance!

 

Romther

[B O]

Hi Romain,

first of otobo runs via perl so that means you have to https://<my.domain>/otobo/index.pl

and as your question in regards of ssl , why do you want to create <VirtualHost *:80>?

 

Br,

BQ

 

• This reply was modified 6 months, 4 weeks ago by B O.

[Romain THERVILLE]

Hi BQ,

Thanks for taking time to answer.

The machine we are setting up is going to host several websites, some accessed via the HTTPS protocol, and some without.

<VirtualHost *:80> is going to handle http requests.

 

Best regards,

Romain

[B O]

Hi Romain,

now I understand what you’re trying to achive :)  can you try this config, have you tried to generate open ssl certificate and add it to your apache config file if not you can do it very easily via https://certbot.eff.org/ for free and after that just upload the certificate and change the path

of course don’t forget to restart the httpd ☺

<VirtualHost *:443>
ServerName example.com
ServerAlias http://www.example.com
DocumentRoot /var/www/html

SSLEngine on
SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/key.pem
SSLCertificateChainFile /path/to/chain.pem

<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

[Author]

Posts