
I have a Matrix home server and a Django web app sitting on VMs at 192.168.81 and 192.168.83 respectively. The home server is built with matrix-docker-ansible-deploy and runs on nginx. It obtains and renews SSL certificates through Traefik with Let's Encrypt.

The web app uses a Let's Encrypt certificate of its own. Though I can get and have gotten them to work independently, I am having trouble getting them to work together, on the same 80 and 443 ports.

After setting up reverse proxy on the web app side to divert traffic from its domain, like so:

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/mysite.org/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mysite.org/fullchain.pem
    # Enable SSL Proxy Engine
    SSLProxyEngine On
    ProxyPass / https://192.168.1.83/
    ProxyPassReverse / https://192.168.1.83/

I get:

[Wed Jan 17 07:13:21.567813 2024] [core:notice] [pid 33994:tid 125031783462784] AH00094: Command line: '/usr/sbin/apache2'
[Wed Jan 17 07:15:23.409061 2024] [proxy:error] [pid 34272:tid 125031640188608] (20014)Internal error (specific information not available): [client 192.168.1.85:44054] AH01084: pass request body failed to 192.168.1.83:443 (192.168.1.83)
[Wed Jan 17 07:15:23.409180 2024] [proxy:error] [pid 34272:tid 125031640188608] [client 192.168.1.85:44054] AH00898: Error during SSL Handshake with remote server returned by /
[Wed Jan 17 07:15:23.409209 2024] [proxy_http:error] [pid 34272:tid 125031640188608] [client 192.168.1.85:44054] AH01097: pass request body failed to 192.168.1.83:443 (192.168.1.83) from 192.168.1.85 ()
[Wed Jan 17 07:15:23.715825 2024] [proxy:error] [pid 34273:tid 125031648581312] (20014)Internal error (specific information not available): [client 192.168.1.85:44070] AH01084: pass request body failed to 192.168.1.83:443 (192.168.1.83), referer: https://192.168.1.83/
[Wed Jan 17 07:15:23.715945 2024] [proxy:error] [pid 34273:tid 125031648581312] [client 192.168.1.85:44070] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://192.168.1.83/
[Wed Jan 17 07:15:23.715970 2024] [proxy_http:error] [pid 34273:tid 125031648581312] [client 192.168.1.85:44070] AH01097: pass request body failed to 192.168.1.83:443 (192.168.1.83) from 192.168.1.85 (), referer: https://192.168.1.83/


Update:

Since running the two servers on the same port would almost certainly mess up the SSL certification (unless we want them to share the same cert and use a reverse proxy on a separate server to redirect traffic from the separate domains to their own respective internal servers), I would like to use ports other than 80 and 443 to host my web app.

How should I go about doing this?

Sati

1 Answer


This is because the SSL/TLS certificate presented by the backend, 192.168.1.83:443, is not valid: for a valid certificate you always need a domain name.

I believe if you were to open https://192.168.1.83/ in a browser (given, of course, that the IP 192.168.1.83 is accessible), you would get the "Connection not secure" warning.

Your options are (roughly in order of difficulty):

  1. Blindly trust the backend network and use SSL only on the forward proxy, connecting to the backends via plain HTTP. If your Apache forward proxy is running on the same machine as those VMs, and you control both the forward proxy and the VMs, this is what I would do.
  2. Do not trust the backend network and encrypt on both the frontend and the backend; then you need to either
    • use domain names valid for the certificate to connect to the backend (potentially configuring the IP for the domain in your hosts file), and ensure the certificate is itself valid and gets renewed
    • set trust on the certificates explicitly for this connection in the Apache config
    • set up your own CA for the backend services and configure it as trusted on the forward proxy (but be aware that you easily get yourself deep into the danger zone once handling your own CA!)
    • I would not recommend configuring the forward proxy to connect via SSL without properly validating the certificate (e.g. disabling SSLProxy* options); instead go for option 1 when the backend network is trusted and one of the three above if not.
  3. Encrypt on the backend only and use SNI load balancing in place of your Apache forward proxy to forward the HTTPS traffic to your backend without re-encryption (in my opinion a more advanced setup than option 1, and I don't know whether Apache is suited for this application).
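As an added example (not code from the question or the answer), the Apache mod_ssl settings that implement option 2 with proper validation, beside the unvalidated variant the answer advises against and the plain-HTTP option 1. It assumes a host name backend.internal that is covered by the backend's Let's Encrypt certificate and is mapped to 192.168.1.83 in the proxy's /etc/hosts, and the Debian/Ubuntu CA bundle path.

```apache
# Added example, not from the question or the answer: mod_ssl fragments
# for the answer's options 1 and 2. Assumed: backend.internal is a name
# covered by the backend's Let's Encrypt certificate and is mapped to
# 192.168.1.83 in the proxy's /etc/hosts; the CA bundle path is Debian's.

# --- Discouraged (option 2, last bullet): encrypts the hop but accepts
# any certificate, so whatever answers on 192.168.1.83:443 is trusted
# without any check.
#   SSLProxyEngine On
#   SSLProxyVerify none
#   SSLProxyCheckPeerCN off
#   SSLProxyCheckPeerName off
#   ProxyPass / https://192.168.1.83/

# --- Option 2: encrypt to the backend and validate its certificate.
<VirtualHost *:443>
    ServerName mysite.org
    SSLEngine On
    SSLCertificateFile      /etc/letsencrypt/live/mysite.org/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/mysite.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mysite.org/fullchain.pem

    SSLProxyEngine On
    # Trust anchors for the backend certificate: Let's Encrypt chains to
    # a public root, so the system bundle suffices (assumed path).
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    # Reject the handshake unless the certificate matches the host name
    # in ProxyPass and is unexpired; an IP-based URL cannot pass this.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on

    # Connect by the name on the certificate, not by the raw IP.
    ProxyPass        / https://backend.internal/
    ProxyPassReverse / https://backend.internal/
</VirtualHost>

# --- Option 1: backend network trusted, TLS terminated on the proxy only.
# Same SSLEngine/SSLCertificate* lines as above, then:
#   ProxyPass        / http://192.168.1.83/
#   ProxyPassReverse / http://192.168.1.83/
#   RequestHeader set X-Forwarded-Proto "https"   # needs mod_headers
```

With option 2 in place, a handshake failure in the error log now means the backend certificate genuinely does not match or has expired, rather than the proxy being pointed at a bare IP.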