ERR: insecure response with apache

Apache server is proxying requests to an Express server running on port 9999
<VirtualHost *:443>
ServerName api.aonesalons.com
SSLEngine on
SSLCertificateFile /home/ec2-user/aonesalons.com.pem
SSLCertificateKeyFile /home/ec2-user/aonesalons.com.key
# <Proxy *>
# Order allow,deny
# Allow from all
# </Proxy>
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:9999/
ProxyPassReverse / http://localhost:9999/
</VirtualHost>
If I hit api.aonesalons.com in the browser, my request goes to the server.
From my application frontend, which is also served over https by apache, when any of the API URLs are called,
it always returns
ERR_FAILED or ERR_INSECURE_CONNECTION
Edit:
In browser console in security tab, the certificate is valid totally. I have tried proxying requests to the https version of the express server as well but no difference. It started happening after moving to https.
As soon as I start to use Cloudflare as a proxy for api.aonesalons.com, api.aonesalons.com returns my client-end application and doesn't hit my APIs. I am using apache to proxy api.aonesalons.com to the 9999 server and *.aonesalons.com to the client folder with static application content.

From the SSLLabs report for api.aonesalons.com:
Trusted - No - NOT TRUSTED
A closer look at the certificate shows:
Subject - CloudFlare Origin Certificate
Issuer - CloudFlare, Inc.
This is not a certificate intended for direct access by the public. It is trusted only by Cloudflare itself and is intended to secure the path between the Cloudflare CDN and the server protected by this CDN, see Introducing CloudFlare Origin CA.
In browser console, in security tab, certificate is valid totally.
I don't know what you did to your browser, but maybe you explicitly trusted the Cloudflare CA. When visiting the site with a browser I get the expected warning:
NET::ERR_CERT_AUTHORITY_INVALID
My guess is that you've tried to protect your site with the Cloudflare CDN but failed to adjust the DNS settings properly in order to let Cloudflare manage the relevant parts of your DNS.

Related

How to trust a remote server's self-signed SSL certificate in Apache

I'm setting up a Tomcat server behind an Apache proxy, everything is working fine except for the forward proxy when dealing with a remote server with a self-signed certificate. I can access other HTTPS sites, but not ones with self-signed certs. I've already added the CA using SSLProxyCACertificateFile, but it still doesn't work.
In the error log, I get "AH00898: Connect to remote machine blocked returned by server_hostname".
Apache 2.4.54 on Debian 11
I can wget the URL (Once I added the CA to Debian). I can also access the URL if I allow Tomcat to bypass the proxy (When the CA is in the Java key store). But I need all the traffic to go through the proxy.
<VirtualHost 10.10.10.6:8082>
ProxyRequests On
ProxyVia On
<Proxy "*">
Require ip 10.10.10
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy_secure.log
CustomLog ${APACHE_LOG_DIR}/access_forward_proxy_secure.log combined
SSLProxyCACertificateFile /var/ssl/trusted_ca.crt
</VirtualHost>
What am I doing wrong?
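The text "Connect to remote machine blocked" is what mod_proxy_connect returns when it refuses a CONNECT tunnel, most often because the target port is not in AllowCONNECT (default 443 and 563); ap_proxyerror logs it as AH00898 "... returned by host:port". An added example forward-proxy configuration (not the question author's), assuming the self-signed remote server listens on 8443 and that Debian's a2enmod has enabled proxy, proxy_connect and proxy_http:

```apacheconf
# Debian: a2enmod proxy proxy_connect proxy_http
<VirtualHost 10.10.10.6:8082>
    ProxyRequests On
    ProxyVia On

    # Only the internal network may use this proxy
    <Proxy "*">
        Require ip 10.10.10
    </Proxy>

    # An HTTPS client sends "CONNECT host:port" and Apache only relays the
    # encrypted bytes. Ports missing from this list are refused with
    # "Connect to remote machine blocked"; 8443 is an assumed port for the
    # remote server with the self-signed certificate.
    AllowCONNECT 443 563 8443

    # SSLProxyCACertificateFile is consulted only when Apache itself is the
    # TLS client (ProxyPass to https://...). A CONNECT tunnel is end-to-end,
    # so the caller (Tomcat's JVM) still validates the certificate and still
    # needs the CA in its own truststore.
    SSLProxyEngine On
    SSLProxyCACertificateFile /var/ssl/trusted_ca.crt

    ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy_secure.log
    CustomLog ${APACHE_LOG_DIR}/access_forward_proxy_secure.log combined
</VirtualHost>
```

If the remote port is already allowed, a ProxyBlock directive matching the host produces the same message.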

Configure Apache Client Certificate Authentication for proxy

I have 3 backend API servers (HTTPS). The API servers have different authorization permissions for different users based on the user certificate. I am configuring Apache to load balance the 3 backend servers, like below:
<VirtualHost *:zzzz>
SSLEngine on
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
SSLCACertificateFile /path/to/ca.crt
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
<Proxy balancer://api_server>
BalancerMember https://xx.xx.xx.xx:yyyy
BalancerMember https://xx.xx.xx.xx:yyyy
</Proxy>
ProxyPass / balancer://api_server/
</VirtualHost>
The problem is that when a client requests Apache with certificates, only the request goes to the API server, not the certificates, and the API server responds "unauthorized user". I tried using SSLProxyMachineCertificateFile, but it only accepts one set of certificates and passes the same certificate every time, while in this case the authorization happens only based on certificates.
Is there a way to blindly forward HTTPS requests to the API? Any other suggestion is warmly welcome.
Transforming the comment into an answer since it solved the OP's question.
The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy, it ensures clients do not talk to servers directly. So from the balanced server perspective, Apache is the client.
The only way I can see of doing that is to use a layer 4 network load balancer which does not do SSL offloading, i.e. not Apache.
Try switching to AJP instead of HTTP proxy, as explained in the Apache doc: https://httpd.apache.org/docs/2.4/en/mod/mod_proxy_ajp.html
If I understand well what you're saying, you need the client certificate to be forwarded, which is a feature of AJP:
Request Packet Structure
?ssl_cert 0x07 String
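An added example of the AJP approach (not the answerer's configuration): Apache terminates mTLS and validates the client certificate, and mod_proxy_ajp then passes that certificate to the backend as the ssl_cert attribute. It assumes the backends speak AJP on port 8009 at the addresses shown and share the secret "change-me"; the server name is a placeholder.

```apacheconf
<VirtualHost *:443>
    # placeholder host name
    ServerName api.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/ca.crt

    # Apache validates the client certificate against ca.crt ...
    SSLVerifyClient require
    SSLVerifyDepth 2
    # ... and exports it into SSL_CLIENT_CERT, which mod_proxy_ajp forwards
    # as the AJP ssl_cert attribute. Without +ExportCertData nothing is sent.
    SSLOptions +StdEnvVars +ExportCertData

    # The forwarded certificate is only an assertion made by the proxy, so the
    # backend must accept AJP only from this host: keep the AJP port off the
    # public network and require the shared secret (mod_proxy_ajp >= 2.4.42).
    <Proxy "balancer://api_server">
        BalancerMember ajp://10.0.0.11:8009 secret=change-me
        BalancerMember ajp://10.0.0.12:8009 secret=change-me
        BalancerMember ajp://10.0.0.13:8009 secret=change-me
    </Proxy>
    ProxyPass        / balancer://api_server/
    ProxyPassReverse / balancer://api_server/
</VirtualHost>
```

On a Tomcat backend the AJP connector carries the matching secret and the application reads the certificate from the javax.servlet.request.X509Certificate request attribute; this only helps if the backends support AJP, which the question's HTTPS-only servers may not.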

Mutual TLS with Apache proxy to Tomcat

The setup I am working with involves an Apache server acting as a proxy to a tomcat server which serves several web applications. I have enabled mutual TLS on apache and I can successfully connect to one of my tomcat web applications and verify the client certificate. However, I want to take this one step further... At the moment in my ssl.conf I have a default HTTPS VirtualHost configuration which looks like this:
<VirtualHost *:443>
....
SSLEngine on
SSLCertificateFile /path/to/www_yoursite_com.crt
....
#other SSL options...
</VirtualHost>
In my modproxy.conf I have a configuration as follows:
ProxyPass /webApp1 https://localhost:1234/webApp1
ProxyPassReverse /webApp1 https://localhost:1234/webApp1
ProxyPass /webApp2 https://localhost:1234/webApp2
ProxyPassReverse /webApp2 https://localhost:1234/webApp2
where 1234 is the https port configured on a connector element on tomcat's server.xml file.
Let's assume that I only want mTLS for webApp1. The problem with this configuration is that I need a client cert in my browser even if I am accessing webApp2; in other words, I want to enable mTLS only for one web application. Even better, I would like to enable mTLS for a specific URL within my web application (is this even possible??), so for example I want mTLS required when someone hits https://myserver.com/webApp1/test/mtlsEndpoint but not on https://myserver.com/webApp1/test/otherEndpoint.
Is it possible to achieve this with another VirtualHost config for SSL in my ssl.conf? I am going to test this tomorrow (trying to achieve this with another VirtualHost config that will proxy mTLS to my webApp1) but thought I should ask here as well to avoid trial and error and reinventing the wheel; maybe this is easier than I am thinking?
Yes, you just need separate SSL directives for webApp1 and webApp2. SSL directives can be configured in Apache right down to the directory level.
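An added example (not the answerer's or the question author's configuration) of scoping the client-certificate requirement to one proxied path with a Location block, while the rest of the host stays one-way TLS. The client CA file name, the key file and the X-Client-DN header name are assumptions; mod_headers is assumed to be loaded.

```apacheconf
<VirtualHost *:443>
    ServerName myserver.com
    SSLEngine on
    SSLCertificateFile    /path/to/www_yoursite_com.crt
    SSLCertificateKeyFile /path/to/www_yoursite_com.key
    # CA that issued the client certificates (assumed file name)
    SSLCACertificateFile  /path/to/client_ca.crt

    # Host-wide default: no client certificate is requested
    SSLVerifyClient none
    SSLProxyEngine on

    ProxyPass        /webApp1 https://localhost:1234/webApp1
    ProxyPassReverse /webApp1 https://localhost:1234/webApp1
    ProxyPass        /webApp2 https://localhost:1234/webApp2
    ProxyPassReverse /webApp2 https://localhost:1234/webApp2

    # Strip any client-supplied copy of the identity header before routing,
    # so only the value set below can reach Tomcat ("early" runs before the
    # Location block is evaluated)
    RequestHeader unset X-Client-DN early

    # mTLS only here: Apache requests the certificate when a request for this
    # path arrives (renegotiation on TLS 1.2, post-handshake auth on TLS 1.3)
    <Location /webApp1/test/mtlsEndpoint>
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLOptions +StdEnvVars
        # Tomcat only sees Apache's own TLS session, so pass the verified
        # subject along explicitly
        RequestHeader set X-Client-DN "%{SSL_CLIENT_S_DN}s"
    </Location>
</VirtualHost>
```

Per-path client certificates depend on TLS renegotiation or, on TLS 1.3, post-handshake authentication, which not every browser supports; if the endpoint must work for arbitrary clients, test it with the browsers you expect rather than assuming the handshake will complete.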

no let's encrypt renewal with reverse-proxy in ispconfig3

I am running an ISPConfig 3 server with Apache. To get HTTPS I use the certbot of Let's Encrypt. ISPConfig supports cert generation, which is working for various sites.
One site runs locally on a different port (as it is a complex system).
To reach it, I added a new site in ISPConfig and configured Apache as a reverse proxy as shown below.
The site is up and running, but I am unable to renew the certificates via certbot (it does not work only for this site).
ProxyRequests Off
ProxyVia Off
<Proxy *>
Require all granted
</Proxy>
ProxyPass / http://my.domain.com:8080
ProxyPassReverse / http://my.domain.com:8080
I guess the problem is the unreachability of the challenge folder (/acme/.well-known/acme-challenge).
How do I configure Apache as a reverse proxy so that it is able to renew its certificate?
I have the same problem here: the proxy endpoint doesn't have the same webroot and cannot serve the .well-known directory correctly, which means Let's Encrypt fails to find it.
The trick is to skip the proxying for the well-known URL, using something like this answer. In my case, it was simply a matter of adding this line:
ProxyPass /.well-known/ !
which will disable the proxying for the certbot directory.
Good luck!
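An added example (not the answerer's configuration) showing the exclusion in context: ProxyPass rules are matched in configuration order and the first match wins, so the "!" rule has to precede the catch-all. The webroot and the ACME challenge directory are placeholders, and the challenge path is narrowed to acme-challenge so the rest of /.well-known/ is still proxied.

```apacheconf
<VirtualHost *:80>
    ServerName my.domain.com
    # placeholder webroot for this site
    DocumentRoot /var/www/my.domain.com

    ProxyRequests Off
    ProxyVia Off
    <Proxy "*">
        Require all granted
    </Proxy>

    # Exclusion first: a later catch-all "/" would otherwise win for every
    # request, including the ACME challenge
    ProxyPass /.well-known/acme-challenge/ !
    # Matching trailing slashes on both sides so sub-paths map cleanly
    ProxyPass        / http://my.domain.com:8080/
    ProxyPassReverse / http://my.domain.com:8080/

    # Serve the challenge files locally from the directory certbot writes to
    # (placeholder path; ISPConfig keeps its own acme directory)
    Alias /.well-known/acme-challenge /path/to/acme/.well-known/acme-challenge
    <Directory /path/to/acme/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Point certbot's --webroot-path at the parent of the aliased .well-known directory so the files it writes are the ones Apache serves.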

How to use force-ssl in meteor.js without deployment to meteor.com subdomains?

The documentation is not clear. How do I install a certificate etc. on localhost?
force-ssl
This package causes Meteor to redirect insecure connections (HTTP) to a secure URL (HTTPS). Use this package to ensure that communication to the server is always encrypted to protect users from active spoofing attacks.
To simplify development, unencrypted connections from localhost are always accepted over HTTP.
Application bundles (meteor bundle) do not include an HTTPS server or certificate. A proxy server that terminates SSL in front of a Meteor bundle must set the standard x-forwarded-proto header for the force-ssl package to work.
Applications deployed to meteor.com subdomains with meteor deploy are automatically served via HTTPS using Meteor's certificate.
I've slogged through setting up an Apache reverse proxy that terminates SSL in front of Meteor, and wanted to document that here as well.
I added the following to the config file for the SSL virtual host:
<VirtualHost _default_:443>
ServerName server.domain.com
## SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
## Proxy to port 3000 for Meteor apps
SSLProxyEngine On
# Disable forward proxying (Apache rejects a comment on the same line as a directive)
ProxyRequests Off
# Matching trailing slashes so sub-paths are mapped correctly
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
## force-ssl needs this header to know the original request was HTTPS;
## mod_proxy does not send it on its own (requires mod_headers)
RequestHeader set X-Forwarded-Proto "https"
## Your other SSL config directives such as certificates, etc.
</VirtualHost>
You do not need to install certificates on localhost. As it says, "To simplify development, unencrypted connections from localhost are always accepted over HTTP.", which means that you can develop and test the application without using SSL and without installing certificates. Just run your application and access it with http://localhost:3000 as usual.
If you are talking about installing certificates for publicly facing applications it is probably best to use a reverse proxy server such as nginx and install the certificates for that server. http://wiki.nginx.org/HttpProxyModule