Newbie trying to configure OpenLiteSpeed as Reverse Proxy. Any help appreciated!

#1
My current server configuration (for a Wordpress site) is Cloudflare + Apache. I want to include OpenLiteSpeed (configured as a reverse proxy) as additional cache optimization to the Apache server (Cloudflare -> OLS -> Apache).

I've already installed OpenLiteSpeed on my VPS server, but my knowledge as a sysadmin is very limited, so I cannot follow the tutorial from the documentation at this link: https://openlitespeed.org/kb/reverse-proxy-basics/

My questions are:

1. The server frontend shall still listen on ports 80 and 443. How do I configure this for the OLS proxy web server? The screenshots in the referred tutorial only show how to define the backend port (in my case, the port where Apache server will listen - which I will configure to be 8080).

2. I assume I should configure an SSL cert on the reverse proxy (or am I wrong)? If yes, I could not find any instructions on how to do this in a reverse proxy configuration.

Any help would be greatly appreciated!
 
#3
Hi @lsqtwrk ,

Thank you for your link, this was exactly the guide I needed! Now I understand that the listeners set the frontend ports.

The only question I still have is: why is it not needed to configure an SSL certificate for the proxy running on port 443? This will be the frontend that will receive requests coming from Cloudflare...

If someone could explain this to me or send me a link to additional material, that would be of great help!
 

Pong

Administrator
#4
You don't need such a complicated setup (Cloudflare -> OLS -> Apache). Is your goal to maximise your WordPress performance?
Then quic.cloud CDN + OpenLiteSpeed with LSCWP will give you a super fast result.
 
#5
Hi @Pong ,

In a first experimentation with OpenLiteSpeed, I would still prefer to test the site with Cloudflare -> OLS -> Apache. Since my knowledge is very limited, it seems to me that configuring OLS as a reverse proxy is not very complicated (fewer things to go wrong due to misconfiguration).

I've already tried to configure OLS as a reverse proxy some hours ago, but it didn't work. I get error 521 (host is down) when I try to visit the website (OLS configured as reverse proxy). I will list the steps I took; if any of you could help with the troubleshooting, I would greatly appreciate it.

1. Server configuration > External App > Webserver 1 created: http://127.0.0.1:8098 (name: apachehttp)

2. Server configuration > External App > Webserver 2 created: https://127.0.0.1:8099 (name: apachehttps)

3. Virtual Host created > (Virtual host root (where wordpress installation is located): /home/[my_vps_username]/public_html -- Document root: $VH_ROOT)

4. Inside this newly created Virtual host: Rewrite > Enable rewrite: yes / Autoload from .htaccess: yes / Rewrite rules below:
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ http://apachehttp/$1 [P,L]
RewriteRule ^(.*)$ http://apachehttps/$1 [P,L]

5. Created listener 1 > IP Address: ANY / port: 80 / secure: no

6. Created listener 2 > IP Address: ANY / port: 443 / secure: yes

7. Assigned the 2 newly created listeners to my Virtual host through Virtual host mappings (domain name as domain.tld and virtual host name > assigned to my newly created virtual host)

8. Apache ports changed to 8098 (http) and 8099 (https) directly through cPanel's WHM. Checked it worked through the CLI: netstat -lnp | grep httpd

9. Graceful restart of OLS and then, through the CLI, systemctl restart lsws

10. Website access returns error 521 (host down)

Thank you in advance for any support!
 

lsqtwrk

Administrator
#6
Because Cloudflare will connect to your OLS 443, then OLS 443 passes it to your Apache port.
 

lsqtwrk

Administrator
#7
First of all, disable CF for the time being during the test, so we can see what the response from OLS was.

And also make sure OLS is correctly set on the port.

you can verify it by `netstat -lnp | grep litespeed`
 
#8
Hi @lsqtwrk ,

I've run the test as you suggested (paused cloudflare on site first).

Below is the response to the command 'netstat -lnp | grep litespeed':

Code:
tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN      14665/openlitespeed
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      14665/openlitespeed
udp        0      0 0.0.0.0:7080            0.0.0.0:*                           14665/openlitespeed
udp        0      0 0.0.0.0:7080            0.0.0.0:*                           14665/openlitespeed
unix  2      [ ACC ]     STREAM     LISTENING     8352148  14665/openlitespeed  /usr/local/lsws/admin/tmp/admin.sock.7436
unix  2      [ ACC ]     STREAM     LISTENING     8352154  14665/openlitespeed  /usr/local/lsws/cgid/cgid.sock
So it's clear that only the proxy on port 80 is working as expected. On the dashboard of the LiteSpeed WebAdmin Console, my http listener appears green (connected), while the https listener appears red (disconnected). Also, in the server error log, I got 2 error messages (listed below), but I think they are related to configurations not being used, since there is really no listener named "default" (my 2 listeners are named "listener_http" and "listener_https"):

[config:template:centralConfigLog] Listener [Default] does not exist
[config:template:EasyRailsWithSuEXEC] Listener [Default] does not exist

What I find strange is that, even when I changed the listener ports to unused ones, 30000 (http) and 30001 (https), to allow reverting apache to 80 and 443, the https listener still shows red (disconnected) in the admin dashboard.

So the issue is with the https listener that can't be enabled.

Any thoughts on what could be causing the issue with the https listener? How can I troubleshoot this?

Thank you in advance!
 

lsqtwrk

Administrator
#9
The 443 listener is not up.

Did you set a certificate for that listener? Any cert can work: self-signed, expired, invalid, etc.

The listener won't start up without a cert setting.
 
#10
Hi @lsqtwrk ,

Thank you for your clarification, it wasn't clear to me (nor from OLS's documentation) that the certificate was strictly necessary on port 443.

But the SSL certificate choice is not trivial. Even though I can use an expired/invalid certificate, it would be a bad idea to have website visitors getting warning messages in their web browsers due to a bad certificate (I will keep using full encryption on Cloudflare).

My idea is to use exactly the same SSL certificate I was using on Apache (which will be the backend and therefore not directly accessible from users - no need for SSL). But how I am going to "transfer" the AutoSSL capabilities from cPanel WHM (using Let's Encrypt) to work properly on OLS proxy is not clear.

Since this issue is apparently out of scope of the OLS guides, I will have to study this issue further, maybe on other forums. I will come back to this thread only after I successfully managed the SSL issue. If you know any good documentation/guide on how to re-configure cPanel WHM to issue SSLs (through AutoSSL) directly to proxy server, it would be of great help.
 

lsqtwrk

Administrator
#11
Hi,

Listener SSL doesn't matter, vhost SSL will override it.

And if you are using CF, users will see the CF cert regardless.

In your cPanel interface you should be able to get your key and cert, then put them into the OLS settings.

I am not sure why you would want to do that; the proxy will pass the SSL issuance request through to the backend, you do not need to touch that part.
 
#12
Hi @lsqtwrk ,

Ok, I discovered where the .crt and .key files were located, and inserted the absolute paths on the port 443 listener and also on the virtual host > SSL tab.

I've executed the same procedure again. This time, the listener turned "green" (same status as the port 80 listener), and I could confirm through the command 'netstat -lnp | grep litespeed' that both ports 80 and 443 were listening properly.

Code:
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6485/openlitespeed
tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN      6485/openlitespeed
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6485/openlitespeed
udp        0      0 0.0.0.0:7080            0.0.0.0:*                           6485/openlitespeed
udp        0      0 0.0.0.0:7080            0.0.0.0:*                           6485/openlitespeed
udp        0      0 0.0.0.0:35768           0.0.0.0:*                           6496/openlitespeed
udp        0      0 0.0.0.0:38319           0.0.0.0:*                           6498/openlitespeed
udp        0      0 0.0.0.0:47455           0.0.0.0:*                           6497/openlitespeed
udp        0      0 0.0.0.0:443             0.0.0.0:*                           6485/openlitespeed
udp        0      0 0.0.0.0:443             0.0.0.0:*                           6485/openlitespeed
unix  2      [ ACC ]     STREAM     LISTENING     10183163 6485/openlitespeed   /usr/local/lsws/admin/tmp/admin.sock.7002
unix  2      [ ACC ]     STREAM     LISTENING     10183173 6485/openlitespeed   /usr/local/lsws/cgid/cgid.sock
I've disabled (paused) CF to remove one "possible source of issues".

This time, when I access the site, I no longer get the "host down" message, but instead get redirected to a cPanel standard page (domain.tld/cgi-sys/defaultwebpage.cgi), stating that the site "may have moved to another server", "server misconfigured" or "ip address may have changed".

Could it be my Virtual host root / document root location? The rewrite rules inside vhost?
 
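A check for the listener layout discussed in #8 and #12, added here as an example (not from the thread or the OpenLiteSpeed project): it parses `netstat -lnp` output and confirms that OLS owns ports 80/443 while Apache's backend ports (8098/8099, as in #5) are bound to 127.0.0.1 only, so the backend can only be reached through the proxy. The sample output is constructed to mirror post #12; the httpd lines and the PID 9001 are hypothetical.

```shell
# Added example, not from the thread. Verifies the Cloudflare -> OLS -> Apache
# layout from `netstat -lnp` output: OLS must own 80/443, Apache's backend
# ports (8098/8099) should be bound to loopback only. Constructed sample below:
SAMPLE='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6485/openlitespeed
tcp        0      0 0.0.0.0:7080            0.0.0.0:*               LISTEN      6485/openlitespeed
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6485/openlitespeed
tcp        0      0 127.0.0.1:8098          0.0.0.0:*               LISTEN      9001/httpd
tcp        0      0 0.0.0.0:8099            0.0.0.0:*               LISTEN      9001/httpd
udp        0      0 0.0.0.0:443             0.0.0.0:*                           6485/openlitespeed'

# listener_owner OUTPUT PORT: program name owning the TCP listener on PORT (empty if none)
listener_owner() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) { sub(/^[0-9]+\//, "", $7); print $7; exit }
        }'
}

# bind_addr OUTPUT PORT: local address the TCP listener on PORT is bound to
bind_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) { sub(/:[0-9]+$/, "", $4); print $4; exit }
        }'
}

# check_topology OUTPUT: returns 0 when the layout is as intended, 1 otherwise
check_topology() {
    out="$1"; rc=0
    for p in 80 443; do                       # frontend: OLS listeners
        owner=$(listener_owner "$out" "$p")
        if [ "$owner" = openlitespeed ]; then
            echo "ok: port $p is served by openlitespeed"
        else
            echo "PROBLEM: port $p owner is '${owner:-none}', expected openlitespeed"; rc=1
        fi
    done
    for p in 8098 8099; do                    # backend: Apache, loopback only
        owner=$(listener_owner "$out" "$p"); addr=$(bind_addr "$out" "$p")
        if [ "$owner" != httpd ]; then
            echo "PROBLEM: no httpd listener on $p (owner '${owner:-none}')"; rc=1
        elif [ "$addr" != 127.0.0.1 ] && [ "$addr" != ::1 ]; then
            echo "PROBLEM: httpd on $p bound to $addr; bind it to 127.0.0.1 so only OLS can reach it"; rc=1
        else
            echo "ok: httpd on $p is loopback-only ($addr)"
        fi
    done
    return $rc
}

if check_topology "$SAMPLE"; then echo "layout OK"; else echo "layout needs attention"; fi
```

On a live server, replace the constructed sample with `SAMPLE=$(netstat -lnp 2>/dev/null)`; the sample deliberately leaves 8099 on 0.0.0.0 so the check reports that one line as a problem.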

lsqtwrk

Administrator
#13
Hi,


What was your proxy rule?

Try passing the targeted domain:

Code:
RewriteRule ^(.*)$ http://proxy-name/$1 [P,E=Proxy-Host:your-domain.com,L]
Replace "proxy-name" and "your-domain.com" with the actual ones.

Without the proper domain, on a multi-site system that uses SNI, it may end up on the default server page instead of the correct website.
 
#14
Hi @lsqtwrk ,

My previous configuration for the rewrite rules inside vhost was stated in another message above (#5) inside this thread (link).

I've edited the rewrite rules as per your last message (adding "E=Proxy-Host:domain.tld" to the rules), but the issue remains the same (redirect to default cPanel error page).

Thank you in advance for any additional troubleshooting ideas!
 
#16
Hi @lsqtwrk ,

I would prefer to use this step (provide SSH credentials) as last-case solution.

I did some additional testing, and I think I am already close to what is the root cause of the issue.

Let me remind some specific settings that I used according to OLS documentation for setting up reverse proxy (resulting in redirection to cPanel error page):

1. Server configuration > External app > Webserver > Name: apachehttps / Address: https://127.0.0.1:8099
2. Rewrite rules inside vhost: RewriteRule ^(.*)$ http://apachehttps/$1 [P,E=Proxy-Host:my_domain_name.tld]

I then changed this rewrite rule as follows (where 8099 is the port I configured for the SSL apache backend):
RewriteRule ^(.*)$ https://127.0.0.1:8099/$1 [P,E=Proxy-Host:my_domain_name.tld]

So by simply removing the webserver (configured in server configuration > external app) from the rewrite rule (and writing the localhost IP address and port explicitly), instead of the redirection to the cPanel error page, I get a 500 internal server error message. Using network inspection in Chrome developer tools, I can see "server: litespeed" in the response headers (which means I've come closer this time).

An additional observation inside log console within chrome developer tools is that the GET request is displayed as domain.tld/:1

So it seems that this wrong redirection (/:1) is also consequence from the rewrite rule.

Any ideas on why webserver inside server configuration is not working properly on the rewrite rule, and what else should I change so that this "/:1" doesn't generate a real redirect (which I assume is the root cause for causing the 500 error)?

P.S.: There are inconsistencies among documentation on OpenLiteSpeed and LiteSpeed websites regarding this rewrite rule for reverse proxy configuration. I have also tried the other one I found (adding a forward-slash in the beginning of the rule), like this (which results the same 500 error page): RewriteRule ^/(.*)$ https://127.0.0.1:8099/$1 [P,E=Proxy-Host:my_domain_name.tld]
 

lsqtwrk

Administrator
#17
When you do proxy, a 500 error usually means the backend is not reachable.

I don't know; at this point you will probably need to enable the debug log to see what exactly OLS connected to and the headers it sends and receives, that should give you some information.
 
#18
Hi @lsqtwrk ,

The log viewer from OLS admin dashboard doesn't show any errors. I checked also the raw access log files from cPanel (Apache server) but couldn't locate the 500 responses.

Anyway, this kind of troubleshooting shouldn't be needed in the first place. I've strictly followed the reverse proxy guide from OLS documentation (and the procedure has few steps, so it should be really easy). It seems that there is some additional step missing, but I will not be able to find that on my own with my current knowledge. I've also tried to set up the proxy using context, but that proxy type also didn't work (redirected to cPanel default error page).

Since I have already generated too many service interruptions on my website in a short period of time, I will stop trying to make this work for now. Maybe I really need to take the time to set up a test environment and discover what exactly is missing in the set up instructions (or better prepare for the next server interruption with a clear path on what to look for on which server files - and which tests to perform when the site is down).

If you have any additional tips (or specific linux commands) that could give additional insight on what could be the issue, it would be of great help.

Thank you once again for your support!
 

lsqtwrk

Administrator
#19
hmmm

Do you mind PMing me your site and server IP?

I can try setting up a reverse proxy from my OLS server; it's OK if the origin is on port 80/443.
 
#20
Hi @lsqtwrk ,

I had to come back here to report that, although the issue with server configuration has been overcome, LiteSpeed cache is still not working on the site.

I don't know if it is an issue related to the Wordpress plugin or still something on the server level. If you think this issue should be rather discussed through LiteSpeed Wordpress plugin support forum, I can continue the thread from there.

First of all: I got until the end of the configuration guide on https://openlitespeed.org/kb/litespeed-cache-openlitespeed-reverse-proxy/ . I could check through phpinfo() the variables LSWS_EDITION as 'Openlitespeed' and X-LSCACHE as 'on'.

I've installed and activated the LiteSpeed WordPress plugin and enabled the cache function through LiteSpeed Cache > Cache settings > Enable Cache. Under Toolbox > Report, the relevant server variables show:
LITESPEED_SERVER_TYPE = LITESPEED_SERVER_OLS
LITESPEED_CLI = NULL
LITESPEED_ALLOWED = true
LITESPEED_ON = true

I assume up to this point everything shows that LiteSpeed Cache should work as expected.

I've purged all other cached data on W3 Total Cache + Cloudflare and then started to analyze a page load from my site on Chrome developer tools, but noticed the following issues:

1. All .js and .css files were no longer being combined (I use the plugin Autoptimize to merge + minimize static files; all "page optimization" functions on the LiteSpeed plugin are disabled)
2. The only response header related to LiteSpeed on the requested URL on my site shows: "x-litespeed-cache-control: no-cache"
3. At the bottom of the HTML there is this comment tag related to LiteSpeed: <!-- Page uncached by LiteSpeed Cache 3.5.2 on 2020-11-03 15:14:50 -->

So it clearly shows that LiteSpeed cache (although reported as "activated" on its own plugin report page) is not caching anything + is messing with combine function of static files executed through Autoptimize plugin.

Even when disabling Autoptimize plugin (which could be a source of conflict with LiteSpeed Wordpress plugin - given that combining static files was not working anymore), the LiteSpeed related information on chrome developer tools show "no-cache".

When I disable LiteSpeed cache function, then the combining function for .js and .css files through Autoptimize plugin starts to work again.

Do you have any ideas of what tests I could perform in order to find out the root cause for the LiteSpeed plugin not caching anything? Maybe some conflict with W3 Total Cache?

Thank you in advance.
 