Apache HTTP VM Behind HTTPS Lets Encrypt - apache

I've read a lot of questions and answers which seem exactly the same as mine, but I can't seem to get my setup to work. I have a VM running Apache with only HTTP support at 192.168.2.101:32773. I can access it on my local network as such just fine. I now am ready to expose it through my Apache web server that has Lets Encrypt setup to generate SSL certificates. So I added this to my server conf file:
<VirtualHost *:32773>
ServerName server.com
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/letsencrypt/live/server.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.com/privkey.pem
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.2.101:32773/
ProxyPassReverse / http://192.168.2.101:32773/
</VirtualHost>
However, I get an ERR_SSL_PROTOCOL_ERROR when I try to load it up as https://server.com:32773. If I however change my address to http://server.com:32773, it loads just fine. Anything look wrong in this snippet? Thanks!

HTTP and HTTPS need to be on different ports. Typically HTTPS is served on port 443.

This is embarrassing... At some point I changed my port forward rules to point 32773 directly to 192.168.2.101 so I could validate that the rules were working at all. The above config worked as soon as I realized I wasn't even sending traffic to my Apache SSL enabled server.

Related

Configure Apache web server to call a app https url

Good day,
I have a Apache server (10.8.111.67), I configure it to ProxyPass to my app server http port (10.8.1.63), its work. The thing I do in httpd.conf is just as follow:
ProxyPass "/mfp" "http://10.8.1.63:9080/mfp"
ProxyPassReverse "/mfp" "http://10.8.1.63:9080/mfp"
However, I should proxy pass to https url instead of http.
I google around, found that I need to configure something in the ssl.conf, the following is what I plan to do:
<VirtualHost 10.8.111.67:80>
SSLEngine on
SSLCertificateFile ???
SSLCertificateKeyFile ???
ProxyPass "/mfp" "http://10.8.1.63:9080/mfp"
ProxyPassReverse "/mfp" "http://10.8.1.63:9080/mfp"
</VirtualHost>
I am not sure that what cert actually I should put for SSLCertificateFile, is it cert from app server? I can use openssl command to download it?
And for the SSLCertificateKeyFile, what file I should put inside? private key from app server? May I know how to generate the private key from web server? I run ssh-keygen, I got the id_rsa.pub and id_rsa.
Kindly advise.
Kindly notify me if I am doing something wrong.
You don't need to configure certificates in virtualhost just to proxy to a SSL backend.
To reverse proxy to a SSL backend you just need to make sure mod_ssl is loaded and that you have the directive: SSLProxyEngine on to let the reverse proxy do it to an SSL backend.
Loading certificates in virtualhost is for virtualhosts that will listen to SSL connections, mainly virtualhosts with 443 port.
So based in your description to reverse proxy to the SSL backend, aside from the mod_ssl module loaded what you want is:
<VirtualHost 10.8.111.67:80>
ServerName youshouldefinethisalways.example.com
SSLProxyEngine on
ProxyPass /mfp https://backend-server.example.com/mfp
ProxyPassReverse /mfp https://backend-server.example.com/mfp
</VirtualHost>

What is the difference between the proxy_pass and redirect?

I'm setting up the WAF with feature of reverse proxy, and have the config in /etc/apache2/sites-available/000-default.conf. then i have to setting the WAF as reverse proxy. Can i use redirect in exchange for proxy_pass? what is the difference between them?
I already setup the reverse proxy but always end up with my web application functional problem, but when i use redirect everything just work fine.
This is my 000-default.conf for reverse proxy:
<VirtualHost *:80>
ServerName https://mywebsite.com/
ProxyPass / https://10.10.123.32:443/
ProxyPassReverse / https://10.10.123.32:443/
ProxyPreserveHost on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSL ProxyCheckPeerExpire off
</VirtualHost>
-is that anything wrong with my reverse proxy config?
-and it's okay to use redirect as the replacement for proxy_pass setting?
-if that okay, whether the waf function will still run?
Thank you :)
ProxyPass instructs Apache to forward the request to the named backend server and forward the response to the client.
Redirect instructs Apache to respond directly to the client with a substitute URL.
It would rarely be effective for a WAF to send a redirect instead of acting as a proxy/gateway/middleman as the WAF would not really be in the loop for the traffic. Further, usually your client can't do anything with the direct address of what is likely an internal server.

Moqui running in jetty container behind httpd returns Error rendering screen

I have an httpd server configured and working. The server returns "It works" and I can see the SSL is installed correctly.
The next step I undertook was configuring the reverse proxy, so that the users requests are redirected and I can have more customers' apps under one subdomain. The httpd configuration (shown below) I use is not mine, I am just attempting to reconfigure it to work for me. But with no big success up to now. There are directives that may be incorrect, but I have not tried commenting anything out.
#Apache is listening on port 443
Listen 443
SSLSessionCache shmcb:c:/Apache24/logs/shmcb_cache(512000)
SSLSessionCacheTimeout 300
Mutex default ssl-cache
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
#ProxyPreserveHost On
SSLProxyEngine On
ServerName XXXX.sk
ServerAdmin admin
# Logs
ErrorLog /var/log/rsk_error_log
TransferLog /var/log/rsk_access_log
# Server Certificate and Private Key:
SSLCertificateFile /ssl/certificate.crt
SSLCertificateKeyFile /ssl/private.key
SSLCertificateChainFile /ssl/chain.crt
#Include conf/extra/proxy-443-to-8890.conf
ProxyPass /customer http://172.17.0.4:8080
ProxyPassReverse /customer http://172.17.0.4:8080
</VirtualHost>
Now when I type XXXX.sk/customer I receive a response which is a login screen, but it is incorrectly rendered, the CSS is not used at all. There are many errors appearing. When I log in, no response is returned and the URL is corrupted.
Can any of you, using httpd in a reverse proxy mode, please share your configs, at least a part of them?
The default webroot in base-component is mapping to / in url. All of resources like css, js etc is using "/" to build url, So Although the proxying is
ProxyPass /customer http://172.17.0.4:8080
The actual js location is still
/lib/jquery/jquery-ui.min.css
not
/customer/lib/jquery/jquery-ui.min.css
To make it work, the reverse proxy would need more messy location proxy_pass configurations.
So using additional path to proxy the webroot is not suggested.

Apache mod_proxy on Azure

I keep running into an issue with Apache's mod_proxy where it won't forward any traffic. I'm using a Windows Azure virtual machine running Ubuntu 13.04 and have configured the proper HTTPS endpoint (port 443) for it. The proper Apache modules (proxy, ssl, etc.) are all installed, and the error logs show nothing, not even a warning to explain why this is happening. My VirtualHost setup is as follows:
<VirtualHost *:443>
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost On
ServerName www.example.com
SSLEngine On
#SSLProxyEngine On
SSLCertificateFile /ssl/my.com.crt
SSLCertificateKeyFile /ssl/my.key
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
SSLRequireSSL
Order deny,allow
Allow from all
</Location>
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
I have Listen 443 and NameVirtualHost *:443 all set as well. My service on the other port is running fine as doing a wget responds with an HTTP 200 OK response and I can reach it by manually inputting the port number. I have disabled all firewalls (for testing) to no avail as well. However, whenever I try to reach the service from the outside world through mod_proxy (port 443), the request times out and I get the usual "website not available" browser error.
If it means anything, the app I am running on the other port I need to forward HTTPS traffic to is a Play Framework 2.1 application. I set the server up exactly as in their documentation but still have these problems, so I'm assuming it may have something to do with Azure.
Any ideas? Is there some other type of endpoint configuration that I need to do specific for Windows Azure virtual machines to support SSL/TLS?
So, apparently, I have no idea how or why - but the Azure Gods decided to shine upon my setup all of a sudden. Overnight, without so much as a reboot or anything, mod_proxy on Azure just started working. I have no idea what the issue was, or even if there was one in the first place, but apparently the problem lies with something in the Azure infrastructure.
Sorry I couldn't be of more help for others encountering similar issues, but just giving it time worked for some unknown reason.

Apache VirtualHost with mod-proxy and SSL

I am trying to setup a server with multiple web applications which will all be served through apache VirtualHost (apache running on the same server). My main constrain is that each web application must use SSL encryption. After googling for a while and looking other questions on stackoverflow, I wrote the following configuration for the VirtualHost:
<VirtualHost 1.2.3.4:443>
ServerName host.domain.org
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLProxyEngine On
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8443/
ProxyPassReverse / https://localhost:8443/
</VirtualHost>
Even though https://host.domain.org:8443 is accessible, https://host.domain.org is not, which defeats the purpose of my virtual host configuration. Firefox complains that even though it successfully connected to the server, the connection was interrupted. Chrome return an error 107: net::ERR_SSL_PROTOCOL_ERROR.
Finally I should also mention that the virtual host works perfectly fine when I do not use SSL.
How can I make this work ?
Thanks
You don't need to configure SSL in both Apache and Tomcat.
The easiest way to accomplish that is configure SSL just on Apache and proxy to tomcat using http.