any success running outside of docker with Apache?

[davidroberthoare]

Hello! I love this project, and totally want to try using it with my students this year...
I've tried several methods of installing so far. The local docker demo worked fine on my laptop. I've now tried to install it onto a scratch VPS I own already, but I'm having difficulty. Unless I misunderstood, the docker image isn't really setup for production due to the container resetting user-accounts if it gets restarted (might be wrong?) so I'm trying to do a full install. It's ubuntu 22, with a couple other vhosts running other experiments that I don't want to mess with, so I'd like to use the Apache server already running instead of trying to have nginx compete. But I'm having a heck of a time trying to convert the sample nginx config to a working apache one.

I've now got almost everything working, I think, except the user-login aspect. HtAdmin is working well, and modifying the appropriate .htpasswd files, so that part's ok, and I get the user-login-prompts that either allow or disallow me into the site.
But the Clapshot homepage appears to not be getting the X-Remote-User-Id, name or is_admin env variables.
I've tried every combination of SetEnvIf and RequestHeader I can find reference to, but still no joy.

Can anyone with a better working knowledge of the two servers maybe lend some advice? Or has anyone ever got it working on Apache?

I've attached the picture of the symptom on the homepage, and also my current vhost config (that works all except for the remote_user part, but there might be other things wrong with it I don't see yet...). Also, a pic of out put from a test.php script that just spits out the request headers after logging in as 'admin' to the htpasswd prompt...

Thanks!
David

<VirtualHost *:443>
    ServerName clapshot.______.net
    DocumentRoot "/var/www/clapshot-client"

    <Directory "/var/www/clapshot-client">
        Options FollowSymlinks Indexes
        AllowOverride None
        Require all granted
    </Directory>

    <Location "/">
        AuthType Basic 
        AuthName "Clapshot login" 
        AuthUserFile /var/www/.htpasswd 
        Require valid-user

        # Set custom headers
        SetEnv is_admin 0
        SetEnvIf X-Remote-User "admin" is_admin=1
        RequestHeader set X-Remote-User-Id %{REMOTE_USER}s 
        RequestHeader set X-Remote-User-Name %{REMOTE_USER}s 
        RequestHeader set X-Remote-User-Is-Admin %{is_admin}e
    </Location>

    Alias "/videos" "/mnt/clapshot-data/data/videos"
    <Directory "/mnt/clapshot-data/data/videos">
        Require all granted
    </Directory>

    ProxyPass "/api" "http://127.0.0.1:8095/api"
    ProxyPassReverse "/api" "http://127.0.0.1:8095/api"

    ProxyPass "/api/ws" "ws://127.0.0.1:8095/api"
    ProxyPassReverse "/api/ws" "ws://127.0.0.1:8095/api"

    <Location "/api">
        ProxyPass "http://127.0.0.1:8095/api"
        ProxyPassReverse "http://127.0.0.1:8095/api"

        ProxyPass "ws://127.0.0.1:8095/api"
        ProxyPassReverse "ws://127.0.0.1:8095/api"

        ProxyPreserveHost On
        RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
        RequestHeader set X-Remote-User-Id "%{HTTP_X_AUTHN_USER}s"
        RequestHeader set X-Remote-User-Name "%{HTTP_DISPLAY_NAME}s"
    </Location>

    # Custom settings for the /logout location 
    <Location "/logout"> 
        Header always set Clear-Site-Data "*" 
        Header always set Cache-Control "no-cache, no-store, must-revalidate" 
        Header always set Pragma "no-cache" 
        Header always set Expires "0" 
        ErrorDocument 401 "Unauthorized" 
        RedirectMatch 401 "^/logout" 
    </Location>

    Alias "/htadmin" "/var/www/htadmin"
    # Directory configuration for /htadmin
    <Directory "/var/www/htadmin">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # Deny access to /htadmin/config 
    <Directory "/var/www/htadmin/config"> 
        Require all denied 
    </Directory>

    SSLCertificateFile /etc/letsencrypt/___/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/___/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

[elonen]

If I'm reading this right, there seems to be an unnecessary attempt at indirection in setting the headers.
In <Location "/api">, you could/should probably just use REMOTE_USER and not trying to route it through HTTP_X_AUTHN_USER (which is a header, not an internal variable). Actually, I'm not sure if /api inherits the basic auth and the headers from / in Apache -- if that's the case, you could just remove the set commands from /api location.

[davidroberthoare]

oh my goodness - thank you!
You were right: the /api stuff was overwriting and messing up the '/' deifnitions.

Also, I managed to sort out the is_admin issue, using a rewritecond instead of SetEnvIf (which I could not get no matter what I tried!)

Here now is my working (at this point) apache config for anyone else who might need it. (there may still be some redundancy or missing bits. I'll update if I find anything else...)
Thanks!

<IfModule mod_ssl.c>
<VirtualHost *:443>

ServerName ___
DocumentRoot "/var/www/clapshot-client"

# FollowSymlinks to handle the symlink
<Directory "/var/www/clapshot-client">
    Options FollowSymlinks Indexes
    AllowOverride None
    Require all granted
</Directory>


<Location "/">
    AuthType Basic 
    AuthName "Clapshot login" 
    AuthUserFile /var/www/.htpasswd 
    Require valid-user

    #this sets the 'is_admin' env var based on the remote_user
    RewriteEngine On 
    RewriteCond %{LA-U:REMOTE_USER} =admin
    RewriteRule ^ - [E=is_admin:1]

    RequestHeader set X-Remote-User-Id %{REMOTE_USER}s 
    RequestHeader set X-Remote-User-Name %{REMOTE_USER}s 
    RequestHeader set X-Remote-User-Is-Admin %{is_admin}e
</Location>


<FilesMatch "\.(html|json|conf|js|css)$">
    Header set Cache-Control "public, no-transform"
    ExpiresActive On
    ExpiresDefault "access plus 4 hours"
</FilesMatch>

Alias "/videos" "/mnt/clapshot-data/data/videos"
<Directory "/mnt/clapshot-data/data/videos">
    Require all granted
</Directory>

ProxyPass "/api" "http://127.0.0.1:8095/api"
ProxyPassReverse "/api" "http://127.0.0.1:8095/api"

ProxyPass "/api/ws" "ws://127.0.0.1:8095/api"
ProxyPassReverse "/api/ws" "ws://127.0.0.1:8095/api"

<Location "/api">
    ProxyPass "http://127.0.0.1:8095/api"
    ProxyPassReverse "http://127.0.0.1:8095/api"

    ProxyPass "ws://127.0.0.1:8095/api"
    ProxyPassReverse "ws://127.0.0.1:8095/api"

    ProxyPreserveHost On
    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
</Location>

# Custom settings for the /logout location 
<Location "/logout"> 
    Header always set Clear-Site-Data "*" 
    Header always set Cache-Control "no-cache, no-store, must-revalidate" 
    Header always set Pragma "no-cache" 
    Header always set Expires "0" 
    # Return 401 Unauthorized 
    ErrorDocument 401 "Unauthorized" 
    RedirectMatch 401 "^/logout" 
</Location>

Alias "/htadmin" "/var/www/htadmin"
# Directory configuration for /htadmin
<Directory "/var/www/htadmin">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>


# Deny access to /htadmin/config 
<Directory "/var/www/htadmin/config"> 
    Require all denied 
</Directory>


SSLCertificateFile /etc/letsencrypt/live/____/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/____/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>