My Spinnaker is running in Kubernetes with service type: LoadBalancer, and I added the Azure annotations below to take a private IP address from the internal subnet and expose the service internally.
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true"
service.beta.kubernetes.io/azure-load-balancer-internal-subnet: subnetName
I have one Ubuntu VM where Apache is installed. I created a self-signed certificate and terminated it in the Apache configuration, and I'm able to access the Apache home page using HTTPS.
Then I created a proxy rule to the Spinnaker service IP address. Basically I want to access Spinnaker through Apache over HTTPS, with HTTP traffic internally towards the Kubernetes service.
Here is the Apache configuration:
xxxx@xxxx:/etc/apache2/sites-available$ ls -ltrh
total 28K
-rw-r--r-- 1 root root 1332 Jul 16 18:14 000-default.conf
-rw-r--r-- 1 root root 6338 Jul 16 18:14 default-ssl.conf
drwxr-xr-x 2 root root 4096 Dec 12 17:24 abc
-rw-r--r-- 1 root root 680 Dec 12 13:04 abc.conf
drwxr-xr-x 2 root root 4096 Dec 12 14:29 xyz
-rw-r--r-- 1 root root 1151 Dec 12 13:08 xyz.conf
cat abc/00-redirect-to-https.conf
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^spinnaker$ / [L,R=302]
cat abc.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/abc_error.log
CustomLog ${APACHE_LOG_DIR}/abc_access.log combined
<IfModule mod_headers.c>
RequestHeader unset X-Forwarded-For
RequestHeader unset X-Forwarded-Host
RequestHeader unset X-Forwarded-Server
RequestHeader set X-Forwarded-Proto "http"
RequestHeader set X-Forwarded-Port "80"
</IfModule>
# Apache will try to set application/json based on mime type
# This behaviour is causing problems with empty json responses from spring
RemoveType json
Include sites-available/abc/*.conf
</VirtualHost>
cat xyz/00-spinnaker.conf
ProxyPass /spinnaker balancer://spinnaker
ProxyPassReverse /spinnaker balancer://spinnaker
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy balancer://spinnaker>
BalancerMember http://172.18.1.99:9000/spinnaker loadfactor=1 keepalive=On retry=0
ProxySet lbmethod=bytraffic
</Proxy>
cat xyz.conf
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName FQDN
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/xyz_error.log
CustomLog ${APACHE_LOG_DIR}/xyz_access.log combined
<IfModule mod_headers.c>
RequestHeader unset X-Forwarded-For
RequestHeader unset X-Forwarded-Host
RequestHeader unset X-Forwarded-Server
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</IfModule>
SSLEngine on
SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLCertificateFile /etc/apache2/certs/ca.cert
SSLCertificateKeyFile /etc/apache2/certs/ca.key
# Apache will try to set application/json based on mime type
# This behaviour is causing problems with empty json responses from spring
RemoveType json
Include sites-available/xyz/*.conf
</VirtualHost>
If I request this URL in the browser, https://apacheServerDomainName/spinnaker, then it redirects to Spinnaker internally.
But if I then want to go to any other page in Spinnaker, say by clicking on projects, applications etc., it won't work, because the URL changes to https://apacheServerDomainName/applications and this gives a 404, because it assumes the page should come from the local Ubuntu Apache server,
whereas that request should also be redirected and answered by Spinnaker.
Please advise what kind of Apache rewrite rule could help to achieve this requirement, or any other suggestion.
Follow these steps:
Deploy the nginx ingress controller.
Define an Ingress rule for Spinnaker, including the TLS certificate in a secret.
The nginx controller would do TLS termination, allowing external connections over HTTPS.
I have two virtual hosts running on a single Tomcat server. Let's call them a.com and b.com. Tomcat is configured to support only http on port 8080. (This is simplified; in real life there are multiple Tomcat instances each running a set of virtual hosts.)
I am fronting the host with Apache24 for the purpose of proxying incoming https requests to backend http. This emulates a production environment in which https certificates are handled by a corporate firewall, and requests are forwarded to the backend via http with some additional header fields inserted.
So, I have this proxying for restricted (external) users with two-way authentication:
https://a.com:443 -> http://a.com:8080
I also have this proxying for trusted (internal) users:
http://a.com:80 -> http://a.com:8080
http://b.com:80 -> http://b.com:8080
The problem is that due to some Apache24 default handling, a request to https://b.com/foo gets routed to http://a.com:8080/foo. I want the https request to b.com to return a 404! I know I need some default mappings to kill the b.com request but so far nothing has worked.
The Apache24 details:
File httpd-vhosts.conf:
<VirtualHost a.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName a.com
DocumentRoot "c:/tmp"
ProxyPass / http://a.com:8080/
ProxyPassReverse / http://a.com:8080/
Header set Access-Control-Allow-Origin "*"
</VirtualHost>
<VirtualHost b.com:80>
ProxyPreserveHost On
ProxyRequests Off
ServerName b.com
DocumentRoot "c:/tmp"
ProxyPass / http://b.com:8080/
ProxyPassReverse / http://b.com:8080/
Header set Access-Control-Allow-Origin "*"
</VirtualHost>
File httpd-ssl.conf:
<VirtualHost a.com:443>
ProxyPreserveHost On
ProxyRequests Off
SSLEngine On
ServerName a.com
SSLVerifyClient require
SSLVerifyDepth 2
SSLStrictSNIVHostCheck on
#RewriteEngine On
RequestHeader set X-Forwarded-Proto https
RequestHeader setifempty CUSTOMFIELD "expr=CN=%{SSL_CLIENT_S_DN_CN}"
ProxyPass / http://a.com:8080/
ProxyPassReverse / http://a.com:8080/
SSLCertificateFile "c:/certs/a.com.crt"
SSLCertificateKeyFile "c:/certs/a.com.key"
SSLCACertificateFile "c:/certs/ca.crt"
</VirtualHost>
I see in the Apache24 logs lines that start like this when I request https://b.com/foo:
mod_proxy.c(880): [client 127.0.0.1:57956] AH03461: attempting to match URI path '/foo' against prefix '/' for proxying
mod_proxy.c(997): [client 127.0.0.1:57956] AH03464: URI path '/foo' matches proxy handler 'proxy:http://a.com:8080/foo'
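How the request to https://b.com ends up at a.com's backend, as an added example that is not part of the original post: the sketch models Apache's name-based selection, in which a Host name that matches no ServerName or ServerAlias is served by the first virtual host listed for that port. It assumes all hosts share one IP address; the labels and the first-listed `catchall.invalid` virtual host are hypothetical.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class VHost:
    label: str                            # name used only in this example
    port: int
    server_name: str
    aliases: List[str] = field(default_factory=list)
    proxy_target: Optional[str] = None    # "ProxyPass /" target; None = nothing proxied


def select_vhost(vhosts: List[VHost], port: int, host_header: str) -> Tuple[VHost, bool]:
    """Return (vhost, matched_by_name), walking the vhosts in configuration order."""
    candidates = [v for v in vhosts if v.port == port]
    if not candidates:
        raise LookupError(f"nothing listens on port {port}")
    host = host_header.split(":")[0].lower().rstrip(".")
    for v in candidates:
        if v.server_name.lower() == host:
            return v, True
        # ServerAlias may contain wildcards such as *.example.com
        if any(fnmatchcase(host, a.lower()) for a in v.aliases):
            return v, True
    # No name matched: the first vhost listed for this port is the default.
    return candidates[0], False


def exposure(vhosts: List[VHost], port: int, host: str) -> Tuple[str, Optional[str], bool]:
    """Where a request lands: (vhost label, backend or None, matched_by_name)."""
    v, matched = select_vhost(vhosts, port, host)
    return v.label, v.proxy_target, matched


# The three virtual hosts from the question, in file order.
PAGE_VHOSTS = [
    VHost("a.com:80", 80, "a.com", proxy_target="http://a.com:8080/"),
    VHost("b.com:80", 80, "b.com", proxy_target="http://b.com:8080/"),
    VHost("a.com:443", 443, "a.com", proxy_target="http://a.com:8080/"),
]

# Constructed variant: a first-listed 443 vhost with a name no client sends
# and no ProxyPass, so unmatched names stop there instead of reaching a.com.
FIXED_VHOSTS = [VHost("catch-all:443", 443, "catchall.invalid")] + PAGE_VHOSTS


if __name__ == "__main__":
    for name, cfg in (("as posted", PAGE_VHOSTS), ("with catch-all", FIXED_VHOSTS)):
        for host in ("a.com", "b.com"):
            label, backend, matched = exposure(cfg, 443, host)
            how = "name match" if matched else "default fallback"
            print(f"{name}: https://{host}/foo -> {label} ({how}), backend={backend}")
```

Any request that reports `default fallback` together with a backend is reaching a proxied application under a name the virtual host never declared.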
I cannot make a connection from my dockerized Apache2.4 to the mailcow-dockerized web front-end. The particular Apache error is:
Connection refused: AH00957: HTTPS: attempt to connect to
127.0.0.1:8443 (127.0.0.1) failed
We have: 2 docker-compose files.
1. Mailcow (mailcow-dockerized), 2. apache-letsencrypt (enoniccloud/apache2-letsencrypt image)
We want:
Utilization of the Apache2.4 as reverse-proxy for the mailcow-dockerized web front-end + Apache2.4 usage as web-server for a website.
Additional Info:
Mailcow front-end can be reached when the Apache2.4 is not up and the bindings in its config are set to default.
Docker-Compose apache-letsencrypt container:
version: '2.1'
services:
apache2:
build: apache2
hostname: root.yyy.com
restart: always
volumes_from:
- letsencryptstore
volumes:
- /var/www/html:/var/www/html
ports:
- "80:80"
- "443:443"
expose:
- "8080"
- "8443"
environment:
LETS_ENCRYPT_EMAIL: "xyz@yahoo.de"
LETS_ENCRYPT_DOMAINS: "root.yyy.com,mail2.yyy.com"
labels:
io.enonic.backup.data: "/etc/letsencrypt,/var/lib/letsencrypt"
networks:
- mailcowdockerized_mailcow-network
letsencryptstore:
image: busybox
volumes:
- "/etc/letsencrypt"
- "/var/lib/letsencrypt"
networks:
mailcowdockerized_mailcow-network:
external: true
Apache config:
<VirtualHost *:80>
ServerName root.yyy.com
DocumentRoot /var/www/html/
RewriteEngine on
RewriteRule ^/(.*) https://root.yyy.com/$1 [L,R=301]
</VirtualHost>
<VirtualHost *:80>
ServerName mail2.yyy.com
RewriteEngine on
RewriteRule ^/(.*) https://mail2.yyy.com/$1 [L,R=301]
</VirtualHost>
<VirtualHost *:443>
ServerName mail2.yyy.com
ServerAlias autodiscover.mail2.yyy.com
ServerAlias autoconfig.mail2.yyy.com
# You should proxy to a plain HTTP session to offload SSL processing
ProxyPass / https://127.0.0.1:8443/
ProxyPassReverse / https://127.0.0.1:8443/
ProxyPreserveHost On
ProxyAddHeaders On
# This header does not need to be set when using http
RequestHeader set X-Forwarded-Proto "https"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/certs/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem
RequestHeader set X-Forwarded-Proto "https"
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
<VirtualHost *:443>
ServerName root.yyy.com
DocumentRoot /var/www/html/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/certs/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/certs/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/certs/chain.pem
RequestHeader set X-Forwarded-Proto "https"
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Mailcow-Config:
# ------------------------------
# mailcow web ui configuration
# ------------------------------
# example.org is _not_ a valid hostname, use a fqdn here.
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=mail2.yyy.com
# ------------------------------
# SQL database configuration
# ------------------------------
DBNAME=mailcow
DBUSER=mailcow
# Please use long, random alphanumeric strings (A-Za-z0-9)
DBPASS=RdnvlN1CXSAHA98CVz4sYUgfrMuF
DBROOT=Ve91gtedyLa8xGJf6sXNmMcNzFUp
# ------------------------------
# HTTP/S Bindings
# ------------------------------
# You should use HTTPS, but in case of SSL offloaded reverse proxies:
HTTP_PORT=8080
HTTP_BIND=127.0.0.1
HTTPS_PORT=8443
HTTPS_BIND=127.0.0.1
Rest of the config is default.
Apache mods proxy, proxy_balancer, proxy_http are enabled.
Help would be much appreciated :)
I have Mailcow Nginx dockerized installed on my ubuntu 16 web server
The only difference I have from your setup are the HTTP_BIND IPs:
Mine looks like:
HTTP_PORT=8080
HTTP_BIND=0.0.0.0
HTTPS_PORT=8443
HTTPS_BIND=0.0.0.0
I have only set the binds to 0.0.0.0 so I can access my mail server through port 8080 or 8443 from any IP in case my apache web server is down.
mail.domain.com-le-ssl.conf [generated by let's encrypt]
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
SSLCertificateFile /etc/letsencrypt/live/mail.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mail.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
My apache2 virtual host config for reverse proxy: mail.example.com.conf
<VirtualHost *:80>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
RewriteEngine on
RewriteCond %{SERVER_NAME} =mail.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Please note that my original apache2 config file is:
<VirtualHost *:80>
ServerName mail.example.com
ProxyPass / http://example.com:8080/
ProxyPreserveHost On
</VirtualHost>
Because I don't really need ssl encryption between apache and nginx, the rewrite rule was added when I installed let's encrypt certificate on apache mail server for mail.example.com.
I like and only use SOGo web client so I don't need mail ssl certificate, if you are going to use an external mail client, then you may want to consider pointing your Mailcow ssl certificate file to the files created by let's encrypt-apache2
In other words:
[me]---ssl:443--->[mail.example.com]--local-->http://example.com:8080/
Maybe I could achieve the same result if I set my BIND address like yours, and it should be more secure.
Maybe http://localhost.com:8080/ will also work.
I'm sure my setup is vulnerable, this is my 1st try.
Please let me know if you need any info about my setup.
These are the tutorials and documentations I followed to get this running.
https://www.digitalocean.com/community/tutorials/how-to-use-apache-as-a-reverse-proxy-with-mod_proxy-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-16-04
https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/
https://www.youtube.com/watch?v=VsiYowuiT6A&t=389s
https://www.youtube.com/watch?v=A3Prx_2YEm8&t=62s
1. What I want to do:
I have a domain example.me, and a sub-domain text.example.me which is hosted on my Windows Server. It's running Apache with php 5.6.
I want to install an SSL certificate using Let's Encrypt and this tool: https://github.com/PKISharp/win-acme
2. The problem:
It doesn't seem to be working, I get the following error when trying to access https://test.example.me
This site can’t provide a secure connection
3. What I have done so far
I followed every step from:
https://commaster.net/content/how-setup-lets-encrypt-apache-windows
This is the content of my httpd-ssl.conf
<VirtualHost *:443>
ServerAdmin me@examole.com
ServerName text.example.me
DocumentRoot "D:/xampp/htdocs"
RewriteEngine On
# Redirect to the correct domain name
RewriteCond %{HTTP_HOST} !^test.example.me$ [NC]
RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
Alias /.well-known D:/xampp/htdocs/.well-known
SSLEngine on
SSLCertificateFile "conf/ssl.crt/text.example.me-crt.pem"
SSLCertificateKeyFile "conf/ssl.key/test.example.me-key.pem"
SSLCertificateChainFile "conf/ssl.csr/ca-test.example.me-crt.pem"
</VirtualHost>
My 80,443 ports are available, and not being used by Skype, so that's not the issue.
This is the content of my httpd-vhosts.conf
<VirtualHost *:80>
ServerAdmin me@example.me
ServerName test.example.me
RewriteEngine On
# Redirect to the HTTPS site
RewriteCond %{HTTPS} off
RewriteRule ^/?(.*)$ https://test.example.me/$1 [NE,L,R=301]
ErrorLog logs/slog.log
</VirtualHost>
I have been using Let's Encrypt for some years - but without(!) RewriteEngine.
So here is a snippet from my http-vhosts.conf
<VirtualHost *:80>
DocumentRoot "C:/webserver/html/example_html"
ServerName www.example.com
Redirect permanent / https://www.example.com/
# For the case that you are using ModProxy to forward to a Tomcat, please also add:
# ProxyPass "/.well-known/" "!"
</VirtualHost>
A snippet from my httpd-ssl.conf:
<VirtualHost *:443>
DocumentRoot "C:/webserver/html/example_html"
ServerName www.example.com
Protocols h2 http/1.1
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:DHE-RSA-CAMELLIA128-SHA:CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-CAMELLIA256-SHA:SEED-SHA:DHE-RSA-SEED-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-crt.pem"
SSLCertificateKeyFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/www.example.com-key.pem"
SSLCACertificateFile "C:/ProgramData/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/ca-www.example.com-crt.pem"
<IfModule headers_module>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set x-frame-options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
#Header always set Content-Security-Policy "script-src 'self'"
</IfModule>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
#For the case that you use ModProxy to forward to a Tomcat or so
#ProxyPass "/.well-known/" "!"
EnableSendfile off
EnableMMAP off
</VirtualHost>
Also please keep in mind that when you want to use multiple hostnames, then you need a wildcard certificate - otherwise it's simple with Let's Encrypt to have one certificate for each host/domain name - but you need one virtual host section for each host/domain name you are using.
Last but not least, my personal opinion is that ModRewrite should not be used when there is no need, because it is complicated and not really understood by most people.
How to add SSL certificate from Certbot in Windows Apache
Go to Certbot’s official website: Certbot Instructions | Certbot (eff.org)
Download the latest version of the Certbot installer for Windows at
https://dl.eff.org/certbot-beta-installer-win_amd64.exe.
Install it in your C drive.
Run > Command Prompt > Run as administrator
C:\Users\Administrator>certbot --help
C:\Users\Administrator>certbot certonly --webroot
Enter your email address > Y > Y
Enter your domain/subdomain name: abc.com / abc.xyz.com
Go to : C:\xampp\apache\conf\extra
Open: httpd-vhosts.conf
Edit:
<VirtualHost *:443>
DocumentRoot C:\xampp\htdocs\aeapp
ServerName callum.aeapp.uk
SSLEngine on
SSLCertificateFile "C:\Certbot\live\abc.com\fullchain.pem"
SSLCertificateKeyFile "C:\Certbot\live\abc.com\privkey.pem"
</VirtualHost>
Add port 443 in firewall settings (if you have already added then skip this step)
Search > Type: Firewall and open Windows Defender Firewall with Advanced Security on Local Computer
Go to: Inbound rules > New Rule > Select “Port” > Specific Local Ports : Type “443” > Allow the connection > Tick all 3 options > Add name “ ex: abc ssl” > Finish.
Restart Xampp
Check your website/webapp; if it's locked, you've added an SSL certificate successfully.
I am running into an issue that seems to be fairly common based off of my searches, however I've followed all the instructions and/or fixes I've run into but none have worked for me so I'm asking this hoping someone can guide me in the right direction.
I have Jenkins 1.644 installed on OS X 10.11.2 from Homebrew. I followed these instructions on how to install and get it set up inside OS X Server 5.0.15 Websites (I believe this version of OS X Server is running Apache 2.4.16).
The problem: When I connect to the manage console in Jenkins, I get the error message "It appears that your reverse proxy set up is broken." and a link to this jenkins doc.
Hitting http://127.0.0.1:8080/manage does not produce the error.
I have added the proxy settings to my virtual host file like so:
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyPassReverse / http://jenkins.exampledomain.com/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
When I do the test curl:
curl -iLk -e https://jenkins.exampledomain.com/manage \
https://jenkins.exampledomain.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/test
I get the following results:
HTTP/1.1 302 Found
Date: Fri, 22 Jan 2016 06:30:57 GMT
Server: Jetty(winstone-2.9)
X-Content-Type-Options: nosniff
Location: https://jenkins.exampledomain.com/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Fjenkins.exampledomain.com%2Fmanage/
Content-Length: 0
MS-Author-Via: DAV
HTTP/1.1 404 Not Found
Date: Fri, 22 Jan 2016 06:30:57 GMT
Server: Apache/2.4.16 (Unix) OpenSSL/0.9.8zg
Content-Length: 325
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https://jenkins.exampledomain.com/manage/ was not found on this server.</p>
</body></html>
Clearly that address is on this server because I can enter the management console by going to the correct address.
I'm stuck... Apache configuration is not my strong point. I'm looking for any help.
--EDIT More Info--
Adding the full virtual host file from the /Library/Server/Web/Config/apache2/sites directory for further detail.
<VirtualHost 127.0.0.1:34543>
ServerName https://jenkins.exampledomain.com:443
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/jenkins.exampledomain.com"
DirectoryIndex index.html index.php default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
<IfModule mod_ssl.c>
SSLEngine On
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +TLSv1
SSLProxyEngine On
SSLCertificateFile "/etc/certificates/machine.local.certCA1FileLocation.pem"
SSLCertificateKeyFile "/etc/certificates/machine.local.certCA2FileLocation.key.pem"
SSLCertificateChainFile "/etc/certificates/machine.local.certCA3FileLocation.chain.pem"
SSLProxyProtocol -ALL +TLSv1
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
</IfModule>
<Directory "/Library/Server/Web/Data/Sites/jenkins.exampledomain.com">
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
<IfModule mod_dav.c>
DAV Off
</IfModule>
<IfDefine !WEBSERVICE_ON>
Require all denied
ErrorDocument 403 /customerror/websitesoff403.html
</IfDefine>
</Directory>
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyPassReverse / http://jenkins.exampledomain.com/
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
</VirtualHost>
--EDIT 2 Another Finding--
I have noticed by attempting to curl to the 'not found' url above that indeed the server is reporting it not found. If I hit https://jenkins.exampledomain.com/manage/ I will get a 404. However, if I leave off the trailing /, it works. https://jenkins.exampledomain.com/manage is successful. Hopefully this means something to someone!
Thanks
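A check for the TLS and backend-verification directives in the virtual host above, added here and not part of the original post: it flags SSLProtocol/SSLProxyProtocol values that enable SSLv3, TLSv1 or TLSv1.1, cipher strings that name RC4 or 3DES, and SSLProxyCheckPeer* checks that are switched off. The expansion of `all` and the hardened sample are assumptions of this example.

```python
import re
from typing import List, Set, Tuple

# Assumption: what "all" expands to depends on the OpenSSL build; this
# example treats it as every protocol listed here.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}
# Only explicitly named ciphers are caught; aliases such as ALL or MEDIUM
# are not expanded.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3")


def enabled_protocols(args: str) -> Set[str]:
    """Apply +/-/bare protocol words left to right, as mod_ssl does."""
    enabled: Set[str] = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        name = word.lstrip("+-").lower()
        if name == "all":
            chosen = set(ALL_PROTOCOLS)
        else:
            chosen = {CANONICAL[name]} if name in CANONICAL else set()
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen          # a bare word replaces what came before
    return enabled


def weak_ciphers(value: str) -> List[str]:
    """Cipher tokens that are kept (not '!' or '-' prefixed) and name RC4/3DES."""
    found = []
    for token in re.split(r"[:,\s]+", value.strip('"')):
        if not token or token[0] in "!-":
            continue
        if any(marker in token.upper() for marker in WEAK_CIPHER_MARKERS):
            found.append(token.lstrip("+"))
    return found


def audit(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, directive, finding) for each weak setting."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        directive, args = parts[0], (parts[1] if len(parts) > 1 else "")
        key = directive.lower()
        if key in ("sslprotocol", "sslproxyprotocol"):
            old = sorted(enabled_protocols(args) & DEPRECATED)
            if old:
                findings.append((no, directive, "enables " + ", ".join(old)))
        elif key in ("sslciphersuite", "sslproxyciphersuite"):
            weak = weak_ciphers(args)
            if weak:
                findings.append((no, directive, "allows " + ", ".join(weak)))
        elif key in ("sslproxycheckpeername", "sslproxycheckpeercn"):
            if args.strip().lower() == "off":
                findings.append((no, directive, "backend certificate name check disabled"))
    return findings


# Lines copied from the virtual host in the question above.
QUESTION_VHOST = """\
SSLEngine On
SSLCipherSuite "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"
SSLProtocol -ALL +TLSv1
SSLProxyEngine On
SSLProxyProtocol -ALL +TLSv1
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
"""

# Constructed for this example: the same directives with current settings.
HARDENED = """\
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!3DES:!RC4
SSLProxyProtocol -all +TLSv1.2 +TLSv1.3
SSLProxyCheckPeerName on
"""

if __name__ == "__main__":
    for no, directive, finding in audit(QUESTION_VHOST):
        print(f"line {no}: {directive}: {finding}")
    print("hardened findings:", audit(HARDENED))
```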
I know this is an old question, but I was having the same problem with the error:
HTTP ERROR 404
Problem accessing /administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Fbuild.scopeitconsulting.com%2Fmanage/. Reason:
http://build.domain.com/manage vs. https://build.domain.com/manage
I was able to solve my problem by including the two lines from the author's question:
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
So here is my relevant section from a working ssl.conf configuration in case it helps anybody. I am running Jenkins on port 8080 at the root context with http but reverse proxying it behind Apache enforcing https.
ProxyPass / http://localhost:8080/ nocanon
ProxyPassReverse / http://localhost:8080/
ProxyPassReverse / http://build.domain.com/
ProxyPassReverse / https://build.domain.com/
ProxyRequests Off
ProxyPreserveHost On
AllowEncodedSlashes NoDecode
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
<Proxy http://localhost:8080/>
Order deny,allow
Allow from all
</Proxy>
I hope this helps somebody who like me has spent way too much time trying to find a working configuration to resolve the error.
You need to add below to catalina.properties file. Updating Apache configuration itself is not sufficient.
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
We have the following configuration, one apache HTTP server which proxies AJP requests to an application on another as in the Proxy balancer configuration below.
The problem we have is the application only understands one HOST http header, i.e exampledomain.com, but we require www.exampledomain.com to be rewritten to exampledomain.com however still show the www.exampledomain.com address.
We also have HTTP proxies in between the browser and hitting the Apache server, and do not want this content to be cached!
The following is our configuration:
<Proxy balancer://ajp-cluster>
Order deny,allow
Allow from all
BalancerMember ajp://10.10.10.11:8009
</Proxy>
<VirtualHost *:80>
ServerName exampledomain.com
ServerAlias exampledomain.com *.exampledomain.com
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www.exampledomain.com
RewriteRule ^/(.*)$ http://exampledomain.com/$1 [L,R=301,E=nocache:1]
## Set the response header if the "nocache" environment variable is set
## in the RewriteRule above.
Header always set Cache-Control "no-store, no-cache, must-revalidate" env=nocache
## Set Expires too ...
Header always set Expires "Thu, 01 Jan 1970 00:00:00 GMT" env=nocache
ProxyPass / balancer://ajp-cluster/
ProxyPassReverse / balancer://ajp-cluster/
</VirtualHost>