Configuring Teleport 13+ behind Apache 2 as an HTTPS reverse proxy

[webvictim]

Here's how to configure Teleport 13+ behind Apache 2 as an HTTPS reverse proxy.

This was set up on an Ubuntu 22.04 server. You will need Apache version 2.4.47 or higher to support Teleport's connection upgrades.

Notes:

• In all examples, replace teleport.example.com with your own public domain.
• Teleport listens on port 3080. Apache listens on port 443 and forwards traffic to port 3080.
• Port 443 must be open to the outside via firewall/security groups etc.
• Add an A record for teleport.example.com, pointing to the external IP address of your Apache server
  • If you're using Cloudflare, your DNS records must be set to "DNS only" rather than "proxied"
• You will need to get a valid TLS certificate for your domain using something like certbot which you can supply to Apache:
  • Example: sudo certbot certonly -d teleport.example.com
• Don't forget to configure a cron job or some kind of process to automatically run certbot renew at least every 90 days
  • Add a hook to automatically reload Apache to read the update certificates when this is done.
• Teleport itself will use a self-signed certificate and does not need to be configured to use certbot.
• Make sure you're using Teleport version 13+, and that you have tsh version 13+ installed locally.
  • If you're using an older version of tsh, commands like tsh login will not work as expected. Check your version with tsh version and upgrade if necessary.
• This guide does not currently cover Application Access. If you require that functionality, please experiment and let us known how you get on!

/etc/teleport.yaml:

version: v3
teleport:
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: true
  cluster_name: "teleport.example.com" # update to your own public domain
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
  authentication:
    second_factor: on
    webauthn:
      rp_id: teleport.example.com # update to your own public domain
ssh_service:
  enabled: true
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
proxy_service:
  enabled: true
  web_listen_addr: 0.0.0.0:3080
  public_addr: teleport.example.com:443 # update to your own public domain
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}
  trust_x_forwarded_for: true

etc/apache2/sites-available/001-teleport.conf:

<VirtualHost *:443>
    ServerName teleport.example.com

    ErrorLog /var/log/apache2/teleport.error.log
    CustomLog /var/log/apache2/teleport.access.log combined

    SSLEngine on
    SSLProxyEngine on
    SSLProtocol TLSv1.3 TLSv1.2
    # Replace path here with your own domain
    SSLCertificateFile /etc/letsencrypt/live/teleport.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/teleport.example.com/privkey.pem

    # Replace localhost:3080 with the IP:port of your Teleport server if needed
    # The upgrade=ANY line is needed to pass custom connection upgrades used by Teleport
    ProxyPass / https://localhost:3080/ upgrade=ANY
    ProxyPassReverse / https://localhost:3080/
    ProxyPreserveHost on
    ProxyRequests off
</VirtualHost>

Once this is done, you must enable the mod_proxy mod_ssl mod_rewrite modules, then also enable the 001-teleport site, then restart Apache 2:

sudo a2enmod proxy ssl rewrite
sudo a2ensite 001-teleport
sudo systemctl restart apache2

• You can check Teleport logs with sudo journalctl -u teleport -f.
• You can check Apache 2's Teleport access/error logs using sudo tail -F /var/log/apache2/teleport*.log

If you have any issues, post comments here for assistance. We'd also love to hear if you just get it working!

[Mefevre]

INFO

If you're using Cloudflare, your DNS record can be set to "proxied". Just don't forget to enable websocket support on your website.
Enable Websocket on CloudFlare

Thanks @webvictim for this doc !