How to trust a remote servers self-signed SSL certificate in Apache - apache

I'm setting up a Tomcat server behind an Apache proxy, everything is working fine except for the forward proxy when dealing with a remote server with a self-signed certificate. I can access other HTTPS sites, but not ones with self-signed certs. I've already added the CA using SSLProxyCACertificateFile, but it still doesn't work.
In the error log, I get "AH00898: Connect to remote machine blocked returned by server_hostname".
Apache 2.4.54 on Debian 11
I can wget the URL (Once I added the CA to Debian). I can also access the URL if I allow Tomcat to bypass the proxy (When the CA is in the Java key store). But I need all the traffic to go through the proxy.
<VirtualHost 10.10.10.6:8082>
ProxyRequests On
ProxyVia On
<Proxy "*">
Require ip 10.10.10
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy_secure.log
CustomLog ${APACHE_LOG_DIR}/access_forward_proxy_secure.log combined
SSLProxyCACertificateFile /var/ssl/trusted_ca.crt
</VirtualHost>
What am I doing wrong?

Related

ERR:insecure response with apache

Apache server is proxying requests to express server running on 9999
<VirtualHost *:443>
ServerName api.aonesalons.com
SSLEngine on
SSLCertificateFile /home/ec2-user/aonesalons.com.pem
SSLCertificateKeyFile /home/ec2-user/aonesalons.com.key
# <Proxy *>
# Order allow,deny
# Allow from all
# </Proxy>
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:9999/
ProxyPassReverse / http://localhost:9999/
</VirtualHost>
If I hit, api.aonesalons.com in browser, my request goes to the server.
from my application frontend, that is also served over https by apache, when any of the api url's are called,
it always returns
ERR_FAILED or ERR_INSECURE_CONNECTION
Edit:
In browser console in security tab, the certificate is valid totally. I have tried proxying requests to the https version of the express server as well but no difference. It started happening after moving to https.
As soon I start to use Cloudflare as a proxy for api.aonesalons.com, api.aonesalons.com returns my client end application and doesn't hit my API's. I am using apache to proxy api.aonesalons.com to 9999 server and *.aonesalons.com to client folder with static application content
From the SSLLabs report for api.aonesalons.com:
Trusted - No - NOT TRUSTED
A closer look at the certificate shows:
Subject - CloudFlare Origin Certificate
Issuer - CloudFlare, Inc.
This is not a certificate intended for direct access by the public. It is trusted only by Clouldflare itself and is intended to secure the path between the Cloudflare CDN and the server protected by this CDN, see Introducing CloudFlare Origin CA.
In browser console, in security tab, certificate is valid totally.
I don't know what you did to you browser but maybe you explicitly trusted the Cloudflare CA. When visiting the site with a browser I get the expected warning:
NET::ERR_CERT_AUTHORITY_INVALID
My guess is that you've tried to protect your site with the Cloudflare CDN but failed to adjust the DNS settings properly in order to let Cloudflare manage the relevant parts of your DNS.

no let's encrypt renewal with reverse-proxy in ispconfig3

I am running an ISPConfig 3 server with apache. To get HTTPS i use the certbot of let's encrypt. ISPConfig supports cert generation which is working for various cites.
One site runs locally on a different port (as it is a complex system).
To reach it, i added a new site in ISPConfig and configured apache as a reverse proxy as shown below.
The site is up an running, but unable to renew the certificates via certbot (does not work only for this site).
ProxyRequests Off
ProxyVia Off
<Proxy *>
Require all granted
</Proxy>
ProxyPass / http://my.domain.com:8080
ProxyPassReverse / http://my.domain.com:8080
I guess the problem is the unreachability of the challenge folder (/acme/.well-known/acme-challenge)
How to configure apache as reverse proxy that it is able to renew its certificate?
I have the same problem here: the proxy endpoint doesn't have the same webroot and cannot serve the .well-known directory correctly, which means Let's Encrypt fails to find it.
The trick is to skip the proxying for the well-known URL, using something like this answer. In my case, it was simply a matter of adding this line:
ProxyPass /.well-known/ !
which will disable the proxying for the certbot directory.
Good luck!

configure secure SSL Apache reverse proxy

I'm trying to establish a reverse proxy setup with apache that securely supports SSL all the way through:
Client <--> Proxy # somehostname.com <--> Server # 123.45.67.89
Note that my proxy server has a hostname, but the remote server does not. The SSL setup between clients and the proxy works fine with a letsencrypt setup. However, I am struggling to secure the connection between the proxy and the remote server.
Because the remote server doesn't have a hostname, and letsencrypt doesn't issue certificates for IPs only, my idea was to generate a self-signed certificate and copy the certificate over to the proxy for it to only trust that one. Unfortunately I don't know how.
If I just disable these certificate checks, the connection works, as the proxy just trusts every certificate:
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
While encryption will work fine, to my understanding authenticity is compromised and I am subject to MitM attacks during the handshake. This is not ideal.
Instead, I've instructed Apache to trust my self-signed certificate with
SSLProxyCACertificateFile /path/to/cert.pem
and then tried to enforce a valid certificate with
SSLProxyVerify require
but despite me explicitly listing the certificate, and the documentation of SSLProxyCACertificateFile saying "These are used for Remote Server Authentication", it seems to not trust it.
Is there a way to make sure the connection between the proxy and remote server is safe, for example by enforcing Apache to always connect to the proxy using that specific certificate?
Turns out adding certificates via SSLProxyCACertificateFile does not skip name checks, which makes total sense. So in order for custom certificates to work, they still need to be issued to the correct name, or in my case, the IP. After I made a new certificate issued to that IP, my configuration works now. Here are the relevant parts:
<VirtualHost *:443>
ServerName somehostname.com
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCACertificateFile /path/to/custom_cert.pem
SSLProxyCheckPeerCN on # or omit, default is on
SSLProxyCheckPeerName on # same
ProxyPass / https://123.45.67.89/
ProxyPassReverse / https://123.45.67.89/
</VirtualHost>

Configuration https on lamp web server ec2 aws with let's encrypt

I have a problem, yesterday i create certificate with let's encrypt on my ec2 instance. Now i want to use them o my site, but i don't know how i can proceed. Have you any suggestions?
I tried to do this but i hadn't any results:
https://www.paulwakeford.info/2015/11/24/letsencrypt/
than, after using webroot plugin on let's encrypt, i install mod_ssl.so on my istance, i edit my security group and enable https on port 443 and than i modify my httpd.conf right here:
<VirtualHost *:443>
DocumentRoot /var/www/my-domain
ServerName my-domain.com
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/my-domain/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/my-domain/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/my-domain/chain.pem"
<Directory /var/www/my-domain>
AllowOverride All
</Directory>
</VirtualHost>
Have you any suggestions?
The tutorial you pointed out uses SSL certificate to Cloudfront distribution, a CDN. Are your using Cloudfront? Because if you are using you need to set certificate on the distribution (and maybe to apache server too), otherwise on the apache server.
Try this look into:
Enabling SSL on apache instance on EC2
and
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-an-instance.html
For the last, forget about "getting certificate" as you already have one issued by Lets Encrypt.

Error during SSL Handshake with remote server

I have Apache2 (listening on 443) and a web app running on Tomcat7 (listening on 8443) on Ubuntu.
I set apache2 as reverse proxy so that I access the web app through port 443 instead of 8443. Besides, I need to have SSL communication not only between browser and apache2 but also between apache2 and tomcat7, thus I set SSL on both apache2 and tomcat7.
If I try to access the web app by directly contacting tomcat7, everything is fine.
The problem is that when I try to access the tomcat's web app through apache2 (reverse proxy), on the browser appears the error:
Proxy Error
The proxy server could not handle the request GET /web_app.
Reason: Error during SSL Handshake with remote server
The comment by MK pointed me in the right direction.
In the case of Apache 2.4 and up, there are different defaults and a new directive.
I am running Apache 2.4.6, and I had to add the following directives to get it working:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
I have 2 servers setup on docker, reverse proxy & web server.
This error started happening for all my websites all of a sudden after 1 year.
When setting up earlier, I generated a self signed certificate on the web server.
So, I had to generate the SSL certificate again and it started working...
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ssl.key -out ssl.crt
On a remote OEL (Oracle Enterprise Linux) 7.8 server, i have a backend web application running with HTTPS/8009. As its a third party app, I did not have choice to disable SSL or change port.
As i needed to access the web app from my local machine's browser, i thought of setting up a reverse proxy (HTTP to HTTPS mapping) using Apache httpd. Now i can access the web app from my local browser through below URL:
http://10.157.146.97:1234/
FYI, CURL commands working inside the Linux Machine were below ones:
curl http://10.157.146.97:1234/
curl -k https://localhost:8009/
Here is my reverse proxy setup :
/etc/httpd/conf/httpd.conf
Listen 1234
<VirtualHost *:1234>
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost On
ProxyPass / https://localhost:8009/
ProxyPassReverse / https://localhost:8009/
</VirtualHost>
One aspect i struggled a lot, earlier i was trying with url pattern (/sample) in ProxyPass/ProxyPassReverse but that was causing HTTP 404 (not found) for css/js files as web-app's welcome page contains indirect css/js paths (sample code below). So replacing url pattern (/sample) with (/) solved that problem too.
previous Not working config:
ProxyPass /sample https://localhost:8009/
ProxyPassReverse /sample https://localhost:8009/
<script defer src="abc.js"></script><link href="xyz.css" rel="stylesheet"></head>
Faced the same problem as OP:
Tomcat returned response when accessing directly via SOAP UI
Didn't load html files
When used Apache properties mentioned by the previous answer, web-page appeared but AngularJS couldn't get HTTP response
Tomcat SSL certificate was expired while a browser showed it as secure - Apache certificate was far from expiration. Updating Tomcat KeyStore file solved the problem.
Here is my variation on this theme, inspired by this Git gist. The server is a Docker container with an internal self-signed SSL certificate, reachable at https://localhost:8443. Proxied to server.example.org:443. Relevant config details:
<VirtualHost AAA.BBB.CCC.DDD:443>
ServerName server.example.org
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# These settings are definitely needed
SSLEngine On
SSLProxyEngine On
ProxyRequests Off
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
# These may not be needed, depending on proxied application
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto https
ProxyPass "/" "https://localhost:8443/"
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "wss://localhost:8443/$1" [P,L]
ProxyPassReverse "/" "https://localhost:8443/"
</VirtualHost>
The section between SSLEngine On and RequestHeader... I put together via Googling and trial and error. Maybe some of these settings are not needed, YMMV.
Note: the RewriteRule with "wss" was needed because the server uses secure websockets.
Platform: Ubuntu 20.04.3 LTS, Apache 2.4.41.
My problem was having one Apache server behind another and having mismatched certificates on each server.
It took me a while to realise that
SSLCertificateFile
and
SSLCertificateKeyFile
were pointing to files with the same names on each server, but that the first first server had an updated certificate and private key compared with the second one, so the content of the files was different.
Note that the error might also occur when your system have TLSv1 disabled. Like e.g Ubuntu 20.x have TLSv1.0 disabled by default. For example if you have something like this:
Apache 2.4.41 on Ubutntu20 (proxy) --[https]--> old Apache serving TLS v1.0
SSLProxyVerify etc will not help you.
What you need to do is to enable TLS 1.0 in openssl.conf. At least until you can update the old server 🙊...
Enabling old TLS on Ubuntu
So in Ubuntu 20.04.3 TLS to effectively enable TLSv1 change /etc/ssl/openssl.cnf. At the top of the file (before any sections) add:
# Added to enable TLS1.0
openssl_conf = default_conf
And on the very end of the file
##
# Added to enable TLS1.0
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT#SECLEVEL=1
##
Comments are obviously not required 😉, but will help when you want to disable TLS1 again.
Once you restart / reboot everything should work fine.
Note that this is a global (system-wide) change. So it is not ideal, but it just works. See also: more notes about Ubuntu and default TLS versions.
If the host of your apache proxy
is different from the host
of the proxy target (or its sni name),
set -
ProxyPreserveHost Off