Apache virtual configuration file for Digikam image

[sse450]

I installed docker image with the following command on Almalinux 9.

sudo docker run -i -t -d --name=digikam -e TZ="Europe/Minsk" -e SUBFOLDER=/ -e TITLE="Picture Archive" -e PASSWORD='****' -e LC_ALL=en_EN.UTF-8 -e CUSTOM_USER=xxxx -e PUID=1000 -e PGID=1000 -e UMASK=022 -e DISABLE_IPV6=true -p 3000:3000/tcp -p 3001:3001/tcp -v /home/appdata/digikam/archive:/mnt:rw -v /home/appdata/digikam/archive_config:/config:rw --shm-size="1gb" --restart unless-stopped lscr.io/linuxserver/digikam:8.8.0

I am trying to access it through https. https://host:3001 not working. http://host:3000 working but without https.

My apache conf is as below:

`<VirtualHost *:443>

ServerName digi.xxx.com

ServerAlias digi.*

SSLEngine on
SSLCertificateFile  /etc/letsencrypt/live/xxx.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxx.com/privkey.pem

ProxyRequests Off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"

CustomLog logs/digikam_access_log combined
ErrorLog logs/digikam_error_log

LimitRequestBody 134217728

RewriteEngine on
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/?websockify(.*) ws://xxx.53.129.xxx:3000/websockify$1 [P,L]

ProxyPass /websockify http://xxx.53.129.xxx:3000/websockify
ProxyPassReverse /websockify http://xxx.53.129.xxx:3000/websockify
ProxyPass / "http://digi.xxx.com:3000/"
ProxyPassReverse / "http://digi.xxx.com:3000/" </VirtualHost>

Result is continuous "websocket disconnected. attempting to reconnect" message on https://digi.xxx.com

What am I doing wrong? I would appreciate any help.
Thank you.

[drizuid]

we will not provide support for apache here. can you access via https://:3001? if yes, our part works

We do support our reverse proxy, swag, which is nginx based

[sse450]

I see. OK. I am revoking my Apache question. https://host:3001 is just fine for me.

When I enter https://host:3001, the browser says "Your connection is not private". Error message is net::ERR_CERT_AUTHORITY_INVALID.

When I accept the risk and go ahead, I can reach the UI of Digikam, but in an insecure connection.

I would appreciate any help to make the connection secure through https.

[drizuid]

this is expected behavior with a self-signed cert and is no issue. your connection IS private, browsers just dont consider non-global chains to be valid.

our recommendation to put it behind a "trusted" tls cert is to use a reverse proxy. you can also load trusted certs into the appropriate location in /config

[sse450]

I replaced cert.pem and cert.key in /config/ssl with LE certs. All fine now.

Thank you for the hint.

[drizuid]

I replaced cert.pem and cert.key in /config/ssl with LE certs. All fine now.

Thank you for the hint.

can you please mark as answered, so it closes out. thanks and glad you got it sorted. fwiw, a reverse proxy will still make everything simpler (single pane of trusted tls vs loading certs on numerous things)