Skip to main content
Version: 3.7.x

JATOS with Apache

This is an example of a configuration of Apache as a proxy in front of JATOS. While it's not necessary to run JATOS with a proxy, it's common to do so in order to allow encryption.

Here I used Apache 2.4.18 on a Ubuntu system. It is necessary to use at least version 2.4 since JATOS relies on WebSockets that aren't supported by earlier Apache versions.

A JATOS server that handles sensitive or private data should always use encryption (HTTPS). A nice free certificate issuer is certbot.eff.org from the Electronic Frontier Foundation.

I had to add some modules to Apache to get it working:

sudo a2enmod rewrite
sudo a2enmod proxy_wstunnel
sudo a2enmod proxy
sudo a2enmod headers
sudo a2enmod ssl
sudo a2enmod lbmethod_byrequests
sudo a2enmod proxy_balancer
sudo a2enmod proxy_http
sudo a2enmod remoteip

The following is an example of a proxy config with Apache. I stored it in /etc/apache2/sites-available/example.com.conf and added it to Apache with the command sudo a2ensite example.com.conf.

  • It enforces access via HTTPS by redirecting all HTTP traffic.
  • As an additional security measurement you can uncomment the <Location "/jatos"> and config your local network. This will restrict the access to JATOS' GUI (every URL starting with /jatos) to the local network.
<VirtualHost *:80>
ServerName www.example.com

# Redirect all unencrypted traffic to the respective HTTPS page
Redirect "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
ServerName www.example.com

# Restrict access to JATOS GUI to local network
#<Location "/jatos">
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1 ::1
# Allow from localhost
# Allow from 192.168
#</Location>

# Needed for JATOS to get the correct host and protocol
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Ssl "on"

# Your certificate for encryption
SSLEngine On
SSLCertificateFile /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile /etc/ssl/private/localhost.key

# JATOS uses WebSockets for its batch and group channels
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://localhost:9000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://localhost:9000/$1 [P,L]

# Proxy everything to the JATOS running on localhost on port 9000
ProxyPass / http://localhost:9000/
ProxyPassReverse / http://localhost:9000/
</VirtualHost>