TransWikia.com

Proxy Error 502 "Error reading from remote server" Apache 2.4.18 Ubuntu with HTTPS into Docker container

Server Fault Asked by Julien G on January 26, 2021

I’m no expert and can’t see what’s the problem, but obviously this error is caused by a tiny detail it seems I can’t debug. Any idea?

What I have:
I have multiple virtual hosts configured with Apache2 that manage trafic to different websites. All with https thanks to Let’sEncrypt certbot and it works fine.

Apache 2.4.18 (Ubuntu)
Server: Ubuntu 16.04
Docker version: 19.03.5

What i’m trying to do:

I want to add a docker container to the mix while keeping my current configuration with Apache. I know I can use someting like nginx reverse companion and I already do on another server but I don’t want to in this case.

On this setup I’m trying to configure a virtual host acting as reverse proxy in Apache that will redirect traffic into the corresponding Docker Container (running a WordPress container as a test but I would want to do that with multiple applications in the future).
I know it’s in French but i found this guy that tries to do exactly the same thing as me here

What I did:

I did about the same thing as in the tutorial linked above.

  • Docker-compose file:
version: '3.3'

services:

    wordpress:
        depends_on:
            - db
        container_name: ${CONTAINER_WP_NAME}
        image: wordpress:${WORDPRESS_IMAGE}
        ports:
#            - 8080:80
            - 8081:443
        restart: always
        environment:
            WORDPRESS_DB_HOST: ${CONTAINER_DB_NAME}:3306
            WORDPRESS_DB_USER: ${MYSQL_USER}
            WORDPRESS_DB_PASSWORD: ${MYSQL_PASSWORD}
            WORDPRESS_DB_NAME: ${MYSQL_DATABASE}
            WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX}
        volumes:
            - ${WP_CORE}:/var/www/html
            - ${WP_CONTENT}:/var/www/html/wp-content
            - ./docker/config/vhost.conf:/etc/apache2/sites-enabled/vhost-ssl.conf
            - /etc/letsencrypt:/etc/letsencrypt:ro

  • config/vhost file for container

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName mydomaine.tld

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on

        SSLCertificateFile /etc/letsencrypt/live/mydomaine.tld/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mydomaine.tld/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/mydomaine.tld/chain.pem

        <FilesMatch ".(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
</IfModule>

  • sites-availabe/mydomaine.conf for apache2

<VirtualHost *:80>

       ServerName mydomaine.tld
       ProxyPreserveHost On

       ProxyPass / http://localhost:8081/ retry=1 acquire=3000 timeout=600 Keepalive=On
       ProxyPassReverse / http://localhost:8081/
       ProxyPassReverseCookieDomain localhost mydomaine.tld


       ErrorLog /srv/logs/error/mydomaine.log
       CustomLog /srv/logs/access/mydomaine.log combined


RewriteEngine on
RewriteCond %{SERVER_NAME} =mydomaine.tld
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

  • sites-available/mydomaine-le-ssl.conf for apache2
<IfModule mod_ssl.c>
<VirtualHost *:443>

       ServerName mydomaine.tld
       ProxyPreserveHost On

       SSLProxyEngine On
       SSLProxyVerify none
       SSLProxyCheckPeerCN off
       SSLProxyCheckPeerName off
       SSLProxyCheckPeerExpire off

       ProxyPass / https://localhost:8081/ retry=1 acquire=3000 timeout=600 Keepalive=On
       ProxyPassReverse / https://localhost:8081/
       ProxyPassReverseCookieDomain locahost mydomaine.tld

       ProxyRequests Off

       ErrorLog /srv/logs/error/slice.log
       CustomLog /srv/logs/access/slice.log combined


       SSLCertificateFile /etc/letsencrypt/live/mydomaine.tld/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/mydomaine.tld/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/mydomaine.tld/chain.pem
       Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>
</IfModule>

My problem: Without SSL it works fine but once I activate SSL and plug into the 443 port to connect to the website via HTTPS, I have 502 Proxy Error in the browser:

Proxy Error

The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request

Reason: Error reading from remote server

And the website logs return this error:

AH00898: Error reading from remote server returned by /
AH01102: error reading status line from remote server localhost:8081

What I tried:

I read almost every issue on this kind of error and could not debug it. I see this user has exactly the same errors as me, but his solution did not solve my problem. I tried using 80 AND 443 ports in the docker container but it does not change anything; without redirection http:// works but not https://. Everytime I have the same error.

I activated the necessary and recommanded packages and I don’t have any other error than those I described.

One Answer

I've also digged deep around the web and tried all solutions and suggestions that I could find to date.

The error in the log does not give much of a pointer but what solved it for me was adding a directive allowing some deprecated ciphersuites for the proxied server, apache coyote in my case.

Add SSLProxyCipherSuite directive. https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyciphersuite

Values can be cut and pasted from here: https://wiki.mozilla.org/Security/Server_Side_TLS

Probably try Cipher suites (TLS 1.0 - 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

And see if it gets things running and harden up from there.

Answered by Glh on January 26, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP