Running Cells behind an Apache reverse proxy

Created on 2019/04/18

In this how to we will take a look at a basic Apache configuration for a reverse proxy to run for your Cells installation.

Specific Pydio Cells Configuration

During the installation process, instead of the offered settings you should enter configuration similar to this:

Internal url:
External Host:
  • Internal Host : address where the application http server is bound to. It MUST contain a server name and a port.
  • Protocol: If you are going to use SSL then the external host must be starting with https:// (you don't need to specify the port)
  • External host : url the end user will use to connect to the application, (the protocol will be added automatically)
  • Example: If you want your application to run on the localhost at port 8080 with SSL and use the url, then set CELLS_INTERNAL to localhost:8080 and CELLS_EXTERNAL to

If you wish to use the address you must respect this rule, cells_bind has to be exactly like this cells_internal=<port> and cells_external=<domain name,address>:<port>, the port is mandatory in both otherwise you will have a grey screen stuck in the loading

Configure Apache

You must enable the following mods with apache :

  • proxy
  • proxy_http
  • proxy_wstunnel

sudo a2enmod modname

Edit Apache mod_ssl configuration file to have this:

For this example the proxy is running on a server with this address, while the cells is running on another server using under the port 8080.

Listen 8080
<VirtualHost *:8080>

  AllowEncodedSlashes On
  RewriteEngine On
  #SSLProxyEngine On
  #SSLProxyVerify None
  #SSLProxyCheckPeerCN Off
  #SSLProxyCheckPeerName Off

  #Proxy WebSocket
  #RewriteCond %{HTTP:Upgrade} =websocket [NC]
  #RewriteRule /(.*) wss://$1 [P,L]
  ProxyPassMatch "/ws/(.*)" ws://$1 nocanon
  # for ssl
  # ProxyPassMatch "/ws/(.*)" wss://ip.or.domain.server/ws/$1 nocanon

  # Collabora Online
  # ProxyPassMatch "/lool/(.*)ws$" wss://*1/ws noncanon

  # Onlyoffice
  # ProxyPassMatch "/onlyoffice/(.*)/websocket$" ws://$1/websocket nocanon

  #Finally simple proxy instruction
  ProxyPass "/" ""
  ProxyPassReverse "/" ""

  #Uncomment if you are going to use SSL
  #SSLEngine on
  #SSLCertificateFile /etc/ssl/localcerts/server.crt
  #SSLCertificateKeyFile /etc/ssl/localcerts/server.key
  #SSLCertificateChainFile /etc/ssl/localcerts/bundled.crt

  ErrorLog ${APACHE_LOG_DIR}/error-ssl.log
  CustomLog ${APACHE_LOG_DIR}/access-ssl.log combined

Important points

Please note:

  • The AllowEncodedSlashes enabled, may be necessary if not activated globally in apache (to API calls like /a/meta/bulk/path%2F%to%2Ffolder)

  • When I configure Cells, even on another port, I actually make sure to bind it directly to the as well (like Apache). This is necessary for the presigned URL used with S3 API for uploads and downloads (they used signed headers and a mismatch between received Host headers may break the signature). Another option is to still bind Cells using a local IP, then in the Admin Settings, under Configs Backend, use the field “Replace Host Header for S3 Signature” and use the internal IP here.