Enable HTTPS over the Traccar portal using Apache Reverse Proxy

  • Post category:Guides

Enable HTTPS for the Traccar Portal Using an Apache Reverse Proxy 🔒

Traccar does not natively support HTTPS on its web interface. To securely expose the Traccar portal over HTTPS, we can place Apache in front of it as a reverse proxy.

In this setup, Apache listens on port 443, terminates SSL, and securely forwards both standard HTTP traffic and WebSocket connections to Traccar on its default internal port (8082). This allows Traccar to continue running unchanged, while users access it exclusively over HTTPS.

By proxying Traccar through Apache:

  • All browser access is encrypted with HTTPS
  • WebSockets continue to function correctly for live tracking updates
  • Port 8082 can remain closed to the public internet
  • The server’s overall attack surface is significantly reduced

This guide provides clear, copy-and-paste-ready steps to configure Apache, enable the required modules, set up SSL with Let’s Encrypt, handle WebSockets correctly, and troubleshoot common issues.


Prerequisites

  • A running Traccar instance (default: listens on port 8082) installed at /opt/traccar
  • Root or sudo access on the server
  • A domain with working DNS (e.g. portal.example.com)
  • A valid SSL certificate (Let’s Encrypt or commercial)

Enable required Apache modules ✅

These modules provide HTTP proxying, WebSocket support, header forwarding, and SSL handling.

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_wstunnel
sudo a2enmod headers
sudo a2enmod ssl

Reload Apache after enabling modules:

sudo systemctl reload apache2

Apache HTTPS VirtualHost configuration

Create or edit the following file (adjust domain and certificate paths as needed):

/etc/apache2/sites-available/portal.example.com.conf

Important: The WebSocket ProxyPass rule must appear before the general ProxyPass / rule.

We are also using Let’s Encrypt for free SSL certificates. Generate the certificates first and make sure they exist at the paths below, or Apache will fail to start.

<VirtualHost *:80>
    ServerName portal.example.com
    Redirect permanent / https://portal.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName portal.example.com
    ServerAdmin admin@example.com

    ProxyRequests Off
    ProxyPreserveHost On

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/portal.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/portal.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Forward original request info to Traccar
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Host "portal.example.com"
    RequestHeader set X-Real-IP %{REMOTE_ADDR}s

    # WebSocket proxy (must be before the generic ProxyPass)
    ProxyPass /api/socket ws://127.0.0.1:8082/api/socket
    ProxyPassReverse /api/socket ws://127.0.0.1:8082/api/socket

    # Regular HTTP proxy to Traccar
    ProxyPass / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/

    ErrorLog ${APACHE_LOG_DIR}/portal-error.log
    CustomLog ${APACHE_LOG_DIR}/portal-access.log combined
</VirtualHost>

Note: If Traccar is listening on IPv6 only, replace 127.0.0.1 with [::1].

Enable the site and reload Apache:

sudo a2ensite portal.example.com.conf 
sudo systemctl reload apache2
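
As an added example (not part of the original guide), this shell function lints the vhost file for the points the configuration above depends on: the /api/socket rule ahead of the generic one, loopback-only backends, and no proxying from the port 80 vhost. The function and sample names are illustrative, the sample vhost is constructed, and it assumes ProxyPass lines sit directly in the vhost as they do here.

```shell
#!/bin/sh
# Added example, not the guide's own code. Lints a Traccar reverse-proxy vhost.
# Usage: lint_traccar_vhost /etc/apache2/sites-available/portal.example.com.conf
# Reads stdin when no file is given. Prints one FAIL line per finding and
# returns 0 when the file is clean, 1 otherwise.
lint_traccar_vhost() {
    awk '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    /^[ \t]*#/ { next }                       # ignore comment lines
    { d = tolower($1) }                       # directive names are case-insensitive
    d == "<virtualhost" { plain = ($2 ~ /:80>$/); n = ws = root = 0 }
    d == "proxyrequests" && tolower($2) == "on" {
        fail("ProxyRequests On turns Apache into an open forward proxy")
    }
    d == "proxypass" {
        n++                                   # position of this rule in the vhost
        if (plain) fail("port 80 vhost proxies " $2 " to Traccar without TLS")
        if ($2 == "/api/socket") {
            ws = n
            if ($3 !~ /^wss?:\/\//) fail("/api/socket must target ws://, got " $3)
        }
        if ($2 == "/") root = n
        # Backend must be loopback so port 8082 never has to be exposed.
        if ($3 !~ /^(ws|http)s?:\/\/(127\.0\.0\.1|\[::1\]|localhost)(:|\/)/)
            fail("backend is not loopback: " $3)
    }
    d == "</virtualhost>" && n {
        if (!ws) fail("no ProxyPass for /api/socket")
        else if (root && ws > root)
            fail("ProxyPass /api/socket comes after ProxyPass / and is shadowed")
    }
    END { exit bad + 0 }' "${1:--}"
}

# Constructed sample: generic rule first, so the WebSocket rule never matches.
sample_bad_vhost() {
cat <<'EOF'
<VirtualHost *:443>
    ServerName portal.example.com
    ProxyPass / http://127.0.0.1:8082/
    ProxyPass /api/socket ws://127.0.0.1:8082/api/socket
</VirtualHost>
EOF
}

sample_bad_vhost | lint_traccar_vhost || echo "vhost needs fixing before reload"
```

Run it against the real file before `apache2ctl configtest`, which accepts a misordered vhost because the syntax is still valid.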

Traccar configuration tips (traccar.xml) 💡

Edit the Traccar configuration file:

/opt/traccar/conf/traccar.xml

Ensure Traccar trusts forwarded headers from Apache:

<entry key="web.overrideForwarded">true</entry>

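(Optional) Force Traccar to listen on IPv4. Note that 0.0.0.0 binds to every IPv4 interface, not only localhost, so port 8082 must then be blocked at the firewall as described in the firewall section below: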

<entry key="web.address">0.0.0.0</entry>

Set the public HTTPS URL (helps with links and redirects):

<entry key="web.url">https://portal.example.com</entry>

Restart Traccar after changes:

sudo systemctl restart traccar

When to reload or restart services

  • After Apache vhost or module changes:
sudo systemctl reload apache2
  • After Traccar configuration changes:
sudo systemctl restart traccar

Firewall and security guidance

  • Open ports 80 and 443 publicly for browser access
  • Expose Traccar device ports (5055, 5002, 5009, 5023, 5027, 5111, 5222, etc.) only if required
  • Restrict device ports by provider IP ranges whenever possible
  • Close port 8082 externally — only Apache should access it via localhost

Verification and testing

  • Open https://portal.example.com and confirm the UI loads
  • WebSocket handshakes should return HTTP 101 Switching Protocols
  • Check Traccar logs: tracker-server.log
  • Check Apache logs: portal-access.log and portal-error.log

Common errors and fixes ⚠️

  • 405 on /api/socket — WebSocket proxy rule missing or in the wrong order
  • 401 Unauthorized — forwarded headers not trusted; enable web.overrideForwarded
  • Connection refused — IPv4/IPv6 mismatch; verify Traccar bind address
  • Devices show offline after replay — WebSocket upgrade not working correctly

Compare the results between the HTTP and HTTPS sites, and also try an incognito browser window in case there is a session issue.

For example, using our website https://gpyes.com.au:

  • http://portal.gpyes.com.au:8082

and

  • https://portal.gpyes.com.au

Does either work?

Minimal checklist

Enable Modules

sudo a2enmod proxy proxy_http proxy_wstunnel headers rewrite ssl
sudo systemctl reload apache2

Configure /etc/apache2/sites-available/portal.example.com.conf

sudo apache2ctl configtest && sudo systemctl reload apache2
sudo systemctl restart traccar

Final tip

Once it’s working over HTTPS, lock down port 8082, keeping it inaccessible from the internet when proxying through Apache. This enforces HTTPS and significantly reduces your attack surface.
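
An added example, not from the original guide: this function reads `ss -H -ltn` output and lists any listener on the Traccar web port that is bound beyond loopback, which is what setting web.address to 0.0.0.0 produces and what the firewall rule for 8082 then has to cover. The function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the guide's own code.
# Reads `ss -H -ltn` output on stdin. Prints one line per listener on the given
# port (default 8082) that is not bound to loopback. Returns 1 if any exist,
# 0 if the port is loopback-only or not listening at all.
nonloopback_binds() {
    awk -v port="${1:-8082}" '
    $1 == "LISTEN" {
        addr = $4                            # "Local Address:Port" column
        p = addr; sub(/.*:/, "", p)          # port = text after the last colon
        if (p != port) next
        host = substr(addr, 1, length(addr) - length(p) - 1)
        sub(/%[a-zA-Z0-9_.-]*/, "", host)    # drop an interface scope such as %lo
        # 127.0.0.0/8, ::1 and IPv4-mapped loopback are only reachable locally.
        if (host ~ /^127\./ || host == "[::1]" || host ~ /^\[::ffff:127\./) next
        print host " port " p ": reachable unless the firewall blocks it"
        found = 1
    }
    END { exit found + 0 }'
}

# Constructed sample: what ss reports when web.address is 0.0.0.0.
sample_ss_output() {
cat <<'EOF'
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*
LISTEN 0      50           0.0.0.0:8082       0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
EOF
}

sample_ss_output | nonloopback_binds 8082 || echo "8082 is not loopback-only"
# Live check on the server: ss -H -ltn | nonloopback_binds 8082
```

A clean result here covers only the bind address; confirm from an outside host as well that port 8082 does not answer.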

R G
