Wrong certificate being presented behind Apache reverse proxy

I think I know the reason this is happening but I don't know how to fix it. I have a reverse proxy set up on one server and it's proxying from port 443 to my Mattermost server (not on the same machine) on the default port of 8065.
I have SSL set up on the proxy with a Let's Encrypt certificate.
Port 8065 is opened on my firewall to the Mattermost server, but also on that same public IP I have ports 80 and 443 opened to a completely different server.
What is happening is that when I hit the URL for my Mattermost server, the certificate for that other server is being presented to my browser instead of the one that is configured on the proxy. I have no idea why this is happening. Here is my virtual host section:
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName chat.example.com
<Directory "/var/www/html">
allow from all
Options None
Require all granted
</Directory>
ProxyPreserveHost On
RewriteEngine On
RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} \bUpgrade\b [NC]
RewriteRule .* ws://x.x.x.x:8065%{REQUEST_URI} [P,QSA,L]
ProxyPass / http://x.x.x.x:8065/ timeout=31536000
ProxyPassReverse / http://x.x.x.x:8065/
SSLCertificateFile /etc/letsencrypt/live/chat.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/chat.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/chat.example.com/chain.pem
</VirtualHost>
</IfModule>
Let me know if more information is required.
Rich

I ended up doing this a different way - not sure why it wasn't working. I'm calling it worked around.
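
A way to confirm which certificate a listener presents for a given SNI name, and whether that certificate covers the expected hostname, as an added example that is not part of the original thread. It assumes the `openssl` CLI (1.1.1 or later); the function names and `other.example.com` are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: identify the certificate a TLS listener actually presents.

# Print subject, issuer and SANs of the leaf certificate served at host:port
# when the client sends SNI name $3 (defaults to the host). Needs network access.
presented_cert() {
    local host=$1 port=${2:-443} sni=${3:-$1}
    openssl s_client -connect "${host}:${port}" -servername "$sni" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -ext subjectAltName
}

# Return 0 if the PEM certificate on stdin is valid for hostname $1.
cert_covers_host() {
    openssl x509 -noout -checkhost "$1" | grep -q 'does match certificate'
}

# Constructed sample: write a throwaway self-signed certificate for hostname $1
# to file $2 (key in $2.key), standing in for "the other server's" certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$2.key" -out "$2" \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null
}

# Offline demonstration on the constructed certificate; prints the verdicts.
demo() {
    local pem name
    pem=$(mktemp)
    make_sample_cert other.example.com "$pem"
    for name in chat.example.com other.example.com; do
        if cert_covers_host "$name" <"$pem"; then
            echo "$name: certificate matches"
        else
            echo "$name: certificate does NOT match"
        fi
    done
    rm -f "$pem" "$pem.key"
}

# Run "script.sh demo" for the offline demonstration.
if [ "${1:-}" = "demo" ]; then demo; fi

# Live check against the proxy (hostname as used in the question):
#   presented_cert chat.example.com 443
#   openssl s_client -connect chat.example.com:443 -servername chat.example.com \
#       </dev/null 2>/dev/null | cert_covers_host chat.example.com && echo OK
```

Running the live check from outside the firewall and again from the proxy host itself shows whether the mismatching certificate comes from the proxy or from whatever the public address forwards port 443 to.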

Related

Apache Reverse Proxy to Figma Prototype with Websocket

I am trying to reverse proxy a Figma prototype to the domain I have with SSL configured. Proxying it to the main Figma page works but I cannot connect it to my prototype page.
For example, how can I connect to the following Figma sample page?
https://www.figma.com/proto/KVm2roB2LnduHTLJjKjkfn/Prototyping-in-Figma
Below is the conf file used for reverse proxying to the Figma main home page with https://exampledomain.com. So this works, but if I try to access the prototype page at https://exampledomain.com/proto/KVm2roB2LnduHTLJjKjkfn/Prototyping-in-Figma , it displays only the loading page and does not proceed to the prototype.
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLUseStapling on
ServerName exampledomain.com
DocumentRoot /var/www/exampledomain
ProxyRequests Off
SSLProxyEngine On
ProxyPreserveHost Off
ProxyPass / https://www.figma.com/
ProxyPassReverse / https://www.figma.com/
SSLEngine on
SSLCertificateKeyFile myserver.key
SSLCertificateFile myserver.crt
SSLCertificateChainFile myserver.ca-bundle
</VirtualHost>
</IfModule>
I think the problem here is the Websocket configuration, so I enabled mod_proxy_wstunnel on Apache and added the below configurations, but wasn't successful.
RewriteEngine on
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule .* "wss://www.figma.com/$1" [P,L]
I'm unsure if it is even possible to configure Websocket to a non-local website, as I don't know if I can find Figma's Websocket port number. How can I connect to the Figma prototype via a reverse proxy and change the URL to my domain?

How to use same port for http and https

I don't know much about HTTP and this topic, so I couldn't find an answer good enough to solve my question. Let me know if this question is a duplicate and you have already found the answer to it.
What I want to achieve
Normally it's working with http://domain:3000 but I want to make it accessible for https://domain:3000.
What I did
I installed Let's Encrypt and added reverse proxy settings to my Apache settings file. So it was possible to access https://domain:3000 with a path such as https://domain/api, but as I mentioned above I want to use the port number directly on https as well.
Additional lines in my httpd.conf are:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName my.domain
ServerAlias www.my.domain *.my.domain
DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =my.domain [OR]
RewriteCond %{SERVER_NAME} =www.my.domain [OR]
RewriteCond %{SERVER_NAME} =*.my.domain
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
Include /etc/httpd/conf/httpd-le-ssl.conf
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /api http://my.domain:3000
ProxyPassReverse /api http://my.domain:3000
</IfModule>
Do I need to add more settings? Or is there any other way to solve this?
It is better to configure your application to use a different port for SSL connections, e.g. 3001, and forward requests via HTTPS to this port or access it directly.

Domain won't direct correctly without typing "https://" with it

I recently got https for my domain, purchasing an SSL certificate from Namecheap. However, if someone types domain.com it will direct them to a page stating Gateway Timeout: can't connect to remote host. However, if someone was to type https://domain.com, it would direct correctly. Typing in http://domain.com also will not direct correctly.
The website is running on Amazon Linux AMI. I've tried messing with .htaccess but no luck. Within my httpd.conf file I have the following:
<VirtualHost *:443>
ServerName domain.com
DocumentRoot rootPath
SSLENGINE on
SSLCertificatekeyFile keyPath
SSLCertificateFile certPath
SSLCertificateChainFile chainPath
</VirtualHost>
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^ https://domain.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
<VirtualHost *:443>
DocumentRoot rootPath
SSLENGINE on
SSLCertificatekeyFile keyPath
SSLCertificateFile certPath
SSLCertificateChainFile chainPath
RewriteEngine On
RewriteRule ^ https://domain.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
I want all traffic to be redirected to https://domain.com automatically.
Any suggestions?
I usually use this in order to redirect to SSL version
#force SSL
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R,L]
You can't rewrite the request to an SSL enabled site from a non-SSL enabled request. You can redirect to one. Negotiating SSL is part of the connection for an https request.
Example from Apache's website

how to add ipv6 to an apache vhost with v4 https and http

I'm having some difficulties with adding IPv6 to a vhost configuration that uses https and http, and forwards all http requests to https. This is what I currently have, which works fine, but I'm not sure how to go about adding IPv6 to the mix. Any help would be greatly appreciated.
<VirtualHost 213.138.102.25:443>
ServerName example.co.uk
ServerAlias www.example.co.uk
SSLEngine on
SSLCertificateFile /home/example/ssl/www_example_co_uk.crt
SSLCertificateKeyFile /home/example/ssl/www.example.co.uk.key
SSLCertificateChainFile /home/example/ssl/www_example_co_uk.ca-bundle
DocumentRoot /home/example/public_html/example.co.uk
<Directory /home/example/public_html/example.co.uk/>
Options MultiViews Indexes FollowSymLinks
AllowOverride all
</Directory>
</VirtualHost>
<VirtualHost *:80>
ServerName example.co.uk
RewriteEngine on
RewriteCond %{HTTP_HOST} ^example.co.uk [NC,OR]
RewriteCond %{HTTP_HOST} ^www.example.co.uk [NC]
#RewriteRule ^(.*)$ https://www.example.co.uk/$1 [L,R=301,NC]
RewriteRule ^(.+[^/])/$ http://%{HTTP_HOST}/$1 [R=301,L]
Redirect permanent / https://www.example.co.uk/
</VirtualHost>
There are a few things you will need to do:
First, you may need to add a "Listen" directive in your conf file like this:
Listen [2001:cdba:0000:0000:0000:0000:3257:9652]:443
Listen [2001:cdba:0000:0000:0000:0000:3257:9652]:80
Look in your existing conf file for the IPv4 version and put it near that.
This might not be necessary if you are just listening to the ports like this:
Listen 80
but if it's like this you do need to add it:
Listen 12.34.56.78:80
Second, leave your IPv4 directives in place and copy / paste them, replacing the opening section in the copied version with something like this:
<VirtualHost [2001:cdba:0000:0000:0000:0000:3257:9652]:443>
and
<VirtualHost [2001:cdba:0000:0000:0000:0000:3257:9652]:80>
Do note that the IPv6 address is enclosed in square brackets and the address provided is only an example.
You will also need to be aware that IPv6 usually has its own firewall/iptables config and there may be other gotchas as well.
Don't forget to reload / restart Apache.
Hope this helps.

Redirecting HTTP to HTTPS with Apache

I have an issue using mod_rewrite to force redirection of HTTP requests to HTTPS using Apache 2.2.22 on Ubuntu Server 12.04.
My /etc/apache2/sites-available/default file is as follows:
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
The HTTPS host is defined in default-ssl in the same directory.
Visiting the server's local IP address, the redirect appears to work fine. However, accessing it via the FQDN, it doesn't. Using the FQDN, the site is available at port 5443, which is mapped in the firewall to 443 on the server, so perhaps that has something to do with the problem. I cannot just use port 443 directly, as it is in use on this IP address by another server.
To further clarify, the following are valid links:
https://website:5443
https://192.168.200.80:443
The redirect works here:
http://192.168.200.80
But the following gives a 400 Bad Request, and this is where the redirect is needed:
http://website:5443/
"Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please."
This is totally possible. The following redirects all http to the https url.
<VirtualHost *:80>
ServerName mydomainname.com
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
Make sure you load the rewrite module mod_rewrite and enable it.
Your problem here is the initial HTTP request: This won't work as the server won't understand it receiving the request on port 443 (as the response code suggests).
If no port is given, the protocol http defaults to port 80, https to port 443.
This is also the reason why your local redirect works. I bet, if you access the page through http://website/ (with proper port forwarding of port 80), it will work as well. Also note that your VirtualHost is only defined for port 80 anyway, so it won't be valid for requests sent to website:5443 (or website:443).
In general, you'd need a server accepting both HTTP and HTTPS requests on a single port. Not sure any popular server actually supports something like that, because (I think) it essentially violates the specs.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
If you want to redirect your site from http://anything.example.com to https://anything.example.com, just create a dedicated hosting .conf file as /etc/httpd/conf.d/dedicated.conf and another conf file as virtual.conf. The entries for dedicated.conf are as follows.
This is the dedicated server hosting conf file for redirecting to https:
<virtualhost *:80>
servername host.example.com
documentroot /var/www/html
rewriteengine on
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
sslcertificatefile /etc/pki/tls/certs/name.crt
sslcertificatekeyfile /etc/pki/tls/private/name.key
</virtualhost>
<directory /var/www/html>
allowoverride all
require all granted
</directory>
Alternatively as mentioned in comment below, we can use redirect also:
<virtualhost *:80>
servername host.example.com
documentroot /var/www/html
# if there is a specific port (Apache comments must be on their own line)
RedirectMatch / https://host.example.com:ANY_PORT/
sslcertificatefile /etc/pki/tls/certs/name.crt
sslcertificatekeyfile /etc/pki/tls/private/name.key
</virtualhost>
<directory /var/www/html>
allowoverride all
require all granted
</directory>