We Keep Coding

Apache reverse proxy error on firefox : SSL_ERROR_RX_RECORD_TOO_LONG

I'm stuck with my Apache config
Situation
I have a Node chat web app and a phpmyadmin running on the same debian VPS server. Node runs on :3000 and phpmyadmin on :443.
The server base url on :443 is currently displaying phpmyadmin login page and the chat app can be accessed on IP:3000 (https)
Each have their own SSL cert and https is working without issues on both of them separately
Goal
What I'm trying to do is setup an Apache reverse proxy to forward requests from a a clean url (like chat.domain.com) to my Node app while keeping phpmyadmin on it's own dedicated subdomain (vps.domain.com).
like so :
internet (chat.domain.com on :443) -> reverse proxy -> node app running on :3000
internet (vps.domain.com on :443) -> reverse proxy -> phpmyadmin
Issue
Redirection does not work at all.
Firefox shows an error page with SSL_ERROR_RX_RECORD_TOO_LONG (ERR_SSL_PROTOCOL_ERROR on Chrome). As far as I understand it is telling me that I can't redirect to a service running on a different port than :443
I need secure https for both of my services (phpmadmin and chat) but can only run one of them on :443 since one is Apache and the other is Node. They each have their own routing system.
What I've considered
I'm not sure if what I'm trying to do is possible with Apache and this setup. I'd like to run my main app on :443 but then PMA would have to be moved to another port and. Alternatively I could run several servers for cleaner separation of services. I could also use Docker containers, but I don't think this should be necessary here.
Not sure which solution is the most appropriate. I just wanted to do some basic redirections.
Setup config :
Including relevant information about my config in this section.
Apache version : Apache/2.4.53 (Debian)
rewrite and proxy mods are enabled
apachectl configtest -> Syntax OK
vHosts :
default http -> https redirection
# 000-default.conf
VirtualHost *:80>
ServerName default.domain.me
Redirect / https://localhost:443
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
reverse proxy vhost
# reverse_proxy.conf
<VirtualHost chat.domain.me:443>
ServerName rproxy.domain.me
# ProxyPreserveHost On
ProxyRequests Off
# chat
ProxyPass / https://localhost:3000/
ProxyPassReverse / https://localhost:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
PMA vhost
# phpmyadmin.conf
<VirtualHost _default_:443>
ServerName phpmyadmin.domain.me
DocumentRoot /usr/share/phpmyadmin
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/vps.domain.me/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/vps.domain.me/privkey.pem
Protocols h2 http/1.1
Header always set Strict-Transport-Security "max-age=63072000"
# Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
Require all granted
# limit libapache2-mod-php to files and directories necessary by pma
<IfModule mod_php7.c>
php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
php_admin_value open_basedir /usr/share/phpmyadmin/:/usr/share/doc/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/:/usr/share/javascript/
</IfModule>
</Directory>
# Disallow web access to directories that don't need it
<Directory /usr/share/phpmyadmin/templates>
Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
Require all denied
</Directory>
ErrorLog ${APACHE_LOG_DIR}/phpmyadmin/error.log
CustomLog ${APACHE_LOG_DIR}/phpmyadmin/access.log combined
</VirtualHost>
# intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite # don't know if secret. didn't include.
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Let me give you some possible solutions.
1)Changing the virtual host tag, ie, from <VirtualHost chat.domain.me:443> to <VirtualHost _default_:443>
2)setting the ports.conf file as follows
Listen 80
Listen 443 https
execute a2ensite default-ssl
Finally let me give you one of example that I have
ServerName abc.com
ServerAdmin webmaster#abc.com
<Proxy *>
Require all granted
</Proxy>
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8181/
ProxyPassReverse / http://127.0.0.1:8181/
ErrorLog ${APACHE_LOG_DIR}/abc.com.error.log
CustomLog ${APACHE_LOG_DIR}/abc.com.access.log combined
SSLCertificateFile /etc/letsencrypt/live/abc.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/abc.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Installed SSL on Apache server, page not responding

My question is about SSL installation. I purchased a new SSL for a website that's hosted on a Ubuntu 16.04 box with Apache 2.4.29. I was able to get this installed and I'm not getting any errors but my page is not redirecting. I've followed some guides (DigitalOcean) but feel as I'm missing something.
I have checked the sites-available files (000-default.conf, default-ssl.conf & example.com.conf) and I'm not seeing anything that's catching my eye, but I feel I migtht be missing something. I've checked the status of Apache and I'm not getting any errors and I've restarted the services several times to no avail.
Here's a general breakdown of what I have. Am I missing something? Is additional information required for setting this up?
000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
Redirect "/" "https://example.com/"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
SSLCertificateFile /root/example.com.crt
SSLCertificateKeyFile /root/www.example.com.key
SSLCACertificateFile /root/intermediate.crt
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>4
mydomain.com.conf
<VirtualHost *:443>
ServerAdmin admin#somedomain.com
ServerName mydomain.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/html
Redirect permanent / https://example.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Here is my attempt at a combined configuration. Note that I do not have your setup to test it, but I have used similar configurations on production servers.
First define your port 80 VirtualHost (000-default.conf in your setup):
Listen 80
<VirtualHost *:80>
Redirect "/" "https://example.com/"
LogLevel debug
ErrorLog "${APACHE_LOG_DIR}/80_error.log"
CustomLog "${APACHE_LOG_DIR}/80_access.log" combined
</VirtualHost>
No need for a DocumentRoot since you redirect everything.
Then comment out default-ssl.conf. This file is an example of what you could do to setup an SSL enabled VirtualHost. If you use that file AND another VirtualHost on port 443, this one will always be used, since Apache uses the first VirtualHost it finds that matches the client's request (here port 443).
Another point, VirtualHost are not "added" to one another. Each is independent of the others and must contain a complete configuration. This means you cannot put some configuration in on VirtualHost on port 443, and some in another and expect it to work.
Then create your example.com.conf file:
Listen 443
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin#example.com
SSLCertificateFile "/root/example.com.crt"
SSLCertificateKeyFile "/root/example.com.key"
SSLCACertificateFile "/root/intermediate.crt"
LogLevel debug
ErrorLog "logs/443_error_log"
CustomLog "logs/443_access_log" combined
DocumentRoot "/var/www/example.com/html"
DirectoryIndex index.html
<Directory "/var/www/example.com/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
Some notes:
I put the LogLevel at debug, so you can troubleshoot, but once it is working, change it to error. Otherwise you will have huge log files quickly!
For the same reason, I split the logs for port 80 and port 443. Each VirtualHost should have its own logs.
The certificate files must match the domain name. Not the filename (although it makes it easier to match), but the certificate itself.
If you want your certificate to cover example.com and www.example.com, both names must be added to the alternate names in the certificate.
I do not understand why you have Redirect permanent / https://example.com in your configuration. You are already in the https, port 443 VirtualHost.
The options based on <FilesMatch> directives in the default ssl configuration can be added if you want.
This setup will ensure that all http requests will be redirected to https://example.com. Then it will use the :443 VirtualHost, use the proper certificate for that domain and serve the content from the DocumentRoot directory.

SSL for subdomain is allowing parent domain to redirect to subdomain

I've enabled SSL for my sub domain and everything is working great. The problem I have is when you include https for the parent domain (which should not allow SSL connections) it redirects to the subdomain as the parent.
I'm assuming I have something in my virtualhosts entry that's incorrect.
Any thoughts?
Thanks

You're not providing many details, but here's start.
When you specify HTTPS://<hostname>, the TCP message is sent to <ip address>:443. Not <hostname>:443. Your browser does the hostname->IP address conversion prior to sending anything. Your browser ALSO sticks a header Host: <hostname> in with the (encrypted) message.
Only on unpacking the encrypted message does the webserver get the Host header and can then (possibly) route it to a different virtual host.
But at the time of decryption, it's "already" talking with a SSL virtual host (otherwise, apache can't decrypt the message). So at that point, it attempts to figure out what the "desired" host name was (via Hosts header) and then sees if you have a :443 virtual host with that name. If not, it hands it to the default :443 virtual host.

Assuming:
you are hosting the two domains on the same httpd instance
you have only one virtualhost definition for port 443
Im also assuming that when you say "redirects to the subdomain as the parent" that you mean that the content that should only appear at the HTTPS subdomain (ie https://sub.example.com) is appearing at the HTTPS parent domain (ie https://example.com looks exactly like https://sub.example.com) and that no real HTTP redirect is occuring
Then:
If you have two virtualhost entries like this:
<VirtualHost *:80>
# using parent content
DocumentRoot "/web/parent"
</VirtualHost>
<VirtualHost *:443>
#using subdomain content
DocumentRoot "/web/subdomain"
# All sorts of SSL config
....
</VirtualHost>
This has the consequence that no matter what hostname you use:
Any request to port 80 will always produce the parent content
Any request to port 443 will always produce the subdomain content
So:
Try adding "NameVirtualHost *:443" (if you dont already have it) and at least a third VirtualHost:
NameVirtualHost *:443
<VirtualHost *:80>
# the default virtualhost for port 80
# using parent content
DocumentRoot "/web/parent"
</VirtualHost>
<VirtualHost *:443>
# the default virtualhost for port 443
# using subdomain content
ServerName sub.example.com
DocumentRoot "/web/subdomain"
# All sorts of SSL config
....
</VirtualHost>
<VirtualHost *:443>
# another virtualhost for port 443
# only activated for example.com like https://example.com/something
# using parent content
ServerName example.com
DocumentRoot "/web/parent"
# All sorts of SSL config
....
</VirtualHost>
The order of evaluation is important, so the first virtualhost becomes the default for any request that doesnt match any other virtualhost.
The third virtualhost will need to be configured for whatever you expect to happen when someone request HTTPS on the parent domain: ie do you want to redirect back to the HTTP version, or just present different content?
The httpd command has a -S flag that will output the current ordered virtualhost config, then exit, which is useful for diagnosing what virutal hosts are defined on what ports and the names associated
-S
Show the settings as parsed from the config file (currently only shows the virtualhost settings).
Some config, version and platform would have been helpful on this question.

ServerAdmin webmaster#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Ubuntu 14.04 Apache + SSL server, how to configure Varnish

I have a Magento running on a Ubuntu 14.04 server with Apache2 and SSL.
I have installed Varnish but not sure how to set it up with SSL without using Nginx.
this is my current vhost file ;
<VirtualHost *:443>
ServerName mysite.com
ServerAlias www.mysite.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/mysite.com
<Directory /var/www/mysite.com/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
</Directory>
SSLEngine on
SSLCertificateFile /home/ssl/mysite_com.crt
SSLCertificateKeyFile /home/ssl/mysite.com.key
SSLCACertificateFile /home/ssl/mysite_com.ca-bundle
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:80>
ServerName mysite.com
RewriteEngine On
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=permanent]
</VirtualHost>

With your current Apache I would do:
Configure your site to listen in another port, 8888 for example
<VirtualHost *:8888>
ServerName mysite.com
ServerAlias www.mysite.com
ServerAdmin webmaster#localhost
DocumentRoot /var/www/mysite.com
<Directory /var/www/mysite.com/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
</Directory>
</VirtualHost>
Then configure the SSL one to proxy to Varnish
<VirtualHost *:443>
# what you had above plus the following:
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / http://localhost:6081/
ProxyPassReverse / http://localhost:6081/
</VirtualHost>
You will need some extra modules:
sudo a2enmod headers proxy proxy_http proxy_html
Finally Configure Varnish backend to use port 8888
backend default {
.host = "127.0.0.1";
.port = "8888";
}

Short answer, you can't setup Varnish with SSL since Varnish doesn't support it.
You have 2 options
Setup Nginx (or some other SSL-terminator) infront of Varnish which acts as reverse proxy and forwards the requests to Varnish via HTTP.
Split the traffic between your current Apache2 server (that supports SSL) and Varnish. The HTTP-traffic on port 80 goes to Varnish and the HTTPS-traffic on port 443 goes to Apache2.

multiple ssl virtual hosts on apache

I want to configure two virtual hosts with their own ssl certificates on apache (apache 2.2.22 and openssl 1.0.1, debian 7.6). I've found many articles about SNI, but still can't configure it properly. Here's my config:
ports.conf
NameVirtualHost *:80
NameVirtualHost *:443
Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
test1-ssl
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName test1.com
DocumentRoot /var/www/test1
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/test1.crt
SSLCertificateKeyFile /etc/apache2/ssl/test1.key
</VirtualHost>
</IfModule>
test2-ssl
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName test2.test.pl
DocumentRoot /var/www/test2
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/test2.crt
SSLCertificateKeyFile /etc/apache2/ssl/test2.key
</VirtualHost>
</IfModule>
Domain https://test1.com works properly (with its own certificate).
Domain https://test2.test.pl displays content of domain test1.com and uses test1 ssl certificate instead of test2.crt (as it is defined in config file test2-ssl).
Any ideas,sugestions very appreciated.
Kind regards,
and thanks in advance!

After little more searching it turns out that it's possible (https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm). My only problem was two separate configuration files for domains... when I configure virtualhost for domains in one config file it worked.

In my use case, I had 2 certificates, one wildcard and one not.
I put on a single file both configs:
<VirtualHost *.wildcard.com:443>
....
<VirtualHost normal.com:443>
...
but didn't work. The solution was this:
<VirtualHost *:443>
....
<VirtualHost *:443>
...
for both domains, provided that on every virtualhost definition you add the desired ServerName and ServerAlias:
ServerName normal.com
ServerAlias www.normal.com
ServerAlias m.normal.com
etc