I would like to install Mattermost on my server, which is also running the ISPConfig hosting software. ISPConfig has a mechanism to automatically obtain and install Let's Encrypt certificates based on the hostname. For this, Let's Encrypt needs access to the /.well-known directory (I guess) to check for some verification string.

My Mattermost system is running on port 8065 and uses my ISPConfig hosting environment running on the same server as Reverse Proxy for SSL offloading.

I was following the instructions on https://docs.mattermost.com/configure/config-proxy-apache2.html which is working fine for unencrypted connections.

But as soon as I try to obtain an SSL certificate, this does not work anymore. I am not fully sure what's going on, but I guess that the above-mentioned code is proxying ALL the traffic to my Mattermost system, while it should NOT proxy requests to the directory /.well-known, which is needed for the Let's Encrypt stuff.

Does that sound reasonable? If so, how can I exempt the /.well-known directory from the proxying function?

(Maybe this is fairly easy for an expert, but I do not really know where to start - maybe because I do not fully understand how this reverse proxying works and what all the apache directives mean exactly...)

Here's a snippet of my current modifications to the standard apache vhost configuration:

```apache
ServerAdmin my.address@mydomain.com
ProxyPreserveHost On
RewriteEngine On

RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]

# I inserted the next line, but this does not seem to work...
ProxyPass /.well-known/ !

<Location />
      Require all granted
      ProxyPass http://127.0.0.1:8065/
      ProxyPassReverse http://127.0.0.1:8065/
      ProxyPassReverseCookieDomain 127.0.0.1 mattermost.mydomain.com
</Location>
```

(I've stolen the above modification from https://stackoverflow.com/questions/44651809/no-lets-encrypt-renewal-with-reverse-proxy-in-ispconfig3, but that does not seem to work. Maybe because of the <Location /> statement? But how to specify the whole directory / without /.well-known in my <Location> statement?)

Any ideas on how to solve my issue?

TomS

1 Answer

Maybe I was giving up too early. I think I found out how to solve the problem. In addition to <Location>, there's also a <LocationMatch> which works with regular expressions. I am not an expert with regular expressions, but after some fiddling around, I found that the following directive did the trick:

```apache
<LocationMatch "^(?:(?!\/\.well-known).)*$">
```

If my understanding is correct, this matches all directories not beginning with /.well-known.

TomS
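Added example, not part of the original answer: a Python check of which request paths the answer's `<LocationMatch>` regex sends to the proxy, next to a root-anchored pattern that is an assumption introduced here for comparison. The sample paths are constructed, and Apache's unanchored PCRE matching is modelled with `re.search`.

```python
import re

# Regex from the answer above. Apache compiles it with PCRE; Python's re
# treats this negative-lookahead construct the same way.
ANSWER_PATTERN = re.compile(r"^(?:(?!\/\.well-known).)*$")

# Assumption (not from the page): a narrower pattern that exempts only the
# /.well-known directory at the URL root.
ANCHORED_PATTERN = re.compile(r"^/(?!\.well-known(?:/|$))")

# Constructed sample request paths.
SAMPLE_PATHS = [
    "/",
    "/api/v4/users/websocket",
    "/.well-known/acme-challenge/token123",
    "/.well-known",
    "/.well-known-backup/file",
    "/files/.well-known/readme",
]


def proxied(pattern, path):
    """True when the path falls inside the <LocationMatch> section (is proxied)."""
    return pattern.search(path) is not None


def classify(pattern):
    """Map every sample path to its proxied / not-proxied decision."""
    return {path: proxied(pattern, path) for path in SAMPLE_PATHS}


def differences():
    """Paths on which the two patterns disagree."""
    answer, anchored = classify(ANSWER_PATTERN), classify(ANCHORED_PATTERN)
    return [p for p in SAMPLE_PATHS if answer[p] != anchored[p]]


if __name__ == "__main__":
    answer, anchored = classify(ANSWER_PATTERN), classify(ANCHORED_PATTERN)
    print(f"{'path':40} {'answer':>8} {'anchored':>9}")
    for path in SAMPLE_PATHS:
        print(f"{path:40} {answer[path]!s:>8} {anchored[path]!s:>9}")
    print("patterns disagree on:", differences())
```

The answer's pattern leaves any path containing `/.well-known` anywhere unproxied, so those requests are served by the local vhost rather than Mattermost; the anchored variant limits the exemption to the root-level directory.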