Apache web server configuration - HTTP to HTTPS not working - apache

I've been at this for two weeks now and still nothing. What's even odder is that I've done this on a different server and it worked, so I don't understand why this isn't working. Really frustrated here.
I'm trying to configure my Apache web server on my RHEL so that HTTP requests are redirected to HTTPS, which then points to my Tomcat.
This is my configuration:
<VirtualHost *:80>
ServerName server.com
Redirect / https://server.com/
</VirtualHost>
<VirtualHost *:443>
ServerName server.com
ServerAlias www.server.com
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /etc/pki/tls/certs/cert.cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.key.pem
#SSLCACertificateFile /etc/pki/tls/certs/ca-chain.cert.pem
</VirtualHost>
Believe me when I say I have tried so many different combinations yet nothing. I have commented and un-commented the Include conf.d/ssl.conf, still no effect.
Please, what am I doing wrong here?

First of all: "isn't working" is quite a weak description. I might or might not hit what your problem is, but I see several options:
First: Test if the forward works
Second: What's the result when you're connecting to the https server? You can try this without the forward - just type the https protocol yourself and figure out if you can rule out the forward configuration completely.
"I've done this on a different server and it worked"
You're forwarding to localhost:8080. If that other server had tomcat installed (and running) on port 8080, but the one that you're trying now doesn't - well, here's your solution. localhost is always "the same" computer.
As Ortomala Lokni mentions in a comment: Your ProxyPassReverse directive is lacking a /:
ProxyPassReverse / http://localhost:8080/
Note that with this configuration, Tomcat will not know that the original request has been sent through https - thus any CONFIDENTIAL declaration on Tomcat assumes that the request has been sent in the clear - and it will try to redirect to https. As the ProxyPass still forwards through http, Tomcat will never know that the request actually was encrypted. There are hacks to work around this (e.g. secure="true" on the connector configuration) or a more proper solution (like forwarding through AJP instead of http):
ProxyPass / ajp://localhost:8009/
(notice the changed port)
There's potential for more going wrong - in case these hints don't help, please specify "isn't working" more.
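The trailing-slash mismatch pointed out in this answer is easy to miss by eye. The following is an added example, not code from the original posts: a small Python check that flags ProxyPass/ProxyPassReverse pairs whose trailing slashes or targets disagree. The function name and the embedded sample (the :443 block from the question) are constructed for illustration.

```python
import re

# Constructed sample: the :443 virtual host as posted in the question.
QUESTION_CONF = """\
<VirtualHost *:443>
ServerName server.com
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080
SSLEngine on
</VirtualHost>
"""

RULE = re.compile(r'^(ProxyPass|ProxyPassReverse)\s+"?([^\s"]+)"?\s+"?([^\s"]+)"?', re.I)
VHOST = re.compile(r'^<VirtualHost\s+([^>]+)>', re.I)


def lint_proxy_rules(conf_text):
    """Return sorted (line_no, message) findings for ProxyPass/ProxyPassReverse pairs."""
    findings, seen = [], {}   # seen: (vhost, directive, path) -> (line_no, target)
    vhost = "global"
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue          # commented-out directives are not active
        if line.lower().startswith("</virtualhost"):
            vhost = "global"
        m = VHOST.match(line)
        if m:
            vhost = m.group(1).strip()
            continue
        m = RULE.match(line)
        if not m or m.group(3) == "!":
            continue          # not a two-argument mapping, or an exclusion rule
        directive, path, target = m.group(1).lower(), m.group(2), m.group(3)
        if path.endswith("/") != target.endswith("/"):
            findings.append((no, f"{m.group(1)}: trailing slash differs between "
                                 f"'{path}' and '{target}'"))
        seen[(vhost, directive, path)] = (no, target)
    for (vh, directive, path), (no, target) in seen.items():
        if directive != "proxypass":
            continue
        rev = seen.get((vh, "proxypassreverse", path))
        if rev is None:
            findings.append((no, f"ProxyPass '{path}' has no ProxyPassReverse in {vh}"))
        elif rev[1] != target:
            findings.append((rev[0], f"ProxyPassReverse target '{rev[1]}' does not "
                                     f"match ProxyPass target '{target}'"))
    return sorted(findings)
```

Single-argument ProxyPass lines inside a Location block and ProxyPassMatch rules are deliberately skipped by this check.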

Thanks ever so much! Especially you, Olaf Kock. Your suggestion was golden! Just like you suggested, I decided to forget about the forwarding and focus on what happens when I try connecting to the HTTPS directly, and that's when I came across this error:
proxy: HTTP: disabled connection for (localhost)
I did a little search and found out that I had to run this command to get things rolling: /usr/sbin/setsebool -P httpd_can_network_connect 1
(Note, there are other variations of this command, like: setsebool -P httpd_can_network_connect on or sudo setsebool -P httpd_can_network_connect on)
Then I had to set up these in the ssl.conf file under the <VirtualHost _default_:443> tag:
ServerName server.com
ServerAlias www.server.com
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
And it worked!
However, I didn't want to have to reference the ssl.conf file. I wanted everything in the httpd.conf file, and so after tinkering a bit, this is what worked for me, and I believe should work for anyone with a similar problem.
So, after commenting out the Include conf.d/ssl.conf line:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
#For HTTP requests, redirecting to HTTPS
<VirtualHost *:80>
ServerName server.com
Redirect / https://server.com/
</VirtualHost>
#For HTTPS requests
<VirtualHost *:443>
ServerName server.com
ServerAlias www.server.com
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/cert.cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.key.pem
#SSLCACertificateFile /etc/pki/tls/certs/ca-chain.cert.pem
</VirtualHost>
Obviously, you should have installed your mod_ssl in the first place.
Thanks everyone!

Related

Apache ProxyPass HTTP does not work with SSL

I was trying to add cloudflare SSL certification to the website I host locally, and force HTTPS for all users.
Connecting to IP:80 works fine (from inside my network). IP:443 fails as it expects an SSL certificate. Accessing domainname.com tells me the site is secure, so the SSL certificate works. But whenever I access it this way, the proxy website doesn't, displaying the 'Apache2 Default Page'. Same with connecting to IP:80 outside the network, it fails to proxy pass.
This is the config file I have set up, and by running apachectl -S I checked that no other rules exist.
<VirtualHost *:80>
ServerName name.com:80
ProxyPreserveHost On
ProxyPass / http://localhost:7000/
ProxyPassReverse / http://localhost:7000/
</VirtualHost>
<VirtualHost *:443>
ServerName name.com:443
SSLEngine on
SSLCertificateFile /etc/cloudflare/name.com.pem
SSLCertificateKeyFile /etc/cloudflare/name.com.key
ProxyPreserveHost On
ProxyPass / http://localhost:7000/
ProxyPassReverse / http://localhost:7000/
</VirtualHost>
Is this because I am trying to load an http website, even though it is local? And if this is true, how else can I solve this problem? I feel so close, thanks for the help.
I solved it by switching to the default-ssl config file provided with Apache2; after removing my version, the issue resolved itself. Not sure why it worked the second time I tried it but oh well.

Reverse proxy in Apache + CentOS for HTTPS requests to PostgREST webserver

I would like to make https requests to my PostgREST webserver, which by design doesn't support https. I have spent several days on this now and I don't know how to go any further...
My setup
My server is running on CentOS 7.9.2009
I have a website domain that uses Wordpress to serve my content in home/myuser/public_html
I setup PostgREST 7.0.1 on my server which runs on port 3000
I am running Apache/2.4.51 (cPanel)
My Problem
The following request works just fine: http://my-domain.com:3000/my_db_table
I would like to run the same request like: https://my-domain.com/api/my_db_table
My Apache configuration is in an "includes" file, seems to be loaded (as errors occur when I put wrong syntax intentionally in this file) and it looks like this:
<VirtualHost *:443>
DocumentRoot /
ServerName my-domain.com
ServerAlias my-domain
ErrorLog /home/myuser/public_html/api/error.log
CustomLog /home/myuser/public_html/api/access.log combined
SSLEngine on
SSLUseStapling off
SSLCertificateFile /etc/ssl/certs/server.my-domain.com.crt
SSLCertificateKeyFile /etc/ssl/private/server.my-domain.com.key
<Location /api/ >
ProxyPreserveHost On
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
RequestHeader set X-Forwarded-Port "443"
RequestHeader set X-Forwarded-Proto "https"
</Location>
</VirtualHost>
running httpd -t returns Syntax OK
after my changes I run sudo systemctl restart httpd
when I then try to do a request like curl -i https://my-domain.com/api/my_db_table I am redirected to the 404 page of my Wordpress website
the error.log file of my apache config does not include any errors (it included errors for stapling which I resolved by adding the line SSLUseStapling off in my config)
I don't know what to do anymore. And because I don't have any error logs I even don't know how to start debugging it. I would be happy for any hint somebody could provide me.
I have successfully used https with PostgREST and the following settings in the VirtualHost section, but I didn't use the tag.
ProxyHTMLEnable On
ProxyPreserveHost On
SSLEngine on
SSLProxyEngine On
RewriteEngine on
#Proxy for postgrest api
ProxyPassMatch "/api/(.*)" "http://localhost:3000/$1"
ProxyPassReverse "/api/" "http://localhost:3000/"

Apache ProxyPass adding Port only on base URL

This is getting frustrating to say the least haha.
I have set up a ProxyPass and ProxyPassReverse in Apache under virtual host 443 to proxy to nginx running in a container on port 8443.
This is all I have set up to do this
CustomLog /srv/apps/ktech-connect/log/apache/custom.log combined
ErrorLog /srv/apps/ktech-connect/log/apache/errors.log
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://127.0.0.1:8443/
ProxyPassReverse / https://127.0.0.1:8443/
When I hit any url such as example.com/page it works like it should
But when I go to example.com or even example.com/ it will show a redirect from apache to example.com:8443 in the url.
I have tried adding ProxyPreserveHost but it does nothing, and a whole host of other options. I just don't understand where the redirect is coming from and the fact that it only happens when hitting the base url.
Any thoughts?
Thanks to ServerFault, it was an old rewrite directive still in my browser cache lol. Cleared it and now it works as expected.

What is the correct way of having apache redirect to https AND tomcat (port 8080) at the same time

I know similar questions have been asked a lot already, and I feel like I read all of them 12 times. Every time the answer is slightly different, and I tried virtually all combinations, but still cannot get it to work...
So, I have an Apache and a Tomcat running in a FreeNAS jail (so running FreeBSD). I used Certbot to get an SSL certificate for my domain. Let's call that example.com. In my router, I opened ports 80 and 443.
Now, I want users to just enter either 'www.example.com' or 'example.com' in their browser, and land on 'https://www.example.com' and port 8080.
I found that to accomplish this, I need to configure my apache Virtual Hosts file. However, as I said, I found many different things to put in there, and none of them seem to be exactly the right ones. Here is what I have now:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
# ProxyPreserveHost On
# ProxyRequests Off
# ProxyPass / http://localhost:8080/
# ProxyPassReverse / http://localhost:8080/
# Redirect permanent / https://www.example.com/
</VirtualHost>
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /usr/local/etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /usr/local/etc/letsencrypt/live/example.com/chain.pem
ServerName www.example.com
ServerAlias example.com
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
</VirtualHost>
I also added this into the Tomcat server.xml:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8080"
proxyName="www.example.com"
proxyPort="80"/>
So, my questions are these:
Does it matter which one has www, ServerName or ServerAlias? Because I've seen both.
Should I have Apache listen on port 80 or 433?
How can I verify if Apache and Tomcat are listening on the right ports? Before, I had this in a CentOS VPS, and there it was with 'netstat -tulpn'. (I didn't have SSL yet back then)
At one point, I had it almost working: entering example.com was properly redirected to https://www.example.com/ on port 8080 because I reached the website running in Tomcat. If I then removed the 's' in the URL, it did not redirect to https again. Also, I should have saved that exact config because I cannot find it back...
I will be so thankful for any answer I get. Thanks a lot in advance.
Reygok
Let's go through your questions:
Does it matter which one has www, ServerName or ServerAlias?
Use in server name the canonical hostname, in alias aliases pointing to your CNAME. Choose which name you want to advertise to the users.
Should I have Apache listen on port 80 or 443?
You must do both because Let's Encrypt requires port 80 to be open, so HTTPd has to do Listen *:80 and Listen *:443.
How can I verify if Apache and tomcat are listening on the right ports?
FreeBSD magic: sockstat -46
Now to your setup:
Assumptions: HTTPd and Tomcat run on the same host and Tomcat listens on localhost.
Tomcat's server.xml:
<Connector address="localhost" port="8080" redirectPort="443" ... />
I never needed the proxy* attributes, just used this in the <Host />:
<Valve className="org.apache.catalina.valves.RemoteIpValve" />
the access log valve will require: requestAttributesEnabled="true"
HTTPd:
<VirtualHost *:80>
Redirect permanent / https://{hostname}/
</VirtualHost>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
In your web.xml you set Tomcat to redirect HTTP to HTTPS: http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/securityConfiguration/modifyingWebxmlEnableHTTPS.htm

Apache Reverse Proxy Cookies not working

Following scenario:
I have a webservice running on port 81.
I want to use Apache (nginx would also be okay) as a reverse proxy, running on port 80 and redirecting mail.domain.com to port 81.
This is working so far, but my webservice is telling me that I should activate cookies. Without the proxy it's working.
I followed a lot of tutorials etc., but none of the tips worked so far.
This is how my virtualhost looks:
<virtualHost *:80>
ProxyPassReverseCookiePath / http://mail.domain.com
ServerName mail.domain.com:81
ProxyPass / http://127.0.0.1:81
ProxyPassReverse / http://127.0.0.1:81
ProxyPassReverseCookiePath http://myPublicIp:81 http://mail.domain.com
</VirtualHost>
If someone has an easier way of doing this with nginx, please also tell me.
Thanks a lot in advance!!
You probably need to do something like this:
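<VirtualHost *:80>
ServerName mydomain.com
# The target ends in "/" to match the "/" path
ProxyPass / http://mail.domain.com:81/
ProxyPassReverse / http://mail.domain.com:81/
# Arguments are the internal (backend) domain first, then the public domain
ProxyPassReverseCookieDomain mail.domain.com mydomain.com
</VirtualHost>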
In your example, you are using the CookiePath, which modifies the path in the cookie and not the domain.
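To make the difference between the two cookie directives concrete, here is an added example (not code from the original posts): a simplified Python model of how ProxyPassReverseCookiePath and ProxyPassReverseCookieDomain rewrite a backend Set-Cookie header. It assumes prefix matching for paths and whole-value matching for domains; the function name and the sample cookie are constructed.

```python
def rewrite_set_cookie(header, cookie_paths=(), cookie_domains=()):
    """Simplified model of the two mod_proxy cookie directives.

    cookie_paths / cookie_domains are (internal, public) pairs, the argument
    order of ProxyPassReverseCookiePath / ProxyPassReverseCookieDomain.
    """
    parts = [p.strip() for p in header.split(";")]
    out = [parts[0]]                      # the name=value pair is never rewritten
    for attr in parts[1:]:
        name, sep, value = attr.partition("=")
        key = name.strip().lower()
        if key == "path":
            for internal, public in cookie_paths:
                if value.startswith(internal):        # prefix match on the path
                    value = public + value[len(internal):]
                    break
        elif key == "domain":
            for internal, public in cookie_domains:
                if value.lower() == internal.lower():  # whole-value match
                    value = public
                    break
        out.append(f"{name}{sep}{value}")
    return "; ".join(out)


# Constructed backend response header for the webservice on port 81.
BACKEND_COOKIE = "SESSION=abc123; Domain=myPublicIp; Path=/; HttpOnly"


def demo():
    # Rule from the question: Path "/" is replaced by a URL, Domain is untouched.
    question = rewrite_set_cookie(
        BACKEND_COOKIE, cookie_paths=[("/", "http://mail.domain.com")])
    # Domain rule: only the Domain attribute changes, Path stays "/".
    domain_rule = rewrite_set_cookie(
        BACKEND_COOKIE, cookie_domains=[("myPublicIp", "mail.domain.com")])
    return question, domain_rule
```

With the question's CookiePath rule the Path attribute ends up holding a URL rather than a URL path, while the Domain attribute still names the backend.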