macOS Server acting as proxy fronted for glpi

You are hosting a glpi service on your Intranet and want it to be accessible from the Internet.

You have a macOS Server for other services (mail, calendar, contacts) accessible from Internet

 

How to configure macOS Server to act as a proxy to glpi internal service

It’s really easy, you just have to define a ProxyPass / ProxyPass/Reverse directive.

What’s not clearly documented is that as of El Capitan, le ProxyPreserveHost is no more ‘on’ by default.

Let’s say that your macOS Server is running on IP 192.168.1.250 and your glpi server on 192.168.1.100

Create a config file with :

ProxyPreserveHost on
ProxyPass /glpi http://192.168.1.100/glpi
ProxyPassReverse /glpi http://192.168.1.100/glpi

Include the new file in the default HTTP or HTTPS site config file or in the general config file :

 

0000_127.0.0.1_34543_.conf 0000_127.0.0.1_34580_.conf 0000_any_443_.conf.default 0000_any_80_.conf.default virtual_host_global.conf

How to give ability to use Server.app to activate or not the glpi proxy pass

Webapps can be activated using the Server.app web section for a specific website.

  • webapps config files stands in : /Library/Server/Web/Config/apache2/webapps
  • apache2 specific configuration files in : /Library/Server/Web/Config/apache2

Create a plist file to define the needed webapp. The minimum keys are :

  • unique name (prefer the reverse spelled domain name (ex: fr.dscl.glpi)
  • display name : the name that will appear in Server.app (ex: DSCL glpi proxy)
  • sslPolicy :
    <integer>0</integer>    <!-- 0: default, UseSSLWhenEnabled -->
                            <!-- 1: UseSSLAlways -->
                            <!-- 2: UseSSLOnlyWhenCertificateIsTrustable -->
                            <!-- 3: UseSSLNever -->
                            <!-- 4: UseSSLAndNonSSL -->

Add a key for the included configuration file :

<key>includeFiles</key>
<array>
<string>/Library/Server/Web/Config/apache2/httpd_glpi.conf</string>
</array>

Add a restriction to enable only if the config file exists :

<key>installationIndicatorFilePath</key>
<string>/Library/Server/Web/Config/apache2/httpd_glpi.conf</string>

Your plist file should be like :

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict> 
<key>includeFiles</key>
<array>
<string>/Library/Server/Web/Config/apache2/httpd_glpi.conf</string>
</array>
<key>name</key>
<string>fr.dscl.glpi</string>
<key>displayName</key>
<string>DSCL - glpi proxy</string>
<key>installationIndicatorFilePath</key>
<string>/Library/Server/Web/Config/apache2/httpd_glpi.conf</string>
<key>sslPolicy</key><!-- Determines webapp SSL behavior -->
<integer>0</integer><!-- 0: default, UseSSLWhenEnabled -->
<!-- 1:UseSSLAlways -->
<!-- 2:UseSSLOnlyWhenCertificateIsTrustable -->
<!-- 3:UseSSLNever -->
<!-- 4:UseSSLAndNonSSL -->
</dict>
</plist>

Your http specific config file should contain :

ProxyPreserveHost on
ProxyPass /glpi http://192.168.1.100/glpi
ProxyPassReverse /glpi http://192.168.1.100/glpi

capture-decran-2016-11-10-a-19-16-14 capture-decran-2016-11-10-a-19-16-21 capture-decran-2016-11-10-a-19-16-01

 

Posted in Web services.

Leave a Reply

Your email address will not be published. Required fields are marked *