Configuring Apache2 with SSL and HTTP/2

Unofficial Product Documentation
#1

Important: This unofficial guide is maintained by the Mattermost community and this deployment configuration is not yet officially supported by Mattermost, Inc. Community testing, feedback and improvements are welcome and greatly appreciated.

In order to use Apache as a reverse proxy for the Mattermost Server, you need to install and enable the following apache modules: mod_rewrite , mod_proxy, mod_proxy_http, mod_headers, and mod_proxy_wstunnel. Follow the installation instructions for your Linux distribution.

Once you’ve configured Apache2 as a proxy for your Mattermost Server, the easiest way to enable SSL on Apache2 is via Let’s Encrypt and Certbot.

Note:
If Let’s Encrypt is enabled, forward port 80 through a firewall, with Forward80To443 config.json setting set to true to complete the Let’s Encrypt certification.

Once installed, run $ certbot --apache and follow the guide. Afterwards you should find a new configuration file in /etc/apache2/sites-available which should follow the format mysubdomain.mydomain.com-le-ssl.conf.

When opened, edit it to look something like the following:

	<IfModule mod_ssl.c>
	<VirtualHost *:443>
		ServerName mysubdomain.mydomain.com
		ServerAdmin hostmaster@mydomain.com
		ProxyPreserveHost On
		RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
		RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
		
		RewriteEngine On
		RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
		RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
		RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
		RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]

		<Location />
			Require all granted
			ProxyPass http://127.0.0.1:8065/
			ProxyPassReverse http://127.0.0.1:8065/
			ProxyPassReverseCookieDomain 127.0.0.1 mysubdomain.mydomain.com
		</Location>

		# Generated by Certbot
		SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
		Include /etc/letsencrypt/options-ssl-apache.conf
	</VirtualHost>
	</IfModule>

  1. Restart Apache2

    • On Ubuntu 14.04 and RHEL 6: sudo service apache2 restart
    • On Ubuntu 16.04 and RHEL 7: sudo systemctl restart apache2

  2. Test that the site is working, that WebSockets are working, and if you enabled HTTP redirect to HTTPS during Certbot installation that the redirect is working.

  3. Lastly, test your SSL configuration with SSL Server Test (Powered by Qualys SSL Labs).

Using Certbot means that you shouldn’t have to do anything in the configuration of Mattermost.