I have a problem with the “Reverse Proxy” module, in particular for SSL load-balancing.
I configured the reverse proxy on NS with just virtual hosts and a wildcard certificate. The websites are hosted in dedicated VMs.
This module works great with hostnames in HTTP request, and I’m using it for over 10 websites.
But when I try to enable HTTPS on the websites, it always gives me this message if I try to open them from outside:
Bad Request
“Your browser sent a request that this server could not understand. Reason: You’re speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please.”
I have a physical Fortigate firewall with HTTP load-balancing and the wildcard certificate installed on it.
With this enabled, everything works OK (on the HTTP port, of course). If I change the balancing to HTTPS, it gives me that error.
Every website works OK with HTTPS: if I disable the balancer and create a firewall rule to open one website on the HTTPS port (TCP 443), it works perfectly. But I need to use several websites on the HTTPS port.
Hoping there’s a solution, I’m waiting for your reply.
Regards
The way I read it is that http points to an internal IP, whereas https points to itself…
This COULD mean it is hitting some other host - or the firewall itself (Fortinet)…
Where does crm.software360.it point to, when seen from NethServer?
(nslookup crm.software360.it)
Yeah, that’s clear. So I made the change you suggested and now the nslookup replies with the internal IP. But unfortunately it gives me the 400 error again externally. I’ve tried another browser with the cache cleared but nothing changed…
Did you try to use IP address (10.10.10.120) instead of hostname (crm.software360.it) in the <VirtualHost *:443> reverse proxy?
This way you don’t have to fight with split DNS.
Your reverse proxy conf looks like you wrote it manually.
NethServer could do that for you; the following settings…
…result in the following config in /etc/httpd/conf.d/virtualhosts.conf. Many caveats, like Let’s Encrypt and the SSL check, are avoided by preconfiguring it this way.
#
# Virtual Host crm.software360.it - *:443
# Description :
<VirtualHost *:443>
    ServerName crm.software360.it
    # forcessl_redirect
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    #20ssl_engine
    SSLEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass / http://10.10.10.120/ max=3 retry=30
    ProxyPassReverse / http://10.10.10.120/
    ProxyPreserveHost On
    <Location "/">
        <RequireAll>
            Require all granted
            SSLRequireSSL
        </RequireAll>
    </Location>
</VirtualHost>
#
# Virtual Host crm.software360.it - *:80
# Description :
<VirtualHost *:80>
    ServerName crm.software360.it
    # forcessl_redirect
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{SERVER_NAME}$1 [R,L]
    # Reverse Proxy (with exclusion of local Letsencrypt challenge path)
    ProxyPassMatch ^/.well-known/acme-challenge/ !
    ProxyPass / http://10.10.10.120/ max=3 retry=30
    ProxyPassReverse / http://10.10.10.120/
    ProxyPreserveHost On
    <Location "/">
        <RequireAll>
            Require all granted
            SSLRequireSSL
        </RequireAll>
    </Location>
</VirtualHost>
Sorry for the late reply. So I solved the problem, and the firewall and NS were not guilty. Our websites are based on the Symfony framework, and it seems that I have to enable a setting called “trusted_proxy”, where I had to specify the NS IP address. After that, they work with full SSL encryption.
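To illustrate the trusted-proxy point from the last post, here is an added example using Symfony's HttpFoundation component (my own code, not from the thread or from NethServer): it assumes 10.10.10.1 as the NethServer address (not stated above) and that the proxy forwards X-Forwarded-Proto and X-Forwarded-For to the backend VM.

```php
<?php
// Added example: why a Symfony app behind the NethServer reverse proxy needs
// trusted_proxies. Requires the composer package symfony/http-foundation.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Assumed address of the NethServer reverse proxy (not given in the thread).
const NETHSERVER_IP = '10.10.10.1';

// Constructed request as the backend VM sees it: TLS was terminated on the
// proxy, so the connection is plain HTTP and the proxy adds X-Forwarded-* headers.
function requestFromProxy(string $remoteAddr): Request
{
    return Request::create('http://crm.software360.it/login', 'GET', [], [], [], [
        'REMOTE_ADDR'            => $remoteAddr,
        'HTTP_X_FORWARDED_PROTO' => 'https',
        'HTTP_X_FORWARDED_FOR'   => '203.0.113.10', // constructed external client
    ]);
}

function describe(Request $r): string
{
    return sprintf('scheme=%s secure=%s client=%s base=%s',
        $r->getScheme(), $r->isSecure() ? 'yes' : 'no',
        $r->getClientIp(), $r->getSchemeAndHttpHost());
}

// 1) No trusted proxies: Symfony ignores X-Forwarded-* (any client could send
//    them), so it believes the request is plain HTTP and builds http:// URLs and
//    redirects. That mismatch is what the thread's 400 error came from.
Request::setTrustedProxies([], Request::HEADER_X_FORWARDED_PROTO);
echo 'untrusted: ' . describe(requestFromProxy(NETHSERVER_IP)) . PHP_EOL;

// 2) Equivalent of framework.yaml "trusted_proxies: 10.10.10.1" with
//    trusted_headers x-forwarded-for and x-forwarded-proto: the forwarded
//    scheme and client IP are honoured only when they arrive from that address.
Request::setTrustedProxies([NETHSERVER_IP],
    Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PROTO);
echo 'trusted:   ' . describe(requestFromProxy(NETHSERVER_IP)) . PHP_EOL;

// 3) The same headers from any other source are still ignored, so a client
//    that reaches the backend directly cannot spoof its IP or scheme.
echo 'other:     ' . describe(requestFromProxy('198.51.100.7')) . PHP_EOL;
```

Trust only the proxy's own address, never a broad range or all of 0.0.0.0/0, because everything X-Forwarded-* claims is then taken at face value from whoever sent it.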