Problem reverse proxy and SSL

NethServer Version: 7.7
Module: 1908

Good morning,

I have a problem with the “Reverse Proxy” module, in particular for SSL load-balancing.
I configured the reverse proxy on NS with just virtual hosts and a wildcard certificate. The websites are hosted in dedicated VMs.

This module works great with hostnames in the HTTP request, and I’m using it for over 10 websites.
But when I try to enable HTTPS on the websites, it always gives me this message if I try to open them from outside:

Bad Request

“Your browser sent a request that this server could not understand. Reason: You’re speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.”

I’ve a physical Fortigate firewall with HTTP load-balancing and the wildcard certificate installed on it.
With this enabled, everything works OK (on the HTTP port of course). If I change the balancing to HTTPS, it gives me that error.

Every website works OK with HTTPS: if I disable the balancer and create a firewall rule to open one website on the HTTPS port (TCP 443), it works perfectly. But I need to use several websites on the HTTPS port.

Hoping there’s a solution, I’m waiting for your reply.
Regards

I’m posting the virtualhost configuration made with NS: [screenshot]

What happens if you change https://crm.software360.it/ to http://crm.software360.it/? Do you still get the same error?

@360_Consulenza

Hi

I have the feeling that it’s more a DNS issue.
Does https://crm.software360.it resolve to the correct (internal) IP address?

My 2 cents
Andy

I’ve tried but nothing changed.

[screenshot]

Here is also the VirtualHost configuration on that web server

<VirtualHost *:443>
    ServerName crm.software360.it

    DocumentRoot /var/www/gestionale/web
    <Directory /var/www/gestionale/web>
        AllowOverride All
        Order Allow,Deny
        Allow from All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    SSLCertificateFile /etc/letsencrypt/live/crm.software360.it/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/crm.software360.it/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Yes it does because the HTTP request works perfectly on that server

@360_Consulenza

The way I read it is that http points to an internal IP, whereas
https points to itself…
This COULD mean, it is hitting some other host - or the firewall itself (Fortinet)…
Where does crm.software360.it point to, when seen from NethServer?
(nslookup crm.software360.it)


Doing the nslookup on NS, the hostname points to my external IP address.
The private IP you see is the address of the local webserver

And isn’t that the problem?
Both should point to the same IP!

Technically, you’re doing a “circular” resolution…
The traffic passes through your firewall twice, and goes into a circle…

Just to make things clearer:

If an HTTP request comes, it goes through your firewall, hits your NethServer, and gets redirected to the right internal server. -> All works!

If an HTTPS request comes, your firewall forwards that to your NethServer, which points it back to the external IP. The loop goes on and on…

Andy

Andy

Yeah, that’s clear. So I made the change you suggested and now with the nslookup, it replies to the internal IP. But unfortunately it gives me again the 400 error externally. I’ve tried another browser with cache cleared but nothing changed…

You may also need a DNS entry on your NethServer, pointing to the internal IP (instead of the external IP)…

Andy

Did you try to use IP address (10.10.10.120) instead of hostname (crm.software360.it) in the <VirtualHost *:443> reverse proxy?
This way you don’t have to fight with split DNS.

Your reverse proxy conf looks like you wrote it manually.

NethServer could do that for you; the following settings…

…result in the following config in /etc/httpd/conf.d/virtualhosts.conf. Many caveats, like Let's Encrypt and the SSL check, are avoided by preconfiguring it this way.

#
# Virtual Host crm.software360.it - *:443
# Description :
<VirtualHost *:443>
    ServerName crm.software360.it
    # forcessl_redirect
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    #20ssl_engine
    SSLEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass  / http://10.10.10.120/ max=3 retry=30
    ProxyPassReverse / http://10.10.10.120/
    ProxyPreserveHost On
    <Location "/">
      <RequireAll>
        Require all granted
        SSLRequireSSL
      </RequireAll>
    </Location>
</VirtualHost>
#
# Virtual Host crm.software360.it - *:80
# Description :
<VirtualHost *:80>
    ServerName crm.software360.it
    # forcessl_redirect
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass  / http://10.10.10.120/ max=3 retry=30
    ProxyPassReverse / http://10.10.10.120/
    ProxyPreserveHost On
    <Location "/">
      <RequireAll>
        Require all granted
        SSLRequireSSL
      </RequireAll>
    </Location>
</VirtualHost>

Hi!

Sorry for the late reply. So I solved the problem, and the firewall and NS were not the guilty ones. Our websites are based on the Symfony framework, and it seems that I have to enable a string called “trusted_proxy” in which I have to specify the NS IP address. After that, they work in full SSL encryption.

Thank you so much for your support, I love NS :heart_eyes:

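What the “trusted proxies” setting from the last post actually does, shown as an added example rather than Symfony’s or NethServer’s own code: the application only honours the X-Forwarded-Proto and X-Forwarded-For headers when the TCP peer is a proxy on the trusted list, so that NethServer can tell the backend “this request arrived over HTTPS” while a client connecting directly cannot forge the same claim. The proxy address 10.10.10.1 and the client addresses are constructed values for the demo; the thread itself only names the backend 10.10.10.120.

```python
# Added example (not from the thread, Symfony or NethServer): how a
# "trusted proxies" setting decides whether X-Forwarded-* headers are honoured.
# 10.10.10.1 (assumed NethServer address) and the client IPs are constructed.
import ipaddress
from typing import Dict, Iterable


def is_trusted(addr: str, trusted_proxies: Iterable[str]) -> bool:
    """True if addr falls inside one of the trusted proxy IPs / CIDR ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not an IP literal at all: never trusted
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in trusted_proxies)


def effective_request(environ: Dict[str, str], trusted_proxies: Iterable[str]) -> Dict[str, str]:
    """Return the scheme and client IP the application should act on.

    environ mimics the CGI/WSGI variables a PHP or Python app sees:
    REMOTE_ADDR (the peer that opened the TCP connection), wsgi.url_scheme
    (scheme of that connection) and the HTTP_X_FORWARDED_* headers.
    """
    remote = environ["REMOTE_ADDR"]
    result = {"scheme": environ.get("wsgi.url_scheme", "http"), "client_ip": remote}

    # The headers only mean something when the peer is a proxy we configured;
    # anyone else can put whatever they like into X-Forwarded-*.
    if not is_trusted(remote, trusted_proxies):
        return result

    proto = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if proto:
        result["scheme"] = proto.split(",")[0].strip().lower()

    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if hops:
        # Walk from the proxy nearest to us towards the client: the first hop
        # that is not one of our proxies is the real client. If every hop is
        # trusted, fall back to the leftmost entry.
        result["client_ip"] = hops[0]
        for hop in reversed(hops):
            if not is_trusted(hop, trusted_proxies):
                result["client_ip"] = hop
                break
    return result


def demo() -> Dict[str, Dict[str, str]]:
    """Three constructed requests: via the proxy, a direct spoof attempt, two chained proxies."""
    via_proxy = {"REMOTE_ADDR": "10.10.10.1", "wsgi.url_scheme": "http",
                 "HTTP_X_FORWARDED_PROTO": "https", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
    direct_spoof = {"REMOTE_ADDR": "198.51.100.9", "wsgi.url_scheme": "http",
                    "HTTP_X_FORWARDED_PROTO": "https", "HTTP_X_FORWARDED_FOR": "10.10.10.120"}
    chained = {"REMOTE_ADDR": "10.10.10.2", "wsgi.url_scheme": "http",
               "HTTP_X_FORWARDED_PROTO": "https",
               "HTTP_X_FORWARDED_FOR": "203.0.113.7, 10.10.10.1"}
    return {
        "via_proxy": effective_request(via_proxy, ["10.10.10.1"]),
        "direct_spoof": effective_request(direct_spoof, ["10.10.10.1"]),
        "chained": effective_request(chained, ["10.10.10.0/24"]),
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(f"{name:13s} -> scheme={seen['scheme']} client_ip={seen['client_ip']}")
```

Only the request that really arrived through the trusted address is upgraded to https; the direct request with the same headers keeps the scheme of its own TCP connection and its own peer address. In Symfony the equivalent is `Request::setTrustedProxies()` with the proxy address and the X-Forwarded header constants you want honoured. One caveat for the NethServer virtual host shown earlier in the thread: mod_proxy adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server on its own but not X-Forwarded-Proto, so the backend can only learn the original scheme if the :443 virtual host also sets that header (for example with mod_headers' `RequestHeader set`), which the posted config does not show.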