We Keep Coding

Apache reverse proxy - URL without / is refused

I use reverse proxy to show backend server content for a subdomain.
The subdomain.mydomain.com (server A) should display content of server with IP 123.123.123.123 port 1111 (server B).
Virtual host of subdomain.mydomain.com (server A):
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName subdomain.mydomain.com
SSLEngine on
SecAuditEngine On
RewriteEngine On
SSLProxyEngine on
ProxyPreserveHost On
LogLevel warn
<Directory />
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Location />
ProxyPass https://123.123.123.123:1111
ProxyPassReverse https://123.123.123.123:1111
</Location>
ErrorLog /var/log/apache2/error.log
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCertificateFile /etc/apache2/cert.site/chain_wildcard_site_combined.crt
SSLCertificateKeyFile /etc/apache2/cert.site/key_wildcard_site.key
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
Virtual host of 123.123.123.123:1111 (server B):
<IfModule mod_ssl.c>
<VirtualHost 123.123.123.123:1111>
DocumentRoot /srv/www/site/htdocs
SSLEngine on
RewriteEngine On
SSLProxyEngine on
ProxyPreserveHost On
LogLevel warn
<Location "/">
Require ip 222.222.222.222
</Location>
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /srv/www/site/htdocs>
Options -Indexes +FollowSymLinks +MultiViews
DirectoryIndex index.php
AllowOverride None
Require all granted
</Directory>
ErrorLog /srv/www/site/log/error.log
CustomLog /srv/www/site/log/access.log combined
CustomLog /srv/www/site/log/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCertificateFile /etc/apache2/cert.site/chain_wildcard_site_combined.crt
SSLCertificateKeyFile /etc/apache2/cert.site/key_wildcard_site.key
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
If I load URL:
https://subdomain.mydomain.com/dir/
it loads successfully.
If I load URL (without trailing slash):
https://subdomain.mydomain.com/dir
it results error page: ERR_CONNECTION_REFUSED.
EDIT1:
I execute command:
curl -IL https://subdomain.mydomain.com/dir
and I get this result:
HTTP/1.1 301 Moved Permanently
Date: Mon, 23 Aug 2021 13:45:13 GMT
Server: Apache
Strict-Transport-Security: max-age=15768000; includeSubDomains
Strict-Transport-Security: max-age=15768000; includeSubDomains
Location: https://subdomain.mydomain.com:1111/dir/
Content-Type: text/html; charset=iso-8859-1
curl: (7) Failed to connect to subdomain.mydomain.com port 1111: Connection refused
EDIT2:
I added trailing slash
<Location />
ProxyPass https://123.123.123.123:1111/
ProxyPassReverse https://123.123.123.123:1111/
</Location>
But I still get the Connection refused error.
Any idea why is it resulting error, when trailing slash is missing?
Thanks!

Since you used ProxyPreserveHost ON, your ProxyPassReverse should be ProxyPassReverse https://subdomain.mydomain.com:1111/ because this is the Location: header your backend is producing that you need the frontend to fixup.
The backend unfortunately sees no port in the Host: header and picks the port of the local connection. It is a problem that only happens when the default port is used on the frontend + ProxyPreserveHost. ServerName with an explicit port :443 might help on the backend.

You cannot use port 1111 for SSL - it MUST be 443 (modern certificates and CORS do not work or accept different ports)

Virtual host Object not found

Everytime I try to access https://sub.myproject.test/ this message pops up:
Object not found!
The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.
If you think this is a server error, please contact the webmaster.
Error 404
sub.myproject.test
Apache/2.4.38 (Unix) OpenSSL/1.0.2q PHP/7.2.15 mod_perl/2.0.8-dev Perl/v5.16.3
On httpd-vhosts.conf I have:
<VirtualHost *:80>
DocumentRoot "/mnt/data/myproject/sub.myproject.com/public_html"
ServerName sub.myproject.test
ServerAlias www.sub.myproject.test
<Directory "/mnt/data/myproject/sub.myproject.com/public_html/">
AllowOverride All
Require local
</Directory>
</VirtualHost>
and on httpd-ssl.conf I have:
# catalog config
<VirtualHost *:443>
DocumentRoot "/mnt/data/myproject/sub.myproject.com/public_html"
ServerName sub.myproject.test:443
ServerAlias www.sub.myproject.test:443
ErrorLog "/opt/lampp/logs/error_log"
TransferLog "/opt/lampp/logs/access_log"
SSLEngine on
SSLCertificateFile "/opt/lampp/etc/ssl.crt/server.crt"
SSLCertificateKeyFile "/opt/lampp/etc/ssl.key/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/mnt/data/myproject/sub.myproject.com/public_html/">
SSLOptions +StdEnvVars +FakeBasicAuth
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Allow from all
Require all granted
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/opt/lampp/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
And of course in /mnt/data/myproject path I have the sub.myproject.com folder
If you could help me fix this, it'd be very appreciated

Your VirtualHost is ok (except you do not need to put :443 in ServerName and ServerAlias directives), but you never tell Apache which page to display by default, when not specified in the request.
Define DirectoryIndex in each VirtualHost.
Ex: DirectoryIndex index.html
When the request is https://example.com/
,hence nothing after the domain name, Apache will display index.html, from the DocumentRoot directory.
Unrelated to your question, you should put ServerTokens Prod and ServerSignature Off in your configuration, your error message is displaying way to much information.

Apache Virtual host document root AND proxy file access forbidden

I am setting up my personal domain and I have this config:
ServerAdmin contact#brentc.in
Listen 80
<VirtualHost *:80>
DocumentRoot "/www/brentc.in"
ServerName brentc.in
ServerAlias www.brentc.in
</VirtualHost>
Listen 443 https
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/opt/rh/httpd24/root/var/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost *:443>
ServerName brentc.in
ServerAlias www.brentc.in
DocumentRoot /www/brentc.in/
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/brentc.in/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/brentc.in/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/brentc.in/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
ServerName atlassian.brentc.in
ServerAlias www.atlassian.brentc.in
DocumentRoot /www/atlassian.brentc.in/
Options Indexes FollowSymLinks Includes ExecCGI
SSLProtocol all -SSLv2
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /jira/secure/admin/IntegrityChecker.jspa http://localhost:8081/jira/secure/admin/IntegrityChecker.jspa timeout=3600
ProxyPassReverse /jira/secure/admin/IntegrityChecker.jspa http://localhost:8081/jira/secure/admin/IntegrityChecker.jspa
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/brentc.in/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/brentc.in/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/brentc.in/fullchain.pem
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location /jira>
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept"
ProxyPass http://localhost:8081/jira retry=0
ProxyPassReverse http://localhost:8081/jira
SetOutputFilter DEFLATE
</Location>
</VirtualHost>
For the first domain (brentc.in) I can access index.html just fine.
For the second domain (atlassian.brentc.in) it shows the apache sample (test 123) page and when I explicitly go to index.html it says I'm not allowed to access the file.
My file permissions are exactly the same as the working index.html. Am I missing something here?
The atlassian.brentc.in is also a proxy to a behind the scenes tomcat server. My intention is, when you go to atlassian.brentc.in it shows you a landing page. Then from there you can go to atlassian.brentc.in/jira.
The error_log contains this:
[Wed Jun 14 10:43:47.714099 2017] [authz_core:error] [pid 4399] [client <ip>:58299] AH01630: client denied by server configuration: /www/atlassian.brentc.in/index.html
[Wed Jun 14 10:43:47.952670 2017] [authz_core:error] [pid 4399] [client <ip>:58299] AH01630: client denied by server configuration: /www/atlassian.brentc.in/favicon.ico, referer: https://atlassian.brentc.in/index.html

i think you need to add something like this
<Directory "your/sample/directory">
# AllowOverride All # Deprecated
# Order Allow,Deny # Deprecated
# Allow from all # Deprecated
# --New way of doing it this is the important part
Require all granted
</Directory>

How do I configure client authorization for sub-domain.domain.com?

I have wamp server with client authentication I generated for specific sub folder:
Now , I want to access my site instead of https://www.domain.com/subdomain/app1 by using https://app1.domain.com
When I try to access the url I do get asked to choose client certificate , but when I choose the matching one I get error 403 forbidden.
When I generated my certificate using OpenSSL , I've used *.domain.com as CN for the server key.
Here is my virtual host definition in httpd-ssl.conf
<VirtualHost *:443>
ServerName www.domain.com:443
DocumentRoot "c:/wamp/www"
ServerAdmin admin#domain.com
ErrorLog "C:/wamp/bin/apache/apache2.4.9/logs/ssl_error.log"
TransferLog "C:/wamp/bin/apache/apache2.4.9/logs/ssl_access.log"
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 10
SSLCertificateFile "C:\wamp\bin\apache\apache2.4.9\conf\cert\server.cer"
SSLCertificateKeyFile "C:\wamp\bin\apache\apache2.4.9\conf\cert\server.key"
SSLCACertificateFile "C:\wamp\bin\apache\apache2.4.9\conf\cert\ca.cer"
<LocationMatch ^(?=.*/subomain/app1/)(?!.*/subdomain/app1/service).*>
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "App1Key"
</LocationMatch>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog "c:/wamp/bin/apache/apache2.4.9/logs/ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Also , I've created this vhosts.conf to allow subdomain.domain.com
<VirtualHost *:80>
ServerName www.domain.com
ServerAlias *.domain.com
VirtualDocumentRoot "C:\wamp\www\demo\%1"
ErrorLog "logs\errors.log"
<directory "C:\wamp\www\demo\%1">
Options FollowSymLinks
AllowOverride all
Order Deny,Allow
Deny from all
Allow from all
</directory>
</VirtualHost>
Update
I've added the following code to the ssl.conf based on an answer , but now the client certificate always works and it ignores the criteria of the LocationMatch
<directory "C:\wamp\www\demo\%1">
Options FollowSymLinks
AllowOverride all
Order Deny,Allow
Deny from all
Allow from all
</directory>
Lets say I want to have the equivalent criteria below to subdomain.domain.com
<LocationMatch ^(?=.*/subomain/app1//)(?!.*/subomain/app1//service).*>
#SSLOptions +StdEnvVars +ExportCertData
SSLRequire %{SSL_CLIENT_S_DN_CN} eq "Shob"
</LocationMatch>

It's not your SSL setup that is giving the 403 forbidden.
Add this at the end of your <VirtualHost> block (just before the </VirtualHost> although it's only a preference to put it there) to give permissions to access the DocumentRoot folder for the virtual host:
<Directory "c:/wamp/www">
Order allow, deny
Allow from all
</Directory>
Or if you're on Apache 2.4 or later:
<Directory "c:/wamp/www">
Require all granted
</Directory>
You should also check if you had anything else in your previous <Directory> block when you had your previous setup, and bring that in too. For example, you might need to AllowOverride or set up some Options but the above will fix the problem you're asking about.

Running ssl on apache, Xampp

I have xampp installed on my vps. My website works perfect now. But I need to run my website with ssl.
I've read many tutorials about it and most of them was the same. Anyway, I did what they told. And anything doesn't work for me.
I've created certificates with ssh not with a CA authority. It's just for test.
I've edited php.ini file to enable ssl extension.
I've edited httpd-ssl.conf and httpd-vhosts.conf files.
Here is my httpd-vhosts.conf file:
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
ServerAdmin info#example.com
DocumentRoot "C:/xampp/htdocs/"
ServerName example.com
ServerAlias www.example.com:8080
ErrorLog "logs/example.com-error.log"
CustomLog "logs/example.com-access.log" common
</VirtualHost>
<VirtualHost *:443>
DocumentRoot C:\xampp\htdocs\
ServerName example.com
<Directory C:\xampp\htdocs\n>
AllowOverride All
Allow from All
</Directory>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "conf/ssl.crt/server.crt"
SSLCertificateKeyFile "conf/ssl.key/server.key"
<FilesMatch "\.(cgi|shtml|pl|asp|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/xampp/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
When I type https://example.com or example.com:443 website doesn't open.
Any solution?
Update:
Here is the log in apache error logs file:
[Fri Sep 23 19:09:11.355966 2016] [ssl:warn] [pid 2616:tid 284]
AH01909: example.com:443:0 server certificate does NOT include an ID
which matches the server name

Problem solved.
Firewall was blocking port 443. Now it's open and there is no problem.