Apache listen only on internal interface

Hi Folks,

Following the coTURN documentation, it is advised that coTURN should listen on port 443.

As we would like to install coTURN on one of our UCS member servers, this conflicts with the UCS management web server.

Could someone advise where to tell Apache to listen only on the internal interface or, better, how to change the SSL port of the management interface?

In addition to that: is it possible to use the UCS Let’s Encrypt app? Most coTURN how-tos describe using certbot in --standalone mode…

Any advice on this?

Best,

Mat

I remember having a similar setup – no UCS, but an HTTPS proxy conflicting with this requirement.

As I use nginx, I can’t tell if it’s possible with your setup. Basically, I had to configure my local services to listen on a different port than 443. Then I had to configure a stream block which filters the packets according to their protocol and proxies them either to coturn or to the alternative HTTPS port.

If Apache does not provide such features, you’re still not out of luck if you can change the HTTPS port of Apache in the UCR or UMC somewhere. All you need is to change this port and install nginx. Then you can configure nginx to do the protocol splitting.

Sorry for not being more precise.

# this is the jitsi-meet nginx module configuration
# it forwards all HTTPS traffic to the nginx virtual host port
# and (when the "default turn;" line is active) everything else to the TURN server

stream {
    upstream web {
        server 127.0.0.1:4443;
    }
    upstream turn {
        server jitsi:4445;
    }
    # since 1.13.10: route on the ALPN list read from the unencrypted ClientHello;
    # $ssl_preread_alpn_protocols is the comma-separated list as the client sent it
    # (e.g. "h2,http/1.1"), so the whole string is matched, not each entry.
    # A client that sends no ALPN, or one not listed here, takes the default.
    map $ssl_preread_alpn_protocols $upstream {
        "h2"            web;
        "http/1.1"      web;
        "h2,http/1.1"   web;
        default         web;
#        default         turn;
    }

    log_format myformat '$remote_addr [$time_local] '
        '$protocol ($ssl_preread_alpn_protocols->$upstream): $status';
    server {
#        access_log /var/log/nginx/stream.log myformat;

        listen 443;

        # since 1.11.5: peek at the ClientHello without terminating TLS;
        # the TLS session itself is passed through unchanged to the chosen upstream
        ssl_preread on;
        proxy_pass $upstream;
        # only meaningful together with "proxy_ssl on"; nginx does not
        # re-originate TLS here, so this line has no effect in this setup
        proxy_ssl_verify off;

        # Increase buffer to serve video
        proxy_buffer_size 10m;
    }
}

This is part of my config for Jitsi Meet. The upstream web is just for proxying to port 4443; the upstream turn forwards to the host providing TURN services (which, in my case, was the container running Jitsi Meet).

As I later stopped using the built-in TURN service and set up my own coturn for use by different WebRTC services, I commented out the default line for turn in the mapping.
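What the stream block above actually decides on is worth seeing in code. The following is an added example (my own, not from the post above and not nginx's implementation): it parses the ALPN extension out of a raw TLS ClientHello, exactly the unencrypted data `ssl_preread` looks at, and applies the same map with the commented-out `default turn;` line active. The ClientHello bytes are constructed inline (zeroed random, one cipher suite) and the backend names "web" and "turn" are taken from the post; everything else, including treating non-TLS bytes as an empty ALPN list, is an assumption of this example. Note that a TURN-over-TLS client that sends no ALPN, or the "stun.turn" identifier from RFC 7443, lands on the default route, which is why the default entry is the one that matters for coturn.

```python
import struct
from typing import List, Optional

# Routing table mirroring the nginx "map" from the post, with the
# commented-out "default turn;" line active (assumption of this example).
ALPN_MAP = {"h2": "web", "http/1.1": "web", "h2,http/1.1": "web"}
DEFAULT_UPSTREAM = "turn"

ALPN_EXTENSION_TYPE = 16  # application_layer_protocol_negotiation (RFC 7301)


def parse_client_hello_alpn(data: bytes) -> List[str]:
    """Return the ALPN names a TLS ClientHello offers, in client order ([] if none).

    Only the first TLS record is inspected, which is all a preread sees. A
    ValueError means the bytes are not a handshake record carrying a ClientHello.
    """
    if len(data) < 5 or data[0] != 0x16:            # record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:            # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                    # legacy_version + random
    pos += 1 + hello[pos]                           # session_id
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2 + cs_len                               # cipher_suites
    pos += 1 + hello[pos]                           # compression_methods
    if pos + 2 > len(hello):
        return []                                   # no extensions block at all
    (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == ALPN_EXTENSION_TYPE:
            (list_len,) = struct.unpack("!H", ext[:2])
            names, p = [], 2
            while p < 2 + list_len:
                n = ext[p]
                names.append(ext[p + 1:p + 1 + n].decode("ascii"))
                p += 1 + n
            return names
    return []


def choose_upstream(alpn: List[str]) -> str:
    """Apply the map: the whole comma-joined list is matched, as nginx does."""
    return ALPN_MAP.get(",".join(alpn), DEFAULT_UPSTREAM)


def route(first_bytes: bytes) -> str:
    """Pick the upstream from the first bytes a client sent to port 443.

    Bytes that are not a parseable ClientHello (e.g. plain STUN) are treated
    like an empty ALPN list here, so they take the default route.
    """
    try:
        alpn = parse_client_hello_alpn(first_bytes)
    except ValueError:
        alpn = []
    return choose_upstream(alpn)


def build_client_hello(alpn: Optional[List[str]]) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 framing, one cipher suite), optional ALPN."""
    exts = b""
    if alpn is not None:
        names = b"".join(bytes([len(a)]) + a.encode("ascii") for a in alpn)
        alpn_ext = struct.pack("!H", len(names)) + names
        exts += struct.pack("!HH", ALPN_EXTENSION_TYPE, len(alpn_ext)) + alpn_ext
    hello = (
        b"\x03\x03" + bytes(32)                  # legacy_version, random (zeros: constructed)
        + b"\x00"                                 # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [
        ("browser (h2,http/1.1)", build_client_hello(["h2", "http/1.1"])),
        ("http/1.1 only", build_client_hello(["http/1.1"])),
        ("TURN client, no ALPN", build_client_hello(None)),
        ("TURN client, RFC 7443 ALPN", build_client_hello(["stun.turn"])),
        ("plain STUN binding request", bytes.fromhex("000100002112a442") + bytes(12)),
    ]
    for label, first_bytes in samples:
        print(f"{label:28s} -> {route(first_bytes)}")
```

The split only works because ALPN travels in the clear in the ClientHello; nothing here authenticates the client, so the TURN backend still needs its own long-term credentials, and a TLS client that omits ALPN is indistinguishable from a TURN client on this layer.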

Hi,
thanks for the feedback. Using nginx or plain vanilla Apache is easy. I was looking for how to tweak this slightly complicated UCS template stuff…

However, as I was looking for a solution that also works on a UCS member, I just deactivated Apache. So no more port conflicts :slight_smile:

A little bit harsh but effective, I guess :smiley:

I just had to work on Samba logging. During this, I had the idea that you could introduce a new UCR variable like apache2/ssl/listenport and set it to something you want. Then you could edit the template in /etc/univention/templates/files/etc/apache2/sites-available/ssl.d/00start:

@%@UCRWARNING=# @%@

<IfModule mod_ssl.c>
@!@
# port from the proposed UCR variable apache2/ssl/listenport, falling back to 443
print('<VirtualHost *:%s>' % configRegistry.get('apache2/ssl/listenport', 443))
@!@
	IncludeOptional /etc/apache2/ucs-sites.conf.d/*.conf
	SSLEngine on
	SSLProxyEngine on
	SSLProxyCheckPeerCN off
	SSLProxyCheckPeerName off
	SSLProxyCheckPeerExpire off
@!@
if configRegistry.get('apache2/ssl/certificate'):
	print('	SSLCertificateFile %s' % configRegistry.get('apache2/ssl/certificate'))
else:
	print('	SSLCertificateFile /etc/univention/ssl/%s.%s/cert.pem' % (configRegistry.get('hostname'), configRegistry.get('domainname')))
if configRegistry.get('apache2/ssl/key'):
	print('	SSLCertificateKeyFile %s' % configRegistry.get('apache2/ssl/key'))
else:
	print('	SSLCertificateKeyFile /etc/univention/ssl/%s.%s/private.key' % (configRegistry.get('hostname'), configRegistry.get('domainname')))
if configRegistry.get('apache2/ssl/ca'):
	print('	SSLCACertificateFile %s' % configRegistry.get('apache2/ssl/ca'))
else:
	print('	SSLCACertificateFile /etc/univention/ssl/ucsCA/CAcert.pem')
if configRegistry.get('apache2/ssl/certificatechain'):
	print('	SSLCertificateChainFile %s' % configRegistry.get('apache2/ssl/certificatechain'))
@!@
	#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

	### To enable special log format for HTTPS-access
	# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %p" combinedssl
	# CustomLog /var/log/apache2/access.log combinedssl	## with port number

Of course, there might be other templates to consider. Generally, I’m cautious about editing the templates. I’d prefer Univention to include such variables.
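To see what the proposed template change produces, here is an added example (my own code, not Univention's template engine and not part of the post above). It renders a shortened copy of the 00start idea the way UCR renders templates: Python between `@!@` markers runs with `configRegistry` in scope and whatever it prints is spliced in, and `@%@UCRWARNING=# @%@` becomes a generated-file header. Because Apache only accepts connections on ports named in a `Listen` directive, the example also renders a hypothetical ports.conf fragment driven by the same variable and checks that every VirtualHost port is actually opened; the variable name `apache2/ssl/listenport`, the `FakeRegistry` class and the ports.conf template are assumptions of this example.

```python
import contextlib
import io
import re
from typing import Dict, Set


class FakeRegistry:
    """Stand-in for the configRegistry object UCR hands to a template
    (assumption: the template only calls .get(key, default)). Values are strings."""

    def __init__(self, values: Dict[str, str]):
        self._values = dict(values)

    def get(self, key: str, default=None):
        return self._values.get(key, default)


# Shortened copy of the 00start idea from the post: the port comes from the
# hypothetical UCR variable apache2/ssl/listenport and falls back to 443.
VHOST_TEMPLATE = """@%@UCRWARNING=# @%@

<IfModule mod_ssl.c>
@!@
print('<VirtualHost *:%s>' % configRegistry.get('apache2/ssl/listenport', 443))
@!@
\tSSLEngine on
@!@
if configRegistry.get('apache2/ssl/certificate'):
    print('\tSSLCertificateFile %s' % configRegistry.get('apache2/ssl/certificate'))
else:
    print('\tSSLCertificateFile /etc/univention/ssl/%s.%s/cert.pem'
          % (configRegistry.get('hostname'), configRegistry.get('domainname')))
@!@
"""

# Hypothetical ports.conf template using the same variable (assumption; UCS may
# manage this file differently). Apache never answers on a port without Listen.
PORTS_TEMPLATE = """@%@UCRWARNING=# @%@
Listen 80
<IfModule mod_ssl.c>
@!@
print('\tListen %s' % configRegistry.get('apache2/ssl/listenport', 443))
@!@
</IfModule>
"""

_BLOCK = re.compile(r"^@!@\n(.*?)^@!@\n", re.M | re.S)
_WARNING = "@%@UCRWARNING=# @%@"


def render(template: str, registry: FakeRegistry) -> str:
    """Run each @!@ ... @!@ block with configRegistry in scope and splice in its output."""

    def run_block(match: "re.Match[str]") -> str:
        captured = io.StringIO()
        with contextlib.redirect_stdout(captured):
            exec(match.group(1), {"configRegistry": registry})
        return captured.getvalue()

    rendered = _BLOCK.sub(run_block, template)
    return rendered.replace(
        _WARNING, "# Warning: generated from a UCR template; edit the template, not this file."
    )


_VHOST = re.compile(r"<VirtualHost \*:(\d+)>")
_LISTEN = re.compile(r"^\s*Listen\s+(?:\S+:)?(\d+)", re.M)


def vhost_ports(vhost_conf: str) -> Set[int]:
    """Ports bound by <VirtualHost *:PORT> stanzas in rendered Apache config."""
    return {int(p) for p in _VHOST.findall(vhost_conf)}


def listen_ports(ports_conf: str) -> Set[int]:
    """Ports opened by Listen directives (with or without a bind address)."""
    return {int(p) for p in _LISTEN.findall(ports_conf)}


def missing_listen(vhost_conf: str, ports_conf: str) -> Set[int]:
    """VirtualHost ports no Listen directive opens: Apache starts, but the
    management UI silently never answers there. Empty set means consistent."""
    return vhost_ports(vhost_conf) - listen_ports(ports_conf)


if __name__ == "__main__":
    reg = FakeRegistry({"hostname": "member01", "domainname": "example.test",
                        "apache2/ssl/listenport": "8443"})   # constructed values
    vhost, ports = render(VHOST_TEMPLATE, reg), render(PORTS_TEMPLATE, reg)
    print(vhost)
    print(ports)
    print("unopened VirtualHost ports:", missing_listen(vhost, ports) or "none")
    print("with an untouched ports.conf:", missing_listen(vhost, "Listen 80\nListen 443\n"))
```

The last line of the demo is the case the post's caution about "other templates" points at: changing only 00start moves the VirtualHost to 8443 while an unchanged ports.conf still opens 443, so `missing_listen` reports `{8443}` and the management interface would be unreachable.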
