Problems with Apache proxy with Let's encrypt

Hello,
I am experiencing problems accessing a site with Apache Proxy Server with SSL access.

Configuration:

Internet → (https) → Apache Proxy → (http) → Joomla (Apache)
Display does not work properly.

Internet → (http) → Apache Proxy → (http) → Joomla (Apache)
Representation works correctly.

VirtualHost Proxy without SSL (test.koller.ch)

<VirtualHost *:80>
    ServerName test.koller.ch
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Reverse proxy only: pass the client's Host header through to the backend
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia full
    ProxyPass / http://192.168.1.34/
    ProxyPassReverse / http://192.168.1.34/
</VirtualHost>

VirtualHost Proxy with SSL

<VirtualHost *:443>
    ServerName oc.koller.ch
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # TLS terminates here; the backend is reached over plain HTTP
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.34:80/
    ProxyPassReverse / http://192.168.1.34:80/

    SSLCertificateFile /etc/letsencrypt/live/koller.ch/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/koller.ch/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Apache log see attachment
LogApacheMitOhneSSL-EN.txt (10.3 KB)

Does anyone have any ideas to help solve this?

Thanks in advance for your efforts.

Can you explain what the problem is? I see many HTTP 200 OK responses in your log for both domain names. I also successfully connect to both of your domain names.

5 Likes

Your certificate is not valid for the test subdomain.

2 Likes

It is not. But, in the log they used test domain with http and robert domain (*) for https. They both work like that but I agree the test domain is not in the cert so would show errors if tried with https.

(*) The first post shows VirtualHost for oc domain but the log is robert for https. I see both oc and robert working fine and both those names are in the cert.

5 Likes

Yes. I therefore only use test.koller.ch with http.

Yes, the log is different. Sorry for the confusion. I first tested the configuration with robert.koller.ch and extracted the log. But to continue using robert.koller.ch, I set up oc.koller.ch as domain name for https. It behaves exactly the same.

So testing is now possible with

or
http://test.koller.ch

But what is the problem? Please explain.

And, did you mean to type oc rather than nc? Because I do see a problem with the nc domain in that it redirects to HTTP from HTTPS.

curl -I https://nc.koller.ch
HTTP/1.1 302 Found
Server: Apache/2.4.41 (Ubuntu)
Location: http://nc.koller.ch/index.php/login

Many http headers omitted for readability

5 Likes

This site has mixed content (CSS), which is blocked by the browser.

3 Likes

With http://test.koller.ch the display of the website of the internal server 192.168.1.34 works.

With encryption https://oc.koller.ch the display of the website of the internal server 192.168.1.34 does NOT work correctly.

What does that do?
And why are they only used on the HTTP server block?

And just for overall neatness, you can remove the :80 from these:

3 Likes

I can't relate to that. Wouldn't the log be identical then?
Thanks for the answer.

As osiris pointed out you have mixed content. Your website can be connected with HTTPS just fine. That means your certificates are fine. But take a look at this site

7 Likes

Please check your log yourself: in one of the two parts there are requests for .css files visible while in the other part there are none. They are blocked by the client, so no, the logs wouldn't be identical.

3 Likes

Thank you Osiris. I now understand that this is a source of error.

Do you have any idea how I can fix it? And why this error does not occur without encryption (http)?

1 Like

Change http:// in your code to https://. Note that HTML/server side scripting is not the expertise of this Community :wink:

Because without HTTPS there is no mixed content possible? Please search the meaning of "mixed content" if you don't know what it is and educate yourself :slight_smile:

3 Likes

The WhyNoPadlock link I provided earlier describes exactly what changes are needed. Even shows the line numbers.

6 Likes
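
The mixed-content check discussed above, as an added example that is not part of the original thread: a small Python scanner that lists the subresources an HTTPS page would load over http://, split into active content (blocked by browsers, like the CSS here) and passive content. The sample HTML and its paths are constructed for illustration; the scanner also honours a `<base href>` tag, because an http:// base makes relative links resolve to http://.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# (tag, attribute) pairs that load a subresource, and how browsers classify them.
SUBRESOURCES = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("link", "href"): "active", ("object", "data"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    """Collect subresources that resolve to http:// URLs."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the page carries <base href>
        self.findings = []     # (kind, tag, line, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            return
        # Only stylesheet links are checked; other rel values are skipped here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, attr), kind in SUBRESOURCES.items():
            if t == tag and attrs.get(attr):
                url = urljoin(self.base, attrs[attr])
                if urlparse(url).scheme == "http":
                    self.findings.append((kind, tag, self.getpos()[0], url))

def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # a page loaded over http:// cannot have mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample of what a backend that believes it is served over HTTP may emit.
SAMPLE = """<html><head>
<base href="http://oc.koller.ch/">
<link rel="stylesheet" href="templates/site/css/template.css">
<link rel="stylesheet" href="https://oc.koller.ch/media/system.css">
</head><body>
<img src="http://oc.koller.ch/images/logo.png">
<a href="http://oc.koller.ch/index.php">Home</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, line, url in find_mixed_content("https://oc.koller.ch/", SAMPLE):
        print(f"line {line}: {kind} <{tag}> -> {url}")
```

Plain `<a href>` links are not reported because following a link is navigation, not a subresource load.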

@Osiris
Thank you Osiris. You have helped my understanding a lot. In this respect I am now closer to a solution :wink:

2 Likes

Thank you Mike McQ. This website is really a help.

2 Likes
