2 DDNS Websites behind QNAP Reverse Proxy report "Your connection is not private"

Please forgive the noob question, if anyone can provide some help it would be greatly appreciated:

I have 2 Raspberry Pi LAMP webservers each hosting wordpress sites.
Each is using DDNS.
I have installed Certbot on each and have successfully issued a certificate for each using the DDNS names.

The server I will use in this example is castingsignin.duckdns.org

My home internet is a dynamic IP address that DDNS keeps track of so castingsignin.duckdns.org will always resolve to the correct address. My router is port forwarding all 80 and 443 traffic to a QNAP server that is running a reverse proxy directing traffic for castingsignin.duckdns.org to the local IP address on my lan where the web server is located. This is working well. However I am getting "Your Connection is Not Private" errors.

If I take out the reverse proxy and port forward from my router directly to the local web server hosting castingsignin.duckdns.org, the SSL certificate works beautifully.

As soon as I forward to the reverse proxy on the QNAP, I get the error:
"This server could not prove that it is castingsignin.duckdns.org ; its security certificate is from example.myqnapcloud.com . This may be caused by a misconfiguration or an attacker intercepting your connection."

My QNAP is running its own separate Let's Encrypt SSL certificate as well for example.myqnapcloud.com (I changed the name here for security purposes)

It seems the traffic arrives at the web server and goes through the QNAP again before being delivered to the requesting computer. Is the issue with my QNAP Reverse Proxy?

How do other people host multiple websites behind a single IP and use Let's Encrypt for each site?

My domain is: castingsignin.duckdns.org

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

I assume this is a typo and you meant port 443?

Yes. The place the HTTPS (TLS) connection is terminated must have a valid cert. Your reverse proxy is terminating TLS and making another connection to your "backend" server.

A browser on the public internet only knows it is talking to your reverse proxy so needs a valid cert.

You can make any connection you wish from your QNAP to your other devices. You may even choose to use plain HTTP for those if your local network is secure.

3 Likes

Thanks so much for your response Mike.

Yes, sorry 443. That was a typo. Thanks for catching that.

I tried configuring my reverse proxy to hand off to the server using port 80 instead but I am getting the same error because, if I understand correctly, the HTTPS connection is terminated at the reverse proxy again anyhow.

(Request for https://castingsignin.duckdns.org resolves to the IP and the router hands it off to the QNAP that then the reverse proxy hands off to the internal IP http://192.168.XXX.XXX)

Is it possible to issue multiple valid certificates to the same reverse proxy, one for each of the two sites it's serving to, that way the reverse proxy handles all of the SSL transactions?

Sorry, being new to this I realize there may be a fundamental I'm missing.

1 Like

Yes. The certificate is needed at the reverse proxy. If you use HTTP from the proxy to your backend you would not need a cert for that. Which could simplify admin.

Yes.

Are you using Apache in the QNAP as your reverse proxy? If so, do you manage that Apache manually? That is, can you update the VirtualHost statements?

2 Likes

Each separate backend ubuntu webserver is running Apache and I have full access to manage those manually, but the QNAP is running the reverse proxy from an app based on the QTS OS. Not a lot of configuration options there I don't think. I see online someone else asked if you can install multiple certificates on the QNAP and the answer was no.

Would you recommend I just build my own reverse proxy server and doing away with the QNAP, something like NGINX Reverse Proxy?

Are there reverse proxy options for Apache?

Could I run the reverse proxy on the same server that is hosting one of the websites?

Thanks again for your help. I realize these latter questions are not SSL specific, but I really appreciate your overall knowledge of the scenario.

Yes; pretty much all web servers can.

I wouldn't say build one [solely for that reason/purpose].
Given: That you already have other web servers that can likely do that job as well.
But, yes to "do away with the QNAP" [as the proxy].
And if you do want to build a dedicated proxy, I would go with nginx for that.

3 Likes

Well, if QNAP says it can only proxy to one device they would know better.

When I connect to your castingsignin domain I see this cert

subject=CN = jasoncermakts321k.myqnapcloud.com
issuer=C = US, O = Let's Encrypt, CN = R3
notBefore=Jan 22 16:43:57 2024 GMT
notAfter=Apr 21 16:43:56 2024 GMT

Is that cert installed on your QNAP or one of your backend servers?

I thought I saw a self-signed cert earlier but now this is a leaf cert from Let's Encrypt. It is only the leaf and does not have the intermediate chain but that's a different issue.

In general I agree with @rg305 using a "proper" server to proxy is better. You might also look at something like caddy. But, if you know Apache well that should not be hard either.

3 Likes

The QNAP does proxy to multiple devices; http 80 works perfectly right now, it's just SSL that is the issue.

The QNAP has its own DDNS and its own Let's Encrypt SSL cert for accessing the admin interface remotely, so that's the one that you are seeing there.

I will do away with the QNAP reverse proxy and port forward 443 directly to the castingsignin.duckdns.org server and set up a reverse proxy on that server to handle its website as well as the second website.

I will have to add the second website URL to the castingsignin.duckdns.org VirtualHosts file for the SSL to then work for the second website correct?

Do both websites share the same domain name? Or are they the same domain name but just a different URI (the part after the domain name).

2 Likes

Both have completely different domain names, each one a DDNS name: duckdns.org and dyndns.org.

On your castingsignin server you will make two new VirtualHosts for your other domain name and proxy requests to your other Apache server using its local IP. I'll use jason.duck as your other domain name.

I like to have one cert that has all the names in a single VirtualHost for port 443. In your case you'd have two certs then. One for dyn names and one for ducks. Both certs managed on your casting server.

The new VHost for port 80 on casting will have a ServerName for jason.duck (and maybe ServerAlias www.jason.duck). It will mostly just redirect requests to httpS://jason.duck. And, can handle the HTTP Challenge to get a cert (I presume you are using this kind).

The new VHost for port 443 on casting is also simple. The same ServerName/Alias as the new port 80 one, the basic SSL config and then a proxypass to local IP of jason.duck's Apache. You can even use HTTP if your network between these two is secure. Or, use a self-signed cert in jason.duck for HTTPS if you want. Example:

    ProxyPass "/" "http://ip.for.jason.duck/"
    ProxyPassReverse "/" "http://ip.for.jason.duck/"

See Apache docs for other options.

You could also makeup a local name to replace that IP address. Say internal.jason.duck and use that in the proxy statements and in that other server's ServerAlias name. Put this local name in your hosts file on all your local machines.

Does that help?

2 Likes
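
An added example of the two VirtualHosts described above (example config, not Mike's or the thread's own): the castingsignin server holds jason.duck's certificate, terminates TLS, and proxies plain HTTP to the second Pi. jason.duck, the backend address 192.168.0.20 and the webroot /var/www/letsencrypt are placeholders.

```apache
# Added example, not from the thread. Placeholders: jason.duck (the other DDNS
# name), 192.168.0.20 (the second Pi's LAN IP), /var/www/letsencrypt (webroot).
# Needs: a2enmod ssl proxy proxy_http rewrite headers

# Port 80: answer the HTTP-01 challenge locally, redirect everything else to HTTPS.
<VirtualHost *:80>
    ServerName jason.duck
    ServerAlias www.jason.duck

    # certbot --webroot writes challenge files here; they are served directly, not proxied.
    DocumentRoot /var/www/letsencrypt

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: TLS terminates here, so this vhost must present jason.duck's own cert.
# Apache picks this vhost from the SNI name the browser sends, which is what was
# failing when the QNAP answered with its myqnapcloud.com cert instead.
<VirtualHost *:443>
    ServerName jason.duck
    ServerAlias www.jason.duck

    SSLEngine on
    # fullchain.pem includes the intermediate, avoiding the leaf-only problem noted above.
    SSLCertificateFile    /etc/letsencrypt/live/jason.duck/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/jason.duck/privkey.pem

    # Plain HTTP on the LAN hop; acceptable only if you trust your local network.
    # ProxyPreserveHost keeps the Host header so the backend Apache matches its own vhost.
    ProxyPreserveHost On
    ProxyPass        "/" "http://192.168.0.20/"
    ProxyPassReverse "/" "http://192.168.0.20/"

    # Tell the backend (and WordPress) the client actually used HTTPS,
    # otherwise a site configured with an https:// URL may redirect in a loop.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

With the port 80 vhost live, `certbot certonly --webroot -w /var/www/letsencrypt -d jason.duck -d www.jason.duck` on the castingsignin server obtains the certificate the 443 vhost references.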

@MikeMcQ and @rg305, you guys are amazing. Thank you so much for taking the time to help me understand how the certs work in this scenario. I wasn't able to find anything online that laid it out this well.

I've never set something like this up before but I'll give this a shot and let you know how it goes.

3 Likes

I got it working thanks to your help!

I found this fantastic post outlining exactly my scenario: multiple Raspberry Pi Apache Ubuntu servers hosting DDNS wordpress websites behind a single home dynamic IP:

It fleshes out very well what you explained to me in this post.

First Apache server serves the webpage it's hosting, and also acts as a reverse proxy server passing on requests for the second webpage on the second Apache server.
As you suggested I have the first server handle all the SSL requests with Let's Encrypt SSL certificates using Certbot, and the requests are passed to the http port 80 on the internal network for speed and configuration simplicity.

It's incredible to be able to host multiple websites with no ongoing expenses except power and cost of home internet, and running on inexpensive Raspberry Pi servers. For low traffic websites, not having to pay for SSL, Web Hosting and DNS is a game changer.

3 Likes
