Reverse Proxy Setup Guide


It is possible to run PowerFolder Server behind a third-party web server. There are several reasons why you might want such a setup:

  • Privileged Ports on Linux - Most Linux systems don't allow normal users to run services that bind to a port below 1024. To make the PowerFolder Server web interface reachable on the standard web ports 80 or 443, you need a web server with proxy support.
  • Simple Proxying - You have an existing website and want to integrate PowerFolder Server into your virtual host (e.g. http://www.example.com/powerfolder).
  • SSL-encrypted HTTP sessions - Sessions to the web interface are not encrypted by default. PowerFolder Server supports SSL-encrypted web access internally; however, you might want to have this handled by a third-party web server such as Apache or Nginx.

We provide several guides here to integrate PowerFolder Server with third party web servers:

Apache Proxy and PowerFolder Server for SSL Encryption

This article shows a configuration example for running PowerFolder Server behind an Apache proxy to provide SSL-encrypted web interface sessions.

Requirements

The requirements below are necessary for the setup:

  • Apache 2.2 or higher with mod_proxy, mod_rewrite and mod_ssl enabled.
  • A valid, officially signed SSL certificate. (Warning) PowerFolder Clients will NOT work with invalid or self-signed certificates.


Using Windows OS

Users installing Apache on Windows might want to download the Apache binaries from Apache Lounge. The installation is easy:

  1. Place the Apache24 directory, extracted from the .zip file, at C:\Apache24.
  2. To install it as a service, go to C:\Apache24\bin and execute the following command: httpd.exe -k install
  3. Uncomment (remove the # in front) the following lines in the C:\Apache24\conf\httpd.conf file:

    LoadModule proxy_module modules/mod_proxy.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-vhosts.conf
  4. Modify the C:\Apache24\conf\extra\httpd-vhosts.conf file as described later in this article. Make sure you modify the right paths to your certificate files, hostnames and the IP address of your local network interface (where the actual PowerFolder Server web interface is listening).
  5. Restart the Apache Windows service.

For troubleshooting you can also use the following command to start the Apache Windows service manually: C:\Apache24\bin\httpd.exe -k start


In the configuration example for Apache below, we use several placeholders that need to be changed to match your installation:

PowerFolder Server Web Configuration

For this scenario we need to change settings in the server preferences:

  • Set the Web Base URL under Preferences > Network > Server URLs:

    https://powerfolder.example.com
  • Set the Web Tunnel URL under Preferences > Network > Server URLs:

    http://powerfolder.example.com/rpc

    (Warning) Please note that the URL must use HTTP, not HTTPS, since the traffic posted against that URL will be encrypted by the PowerFolder internal protocol.


  • Set the HTTPS/SSL port under Preferences > Network > Hostname and Ports:

    -1

(Check) After changing those settings, please restart PowerFolder Server.

Apache Configuration

IMPORTANT: On some systems the configuration entry ProxyRequests is set to On by default. Please check the Apache configuration file /etc/apache2/mods-available/proxy.conf and change ProxyRequests On to ProxyRequests Off. Otherwise the Apache server can be used as an open proxy by others.

More information: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyrequests
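
The same check can be run across a whole configuration tree instead of a single file. The script below is an added example, not part of the original guide; the function names and the sample files written by make_sample_conf are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Lists every active "ProxyRequests On" under an Apache configuration tree.

find_forward_proxy() {
    # $1: configuration directory. Prints file:line:text per hit, sorted.
    # Returns 1 when at least one active "ProxyRequests On" exists, else 0.
    # -i: directive names and On/Off are case-insensitive in Apache.
    # The leading [[:space:]]* anchor skips commented-out ("#...") lines;
    # the trailing one also accepts the CR of Windows-edited files.
    hits=$(grep -rniE '^[[:space:]]*ProxyRequests[[:space:]]+On[[:space:]]*$' \
           "$1" 2>/dev/null | tr -d '\r' | sort)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

make_sample_conf() {
    # Constructed sample tree (hypothetical contents); prints its path.
    d=$(mktemp -d)
    mkdir -p "$d/mods-available" "$d/sites-enabled" "$d/extra"
    printf '%s\n' '<IfModule mod_proxy.c>' '    #ProxyRequests On' \
        '    ProxyRequests On' '</IfModule>' > "$d/mods-available/proxy.conf"
    printf '%s\n' '<VirtualHost *:80>' '    ProxyRequests Off' \
        '    ProxyPass /rpc http://10.0.0.1:8080/rpc nocanon' \
        '</VirtualHost>' > "$d/sites-enabled/powerfolder.conf"
    printf 'proxyrequests on\r\n' > "$d/extra/httpd-vhosts.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_conf)
if find_forward_proxy "$sample"; then
    echo "OK: no active ProxyRequests On"
else
    echo "Open proxy risk: change the lines above to ProxyRequests Off"
fi
rm -rf "$sample"
```

Run find_forward_proxy against /etc/apache2 (or the conf directory of your installation); a non-zero return means at least one file still enables forward proxying.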

Configure a virtual host within Apache, which responds to requests to http://powerfolder.example.com and https://powerfolder.example.com and forwards the requests to the web port of PowerFolder Server:

<VirtualHost *:80>
       ServerAdmin hostmaster@example.com
       ServerName powerfolder.example.com

       RewriteEngine on
       RewriteCond             %{SERVER_PORT}  !=443
       RewriteCond             %{REQUEST_URI}  !^/rpc
       RewriteRule             ^.*$            https://%{SERVER_NAME}%{REQUEST_URI} [NC,R=301,L]

       ProxyPass               /rpc                    http://10.0.0.1:8080/rpc     nocanon
       ProxyPassReverse        /rpc                    http://10.0.0.1:8080/rpc
</VirtualHost>


Listen 10.0.0.1:443
<VirtualHost 10.0.0.1:443>
       ServerAdmin hostmaster@example.com
       ServerName powerfolder.example.com

       SSLEngine  On
       SSLCACertificateFile   /etc/apache2/ssl/powerfolder.example.com.ca-bundle.crt
       SSLCertificateFile     /etc/apache2/ssl/powerfolder.example.com.crt
       SSLCertificateKeyFile  /etc/apache2/ssl/powerfolder.example.com.key
       SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

       ProxyPass               /rpc                    http://10.0.0.1:8080/rpc     nocanon
       ProxyPassReverse        /rpc                    http://10.0.0.1:8080/rpc
       ProxyPass               /rpc                    !

       ProxyPass               /                       http://10.0.0.1:8080/        nocanon
       ProxyPassReverse        /                       http://10.0.0.1:8080/
</VirtualHost>

(Info) We exclude the /rpc URL part from the SSL encryption, because this URL is used by the PowerFolder Clients to tunnel their traffic using the HTTP POST method, in case they are behind a firewall and can't establish a direct connection to PowerFolder Server. Since the PowerFolder data traffic is encrypted anyway by a PowerFolder internal protocol, we don't need encryption here. It would just slow down the connection.

(Warning) Please note: When the SSL certificate authority requires an intermediate certificate, it has to be loaded with the SSLCACertificateFile configuration entry. If such an intermediate certificate is NOT required, you can simply drop that line.


Setting up Nginx as SSL proxy

This article shows a configuration example for running PowerFolder Server behind an Nginx proxy to provide SSL-encrypted web interface sessions.

Requirements

The requirements below are necessary for the setup:

  • Nginx 1.1 and higher.
  • A valid, officially signed SSL certificate. (warning) PowerFolder Clients will NOT work with invalid or self-signed certificates.


In the configuration example for Nginx below, we use several placeholders that need to be changed to match your installation:

PowerFolder Server Web Configuration

For this scenario we need to change settings in the server preferences:

  • Set the Web Base URL under Preferences > Network > Server URLs:

    https://powerfolder.example.com
  • Set the Web Tunnel URL under Preferences > Network > Server URLs:

    http://powerfolder.example.com/rpc

    (warning) Please note that the URL should use HTTP, not HTTPS, since the traffic posted against that URL will be encrypted by the PowerFolder internal protocol.


  • Set the HTTPS/SSL port under Preferences > Network > Hostname and Ports:

    '-1'

    A PowerFolder Server restart is required.

Nginx Configuration

Configure a virtual host within Nginx, which responds to requests to http://powerfolder.example.com and https://powerfolder.example.com and forwards the requests to the web port of PowerFolder Server:

server {
        listen 80;
        server_name powerfolder.example.com;

        # Redirect everything except /rpc to HTTPS
        location / {
                rewrite ^ https://$server_name$request_uri? permanent;
        }

        # Client tunnel traffic stays on plain HTTP
        location /rpc {
                proxy_pass http://127.0.0.1:8080/rpc;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-For $remote_addr;
        }
}

server {
        # "listen ... ssl" enables TLS for this server block; the separate
        # "ssl on;" directive is deprecated and rejected by current Nginx releases
        listen 443 ssl;
        server_name powerfolder.example.com;
        client_max_body_size 100G;

        ssl_certificate /etc/nginx/ssl/powerfolder.example.com.chained.crt;
        ssl_certificate_key /etc/nginx/ssl/powerfolder.example.com.key;

        location / {
                proxy_pass http://127.0.0.1:8080;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-For $remote_addr;
        }

        # WebSocket endpoints need HTTP/1.1 and the Upgrade headers passed through
        location /websocket {
                proxy_http_version 1.1;
                proxy_pass http://127.0.0.1:8080/websocket;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
        }

        location /websocket_client {
                proxy_http_version 1.1;
                proxy_pass http://127.0.0.1:8080/websocket_client;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
        }
}

(info) We exclude the /rpc URL part from the SSL encryption, because this URL is used by the PowerFolder Clients to tunnel their traffic using the HTTP POST method, in case they are behind a firewall and can't establish a direct connection to PowerFolder Server. Since the PowerFolder data traffic is encrypted anyway by a PowerFolder internal protocol, we don't need encryption here. It would just slow down the connection.

(lightbulb) Please note: When it is required by the SSL certificate authority to use an intermediate certificate, a chained certificate has to be created. Simply create a new text file, copy & paste the intermediate certificate into it and right after it the actual certificate for your domain. In our example we called the file powerfolder.example.com.chained.crt.
