Apache Frontend

You should have already done these steps:

1. Check Hardware provisioning
2. Check pre-requisites
3. Installation
4. Start Asqatasun

(Ever need help ? Go to Asqatasun Forum.)

Pre-requisites for Apache Frontend

• Apache2
• Apache2 modules: headers, proxy, proxy_http
• Certbot 1.25+

sudo apt-get --no-install-recommends install \
    apache2
sudo a2enmod headers proxy proxy_http

Install Certbot following instructions from https://certbot.eff.org/

Configure Apache Virtual Host

Let say we want to have Asqatasun webapp reachable through asqatasun.example.org.

To please Apache and be able to make some debug, we create a DocumentRoot and a single file:

sudo mkdir -p /var/www-vhosts/asqatasun.example.org
echo "Hello asqatasun.example.org" >/var/www-vhosts/asqatasun.example.org/index.html

Create the file /etc/apache2/sites-available/asqatasun.example.org.conf and add the following content:

<VirtualHost *:80>
    ServerName asqatasun.example.org
    ServerAdmin webmaster@example.org
    DocumentRoot /var/www-vhosts/asqatasun.example.org
    ServerSignature Off

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/asqatasun.example.org_error.log
    CustomLog ${APACHE_LOG_DIR}/asqatasun.example.org_access.log combined

    <Location />
        Require all granted
    </Location>
</VirtualHost>

Activate virtual host and reload Apache:

sudo a2ensite asqatasun.example.org
sudo systemctl reload apache2

Generate HTTPS certificates

sudo certbot --apache -d asqatasun.example.org

Bridge Apache virtual host and Asqatasun

Certbot created a file /etc/apache2/sites-available/asqatasun.example.org-le-ssl.conf. Edit this file, and just before the closing tag </VirtualHost>, add the following content:

    ## SSL directives
    SSLCertificateChainFile "/etc/letsencrypt/live/asqatasun.example.org/fullchain.pem"

    # SSL Proxy directives
    SSLProxyEngine On
    SSLProxyVerify none

    ## Request header rules
    ## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader
    RequestHeader     set X-Forwarded-Proto https
    RequestHeader     set X-Forwarded-Port  443

    ## Proxy rules
    ProxyRequests     Off
    ProxyPreserveHost on
    ProxyPass                   /   http://127.0.0.1:8080/ Keepalive=On timeout=120
    ProxyPassReverse            /   http://127.0.0.1:8080/
    ProxyPassReverseCookiePath  /   /

    ## Security headers (enhancements from https://observatory.mozilla.org/)
    Header set X-Frame-Options DENY
    Header set X-Content-Type-Options "nosniff"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header set Strict-Transport-Security "max-age=63072000;"

    # BUG --> don't use "form-action" directive (bug in Chrome)
    #         see: https://gitlab.com/asqatasun/Asqatasun/-/issues/562
    Header set Content-Security-Policy "default-src 'none'; base-uri 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://matomo.example.org/matomo.js ; connect-src https://matomo.example.org/matomo.php ; img-src * ; font-src 'self';  manifest-src 'self';  report-uri https://123456.report-uri-provider.com/r/d/csp/enforce ;"

Caution: do not forget to:

• replace asqatasun.example.org by your own domain name, especially on the last line
• replace the report-uri value endpoint with the one provided by favorite report-uri provider

sudo systemctl reload apache2

Use Asqatasun

Connect to your Asqatasun instance with the following credentials:

• URL: https://asqatasun.example.org/
• login: admin@asqatasun.org
• password: myAsqaPassword

This account is an administrator and has the ability to create other accounts.