docs(proxy): add Apache httpd example (#4657)

* docs(proxy): add httpd reverse proxy example * add httpd tab * add httpd tab * minor production checklist improvements
2025-02-28 20:07:23 +00:00 · 2022-11-04 18:00:40 +01:00 · 2022-11-04 18:00:40 +01:00 · b3d2892e4c
commit b3d2892e4c
parent c791f6de58
5 changed files with 187 additions and 15 deletions
--- a/docs/docs/guides/manage/self-hosted/production.md
+++ b/docs/docs/guides/manage/self-hosted/production.md
@ -7,11 +7,11 @@ you are ready to configure ZITADEL for production usage.

 ## High Availability

-We recommend running ZITADEL highly available using an orchestrator that schedules ZITADEL on multiple servers, like [Kubernetes](/docs/guides/deploy/kubernetes).
+We recommend running ZITADEL highly available using an orchestrator that schedules ZITADEL on multiple servers, like [Kubernetes](/docs/guides/deploy/kubernetes). For keeping startup times fast when scaling ZITADEL, you should also consider using separate jobs with `zitadel init` and `zitadel setup`, so your workload containers just have to execute `zitadel start`.

 ## Configuration

-Read [on the configure page](/docs/guides/manage/self-hosted/configure) about the available options you have to configure the ZITADEL.
+Read [on the configure page](/docs/guides/manage/self-hosted/configure) about the available options you have to configure ZITADEL.

 ## Networking

@ -70,7 +70,7 @@ Projections:
 ## Data Initialization

 - You can configure instance defaults in the DefaultInstance section.
-  If you plan to eventually create [multiple virtual instances](/docs/concepts/structure/instance#multiple-virtual-instances), these defaults take effect, too.
+  If you plan to eventually create [multiple virtual instances](/docs/concepts/structure/instance#multiple-virtual-instances), these defaults take effect.
  Also, these configurations apply to the first instance, that ZITADEL automatically creates for you.
  Especially the following properties are of special interest for your production setup.

@ -95,7 +95,7 @@ DefaultInstance:
    FromName:
 ```

- If you don't want to use the DefaultInstance configuration for the first instance that ZITADEL automatically creates for you during the [startup phase](/docs/guides/manage/self-hosted/configure#database-initialization), you can provide a FirstInstance YAML section using the --steps argument.
+- If you don't want to use the DefaultInstance configuration for the first instance that ZITADEL automatically creates for you during the [setup phase](/docs/guides/manage/self-hosted/configure#database-initialization), you can provide a FirstInstance YAML section using the --steps argument.
 - Learn how to configure ZITADEL via the [Console user interface](/docs/guides/manage/console/overview).
- Probably, you also want [apply your custom branding](/docs/guides/manage/customize/branding), [hook into certain events](/docs/guides/manage/customize/behavior), [customize texts](/docs/guides/manage/customize/texts) or [add metadata to your users](/docs/guides/manage/customize/user-metadata)
- If you want to automatically setup ZITADEL resources, you can use the [ZITADEL Terraform Provider](/docs/guides/manage/terraform/basics)
+- Probably, you also want to [apply your custom branding](/docs/guides/manage/customize/branding), [hook into certain events](/docs/guides/manage/customize/behavior), [customize texts](/docs/guides/manage/customize/texts) or [add metadata to your users](/docs/guides/manage/customize/user-metadata).
+- If you want to automatically create ZITADEL resources, you can use the [ZITADEL Terraform Provider](/docs/guides/manage/terraform/basics).
--- a/docs/docs/guides/manage/self-hosted/reverseproxy/_caddy.mdx
+++ b/docs/docs/guides/manage/self-hosted/reverseproxy/_caddy.mdx
@ -1,6 +1,6 @@
 ## TLS mode external

-```bash
+```
 https://localhost {
        reverse_proxy h2c://localhost:8080
        tls internal #only non production
@ -9,7 +9,7 @@ https://localhost {

 ## TLS mode enabled

-```bash
+```
 https://localhost {
        reverse_proxy https://localhost:8080
        tls internal #only non production
@ -18,7 +18,7 @@ https://localhost {

 ## TLS mode disabled

-```bash
+```
 http://localhost {
        reverse_proxy h2c://localhost:8080
 }
--- a/docs/docs/guides/manage/self-hosted/reverseproxy/_httpd.mdx
+++ b/docs/docs/guides/manage/self-hosted/reverseproxy/_httpd.mdx
@ -0,0 +1,166 @@
+## TLS mode external
+
+```
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+
+ServerRoot "/usr/local/apache2"
+LogLevel warn
+ErrorLog /proc/self/fd/2
+CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
+
+ServerName my.domain
+Listen 80
+Listen 443
+
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+
+<VirtualHost *:80>
+    ServerName my.domain
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName my.domain
+    ProxyPreserveHost On
+    SSLCertificateFile /certs/server.crt
+    SSLCertificateKeyFile /certs/server.key
+    ProxyPass / h2c://localhost:8080/
+    ProxyPassReverse / h2c://localhost:8080/
+</VirtualHost>
+```
+
+## TLS mode enabled
+
+```
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule http2_module modules/mod_http2.so
+
+ServerRoot "/usr/local/apache2"
+LogLevel debug
+ErrorLog /proc/self/fd/2
+CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
+
+ServerName my.domain
+Listen 80
+Listen 443
+
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+
+<VirtualHost *:80>
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+</VirtualHost>
+
+<VirtualHost *:443>
+    ProxyPreserveHost On
+    SSLEngine on
+    SSLProxyEngine on
+    SSLCertificateFile /certs/server.crt
+    SSLCertificateKeyFile /certs/server.key
+    ProxyPass / h2://localhost:8080/
+</VirtualHost>
+```
+
+## TLS mode disabled
+
+```
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule version_module modules/mod_version.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule proxy_http2_module modules/mod_proxy_http2.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule status_module modules/mod_status.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule rewrite_module modules/mod_rewrite.so
+
+ServerRoot "/usr/local/apache2"
+LogLevel warn
+ErrorLog /proc/self/fd/2
+CustomLog /proc/self/fd/1 "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
+
+ServerName my.domain
+Listen 80
+
+<VirtualHost *:80>
+    ServerName my.domain
+    ProxyPreserveHost On
+    ProxyPass / h2c://localhost:8080/
+    ProxyPassReverse / h2c://localhost:8080/
+</VirtualHost>
+```
--- a/docs/docs/guides/manage/self-hosted/reverseproxy/_nginx.mdx
+++ b/docs/docs/guides/manage/self-hosted/reverseproxy/_nginx.mdx
@ -1,6 +1,6 @@
 ## TLS mode external

-```bash
+```
 worker_processes  1;
 events {
    worker_connections  1024;
@ -33,7 +33,7 @@ with

 ## TLS mode enabled

-```bash
+```
 worker_processes  1;
 events {
    worker_connections  1024;
@ -66,7 +66,7 @@ with

 ## TLS mode disabled

-```bash
+```
 worker_processes  1;
 events {
    worker_connections  1024;
--- a/docs/docs/guides/manage/self-hosted/reverseproxy/reverse_proxy.mdx
+++ b/docs/docs/guides/manage/self-hosted/reverseproxy/reverse_proxy.mdx
@ -8,6 +8,7 @@ import Zcloud from "./_zitadel_cloud.mdx";
 import Nginx from "./_nginx.mdx";
 import Traefik from "./_traefik.mdx";
 import Caddy from "./_caddy.mdx";
+import Httpd from "./_httpd.mdx";
 import Cftunnel from "./_cloudflare_tunnel.mdx";
 import Cloudflare from "./_cloudflare.mdx";
 import More from "./_more.mdx";
@ -22,6 +23,7 @@ import More from "./_more.mdx";
    { label: "NGINX", value: "nginx" },
    { label: "Traefik", value: "traefik" },
    { label: "Caddy", value: "caddy" },
+    { label: "Apache httpd", value: "httpd" },
    { label: "Cloudflare Tunnel", value: "cftunnel" },
    { label: "Cloudflare", value: "cf" },
  ]}
@ -42,6 +44,10 @@ import More from "./_more.mdx";
    <Caddy />
    <More />
  </TabItem>
+  <TabItem value="httpd">
+    <Httpd />
+    <More />
+  </TabItem>
  <TabItem value="cftunnel">
    <Cftunnel />
    <More />