default backend - 404 Apache with ssl - apache

I am pretty new to Apache. I am trying to use the official Apache container to redirect the incoming traffic to the 2 pods below:
Pod-1: my own custom container (CC) (this is an HTTP service).
Pod-2: a customised RabbitMQ container.
I am exposing both 80 and 443 of Apache. I am able to access my application which is running on Pod-1. But if I try to access it using 80 (which is redirected to https [443]) I get a "default backend" error. I have enabled the "mod_socache_shmcb.so" and "mod_ssl.so" modules and included my config file. Below is my config file.
<VirtualHost *>
ServerName apachessl
Redirect / https://apachessl/
</VirtualHost>
<VirtualHost *:443>
ServerName apachessl
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLEngine on
SSLProtocol -ALL +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /usr/local/apache2/conf/certificate.crt
SSLCertificateKeyFile /usr/local/apache2/conf/privateKey.key
ProxyPreserveHost On
KeepAlive On
MaxKeepAliveRequests 0
ProxyTimeout 600
SSLProxyEngine on
ProxyPass /ws wss://rmqssl-app-loc:15674/ws
ProxyPassReverse /ws wss://apachessl/ws
ProxyPass / http://my-apllication:6543/
ProxyPassReverse / https://apachessl/
ErrorLog "logs/my_application_log"
LogLevel error
</VirtualHost>

Please change -
ProxyPassReverse / https://apachessl/
To
ProxyPassReverse / http://my-apllication:6543/
and try again.

If you are using it from Kubernetes and receiving the default backend 404 error, it essentially means that the domain with which the request is landing on the Kubernetes ingress controller is not mapped to any ingress.
So what you need to check is that, when the request on port 80 is redirected to 443, the URL apachessl has an ingress mapped in the ingress definition under spec, something like:
spec:
  rules:
  - host: apachessl
    http:
      paths:
      - backend:
          serviceName: <<your-app-service-exposed-on-k8s>>
          servicePort: 80
        path: /
  tls:
  - hosts:
    - apachessl
    secretName: <<your-ssl-secret>>
Can you share your ingress definition, just to be clear what needs to be fixed.

Related

TeamCity server WebSocket connection error in Docker image behind Apache proxy

I am running TeamCity server behind an Apache proxy. Here is my Apache configuration for the virtual host teamcity.example.com.
HTTP:
<VirtualHost *:80>
ServerName teamcity.example.com
ServerAlias www.teamcity.example.com
Redirect / https://teamcity.example.com/
</VirtualHost>
HTTPS:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPreserveHost On
ProxyRequests Off
ServerName www.teamcity.example.com
ServerAlias teamcity.example.com
ProxyPass / http://localhost:8111/
ProxyPassReverse / http://localhost:8111/
# This doesn't work
ProxyPass /app/subscriptions ws://localhost:8111/app/subscriptions connectiontimeout=240 timeout=1200
ProxyPassReverse /app/subscriptions ws://localhost:8111/app/subscriptions
# This doesn't work
ProxyPass / http://localhost:8111/ connectiontimeout=5 timeout=300
ProxyPassReverse / http://localhost:8111/
SSLCertificateFile /etc/letsencrypt/live/teamcity.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/teamcity.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Apache modules are enabled:
sudo apachectl -M | grep proxy
proxy_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
And my docker-compose.yaml
version: "3.5"
services:
  server:
    image: jetbrains/teamcity-server:latest
    container_name: teamcity_server
    networks:
      - teamcity_network
    ports:
      - "8111:8111"
    extra_hosts:
      - "host.docker.internal:host-gateway"
    volumes:
      - datadir:/data/teamcity_server/datadir
      - logs:/opt/teamcity/logs
    environment:
      - TEAMCITY_HTTPS_PROXY_ENABLED=true
  agent:
    image: jetbrains/teamcity-agent:2022.10.1-linux-sudo
    container_name: teamcity_agent
    volumes:
      - agent_conf:/data/teamcity_agent/conf
    environment:
      - SERVER_URL=https://teamcity.example.com
networks:
  teamcity_network:
volumes:
  datadir:
  logs:
  agent_conf:
TeamCity user interface reports WebSocket connection error:
WebSocket connection issues Some users cannot use optimized web UI
updates via WebSocket protocol. The following addresses were used by
the affected sessions: https://teamcity.example.com Most probably
there is not appropriately configured proxy server between the client
browsers and the TeamCity server.
And DeveloperTool console in Chrome:
WebSocket connection to
'wss://teamcity.example.com/app/subscriptions?browserLocationHost=https%3A%2F%2Fteamcity.example.com'
failed: openSocket # 6942286895631677648.js?v=1671191552738:648 open
# 6942286895631677648.js?v=1671191552738:742 start #
6942286895631677648.js?v=1671191552738:907 (anonymous) # projects?mode=builds:391
Q: What is wrong with Docker image or Apache configuration?
The solution is to place ProxyPass and ProxyPassReverse directives in proper order. This configuration works as expected.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyRequests Off
ServerName www.teamcity.example.com
ServerAlias teamcity.example.com
ProxyPass /app/subscriptions ws://localhost:8111/app/subscriptions connectiontimeout=240 timeout=1200
ProxyPassReverse /app/subscriptions ws://localhost:8111/app/subscriptions
ProxyPass / http://localhost:8111/ connectiontimeout=5 timeout=300
ProxyPassReverse / http://localhost:8111/
SSLCertificateFile /etc/letsencrypt/live/teamcity.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/teamcity.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
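A small vhost linter as an added example (not code from any of the posts above) that catches the mistakes the first two questions turn on: a ProxyPassReverse that names the public URL instead of the backend ProxyPass target, a ProxyPass / placed before a more specific path (mod_proxy uses the first matching rule), and SSLProtocol or SSLProxy* settings that leave only TLS 1.0 enabled or disable backend certificate verification. The SAMPLE text is constructed here from the first question's 443 vhost; the directive names and semantics are the real mod_proxy/mod_ssl ones.

```python
"""Added example: lint the reverse-proxy vhost patterns from the questions above.
Handles one <VirtualHost> block of Apache config text; SAMPLE is constructed."""
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}
ALL_VERSIONS = LEGACY | {"tlsv1.2", "tlsv1.3"}  # what 'all' expands to on current builds


def parse_directives(text):
    """Yield (directive, args) for each line that is not blank, a comment or a tag."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            parts = line.split()
            yield parts[0], parts[1:]


def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right, as mod_ssl does (+X adds, -X removes)."""
    enabled = set()
    for tok in args:
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        versions = ALL_VERSIONS if name.lower() == "all" else {name.lower()}
        enabled = enabled | versions if op == "+" else enabled - versions
    return enabled


def lint_vhost(text):
    """Return human-readable findings for one <VirtualHost> block."""
    findings, proxy_pass, reverse = [], [], []
    for name, args in parse_directives(text):
        key = name.lower()
        if key == "proxypass" and len(args) >= 2:
            # First matching ProxyPass wins, so a longer path after a shorter prefix is dead.
            for path, _ in proxy_pass:
                if args[0] != path and args[0].startswith(path):
                    findings.append(f"ProxyPass {args[0]} is shadowed by earlier ProxyPass {path}")
            proxy_pass.append((args[0], args[1]))
        elif key == "proxypassreverse" and len(args) >= 2:
            reverse.append((args[0], args[1]))
        elif key == "sslprotocol":
            legacy = sorted(enabled_protocols(args) & LEGACY)
            if legacy:
                findings.append("SSLProtocol enables legacy " + ", ".join(legacy))
        elif key == "sslproxyverify" and args and args[0].lower() == "none":
            findings.append("SSLProxyVerify none: backend certificate is not verified")
        elif key.startswith("sslproxycheckpeer") and args and args[0].lower() == "off":
            findings.append(f"{name} off: backend certificate check disabled")
    # ProxyPassReverse must name the backend URL ProxyPass sends to, or Location
    # headers coming back from the backend are never rewritten.
    targets = {target for _, target in proxy_pass}
    for path, target in reverse:
        if target not in targets:
            findings.append(f"ProxyPassReverse {path} {target} matches no ProxyPass target")
    return findings


SAMPLE = """<VirtualHost *:443>
SSLProxyVerify none
SSLProtocol -ALL +TLSv1
ProxyPass / http://my-apllication:6543/
ProxyPassReverse / https://apachessl/
</VirtualHost>"""

if __name__ == "__main__":
    print("\n".join(lint_vhost(SAMPLE)))
```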

apache Proxy returns random 403

I'm using 2 VMs configured with Apache2 as a proxy for the Tomcat server, but I have very strange behaviour: I sometimes get an HTTP 403 error on my front end. I tried different configurations, but I can see that, depending on the requests coming from my Load Balancer (plugged into my 2 Apache VMs), it returns HTTP 403 randomly (and not for the same requests either).
Here is the flow:
Front end -> Load Balancer (443)
-> Apache2 Reverse Proxy (443) -> Tomcat (8080)
-> Apache2 Reverse Proxy (443) -> Tomcat (8080)
I run this Apache2 Reverse Proxy on Ubuntu, here is the configuration for my Apache2 Proxies:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Proxy *>
AddDefaultCharset Off
Order deny,allow
Allow from all
</Proxy>
Header add Access-Control-Allow-Origin "https://myfrontend.com"
SSLEngine on
SSLCertificateFile /etc/ssl/myfrontend.key
SSLCertificateKeyFile /etc/ssl/privatemyfrontend.key
SSLCertificateChainFile /etc/ssl/ca_bundle
SSLProxyEngine on
ProxyRequests off
SSLProxyVerify require
SSLProxyVerifyDepth 1
SSLProxyCACertificateFile "/etc/ssl/myfrontend.key"
SSLProxyCheckPeerName on
ProxyPreserveHost On
ProxyPass / http://localhost:8080/back/
ProxyPassReverse / http://localhost:8080/back/
</VirtualHost>
any idea why I'm getting such 403 errors?
I had a similar problem with two applications (Gitlab and SonarQube) deployed behind an Apache server configured as a reverse proxy. I solved it by uninstalling the mod_evasive module of Apache.

Reverse proxy does not work with https on ubuntu 20 using apache2

I have a very simple Asp.net Core app that I published to my linux server.
The app works perfectly and I used curl http://127.0.0.1:5000 and curl https://127.0.0.1:5001 to verify that.
I followed the instructions here: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-5.0
servername is my domain
I can interact with my app from http://servername but I didn't get https to work!
https://servername returns 404
Here is my configuration (most of it is from microsoft link and the rest from some answers on stackoverflow):
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ServerName servername.com
ServerAlias *.servername.com
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / https://127.0.0.1:5001/
ProxyPassReverse / https://127.0.0.1:5001/
ServerName servername.com
ServerAlias *.servername.com
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerExpire off
SSLEngine on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets on
SSLUseStapling off
SSLCertificateFile /path/to/my/cert/file
SSLCertificateKeyFile /path/to/ny/private/key/file
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
</VirtualHost>
When you run an ASP.NET Core app locally, HTTPS works on localhost, and if you wrap your localhost with a web server like Apache or nginx, HTTPS works for the connection between your app and the web server. But for your domain's HTTPS to work for clients, your web server needs a valid SSL certificate, or a free one like Let's Encrypt; to secure your clients you must install SSL on your Apache.
For communication between your app and the web server, the simple solution is to use only HTTP (the web server doesn't need SSL to map client HTTP); the other solution is to install a valid SSL certificate for your localhost: https://devblogs.microsoft.com/dotnet/configuring-https-in-asp-net-core-across-different-platforms/.
After 2 long days, I solved it by disabling the default config for Apache.
Apparently I had 2 virtual hosts for 443:
the one I created, and a file default-ssl.conf that Apache created.
All I did was:
Disabled the default config: a2dissite default-ssl
Changed ProxyPreserveHost from On to Off
Added SSLProxyCheckPeerName Off
And restarted Apache: systemctl restart apache2
Before you follow these steps, verify that you have the same problem by listing all files in /etc/apache2/sites-enabled. If you have more than one config for the same host and port, then you have the same problem.

Apache24 how to proxy and return 404 for undefined endpoints

I have two virtual hosts running on a single Tomcat server. Lets call them a.com and b.com. Tomcat is configured to support only http on port 8080. (This is simplified, in real life there are multiple Tomcat instances each running a set of virtual hosts.)
I am fronting the host with Apache24 for the purpose of proxying incoming https requests to backend http. This emulates a production environment in which https certificates are handled by a corporate firewall, and requests are forwarded to the backend via http with some additional header fields inserted.
So, I have this proxying for restricted (external) users with two-way authentication:
https://a.com:443 -> http://a.com:8080
I also have this proxying for trusted (internal) users:
http://a.com:80 -> http://a.com:8080
http://b.com:80 -> http://b.com:8080
The problem is that due to some Apache24 default handling, a request to https://b.com/foo gets routed to http://a.com:8080/foo. I want to the https to b.com to return a 404! I know I need some default mappings to kill the b.com request but so far nothing has worked.
The Apache24 details:
File httpd-vhosts.conf:
<VirtualHost a.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName a.com
DocumentRoot "c:/tmp"
ProxyPass / http://a.com:8080/
ProxyPassReverse / http://a.com:8080/
Header set Access-Control-Allow-Origin "*"
</VirtualHost>
<VirtualHost b.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName b.com
DocumentRoot "c:/tmp"
ProxyPass / http://b.com:8080/
ProxyPassReverse / http://b.com:8080/
Header set Access-Control-Allow-Origin "*"
</VirtualHost>
File httpd-ssl/conf:
<VirtualHost a.com:443>
ProxyPreserveHost On
ProxyRequests Off
SSLEngine On
ServerName a.com
SSLVerifyClient require
SSLVerifyDepth 2
SSLStrictSNIVHostCheck on
#RewriteEngine On
RequestHeader set X-Forwarded-Proto https
RequestHeader setifempty CUSTOMFIELD "expr=CN=%{SSL_CLIENT_S_DN_CN}"
ProxyPass / http://a.com:8080/
ProxyPassReverse / http://a.com:8080/
SSLCertificateFile "c:/certs/a.com.crt"
SSLCertificateKeyFile "c:/certs/a.com.key"
SSLCACertificateFile "c:/certs/ca.crt"
</VirtualHost>
I see in the Apache24 logs lines that start like this when I request https://b.com/foo:
mod_proxy.c(880): [client 127.0.0.1:57956] AH03461: attempting to match URI path '/foo' against prefix '/' for proxying
mod_proxy.c(997): [client 127.0.0.1:57956] AH03464: URI path '/foo' matches proxy handler 'proxy:http://a.com:8080/foo'

Using mailcow-dockerized with a dockerized Apache2.4

I cannot make a connection from my dockerized Apache2.4 to the mailcow-dockerized web front-end. The particular Apache error is:
Connection refused: AH00957: HTTPS: attempt to connect to
127.0.0.1:8443 (127.0.0.1) failed
We have: 2 docker-compose files.
1. Mailcow (mailcow-dockerized), 2. apache-letsencrypt (enoniccloud/apache2-letsencrypt image)
We want:
Utilization of the Apache2.4 as reverse-proxy for the mailcow-dockerized web front-end + Apache2.4 usage as web-server for a website.
Additional Info:
Mailcow front-end can be reached when the Apache2.4 is not up and the bindings in its config are set to default.
Docker-Compose apache-letsencrypt container:
version: '2.1'
services:
  apache2:
    build: apache2
    hostname: root.yyy.com
    restart: always
    volumes_from:
      - letsencryptstore
    volumes:
      - /var/www/html:/var/www/html
    ports:
      - "80:80"
      - "443:443"
    expose:
      - "8080"
      - "8443"
    environment:
      LETS_ENCRYPT_EMAIL: "xyz#yahoo.de"
      LETS_ENCRYPT_DOMAINS: "root.yyy.com,mail2.yyy.com"
    labels:
      io.enonic.backup.data: "/etc/letsencrypt,/var/lib/letsencrypt"
    networks:
      - mailcowdockerized_mailcow-network
  letsencryptstore:
    image: busybox
    volumes:
      - "/etc/letsencrypt"
      - "/var/lib/letsencrypt"
networks:
  mailcowdockerized_mailcow-network:
    external: true
Apache config:
<VirtualHost *:80>
ServerName root.yyy.com
DocumentRoot /var/www/html/
RewriteEngine on
RewriteRule ^/(.*) https://root.yyy.com/$1 [L,R=301]
</VirtualHost>
<VirtualHost *:80>
ServerName mail2.yyy.com
RewriteEngine on
RewriteRule ^/(.*) https://mail2.yyy.com/$1 [L,R=301]
</VirtualHost>
<VirtualHost *:443>
ServerName mail2.yyy.com
ServerAlias autodiscover.mail2.yyy.com
ServerAlias autoconfig.mail2.yyy.com
# You should proxy to a plain HTTP session to offload SSL processing
ProxyPass / https://127.0.0.1:8443/
ProxyPassReverse / https://127.0.0.1:8443/
ProxyPreserveHost On
ProxyAddHeaders On
# This header does not need to be set when using http
RequestHeader set X-Forwarded-Proto "https"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/certs/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem
RequestHeader set X-Forwarded-Proto "https"
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
<VirtualHost *:443>
ServerName root.yyy.com
DocumentRoot /var/www/html/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/certs/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem
RequestHeader set X-Forwarded-Proto "https"
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Mailcow-Config:
# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=mail2.yyy.com
# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=mailcow
DBUSER=mailcow
# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=RdnvlN1CXSAHA98CVz4sYUgfrMuF
DBROOT=Ve91gtedyLa8xGJf6sXNmMcNzFUp
# ------------------------------
# HTTP/S Bindings
# ------------------------------
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
HTTP_PORT=8080
HTTP_BIND=127.0.0.1
HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1
Rest of the config is default.
Apache mods proxy, proxy_balancer, proxy_http are enabled.
Help would be much appreciated :)
I have Mailcow (nginx, dockerized) installed on my Ubuntu 16 web server.
The only difference I have from your setup is the HTTP_BIND IPs.
Mine look like:
HTTP_PORT=8080
HTTP_BIND=0.0.0.0
HTTPS_PORT=8443
HTTPS_BIND=0.0.0.0
I have only set the binds to 0.0.0.0 so I can access my mail server through port 8080 or 8443 from any IP in case my Apache web server is down.
mail.domain.com-le-ssl.conf [generated by let's encrypt]
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
SSLCertificateFile /etc/letsencrypt/live/mail.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
My apache2 virtual host config for reverse proxy: mail.example.com.conf
<VirtualHost *:80>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
RewriteEngine on
RewriteCond %{SERVER_NAME} =mail.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Please note that my original apache2 config file is:
<VirtualHost *:80>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
</VirtualHost>
Because I don't really need SSL encryption between Apache and nginx, the rewrite rule was added when I installed the Let's Encrypt certificate on the Apache mail server for mail.example.com.
I like and only use the SOGo web client, so I don't need a mail SSL certificate. If you are going to use an external mail client, then you may want to consider pointing your Mailcow SSL certificate file to the files created by let's encrypt-apache2.
In other words:
[me]---ssl:443--->[mail.example.com]--local-->http://example.com:8080/
Maybe I could achieve the same result if I set my BIND address like yours, and it should be more secure.
Maybe http://localhost.com:8080/ will also work.
I'm sure my setup is vulnerable, this is my 1st try.
Please let me know if you need any info about my setup.
These are the tutorials and documentations I followed to get this running.
https://www.digitalocean.com/community/tutorials/how-to-use-apache-as-a-reverse-proxy-with-mod_proxy-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04
https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/
https://www.youtube.com/watch?v=VsiYowuiT6A&t=389s
https://www.youtube.com/watch?v=A3Prx_2YEm8&t=62s