From 32a09f73590ed04bd5db275bc20d527271e5046b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?dni=20=E2=9A=A1?= <office@dnilabs.com>
Date: Sat, 13 Aug 2022 14:41:23 +0200
Subject: [PATCH] add apache2 reverse proxy documentation (#868)

* add apache2 reverse proxy documentation

* add certbot

Co-authored-by: dni <dni.khr@gmail.com>
---
 docs/guide/installation.md | 43 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/docs/guide/installation.md b/docs/guide/installation.md
index d9b8d5d27..7885ff7e0 100644
--- a/docs/guide/installation.md
+++ b/docs/guide/installation.md
@@ -216,6 +216,47 @@ sudo systemctl enable lnbits.service
 sudo systemctl start lnbits.service
 ```
 
+## Running behind an apache2 reverse proxy over https
+Install apache2 and enable apache2 mods
+```sh
+apt-get install apache2 certbot
+a2enmod headers ssl proxy proxy-http
+```
+create a ssl certificate with letsencrypt
+```sh
+certbot certonly --webroot --agree-tos --text --non-interactive --webroot-path /var/www/html -d lnbits.org
+```
+create a apache2 vhost at: /etc/apache2/sites-enabled/lnbits.conf
+```sh
+cat <<EOF > /etc/apache2/sites-enabled/lnbits.conf
+<VirtualHost *:443>
+  ServerName lnbits.org
+  SSLEngine On
+  SSLProxyEngine On
+  SSLCertificateFile /etc/letsencrypt/live/lnbits.org/fullchain.pem
+  SSLCertificateKeyFile /etc/letsencrypt/live/lnbits.org/privkey.pem
+  Include /etc/letsencrypt/options-ssl-apache.conf
+  LogLevel info
+  ErrorLog /var/log/apache2/lnbits.log
+  CustomLog /var/log/apache2/lnbits-access.log combined
+  RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+  RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
+  ProxyPreserveHost On
+  ProxyPass / http://localhost:5000/
+  ProxyPassReverse / http://localhost:5000/
+  <Proxy *>
+      Order deny,allow
+      Allow from all
+  </Proxy>
+</VirtualHost>
+EOF
+```
+restart apache2
+```sh
+service restart apache2
+```
+
+
 ## Using https without reverse proxy
 The most common way of using LNbits via https is to use a reverse proxy such as Caddy, nginx, or ngriok. However, you can also run LNbits via https without additional software. This is useful for development purposes or if you want to use LNbits in your local network.
 
@@ -236,7 +277,7 @@ To create a certificate, first `cd` into your LNbits folder and execute the foll
 ```sh
 openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out cert.pem -keyout key.pem
 ```
-This will create two new files (`key.pem` and `cert.pem `). 
+This will create two new files (`key.pem` and `cert.pem `).
 
 Alternatively, you can use mkcert ([more info](https://kifarunix.com/how-to-create-self-signed-ssl-certificate-with-mkcert-on-ubuntu-18-04/)):
 ```sh