How to get Mattermost running on a different server (to prepare UCS upgrade to 5.x)

Hello - I’m still in preparation to get UCS on version 5.x

One last milestone is Mattermost. With version 5.x my understanding is that Mattermost is no longer supported - so I have to build it on a different server.

The good news is - Mattermost itself is running (as a fresh version) on a fresh Ubuntu 20.04. I can access it via http and configure it as I want.

Nearly - because I’m unable to get a secure connection working - with a trusted certificate.

My current setup is as follows:

  • Ubuntu1 server is taking all the http and https requests from the internet (e.g. for Kopano or UCS management)
  • Ubuntu1 has some trusted certificates - based on Let’s Encrypt
  • Ubuntu1 is operating as a reverse proxy based on Apache2
  • Ubuntu2 is an application server with Mattermost (as before on Univention)

As mentioned I can access Mattermost via http within the local network on Ubuntu2

I copied the Mattermost .conf file from the current UCS Mattermost setup (where https is working):

##########
# Copy from Univention mattermost setup
############

Listen 8123
Listen 8234

<VirtualHost *:8123>
ServerName Ubuntu2.PRIVAT.local
ServerAdmin mattermost-support@MY_DOMAIN.de

   ErrorLog ${APACHE_LOG_DIR}/mattermost-error.log
   CustomLog ${APACHE_LOG_DIR}/mattermost-access.log combined

   # Enforce HTTPS:
   RewriteEngine On
   RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
   RewriteCond %{HTTPS} !=on
   RewriteRule ^/?(.*) https://Ubuntu2.PRIVAT.local:8234/$1 [R,L]

</VirtualHost>

<VirtualHost *:8234>
SSLEngine on
ServerName Ubuntu2.PRIVAT.local
ServerAdmin mattermost-support@MY_DOMAIN.de

   SSLCertificateFile /etc/ssl/certs/Ubuntu2.PRIVAT.local-self.crt
   SSLCertificateKeyFile /etc/ssl/private/Ubuntu2.PRIVAT.local-self.key

   ErrorLog ${APACHE_LOG_DIR}/mattermost-error.log
   CustomLog ${APACHE_LOG_DIR}/mattermost-access.log combined

   RewriteEngine On
   RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
   RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
   RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
   RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]

   RequestHeader set X-Forwarded-Proto "https"

   RequestHeader unset If-Modified-Since
   RequestHeader unset If-None-Match

   <LocationMatch "/api/v(?<apiversion>[0-9]+)/(?<apiusers>users/)?websocket">
           Require all granted
           ProxyPass ws://127.0.0.1:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
           ProxyPassReverse ws://127.0.0.1:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
           ProxyPassReverseCookieDomain 127.0.0.1 Ubuntu2.PRIVAT.local
   </LocationMatch>

   <Location />
           Require all granted
           ProxyPass http://127.0.0.1:8065/
           ProxyPassReverse http://127.0.0.1:8065/
           ProxyPassReverseCookieDomain 127.0.0.1 Ubuntu2.PRIVAT.local
   </Location>

   ProxyPreserveHost On
   ProxyRequests Off

</VirtualHost>

If I try to open https://Ubuntu2.PRIVAT.local:8234 I’m getting an error message → Internal Server Error

The Mattermost error log looks like:

[Tue Jul 19 16:17:24.811098 2022] [ssl:warn] [pid 7617:tid 139632452033600] AH01906: Ubuntu2.PRIVAT.local:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jul 19 16:17:24.831212 2022] [ssl:warn] [pid 7622:tid 139632452033600] AH01906: Ubuntu2.PRIVAT.local:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jul 19 16:19:08.469416 2022] [proxy:warn] [pid 7624:tid 139632331187968] [client 192.168.56.40:52034] AH01144: No protocol handler was valid for the URL / (scheme 'http'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Jul 19 16:19:08.528629 2022] [proxy:warn] [pid 7623:tid 139632431867648] [client 192.168.56.40:52035] AH01144: No protocol handler was valid for the URL /favicon.ico (scheme 'http'). If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule., referer: https://Ubuntu2.PRIVAT.local:8234/

Is the issue based on the self-created certificate or does Ubuntu2 need more Apache2 mods?

FYI - currently used Apache 2 mods:
Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
filter_module (shared)
headers_module (shared)
mime_module (shared)
mpm_event_module (shared)
negotiation_module (shared)
proxy_module (shared)
reqtimeout_module (shared)
request_module (shared)
rewrite_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)

Thank you in advance

Pepe

Update - I compared the Apache2 modules running on the UCS server and added the following 3:

sudo a2enmod proxy_wstunnel
sudo a2enmod proxy_http
sudo a2enmod proxy_connect

And it looks like we are a big step further :wink:

Means - ERROR message is gone - landing page of Mattermost is available.

Let’s check out if some errors will come up - hope not.

PS: Tomorrow I will try to get the server page available from the internet (via Ubuntu1) and see if I can get Let’s Encrypt working as well. Not sure yet if I have to install it on Ubuntu1 or Ubuntu2. If on Ubuntu2 - how will Let’s Encrypt work behind Ubuntu1? So many questions :wink:

Kind regards
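
A way to check for the cause of the AH01144 warning discussed above, as an added example that is not part of the original posts: it collects the backend URL schemes the vhost proxies to and reports which handler modules are absent from the `apache2ctl -M` listing. The sample config and module list are constructed from lines in the thread, and the function names are this example's own.

```python
import re

# Backend URL scheme -> handler module, named as in `apache2ctl -M` output.
SCHEME_MODULE = {"http": "proxy_http_module", "https": "proxy_http_module",
                 "ws": "proxy_wstunnel_module", "wss": "proxy_wstunnel_module"}

def proxied_schemes(conf_text):
    """Schemes of every backend URL that Apache is asked to proxy to."""
    schemes = set()
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive in ("proxypass", "proxypassmatch"):
            targets = parts[1:]
        elif directive == "rewriterule" and len(parts) >= 4:
            flags = {f.strip().lower() for f in parts[3].strip("[]").split(",")}
            # A substitution is proxied only with [P]; [R] is a plain redirect.
            targets = [parts[2]] if flags & {"p", "proxy"} else []
        else:
            continue  # ProxyPassReverse only rewrites headers, needs no handler
        for target in targets:
            m = re.match(r"([a-z]+)://", target.strip('"'), re.I)
            if m and m.group(1).lower() in SCHEME_MODULE:
                schemes.add(m.group(1).lower())
    return schemes

def missing_proxy_modules(conf_text, apachectl_m_output):
    """Modules the config needs that `apache2ctl -M` does not list."""
    loaded = set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)",
                            apachectl_m_output, re.M))
    needed = {SCHEME_MODULE[s] for s in proxied_schemes(conf_text)}
    if needed:
        needed.add("proxy_module")
    return sorted(needed - loaded)

# Constructed sample: directives taken from the config in the post, module
# list shortened from the "Loaded Modules" output in the post.
SAMPLE_CONF = """
RewriteRule ^/?(.*) https://Ubuntu2.PRIVAT.local:8234/$1 [R,L]
RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
ProxyPass http://127.0.0.1:8065/
ProxyPassReverse http://127.0.0.1:8065/
"""
SAMPLE_MODULES = "Loaded Modules:\n proxy_module (shared)\n rewrite_module (shared)\n"

if __name__ == "__main__":
    print(missing_proxy_modules(SAMPLE_CONF, SAMPLE_MODULES))
```

Feed it the real vhost file and the output of `apache2ctl -M`; `a2enmod` takes the reported names without the `_module` suffix. None of the directives shown need `proxy_connect`, which handles the CONNECT method.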

Hi - I moved today (for me) a big step further.

I installed the same Apache2 config for Mattermost also on the proxy server (Ubuntu2) - with the following modifications:

Change → ServerName Ubuntu2.PRIVAT.local
Into → ServerName Mattermost.PUBLIC.de

Change → RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]
Into → RewriteRule .* ws://Ubuntu2.PRIVATE.local:8065%{REQUEST_URI} [P,QSA,L]

Change → ProxyPass ws://127.0.0.1:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
Into → ProxyPass ws://vmmm-rd1.dreger-net.local:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
Change → ProxyPassReverse ws://127.0.0.1:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket
Into → ProxyPassReverse ws://vmmm-rd1.dreger-net.local:8065/api/v%{env:MATCH_APIVERSION}/%{env:MATCH_APIUSERS}websocket

If I open https://Mattermost.PUBLIC.de:8234 my proxy server takes action and brings up the needed Mattermost page.

In addition I removed the following area - http access is already blocked on the proxy server - so I assume I don’t need it:

<VirtualHost *:8123>
ServerName Ubuntu2.PRIVAT.local
ServerAdmin mattermost-support@MY_DOMAIN.de

   ErrorLog ${APACHE_LOG_DIR}/mattermost-error.log
   CustomLog ${APACHE_LOG_DIR}/mattermost-access.log combined

   # Enforce HTTPS:
   RewriteEngine On
   RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge/
   RewriteCond %{HTTPS} !=on
   RewriteRule ^/?(.*) https://Ubuntu2.PRIVAT.local:8234/$1 [R,L]

</VirtualHost>

I will do some more testing - but until now - all OK :wink:

Question (1):

There is a section that appears two times in the original UCS Mattermost config file:

ProxyPassReverseCookieDomain 127.0.0.1 Ubuntu2.PRIVATE.local

Do I have to change anything there? Please keep in mind - I’m asking for the config on the proxy server.

Kind regards

Question (2):

How to get the current data from one Mattermost server to the new one (I’m just interested in the conversations and pictures)?

Kind regards

Hi - today I found out that Mattermost is doing a daily SQL dump:

/var/lib/univention-appcenter/apps/mattermost/data/backup

I found also the posted files:

/var/lib/univention-appcenter/apps/mattermost/data/files

Does anyone know if there is an easy way to get the files and SQL (conversations) into the new server?

Or do I have to do a lot by hand?

Please keep in mind - current Mattermost DB is MySQL - new one is PostgreSQL.

Any feedback is more than welcome.

I understand that Mattermost is mainly out of scope for the UCS team.

I’m working hard to get Mattermost also isolated on a different server - but will need some help.

I found my documentation from Mattermost itself - but all based on the Mattermost default installation - not on the UCS docker one.

As mentioned above - I found the DB dump - as well as the database itself and the stored files. Mattermost has an “easy” process to “extract” all information (including files) and to import them into the new system. But the UCS version is on a lower version level - so I would have to do an upgrade first. But upgrade on UCS → too many question marks for me.

Any help would make me smile

Thank you in advance