Apache proxy returns random 403

I'm using 2 VMs configured with Apache2 as a proxy for the Tomcat server, but I see very strange behavior: I sometimes get an HTTP 403 error on my front end. I tried different configurations, but I can see that, depending on the requests coming from my load balancer (plugged into my 2 Apache VMs), it returns HTTP 403 randomly (and not for the same requests either).
Here is the flow:
Front end -> Load Balancer (443)
-> Apache2 Reverse Proxy (443) -> Tomcat (8080)
-> Apache2 Reverse Proxy (443) -> Tomcat (8080)
I run this Apache2 reverse proxy on Ubuntu. Here is the configuration for my Apache2 proxies:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Proxy *>
AddDefaultCharset Off
Order deny,allow
Allow from all
</Proxy>
Header add Access-Control-Allow-Origin "https://myfrontend.com"
SSLEngine on
SSLCertificateFile /etc/ssl/myfrontend.key
SSLCertificateKeyFile /etc/ssl/privatemyfrontend.key
SSLCertificateChainFile /etc/ssl/ca_bundle
SSLProxyEngine on
ProxyRequests off
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCACertificateFile "/etc/ssl/myfrontend.key"
SSLProxyCheckPeerName on
ProxyPreserveHost On
ProxyPass / http://localhost:8080/back/
ProxyPassReverse / http://localhost:8080/back/
</VirtualHost>
</IfModule>
Any idea why I'm getting such 403 errors?

I had a similar problem with two applications (Gitlab and SonarQube) deployed behind an Apache server configured as a reverse proxy. I solved it by uninstalling the mod_evasive module of Apache.
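An added example, not part of the original posts: mod_evasive counts requests per connecting address and answers with 403 once a threshold is crossed, and behind a load balancer every user typically arrives from the balancer's address. This Python sketch flags 403s that follow such a burst in combined-format access log lines; the log lines, the address 10.0.0.5 standing in for the load balancer, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the start of an Apache "combined" log line: client, timestamp, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def _line(ip, hhmmss, status):
    # Helper that builds one constructed sample line.
    return (f'{ip} - - [12/Mar/2024:{hhmmss} +0000] '
            f'"GET /back/api HTTP/1.1" {status} 199 "-" "constructed"')

# Constructed sample: 10.0.0.5 plays the load balancer, 192.0.2.10 a direct client.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "10:00:01", 200)] * 6
    + [_line("10.0.0.5", "10:00:01", 403),
       _line("192.0.2.10", "10:00:02", 403),
       _line("10.0.0.5", "10:00:04", 403),
       _line("10.0.0.5", "10:00:30", 200)]
)

def find_rate_blocks(log_text, site_count=5, interval_s=1, blocking_s=10):
    """Return {client_ip: [HH:MM:SS of each 403 that followed a request burst]}.

    A burst is more than `site_count` requests from one address inside
    `interval_s` seconds; a 403 within `blocking_s` seconds of the last burst
    is attributed to rate limiting rather than to an ordinary access rule.
    """
    window = defaultdict(deque)   # ip -> request times inside the interval
    last_burst = {}               # ip -> time the threshold was last exceeded
    flagged = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, status = m.group(1), int(m.group(3))
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= interval_s:
            q.popleft()           # drop requests older than the interval
        if len(q) > site_count:
            last_burst[ip] = ts
        burst = last_burst.get(ip)
        if status == 403 and burst is not None \
                and (ts - burst).total_seconds() <= blocking_s:
            flagged[ip].append(ts.strftime("%H:%M:%S"))
    return dict(flagged)
```

If the only flagged address is the load balancer, mod_evasive's `DOSWhitelist` directive can exempt that address instead of removing the module.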

Related

Getting 404 with Apache Reverse Proxy and Google App Engine

I am trying to do some basic testing of Apache reverse proxy in GCP. I have an Apache2.4 service running on a Debian10 VM.
The Apache VM has a public Internet interface and a 10.x.x.x interface in my GCP VPC.
Via GCP app engine, I have (2) services running (simple Go web apps), and I have added the "VPC connector" configuration so that the services are available from the VMs/VPC.
Both app engine services can be curled successfully from the Apache machine:
curl https://service1-dot-myProject-cloudapp.uk.r.appspot.com
curl https://service2-dot-mProject-cloudapp.uk.r.appspot.com
I am trying to connect to these services from the Internet with Apache acting as the reverse proxy.
I have a basic configuration in sites-enabled:
<VirtualHost *:443>
ServerName my-test.my-domain.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# service1 reverse proxy
<Proxy balancer://service1>
Order deny,allow
Deny from all
Allow from all
BalancerMember https://service1-dot-myProject-cloudapp.uk.r.appspot.com/
ProxySet lbmethod=bytraffic
</Proxy>
ProxyPass "/service1/" "balancer://service1/"
ProxyPassReverse "/service1/" "balancer://service1/"
# service2 reverse proxy
<Proxy balancer://service2>
Order deny,allow
Deny from all
Allow from all
BalancerMember https://service2-dot-mProject-cloudapp.uk.r.appspot.com/
ProxySet lbmethod=bytraffic
</Proxy>
ProxyPass "/service2/" "balancer://service2/"
ProxyPassReverse "/service2/" "balancer://service2/"
</VirtualHost>
When I test with https://<externalIP>/ , I get my default Apache splash page, with the usual warning that I don't have a legitimate cert. That's fine for now; I just want to get the mechanics of reverse proxy/balancers working.
When I try to go to https://<externalIP>/service1 or https://<externalIP>/service2, I am getting 404 errors.
For right now, I am not able to setup DNS for this external IP. Is that what is preventing me connecting all the way to my "backend" services via reverse proxy?

How can I run TLS on Apache2 Proxy behind port forwarding

I have a problem with apache2 proxy in TLS using port forwarding.
I manage to make it work correctly in HTTP, but as soon as I try to make it work in HTTPS, Apache shows the message
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
Here is my .conf file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName service-test.mydomain.com
ServerAlias service-test.mydomain.com
ServerAdmin localhost@localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / https://192.168.1.34:1010/
ProxyPassReverse / https://192.168.1.34:1010/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/service-test.mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/service-test.mydomain.com/privkey.pem
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
</IfModule>
My NAT is well configured, and it's only with HTTPS that the issue occurs.
I use Debian 11 on Proxmox.
Does the server behind the proxy have to get an SSL certificate too?
I've tried, but it doesn't seem to work either...
How can I fix this?

Apache reverse proxy error on Firefox: SSL_ERROR_RX_RECORD_TOO_LONG

I'm stuck with my Apache config
Situation
I have a Node chat web app and a phpmyadmin running on the same debian VPS server. Node runs on :3000 and phpmyadmin on :443.
The server base url on :443 is currently displaying phpmyadmin login page and the chat app can be accessed on IP:3000 (https)
Each have their own SSL cert and https is working without issues on both of them separately
Goal
What I'm trying to do is set up an Apache reverse proxy to forward requests from a clean URL (like chat.domain.com) to my Node app while keeping phpmyadmin on its own dedicated subdomain (vps.domain.com).
like so :
internet (chat.domain.com on :443) -> reverse proxy -> node app running on :3000
internet (vps.domain.com on :443) -> reverse proxy -> phpmyadmin
Issue
Redirection does not work at all.
Firefox shows an error page with SSL_ERROR_RX_RECORD_TOO_LONG (ERR_SSL_PROTOCOL_ERROR on Chrome). As far as I understand it is telling me that I can't redirect to a service running on a different port than :443
I need secure https for both of my services (phpmyadmin and chat) but can only run one of them on :443 since one is Apache and the other is Node. They each have their own routing system.
What I've considered
I'm not sure if what I'm trying to do is possible with Apache and this setup. I'd like to run my main app on :443 but then PMA would have to be moved to another port and. Alternatively I could run several servers for cleaner separation of services. I could also use Docker containers, but I don't think this should be necessary here.
Not sure which solution is the most appropriate. I just wanted to do some basic redirections.
Setup config :
Including relevant information about my config in this section.
Apache version : Apache/2.4.53 (Debian)
rewrite and proxy mods are enabled
apachectl configtest -> Syntax OK
vHosts :
default http -> https redirection
# 000-default.conf
<VirtualHost *:80>
ServerName default.domain.me
Redirect / https://localhost:443
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
reverse proxy vhost
# reverse_proxy.conf
<VirtualHost chat.domain.me:443>
ServerName rproxy.domain.me
# ProxyPreserveHost On
ProxyRequests Off
# chat
ProxyPass / https://localhost:3000/
ProxyPassReverse / https://localhost:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
PMA vhost
# phpmyadmin.conf
<VirtualHost _default_:443>
ServerName phpmyadmin.domain.me
DocumentRoot /usr/share/phpmyadmin
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vps.domain.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vps.domain.me/privkey.pem
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
# Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
Require all granted
# limit libapache2-mod-php to files and directories necessary by pma
<IfModule mod_php7.c>
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
</IfModule>
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
Require all denied
</Directory>
ErrorLog ${APACHE_LOG_DIR}/phpmyadmin/error.log
CustomLog ${APACHE_LOG_DIR}/phpmyadmin/access.log combined
</VirtualHost>
# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite # don't know if secret. didn't include.
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Let me give you some possible solutions.
1) Change the virtual host tag, i.e., from <VirtualHost chat.domain.me:443> to <VirtualHost _default_:443>
2) Set the ports.conf file as follows:
Listen 80
Listen 443 https
Execute a2ensite default-ssl
Finally, let me give you an example that I have:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName abc.com
ServerAdmin webmaster@abc.com
<Proxy *>
Require all granted
</Proxy>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8181/
ProxyPassReverse / http://127.0.0.1:8181/
ErrorLog ${APACHE_LOG_DIR}/abc.com.error.log
CustomLog ${APACHE_LOG_DIR}/abc.com.access.log combined
SSLCertificateFile /etc/letsencrypt/live/abc.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Apache as reverse proxy doesn't work

I am trying to publish, behind a proxy, a Spring app (also with Spring Security) which has /x/services as its entry point. It is running in Tomcat on 8080 in Google Engine (Debian). I configured Apache 2 as a reverse proxy with the following configuration:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ProxyRequests off
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPreserveHost On
<Proxy *>
Order allow,deny
Allow from all
</Proxy>
# Servers to proxy the connection, or
# List of application servers Usage
ProxyPass / http://127.0.0.1:8080/x/services/
ProxyPassReverse / http://127.0.0.1:8080/x/services
ServerName localizator.org
ServerAlias *.localizator.org
</VirtualHost>
I checked it against a lot of examples and it seems OK, but the only response I am getting is the "Index of /" page. And the Apache logs are not helping at all.
Any help will be very appreciated.

For those with a similar problem, don't forget to run:
sudo a2ensite proxy-host
(let's suppose your .conf file name is proxy-host)

How to prevent tomcat7 repeat context name in apache proxy setup

I have this problem where my Apache forwards HTTP requests to Tomcat using a proxy (see my Apache virtual host config below). It works fine, but the web HTTP request http://subdomain.example.com/xyz/images/background2.jpg arrives at Tomcat as /xyz/xyz/images/background2.jpg. The context name "xyz" appears twice, which causes a missing resource at the Tomcat end.
How do you resolve this problem?
Apache Virtual Host config file
<VirtualHost *:80>
ServerName subdomain.example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyRequests Off
ProxyPreserveHost On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://www.example.com:8080/xyz/
ProxyPassReverse / http://www.example.com:8080/xyz/
</VirtualHost>
Tomcat project setup: ../tomcat7/webapps/xyz/...

You need to update the ProxyPass settings as below:
ProxyPass /xyz/ http://www.example.com:8080/xyz/
ProxyPassReverse /xyz/ http://www.example.com:8080/xyz/
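
An added example, not part of the original posts and not Apache's own code: a simplified Python model of how a ProxyPass rule swaps the matched path prefix for the backend URL, applied to the question's rule and the answer's rule. The function names are hypothetical, and the model goes slightly beyond the posts by also showing that a prefix ending in a slash does not match the same path without it.

```python
def alias_match(path, prefix):
    """Return how many characters of `path` the ProxyPass prefix covers, or 0.

    Simplified model: a prefix ending in "/" must appear literally at the
    start of the path; a prefix without it must end on a path-segment boundary.
    """
    if prefix.endswith("/"):
        return len(prefix) if path.startswith(prefix) else 0
    if path == prefix or path.startswith(prefix + "/"):
        return len(prefix)
    return 0


def backend_url(path, rules):
    """Map a request path to a backend URL using the first matching rule.

    `rules` is a list of (prefix, target) pairs in configuration order.
    Returns None when no rule matches, i.e. the request is served locally.
    """
    for prefix, target in rules:
        matched = alias_match(path, prefix)
        if matched:
            # The matched prefix is replaced by the target; the rest is appended.
            return target + path[matched:]
    return None


# Rule from the question: everything under "/" is sent below /xyz/.
QUESTION_RULES = [("/", "http://www.example.com:8080/xyz/")]
# Rule from the answer: only /xyz/ is proxied, onto the same context path.
ANSWER_RULES = [("/xyz/", "http://www.example.com:8080/xyz/")]

REQUEST = "/xyz/images/background2.jpg"


def demo():
    """Return the backend URL produced by each rule set for REQUEST."""
    return {
        "question": backend_url(REQUEST, QUESTION_RULES),
        "answer": backend_url(REQUEST, ANSWER_RULES),
        "no_trailing_slash": backend_url("/xyz", ANSWER_RULES),
    }


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name}: {url}")
```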