Configuring Apache2 as a proxy for Mattermost Server (Unofficial)

On a Debian-based operating system such as Ubuntu, Apache2 proxy configuration is done in the /etc/apache2/sites-available directory. Red Hat-based systems organize Apache configuration files differently. If you're setting up Mattermost on a subdomain, you'll want to create a new configuration file along the lines of mysubdomain.mydomain.com.conf.
 
To configure Apache2 as a proxy
  1. SSH into your server.
  2. Make sure the Apache modules mod_rewrite, mod_proxy, mod_proxy_http, and mod_proxy_wstunnel are installed and enabled. If not, follow the instructions from your Linux distribution to do so.
  3. Create the above-mentioned configuration file. It is often helpful to start with a copy of 000-default.conf or default-ssl.conf (on Ubuntu).
  4. Edit your configuration using the guide below:
    a. If you're not setting up a subdomain, your ServerName will simply be set to mydomain.com.
    b. ServerAlias can be added too if you want to capture www.mydomain.com.
    c. Remember to change the values to match your server's name, etc.
    d. If you have enabled TLS in the Mattermost settings, you must use the protocol wss:// instead of ws:// in the RewriteRule.
    e. To serve requests on a different port (such as 8443), in addition to setting the port in the VirtualHost element, add Listen 8443 on a separate line before the VirtualHost line.
  5. <VirtualHost *:80>
         # If you're not using a subdomain you may need to set a ServerAlias to:
         # ServerAlias www.mydomain.com
         ServerName mysubdomain.mydomain.com
         ServerAdmin hostmaster@mydomain.com
         ProxyPreserveHost On
         ProxyRequests Off

         # Set web sockets
         RewriteEngine On
         RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC]
         RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
         RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
         RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]

         <Location />
           Require all granted
           ProxyPass http://127.0.0.1:8065/
           ProxyPassReverse http://127.0.0.1:8065/
           ProxyPassReverseCookieDomain 127.0.0.1 mysubdomain.mydomain.com
         </Location>
     </VirtualHost>
  6. (Debian/Ubuntu only) Because you'll likely have not set up the subdomain before now on Apache2, run a2ensite mysubdomain.mydomain.com to enable the site (do not run a2ensite mysubdomain.mydomain.com.conf).
  7. Restart Apache2.
    - On Ubuntu 14.04 and RHEL 6: sudo service apache2 restart
    - On Ubuntu 16.04+ and RHEL 7+: sudo systemctl restart apache2

You should be all set! Ensure that your Mattermost config file is pointing to the correct URL (which may include a port), and then ensure that the WebSocket connection is not dropping once deployed. To prevent external access to Mattermost on port 8065, in the config file, set ListenAddress to localhost:8065 instead of :8065.
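A small pre-deploy lint for the two mistakes this section warns about (Mattermost still bound on every interface, and a ws:// RewriteRule while Mattermost itself serves TLS). This is an added example, not Mattermost's or Apache's own tooling; it assumes the Mattermost config.json keys ServiceSettings.ListenAddress and ServiceSettings.ConnectionSecurity, and reads the Apache vhost as plain text.

```python
"""Pre-deploy lint for the proxy set-up above (added example, not
Mattermost's or Apache's own tooling). It reads a Mattermost config.json
and the Apache vhost text and flags the two mistakes the guide warns
about: Mattermost still bound on all interfaces (":8065") and a ws://
RewriteRule while ConnectionSecurity is "TLS" (or the reverse).
Assumes the ServiceSettings keys ListenAddress and ConnectionSecurity."""
import json
import re


def lint_proxy_setup(mattermost_config_json, apache_conf):
    """Return a list of finding strings; an empty list means both checks passed."""
    findings = []
    svc = json.loads(mattermost_config_json).get("ServiceSettings", {})
    listen = svc.get("ListenAddress", "")
    host = listen.rsplit(":", 1)[0]  # "" for ":8065", "localhost" for "localhost:8065"
    if host in ("", "0.0.0.0", "::", "[::]"):
        findings.append(f"ListenAddress {listen!r} binds every interface; "
                        "use localhost:8065 so only the proxy can reach it")
    tls = svc.get("ConnectionSecurity", "") == "TLS"
    # Scheme used by the WebSocket RewriteRule in the vhost (ws or wss)
    m = re.search(r"RewriteRule\s+\S+\s+(wss?)://", apache_conf)
    if m is None:
        findings.append("no WebSocket RewriteRule (ws:// or wss://) found")
    elif tls and m.group(1) == "ws":
        findings.append("Mattermost uses TLS but RewriteRule proxies to ws://; use wss://")
    elif not tls and m.group(1) == "wss":
        findings.append("Mattermost is plain HTTP but RewriteRule uses wss://; use ws://")
    return findings


# Constructed sample inputs (not from a real deployment)
SAMPLE_CONFIG = '{"ServiceSettings": {"ListenAddress": ":8065", "ConnectionSecurity": ""}}'
SAMPLE_VHOST = "RewriteRule .* ws://127.0.0.1:8065%{REQUEST_URI} [P,QSA,L]\n"

if __name__ == "__main__":
    for finding in lint_proxy_setup(SAMPLE_CONFIG, SAMPLE_VHOST):
        print("finding:", finding)
```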
 

Pre-authentication secret configuration

From Mattermost v10.12, you can configure Apache2 to require a pre-authentication secret header before proxying requests to Mattermost for additional security. This is useful when you want to ensure only authorized clients can reach your Mattermost instance. For complete details on pre-authentication secrets, see the Pre-authentication Secrets documentation.

To add pre-authentication to your Apache2 configuration, modify the <Location /> block as follows.

Note: The whitelist below includes common paths that typically need to bypass pre-authentication, but you should modify it based on your specific needs and deployment requirements; see the Pre-authentication Secrets documentation for further details.

<Location />
    # Whitelist paths that don't require pre-auth
    RewriteCond %{REQUEST_URI} ^/api/v4/config/client [OR]
    RewriteCond %{REQUEST_URI} ^/login/sso/saml [OR]
    RewriteCond %{REQUEST_URI} ^/login/desktop [OR]
    RewriteCond %{REQUEST_URI} ^/static/ [OR]
    RewriteCond %{REQUEST_URI} ^/oauth/[A-Za-z0-9]+/(complete|login|mobile_login|signup)$ [OR]
    RewriteCond %{REQUEST_URI} ^/api/v3/oauth/[A-Za-z0-9]+/complete$ [OR]
    RewriteCond %{REQUEST_URI} ^/(signup|login)/[A-Za-z0-9]+/complete$
    RewriteRule .* - [E=WHITELIST:1]
    
    # Check pre-auth header for non-whitelisted paths
    RewriteCond %{ENV:WHITELIST} !^1$
    RewriteCond %{HTTP:X-Mattermost-Preauth-Secret} !^your-secret-here$
    RewriteRule .* - [E=REJECT:1]
    
    # Set headers and return 403 for requests without proper secret
    Header always set x-reject-reason "pre-auth" env=REJECT
    Header always set Cache-Control "no-store" env=REJECT
    RewriteCond %{ENV:REJECT} ^1$
    RewriteRule .* - [R=403,L]
    
    # Existing proxy configuration
    Require all granted
    ProxyPass http://127.0.0.1:8065/
    ProxyPassReverse http://127.0.0.1:8065/
    ProxyPassReverseCookieDomain 127.0.0.1 mysubdomain.mydomain.com
</Location>

Important: Replace your-secret-here with a strong, randomly generated secret. Make sure to also enable the mod_headers Apache module for this configuration to work properly.
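To check which paths the whitelist above lets through without the secret before reloading Apache, the following added example (not Mattermost's or Apache's code) models the <Location /> rules with the same patterns in the same order, and builds the RewriteCond line for a generated secret with regex metacharacters escaped, since CondPattern is a regular expression. It assumes the header name X-Mattermost-Preauth-Secret and the whitelist exactly as shown.

```python
"""Model of the pre-auth gate in the <Location /> block above (added
example, not Mattermost's or Apache's code). It applies the same
RewriteCond patterns in the same order, so a path can be checked for
whitelist bypass before the config is reloaded. Assumes the header
name X-Mattermost-Preauth-Secret and the whitelist exactly as shown."""
import re
import secrets

HEADER = "X-Mattermost-Preauth-Secret"
# Same patterns as the RewriteCond [OR] chain, in the same order.
WHITELIST = [
    r"^/api/v4/config/client",
    r"^/login/sso/saml",
    r"^/login/desktop",
    r"^/static/",
    r"^/oauth/[A-Za-z0-9]+/(complete|login|mobile_login|signup)$",
    r"^/api/v3/oauth/[A-Za-z0-9]+/complete$",
    r"^/(signup|login)/[A-Za-z0-9]+/complete$",
]


def is_whitelisted(request_uri):
    """Any pattern matching sets WHITELIST=1 (RewriteCond is an unanchored search)."""
    return any(re.search(p, request_uri) for p in WHITELIST)


def gate(request_uri, headers, secret):
    """Return (status, extra_headers) the way the rules decide it: 200 stands for
    'proxied to 127.0.0.1:8065'; 403 carries the two env=REJECT header values."""
    if is_whitelisted(request_uri):
        return 200, {}
    # HTTP header names are case-insensitive, as for %{HTTP:...} in Apache.
    sent = {k.lower(): v for k, v in headers.items()}.get(HEADER.lower())
    # A missing header is the empty string in Apache, which also fails !^secret$
    if sent != secret:
        return 403, {"x-reject-reason": "pre-auth", "Cache-Control": "no-store"}
    return 200, {}


def config_secret_line(secret):
    """RewriteCond line to paste in place of the your-secret-here one.
    CondPattern is a regex, so metacharacters in the secret are escaped."""
    return f"RewriteCond %{{HTTP:{HEADER}}} !^{re.escape(secret)}$"


def new_secret():
    """Strong random replacement for your-secret-here (32 random bytes, URL-safe)."""
    return secrets.token_urlsafe(32)
```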