macOS Catalina Profile Manager and Other Websites
Each release of macOS has the possibility of changing things, and macOS Catalina is no different. There are numerous changes with macOS Catalina. I have written an entire book about all of the changes. I use my iMac for developing websites and testing out ideas.
Another thing I use my iMac for is testing out Apple's Profile Manager service, which is available through the macOS Server app. With macOS Mojave I was able to create a website on a different port. This took a bit of tweaking and configuring of Apache. This was outlined in a post that I wrote last year.
It looks like the initial release of macOS Catalina has actually broken the ability for this to work. Here is the scenario.
Scenario
After I upgraded macOS to Catalina and then upgraded the Server.app, I could no longer run a website on a different port at the same time. If Server is configured, it will start before the Apache service does, and it will utilize ports 443 and 80.
If I stop both Apache and Profile Manager and then start Apache, the configuration works. However, if I start Profile Manager and then Apache, the website would never load. It is not merely a configuration issue, as the site works when only Apache is loaded.
Additionally, if I go to Terminal and type in "netstat -an | grep 8080", it would return nothing. In case you are wondering, this command will filter the contents of the "netstat -an" command for any lines that have 8080. This would come up blank, which means that the service is not up and running.
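A stricter version of the check above, as an added example that is not part of the original post: a plain grep for 8080 also matches remote ports and ports such as 18080, so this function reads "netstat -an" output and succeeds only for a TCP socket in LISTEN state on the exact port. The function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). listening_on is a hypothetical helper.

# Reads `netstat -an` output on stdin. Succeeds only if a TCP socket is in
# LISTEN state on local port $1. Handles the macOS address layout
# (*.8080, 127.0.0.1.8080) as well as the host:port layout.
listening_on() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # The port is the last component of the local address column.
            n = split($4, parts, "[.:]")
            if (parts[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: both lines contain "8080", but nothing listens on 8080.
# Line 1 is an outbound connection to a remote port 8080, line 2 listens on 18080.
SAMPLE_NO_LISTENER='tcp4       0      0  192.168.1.10.52344     203.0.113.7.8080       ESTABLISHED
tcp46      0      0  *.18080                *.*                    LISTEN'

# Constructed sample: Apache is listening on 8080 next to a listener on 443.
SAMPLE_LISTENER='tcp46      0      0  *.8080                 *.*                    LISTEN
tcp4       0      0  *.443                  *.*                    LISTEN'

# Stand-alone use: sh check_port.sh 8080
if [ -n "${1:-}" ]; then
    if netstat -an | listening_on "$1"; then
        echo "a service is listening on port $1"
    else
        echo "nothing is listening on port $1"
    fi
fi
```

To see which process owns the listener, "sudo lsof -nP -iTCP:8080 -sTCP:LISTEN" prints the command name and PID.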
The Fix
I spent approximately 4 hours trying to figure out a workaround, but to no avail. When I began writing this post, I did not have a solution for this, but during the writing an idea came to me. Since Server is able to successfully work, why not edit the server's website configuration and just use it to host the additional sites I need?
This is exactly what I ended up doing. The files for the Server app are located in /Library/Server/Web/Config. Here there are two folders "apache2" and "proxy". Your first thought might be that you need to modify those under "apache2". However, the actual file that you want to modify is under the "proxy" folder. Specifically, the "apache_serviceproxy.conf" file.
Here is the configuration that I used.
# Custom Configuration - 8080 / PHP
Listen 8080
# Load PHP 7 and register the .php / .phps extensions
LoadModule php7_module libexec/apache2/libphp7.so
<IfModule php7_module>
    AddType application/x-httpd-php .php
    # .phps files are served as highlighted source code
    AddType application/x-httpd-php-source .phps
    <IfModule dir_module>
        DirectoryIndex index.html index.php
    </IfModule>
</IfModule>
<VirtualHost *:8080>
    ProxyPreserveHost On
    SetEnv proxy-chain-auth on
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"
    # Drop any client-supplied Proxy header before it reaches PHP (httpoxy mitigation)
    RequestHeader unset Proxy early
    <IfModule mod_ssl.c>
        SSLEngine On
        SSLCertificateFile "/etc/certificates/${CERT_ID}.cert.pem"
        SSLCertificateKeyFile "/etc/certificates/${CERT_ID}.key.pem"
        SSLCertificateChainFile "/etc/certificates/${CERT_ID}.chain.pem"
        SSLHonorCipherOrder On
        SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
        # Accept TLS 1.2 only
        SSLProtocol -all +TLSv1.2
        # SSLProxy* settings apply only to connections Apache makes to an HTTPS backend;
        # the two "off" lines disable certificate name checks on those connections
        SSLProxyEngine On
        SSLProxyProtocol -all +TLSv1.2
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
    </IfModule>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot "/usr/local/website"
    ServerName dummy-host.example.com
    ServerAlias www.dummy-host.example.com
    ErrorLog "/private/var/log/apache2/website-error_log"
    CustomLog "/private/var/log/apache2/website-access_log" common
</VirtualHost>
Let me break down what this code does, in order.
- Tell Apache to listen on port 8080
- Load the PHP 7 module
- Make PHP usable by registering the .php and .phps extensions with Apache
- Configure the VirtualHost
- Within the VirtualHost, configure SSL support
There is one section I want to call out specifically within the VirtualHost 8080 configuration. The three lines are:
SSLCertificateFile "/etc/certificates/${CERT_ID}.cert.pem"
SSLCertificateKeyFile "/etc/certificates/${CERT_ID}.key.pem"
SSLCertificateChainFile "/etc/certificates/${CERT_ID}.chain.pem"
I copied and pasted these three lines from the VirtualHost configuration earlier in the file. These actually have a benefit, as they will use any SSL certificate that you have configured within the Server app. This means that you will not need to update certificate information in multiple places and instead can update it through the Server app and have it work for all of your sites. This should be an improvement for me since I had to manually configure SSL with Apache under macOS Mojave.
Possible Drawback
There is one possible drawback to using this configuration. The drawback is that your configuration could get wiped out by a future update to macOS Server. Because of this, it is a good idea to have a backup of your configuration saved once you get it working. Additionally, you should save a backup outside of the Server Web configuration path, just to be on the safe side.
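One way to act on this advice, as an added example that is not from the original post: the script keeps timestamped copies of the proxy configuration outside the Server path and reports when the custom block has disappeared or the file has changed. The backup directory, function names and exit codes are assumptions; the file path and marker comment are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post). BACKUP_DIR, the function names
# and the exit codes are assumptions; CONF and MARKER come from the post.
CONF="${CONF:-/Library/Server/Web/Config/proxy/apache_serviceproxy.conf}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/ServerConfigBackups}"
MARKER='# Custom Configuration - 8080 / PHP'

# Succeeds if file $1 still holds the marker comment and the Listen 8080 line.
has_custom_block() {
    grep -qF -- "$MARKER" "$1" &&
        grep -qE '^[[:space:]]*Listen[[:space:]]+8080[[:space:]]*$' "$1"
}

# Saves a timestamped copy outside the Server config path and prints its name.
# Refuses to run if the block is already gone, so a wiped file is never
# stored as the newest "good" copy.
backup_conf() {
    has_custom_block "$CONF" || return 1
    mkdir -p "$BACKUP_DIR" || return 1
    chmod 700 "$BACKUP_DIR"   # the config names certificate and log paths
    dest="$BACKUP_DIR/apache_serviceproxy.conf.$(date +%Y%m%d%H%M%S)"
    cp -p "$CONF" "$dest" && printf '%s\n' "$dest"
}

# Returns 0 if unchanged since the newest backup, 1 if the custom block is
# missing (restore needed), 2 if there is no backup or the file differs.
check_conf() {
    has_custom_block "$CONF" || { echo "custom block missing from $CONF"; return 1; }
    latest=$(ls -1 "$BACKUP_DIR"/apache_serviceproxy.conf.* 2>/dev/null | sort | tail -n 1)
    [ -n "$latest" ] || { echo "no backup found in $BACKUP_DIR"; return 2; }
    cmp -s "$CONF" "$latest" || { echo "$CONF differs from $latest"; return 2; }
    echo "unchanged since $latest"
}

# Stand-alone use: sh server_conf.sh backup | check
case "${1:-}" in
    backup) backup_conf ;;
    check)  check_conf ;;
esac
```

Running the check after every macOS Server update shows whether the custom block needs to be restored from the newest copy.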
Closing Thoughts
While it may be a pain to have to modify the Server's configuration to have multiple websites, it is better than not having it work at all. It is always a good idea to have a backup of any configuration files before making any configuration changes.