Q: Web apps, reverse proxy, FileMaker Server and Kerio Connect

Hi Alex

Thank you for taking time to do this, I found an apple script for configuring Kerio which I believe is based on your tutorial

https://github.com/kai-h/Kerio-Connect-Webapp-Configurator/blob/master/Kerio%20C onnect%20Webapp%20Configurator.applescri…

And it does create the webapps correctly, and they appear in the Advanced Setting section of the server app

but when I remove the old reverse proxy setting from the virtual host conf file then it no longer resolves to the correct address and just goes to the standard server website. Is there anything else I need to do after enabling the webapp, should I be deleting the website entry completely from the server app and setting up from scratch?

I will offer this as an alternative.

If you are using Server 5.0.4, I agree, Apple's claim to the web ports is a little aggressive.  If you are not using Profile Manager and you are not concerned about the web services, you can overcome this by disabling the ports in the service proxy config.  You have two options here.

If Apple’s web interface is not needed and you are not using Profile Manager, reclaim those ports by editing the following file:

     /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf 

Comment or remove the following lines:

     listen 80

     listen 443

To comment, simply add a # in front of each line.  Commenting out the lines is a better plan than deleting.  At least if you need to revert, you can simply remove the # character.  Reboot the server and now your 3rd party tools have access to the standard web ports.

An alternative option is to multihome the Ethernet connection.  This way you can leave the primary interface attached to Apple’s services and run your third party tools on the secondary IP address.  If you do this, you will still need to edit the VirtualHost directives in the apache_serviceproxy.conf file.  Apple configured the service to listen on all interfaces.  You will find the following in the file by default:

     <VirtualHost *:80>

     <VirtualHost *:443>

Change the * to the primary IP address of your server.  This will ensure that Apple’s services only listen on that IP address.  For example, let's say your server is currently at address 192.168.0.15. You can give it a second IP address by creating another Ethernet port in System Preferences.  In this example, 192.16.0.16.  Now the server will respond to both IP addresses.  Edit the service proxy file and set the VHost lines to:

      <VirtualHost 192.168.0.15:80>

     <VirtualHost 192.168.0.15:443>

Once again reboot.  When you do, Apple's service proxy will only listen on address 192.168.0.15, allowing ports 80 and 443 to be used on the secondary address 192.168.0.16.  Now, you may have some DNS and port forwarding rules to modify but this will allow Apple's services (including Profile Manager) to run without surgery.

Hope this helps.

Reid

Apple Consultants Network

Author "El Capitan Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author of Yosemite Server and Mavericks Server books

Thanks so much!  I cover the service proxy in there.  Two more to go! 

Hi Alex, your tutorials really helped me get Kerio and rumpus working perfectly on 5.0.4 ( on Yosemite )

i have a possiby related issue that I can't fix, I have an open source DAM called ResourceSpace on the sever,it works fine with server 4.1.13 but Has issues with 5.0.4

i can visit the site, but after a while it starts displaying http headers in several places and the site slows to a crawl, refreshing will display the html/php instead of the rendered site, a second refresh will bring the site back, this keeps repeating.

I did a fresh install of resourcespace with a new database and it still has the issue.

Wonder if you have any suggestions?

I'm with Alex on this one. Great update to this thread and I too just grabbed your book. I look forward to your new work as well. Thanks for sharing the knowledge!

Kevin Allen

Awesome!  Thanks for the encouragement.  Book 2 is almost done and 3 is coming shortly after.  Its funny.  There is a way to post them for pre-order but I have this never ending debate in my head that I must finish it first.

Glad this is helping.

Keep those servers running!

This solution helped me.  I would add one extra point.  You need to edit the httpd_server_app.conf and add in a Listen.  In the example this would be

Listen 192.168.0.16:80

Folks, I hope I can sort of just jump into this conversation and get some help from you. After upgrading to El Capitan I encountered similar problems with my websites. Everything related to SSL logic is going haywire, including phpMyAdmin and Laravel. After a couple of hours of searching I found our that the problem is in the reverse proxy that Apple forced on us.

I read the readme.txt inside the apache folder and found that the TCP traffic between the reverse proxy and apache is not encrypted. I guess that makes sense, but now apache doesn't get the correct headers and ports. So PHP has no idea what the inital requests port was.

I'd love to just turn off the reverse proxy for ports 80 and 443 and be done with it, but after tweaking /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf I realised that the Server app is now building virtual hosts for ports 34580 and 34543. So basically, nothing added through the server app user interface is listening to ports 80 and 443. That would require further handcoding, and at that point I might as well disable websites and install linux in a virtualbox.

Am I looking at a full rollback to OS X Yosemite, or can this be solved in a reasonable manner?

Hi Alex, your solution has been working well, until I had to renew my certificates through the server app, after that within a few days all the web services reverted to showing the default server webpage. After a bit of fiddling I tried unlocking all of the site files and adding the new certificates, they instantly started working again, what did surprise me though is that the non SSL sites also failed but then started working as soon as they were unlocked, not sure how that would happen but just thought I'd put it out there in case anyone else has the same issue