I am running an ISPConfig 3 server with apache. To get HTTPS i use the certbot of let's encrypt. ISPConfig supports cert generation which is working for various cites.
One site runs locally on a different port (as it is a complex system).
To reach it, i added a new site in ISPConfig and configured apache as a reverse proxy as shown below.
The site is up an running, but unable to renew the certificates via certbot (does not work only for this site).
ProxyRequests Off
ProxyVia Off
<Proxy *>
Require all granted
</Proxy>
ProxyPass / http://my.domain.com:8080
ProxyPassReverse / http://my.domain.com:8080
I guess the problem is the unreachability of the challenge folder (/acme/.well-known/acme-challenge)
How to configure apache as reverse proxy that it is able to renew its certificate?
I have the same problem here: the proxy endpoint doesn't have the same webroot and cannot serve the .well-known directory correctly, which means Let's Encrypt fails to find it.
The trick is to skip the proxying for the well-known URL, using something like this answer. In my case, it was simply a matter of adding this line:
ProxyPass /.well-known/ !
which will disable the proxying for the certbot directory.
Good luck!
Related
I'm setting up a Tomcat server behind an Apache proxy, everything is working fine except for the forward proxy when dealing with a remote server with a self-signed certificate. I can access other HTTPS sites, but not ones with self-signed certs. I've already added the CA using SSLProxyCACertificateFile, but it still doesn't work.
In the error log, I get "AH00898: Connect to remote machine blocked returned by server_hostname".
Apache 2.4.54 on Debian 11
I can wget the URL (Once I added the CA to Debian). I can also access the URL if I allow Tomcat to bypass the proxy (When the CA is in the Java key store). But I need all the traffic to go through the proxy.
<VirtualHost 10.10.10.6:8082>
ProxyRequests On
ProxyVia On
<Proxy "*">
Require ip 10.10.10
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy_secure.log
CustomLog ${APACHE_LOG_DIR}/access_forward_proxy_secure.log combined
SSLProxyCACertificateFile /var/ssl/trusted_ca.crt
</VirtualHost>
What am I doing wrong?
I've read a lot of questions and answers which seem exactly the same as mine, but I can't seem to get my setup to work. I have a VM running Apache with only HTTP support at 192.168.2.101:32773. I can access it on my local network as such just fine. I now am ready to expose it through my Apache web server that has Lets Encrypt setup to generate SSL certificates. So I added this to my server conf file:
<VirtualHost *:32773>
ServerName server.com
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/letsencrypt/live/server.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.com/privkey.pem
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://192.168.2.101:32773/
ProxyPassReverse / http://192.168.2.101:32773/
</VirtualHost>
However, I get an ERR_SSL_PROTOCOL_ERROR when I try to load it up as https://server.com:32773. If I however change my address to http://server.com:32773, it loads just fine. Anything look wrong in this snippet? Thanks!
HTTP and HTTPS need to be on different ports. Typically HTTPS is served on port 443.
This is embarrassing... At some point I changed my port forward rules to point 32773 directly to 192.168.2.101 so I could validate that the rules were working at all. The above config worked as soon as I realized I wasn't even sending traffic to my Apache SSL enabled server.
I can't figure how to create an SSL certificate for a Shiny server that runs on a CentOS machine.
My end goal is to be able to access my app with HTTPS.
So instead of - HTTP://mydomain.com:3838/my-app/
To have something like - HTTPS://mydomain.com:3838/my-app/
Or even better - HTTPS://mydomain/my-app/
I tried my best with numerous tutorials but I'm not an expert in system administration and didn't have a lot of success.
Would really appreciate any help here!
# cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)
# shiny-server --version
Shiny Server v1.5.7.907
Thanks!
My answer in one word: letsencrypt.
Letsencrypt provides an executable that will grant you SSL certificates for all the domains your server handles. For this, it validates your machine by mounting a temporary web server and checks if can reach it with the domain names you provided.
There's more info in the official website. Once you have the certs, simply add them to nginx or Apache or whatever web server you are using.
UPDATE:
To forward http calls to your shiny web server you have to use Apache web server as a proxy, that means, that every call yo yourdomain:80, will be redirected to locahost:3838.
You have to edit your default conf. In ubuntu you can find it in this path: /etc/apache2/sites-enabled/000-default.conf
Then, in the conf file:
<VirtualHost *:80>
# These lines configures SSL
SSLEngine on
SSLCertificateFile /path/to/your/ssl.crt
SSLCertificateKeyFile /path/to/your/ssl.key
# These lines configure the proxy
ProxyPreserveHost On
ProxyPass / http://0.0.0.0:3838/
ProxyPassReverse / http://0.0.0.0:3838/
# This sets the domain name to listen for
ServerName yourdomain.com
</VirtualHost>
Then, restart apache and you're good to go.
Apache server is proxying requests to express server running on 9999
<VirtualHost *:443>
ServerName api.aonesalons.com
SSLEngine on
SSLCertificateFile /home/ec2-user/aonesalons.com.pem
SSLCertificateKeyFile /home/ec2-user/aonesalons.com.key
# <Proxy *>
# Order allow,deny
# Allow from all
# </Proxy>
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://localhost:9999/
ProxyPassReverse / http://localhost:9999/
</VirtualHost>
If I hit, api.aonesalons.com in browser, my request goes to the server.
from my application frontend, that is also served over https by apache, when any of the api url's are called,
it always returns
ERR_FAILED or ERR_INSECURE_CONNECTION
Edit:
In browser console in security tab, the certificate is valid totally. I have tried proxying requests to the https version of the express server as well but no difference. It started happening after moving to https.
As soon I start to use Cloudflare as a proxy for api.aonesalons.com, api.aonesalons.com returns my client end application and doesn't hit my API's. I am using apache to proxy api.aonesalons.com to 9999 server and *.aonesalons.com to client folder with static application content
From the SSLLabs report for api.aonesalons.com:
Trusted - No - NOT TRUSTED
A closer look at the certificate shows:
Subject - CloudFlare Origin Certificate
Issuer - CloudFlare, Inc.
This is not a certificate intended for direct access by the public. It is trusted only by Clouldflare itself and is intended to secure the path between the Cloudflare CDN and the server protected by this CDN, see Introducing CloudFlare Origin CA.
In browser console, in security tab, certificate is valid totally.
I don't know what you did to you browser but maybe you explicitly trusted the Cloudflare CA. When visiting the site with a browser I get the expected warning:
NET::ERR_CERT_AUTHORITY_INVALID
My guess is that you've tried to protect your site with the Cloudflare CDN but failed to adjust the DNS settings properly in order to let Cloudflare manage the relevant parts of your DNS.
The setup I am working with involves an Apache server acting as a proxy to a tomcat server which serves several web applications. I have enabled mutual TLS on apache and I can successfully connect to one of my tomcat web applications and verify the client certificate. However, I want to take this one step further... At the moment in my ssl.conf I have a default HTTPS VirtualHost configuration which looks like this:
<VirtualHost *:443>
....
SSLEngine on
SSLCertificateFile /path/to/www_yoursite_com.crt
....
#other SSL options...
</VirtualHost>
In my modproxy.conf I have a configuration as follows:
ProxyPass /webApp1 https://localhost:1234/webApp1
ProxyPassReverse /webApp1 https://localhost:1234/webApp1
ProxyPass /webApp2 https://localhost:1234/webApp2
ProxyPassReverse /webApp2 https://localhost:1234/webApp2
where 1234 is the https port configured on a connector element on tomcat's server.xml file.
Let's assume that I only want mTLS for webApp1, the problem with this configuration is that I need a client cert on my browser even if I am accessing webApp2 so in other words I want to enable mTLS only for one web application. Even better, I would like to enable mTLS for a specific URL within my web application (is this even possible??), so for example I want mTLS required when someone hits https://myserver.com/webApp1/test/mtlsEndpoint but not on https://myserver.com/webApp1/test/otherEndpoint.
Is it possible to achieve this with another VirtualHost config for SSL on my ssl.conf ? I am going to test this tomorrow (trying to achieve this with another VirtualHost config that will proxy mTLS to my webApp1) but thought I should ask here as well to avoid trial and error and reinventing the wheel maybe this is easier than I am thinking ?
Yes, you just need separate SSL directives for webApp1 and webApp2. SSL directives can be configured in Apache right down to the directory level.