0

I have a Django web app sharing external ports 80 and 443 with another server. localhost works fine without the reverse proxy, but when it is enabled, I run into all kinds of errors.

How to make reverse proxy work properly?

reverse-proxy.conf:

      # SSL Certificate and other SSL configurations
      SSLProxyEngine on
      ProxyRequests on
      SSLProxyVerify require 
      SSLProxyCheckPeerCN on
      SSLProxyCheckPeerName on
      SSLProxyCheckPeerExpire on
      ProxyPreserveHost on
      RequestHeader set X-Forwarded-Proto https

      # Reverse Proxy Configuration
      ProxyPass "/" "https://192.168.1.83/"
      ProxyPassReverse "/" "https://192.168.1.83/"

      # Additional SSL configurations if needed

I redirect all http to https and included the above proxy in my ssl-https conf file. The site runs normally without the inclusion (i.e. when Include .../reverse-proxy.conf is commented out). When reverse proxy is included, I get:

[Thu Jan 18 07:09:39.835368 2024] [ssl:error] [pid 46505:tid 133251102926528] [remote 192.168.1.83:443] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate
[Thu Jan 18 07:09:39.835470 2024] [ssl:error] [pid 46505:tid 133251102926528] [remote 192.168.1.83:443] AH02040: Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)
[Thu Jan 18 07:09:39.835773 2024] [proxy:error] [pid 46505:tid 133251102926528] (20014)Internal error (specific information not available): [client 119.74.38.81:51224] AH01084: pass request body failed to 192.168.1.83:443 (192.168.1.83), referer: https://acupunctureclassique.duckdns.org/
[Thu Jan 18 07:09:39.835832 2024] [proxy:error] [pid 46505:tid 133251102926528] [client 119.74.38.81:51224] AH00898: Error during SSL Handshake with remote server returned by /login/, referer: https://acupunctureclassique.duckdns.org/
[Thu Jan 18 07:09:39.835861 2024] [proxy_http:error] [pid 46505:tid 133251102926528] [client 119.74.38.81:51224] AH01097: pass request body failed to 192.168.1.83:443 (192.168.1.83) from 119.74.38.81 (), referer: https://acupunctureclassique.duckdns.org/

On the front end:

Proxy Error
The proxy server could not handle the request

Reason: Error during SSL Handshake with remote server

Apache/2.4.58 (Ubuntu) Server at acupunctureclassique.duckdns.org Port 443

Update:

apachectl -S

VirtualHost configuration:
*:443                  acupunctureclassique.duckdns.org (/etc/apache2/sites-enabled/acu-le-ssl.conf:2)
*:80                   acupunctureclassique.duckdns.org (/etc/apache2/sites-enabled/acu.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used
15
  • Please provide your full running config with apachectl -S
    – Turdie
    Commented Jan 18 at 7:51
  • 1
    There is also an issue with the certificate the logs say there are two certificates in there
    – Turdie
    Commented Jan 18 at 7:56
  • @Turdie updated with new info.
    – Sati
    Commented Jan 18 at 9:15
  • I think you saved the reverse proxy in the wrong directory, usually in apache an reverse proxy config is saved as a VirtualHost in /etc/apache2/sites-available and then with a2ensite it creates a symlink to sites-enabled. Usually you don't touch any other config files in other directories. Please also read the docs of apache a bit more.
    – Turdie
    Commented Jan 18 at 9:33
  • I already have 2 virtual hosts set up. One for http, one for https. I just Include the above reverse-proxy.conf to my https conf file because http traffic would be redirected to https.
    – Sati
    Commented Jan 18 at 9:44

2 Answers 2

3

The actual problem here turned out to be - after discussions in chat - that the user was using nginx to proxy traffic to the same nginx instance, creating a neat redirect loop, which eventually lead to a too large header-error message.

> ProxyPass "/" "https://192.168.1.83/"

You send your traffic to https://192.168.1.83. You claim this is a certificate issued by Let's encrypt, but LE will never issue a certificate for 192.168.1.83, nor will any public CA issue such a certificate. Remember that a valid certificate is not enough, it has to match the expected name - which in this case is 192.168.1.83. Your logs are pretty explicit about this as well.

You have a few alternatives:

  1. Use HTTP
  2. Use a self signed certificate and make Apache trust it using SSLProxyCACertificate directive.
  3. Use a valid domain name and acquire a valid certificate for the domain name. The domain name may resolve to 192.168.1.83, or it may be added to /etc/hosts, but Apache will match hostname and Common Name (or SAN) in certificate.
  4. Disable verification of name using SSLProxyCheckPeerName = off
  5. Disable verification using SSLProxyVerify = none, effectively disabling verification. This is more or less equivalent with using http...
-2

To reverse proxy you need to create an virtual host in /etc/apache2/sites-available. Here an example of such an VirtualHost configuration

<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    DocumentRoot /path/to/your/django/static/files

    Alias /static/ /path/to/your/django/static/files/
    <Directory /path/to/your/django/static/files>
        Require all granted
    </Directory>

    ProxyPass / http://localhost:8000/
    ProxyPassReverse / http://localhost:8000/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    DocumentRoot /path/to/your/django/static/files

    Alias /static/ /path/to/your/django/static/files/
    <Directory /path/to/your/django/static/files>
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile /path/to/your/ssl/certificate.crt
    SSLCertificateKeyFile /path/to/your/ssl/private.key
    SSLCertificateChainFile /path/to/your/ssl/chainfile.pem

    ProxyPass / https://localhost:8000/
    ProxyPassReverse / https://localhost:8000/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The https part is optional you can leave that out if you don't need https

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .