Alex Narvey

Q: Web apps, reverse proxy, FileMaker Server and Kerio Connect

Before the days of Server.app it was fairly easy to run FileMaker Server and Kerio Connect in tandem on a Mac OS X Server.

It is clearly no longer "best practices" to do so but there are times when it is handy.

I have created a tutorial on how to use OS X Server.app's Web Services Advanced "Web App" feature to apply reverse proxy rules so that you can install and use FileMaker Server 13.05, Kerio Connect 8.4, and Rumpus 8 all on a Yosemite or Mavericks server while still allowing Server.app to provide normal Web, Wiki, and Profile Management services.

The tutorial is available in the Tutorials section of the RAIS page at: http://rais.precursor.ca

Needless to say, "use at your own risk".

Comments are welcome.

Posted on Jan 1, 2015 7:47 AM


  • by Alex Narvey,

    Alex Narvey Oct 1, 2015 7:04 PM in response to Alex Narvey
    Level 1 (8 points)
    Servers Enterprise

    I was able to get these reverse proxy web apps going with the newly released OS X Server 5.04. The revised Reverse Proxy tutorial (version 1.08) now covers Kerio Connect 8.5.2, FileMaker Server 14 and Rumpus 8, and is available at the RAIS page: http://rais.precursor.ca

  • by Kevin Neal,

    Kevin Neal Oct 2, 2015 1:17 AM in response to Alex Narvey
    Level 3 (513 points)
    Servers Enterprise

    Hi Alex

    Thank you for taking the time to do this. I found an AppleScript for configuring Kerio which I believe is based on your tutorial:

    https://github.com/kai-h/Kerio-Connect-Webapp-Configurator/blob/master/Kerio%20Connect%20Webapp%20Configurator.applescri…

    It does create the webapps correctly, and they appear in the Advanced Setting section of the Server app, but when I remove the old reverse proxy setting from the virtual host conf file then it no longer resolves to the correct address and just goes to the standard server website. Is there anything else I need to do after enabling the webapp? Should I be deleting the website entry completely from the Server app and setting up from scratch?

  • by Alex Narvey,

    Alex Narvey Oct 2, 2015 4:23 AM in response to Kevin Neal
    Level 1 (8 points)
    Servers Enterprise

    I have heard of that AppleScript on GitHub but I have not tested or even read it, so I can't comment properly on it.

    I have always done all this manually.

    Some things to watch for:

    - Make sure that you give your web app plist and conf files the correct (root) permission as detailed in the Tutorial.

    - If you are using the new Server v.5.0.4 then read the new Appendix C very carefully.

    - If you are using Kerio Connect and Server 5 then I would advise no longer using Kerio's ports 8800 and 8843 as I used to, and switching them to 8003 and 8013 as I describe in the newly edited tutorial (v.1.08).

  • by Strontium90,

    Strontium90 Oct 2, 2015 4:53 AM in response to Alex Narvey
    Level 5 (4,077 points)
    Servers Enterprise

    I will offer this as an alternative.

    If you are using Server 5.0.4, I agree, Apple's claim to the web ports is a little aggressive. If you are not using Profile Manager and you are not concerned about the web services, you can overcome this by disabling the ports in the service proxy config. You have two options here.

    If Apple’s web interface is not needed and you are not using Profile Manager, reclaim those ports by editing the following file:

         /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf

    Comment or remove the following lines:

         listen 80
         listen 443

    To comment, simply add a # in front of each line. Commenting out the lines is a better plan than deleting. At least if you need to revert, you can simply remove the # character. Reboot the server and now your 3rd party tools have access to the standard web ports.

    An alternative option is to multihome the Ethernet connection. This way you can leave the primary interface attached to Apple’s services and run your third party tools on the secondary IP address. If you do this, you will still need to edit the VirtualHost directives in the apache_serviceproxy.conf file. Apple configured the service to listen on all interfaces. You will find the following in the file by default:

         <VirtualHost *:80>
         <VirtualHost *:443>

    Change the * to the primary IP address of your server. This will ensure that Apple’s services only listen on that IP address. For example, let's say your server is currently at address 192.168.0.15. You can give it a second IP address by creating another Ethernet port in System Preferences. In this example, 192.16.0.16. Now the server will respond to both IP addresses. Edit the service proxy file and set the VHost lines to:

         <VirtualHost 192.168.0.15:80>
         <VirtualHost 192.168.0.15:443>

    Once again reboot. When you do, Apple's service proxy will only listen on address 192.168.0.15, allowing ports 80 and 443 to be used on the secondary address 192.168.0.16. Now, you may have some DNS and port forwarding rules to modify but this will allow Apple's services (including Profile Manager) to run without surgery.

    Hope this helps.

     

    Reid

    Apple Consultants Network

    Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

    Author of Yosemite Server and Mavericks Server books

  • by Alex Narvey,

    Alex Narvey Oct 2, 2015 5:04 AM in response to Strontium90
    Level 1 (8 points)
    Servers Enterprise

    Congratulations on the publication of your iBook "El Capitan Server – Foundation Services" Reid.

     

    I just bought a copy!

     

    Alex

  • by Strontium90,

    Strontium90 Oct 2, 2015 9:14 AM in response to Alex Narvey
    Level 5 (4,077 points)
    Servers Enterprise

    Thanks so much!  I cover the service proxy in there.  Two more to go! 

  • by Kevin Neal, Solved answer

    Kevin Neal Oct 17, 2015 4:32 AM in response to Alex Narvey
    Level 3 (513 points)
    Servers Enterprise

    Hi Alex, your tutorials really helped me get Kerio and Rumpus working perfectly on 5.0.4 (on Yosemite).

    I have a possibly related issue that I can't fix. I have an open source DAM called ResourceSpace on the server; it works fine with Server 4.1.13 but has issues with 5.0.4.

    I can visit the site, but after a while it starts displaying HTTP headers in several places and the site slows to a crawl. Refreshing will display the HTML/PHP instead of the rendered site, a second refresh will bring the site back, and this keeps repeating.

    I did a fresh install of ResourceSpace with a new database and it still has the issue.

    Wonder if you have any suggestions?

  • by Morphire,

    Morphire Oct 17, 2015 9:52 AM in response to Strontium90
    Level 1 (20 points)

    I'm with Alex on this one. Great update to this thread and I too just grabbed your book. I look forward to your new work as well. Thanks for sharing the knowledge!

     

    Kevin Allen

  • by Strontium90,

    Strontium90 Oct 17, 2015 6:43 PM in response to Morphire
    Level 5 (4,077 points)
    Servers Enterprise

    Awesome! Thanks for the encouragement. Book 2 is almost done and 3 is coming shortly after. It's funny. There is a way to post them for pre-order but I have this never-ending debate in my head that I must finish it first.

    Glad this is helping.

    Keep those servers running!

  • by Alex Narvey,

    Alex Narvey Oct 18, 2015 7:38 PM in response to Kevin Neal
    Level 1 (8 points)
    Servers Enterprise

    Kevin,

     

    I don't have any experience with that DAM. So I am afraid I can't help at this point.

    Best advice is to read the logs and see if you can glean anything from that.

  • by Richard Williams2,

    Richard Williams2 Oct 28, 2015 7:53 AM in response to Strontium90
    Level 1 (34 points)
    Mac OS X

    This solution helped me.  I would add one extra point.  You need to edit the httpd_server_app.conf and add in a Listen.  In the example this would be

    Listen 192.168.0.16:80
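
An added example, not part of any post in this thread: a small Python check for the edits discussed by Strontium90 and Richard Williams2 above. It parses the text of an Apache config and lists the active Listen and VirtualHost directives that still cover a given address and port; the sample config is constructed and the function names are hypothetical.

```python
import re

# Constructed sample (not from the thread): Apple's port-80 vhost has been
# pinned to the primary address, but port 443 is still bound to every address.
SAMPLE_CONF = """\
#listen 80
listen 443
<VirtualHost 192.168.0.15:80>
</VirtualHost>
<VirtualHost *:443>
</VirtualHost>
"""

# Listen decides which sockets Apache opens; <VirtualHost> decides which
# requests a block answers. Both matter when another service needs the port.
DIRECTIVE = re.compile(r"^\s*(?:<VirtualHost\s+([^>]+)>|Listen\s+(\S+))", re.I)

def parse_binds(conf_text):
    """Return (kind, address, port) for each active Listen/VirtualHost."""
    binds = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):      # commented-out directive
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind = "vhost" if m.group(1) else "listen"
        for spec in (m.group(1) or m.group(2)).split():
            addr, _, port = spec.rpartition(":")
            if not port.isdigit():             # address given without a port
                addr, port = spec, None
            binds.append((kind, addr or "*", int(port) if port else None))
    return binds

def conflicts(binds, ip, port):
    """Directives that still cover ip:port (wildcards match any address)."""
    return [b for b in binds
            if b[1] in ("*", "_default_", ip) and b[2] in (None, port)]

if __name__ == "__main__":
    binds = parse_binds(SAMPLE_CONF)
    for target in [("192.168.0.16", 80), ("192.168.0.16", 443)]:
        hits = conflicts(binds, *target)
        print("%s:%d" % target, "free" if not hits else "claimed by %r" % (hits,))
```

Run against the real file's contents after each edit and before the reboot, an empty result for the secondary address means no active directive in that file still covers it.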

  • by Bunnyfu,

    Bunnyfu Dec 14, 2015 9:55 AM in response to Strontium90
    Level 1 (0 points)

    Folks, I hope I can sort of just jump into this conversation and get some help from you. After upgrading to El Capitan I encountered similar problems with my websites. Everything related to SSL logic is going haywire, including phpMyAdmin and Laravel. After a couple of hours of searching I found out that the problem is in the reverse proxy that Apple forced on us.

    I read the readme.txt inside the apache folder and found that the TCP traffic between the reverse proxy and Apache is not encrypted. I guess that makes sense, but now Apache doesn't get the correct headers and ports. So PHP has no idea what the initial request's port was.

    I'd love to just turn off the reverse proxy for ports 80 and 443 and be done with it, but after tweaking /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf I realised that the Server app is now building virtual hosts for ports 34580 and 34543. So basically, nothing added through the Server app user interface is listening to ports 80 and 443. That would require further handcoding, and at that point I might as well disable websites and install Linux in a VirtualBox.

    Am I looking at a full rollback to OS X Yosemite, or can this be solved in a reasonable manner?

  • by Alex Narvey,

    Alex Narvey Dec 16, 2015 4:58 AM in response to Bunnyfu
    Level 1 (8 points)
    Servers Enterprise

    Make sure you have Server 5.1.5 and not the older 5.0.4. Apple did a lot of work to correct proxy issues in 5.1.5.

  • by Kevin Neal,

    Kevin Neal Dec 22, 2015 11:28 AM in response to Alex Narvey
    Level 3 (513 points)
    Servers Enterprise

    Hi Alex, your solution has been working well until I had to renew my certificates through the Server app; after that, within a few days, all the web services reverted to showing the default server webpage. After a bit of fiddling I tried unlocking all of the site files and adding the new certificates, and they instantly started working again. What did surprise me, though, is that the non-SSL sites also failed but then started working as soon as they were unlocked. Not sure how that would happen, but just thought I'd put it out there in case anyone else has the same issue.