Search code examples
rsslapache2.4opencpu

Combine r-handler and tls

Is it possible to provide the Apache R-mod via TLS directly? Without the need to set up a reverse proxy?

I'm trying to set up an OpenCPU instance without the typical reverse proxy configuration. It should be accessible via HTTPS and HTTPS only.

Whenever I try to enable the TLS/SSL engine, Apache ignores that and on port 443 I'll get a header missmatch as HTTP is delivered over port 443.

<IfModule mod_ssl.c>
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
<IfModule mod_R.c>

    RSourceOnStartup "/usr/lib/opencpu/rapache/onstartup.R"

    <Location /ocpu>
        SSLEngine on
        SSLUseStapling on
        SSLCertificateFile  /etc/ssl/xxx.pem
        SSLCertificateKeyFile /etc/ssl/private/xxx.key
        SSLCertificateChainFile /etc/ssl/certs/chain.pem

        SetHandler r-handler
        RHandler opencpu:::rapachehandler
        SetOutputFilter DEFLATE
        SetInputFilter DEFLATE
    </Location>

    Alias /favicon.ico /usr/lib/opencpu/rapache/favicon.ico
    Alias /robots.txt /usr/lib/opencpu/rapache/robots.txt

    # Increase prefork defaults
    <IfVersion >= 2.4>
        #StartServers 10
        MaxConnectionsPerChild 200
        <Directory /usr/lib/opencpu/rapache>
            Require all granted
        </Directory>
    </IfVersion>

</IfModule>

Solution

  • It seems that the Location /ocpu is valid for both VirtualHosts, the one for HTTP and HTTPS.

    So it suffices to redirect HTTP to HTTPS in 000-default.conf and to correctly set up TLS in the default-ssl.conf.

    <VirtualHost *:80>
    ServerName xxx
    ServerAdmin xxx

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Redirect / https://xxx/

</VirtualHost>

    And

    # cat default-ssl.conf 
<IfModule mod_ssl.c>
    SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
    LogLevel Debug
    <VirtualHost *:443>
        ServerName xxx
        ServerAdmin xxx

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLUseStapling on

        SSLCertificateFile  /etc/ssl/certs/xxx.pem
        SSLCertificateKeyFile /etc/ssl/private/xxx.key
        SSLCertificateChainFile /etc/ssl/certs/xxx.pem

        DocumentRoot /var/www/html

    </VirtualHost>
</IfModule>

    No need to change anything in the opencpu.conf.