Server Fault Asked by Julien G on January 26, 2021
I’m no expert and can’t see what’s the problem, but obviously this error is caused by a tiny detail it seems I can’t debug. Any idea?
What I have:
I have multiple virtual hosts configured with Apache2 that manage trafic to different websites. All with https thanks to Let’sEncrypt certbot and it works fine.
Apache 2.4.18 (Ubuntu)
Server: Ubuntu 16.04
Docker version: 19.03.5
What i’m trying to do:
I want to add a docker container to the mix while keeping my current configuration with Apache. I know I can use someting like nginx reverse companion and I already do on another server but I don’t want to in this case.
On this setup I’m trying to configure a virtual host acting as reverse proxy in Apache that will redirect traffic into the corresponding Docker Container (running a WordPress container as a test but I would want to do that with multiple applications in the future).
I know it’s in French but i found this guy that tries to do exactly the same thing as me here
What I did:
I did about the same thing as in the tutorial linked above.
version: '3.3'
services:
wordpress:
depends_on:
- db
container_name: ${CONTAINER_WP_NAME}
image: wordpress:${WORDPRESS_IMAGE}
ports:
# - 8080:80
- 8081:443
restart: always
environment:
WORDPRESS_DB_HOST: ${CONTAINER_DB_NAME}:3306
WORDPRESS_DB_USER: ${MYSQL_USER}
WORDPRESS_DB_PASSWORD: ${MYSQL_PASSWORD}
WORDPRESS_DB_NAME: ${MYSQL_DATABASE}
WORDPRESS_TABLE_PREFIX: ${WORDPRESS_TABLE_PREFIX}
volumes:
- ${WP_CORE}:/var/www/html
- ${WP_CONTENT}:/var/www/html/wp-content
- ./docker/config/vhost.conf:/etc/apache2/sites-enabled/vhost-ssl.conf
- /etc/letsencrypt:/etc/letsencrypt:ro
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName mydomaine.tld
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/mydomaine.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomaine.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomaine.tld/chain.pem
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
<VirtualHost *:80>
ServerName mydomaine.tld
ProxyPreserveHost On
ProxyPass / http://localhost:8081/ retry=1 acquire=3000 timeout=600 Keepalive=On
ProxyPassReverse / http://localhost:8081/
ProxyPassReverseCookieDomain localhost mydomaine.tld
ErrorLog /srv/logs/error/mydomaine.log
CustomLog /srv/logs/access/mydomaine.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =mydomaine.tld
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mydomaine.tld
ProxyPreserveHost On
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass / https://localhost:8081/ retry=1 acquire=3000 timeout=600 Keepalive=On
ProxyPassReverse / https://localhost:8081/
ProxyPassReverseCookieDomain locahost mydomaine.tld
ProxyRequests Off
ErrorLog /srv/logs/error/slice.log
CustomLog /srv/logs/access/slice.log combined
SSLCertificateFile /etc/letsencrypt/live/mydomaine.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomaine.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/mydomaine.tld/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
My problem: Without SSL it works fine but once I activate SSL and plug into the 443 port to connect to the website via HTTPS, I have 502 Proxy Error in the browser:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: Error reading from remote server
And the website logs return this error:
AH00898: Error reading from remote server returned by /
AH01102: error reading status line from remote server localhost:8081
What I tried:
I read almost every issue on this kind of error and could not debug it. I see this user has exactly the same errors as me, but his solution did not solve my problem. I tried using 80 AND 443 ports in the docker container but it does not change anything; without redirection http:// works but not https://. Everytime I have the same error.
I activated the necessary and recommanded packages and I don’t have any other error than those I described.
I've also digged deep around the web and tried all solutions and suggestions that I could find to date.
The error in the log does not give much of a pointer but what solved it for me was adding a directive allowing some deprecated ciphersuites for the proxied server, apache coyote in my case.
Add SSLProxyCipherSuite directive. https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxyciphersuite
Values can be cut and pasted from here: https://wiki.mozilla.org/Security/Server_Side_TLS
Probably try Cipher suites (TLS 1.0 - 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
And see if it gets things running and harden up from there.
Answered by Glh on January 26, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP