3.1 update reverse proxypass (apache)

Discussion in 'Developers' Forum' started by Rein van 't Veer, Jun 10, 2016.

  1. Hi,

I'm using the following Apache directives to give my clients the control panel over https (port 443) instead of 9999:

    Code:
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass / https://127.0.0.1:9999/
    ProxyPassReverse / https://127.0.0.1:9999/
The SSL checks are just to bypass a false certificate ;-).

    My firewall is blocking port 9999, so it's not less secure imo.

    But: something goes wrong with the loading of the page.

    Chrome adds /login/ (as expected; otherwise a session would already exist),
    BUT: other URLs also get the /login/ prefix:

    Code:
    jquery.min.js:4 GET https://control.ichtushosting.com/login/nav.php?nav=side 404 (Not Found)send @ jquery.min.js:4ajax @ jquery.min.js:4loadMenus @ ispconfig.min.js:1loadInitContent @ ispconfig.min.js:1(anonymous function) @ ispconfig.min.js:1dispatch @ jquery.min.js:3r.handle @ jquery.min.js:3trigger @ jquery.min.js:3triggerHandler @ jquery.min.js:3ready @ jquery.min.js:2I @ jquery.min.js:2
    jquery.min.js:4 GET https://control.ichtushosting.com/login/dashboard/dashboard.php 404 (Not Found)send @ jquery.min.js:4ajax @ jquery.min.js:4loadInitContent @ ispconfig.min.js:1(anonymous function) @ ispconfig.min.js:1dispatch @ jquery.min.js:3r.handle @ jquery.min.js:3trigger @ jquery.min.js:3triggerHandler @ jquery.min.js:3ready @ jquery.min.js:2I @ jquery.min.js:2
    jquery.min.js:4 GET https://control.ichtushosting.com/login/keepalive.php 404 (Not Found)send @ jquery.min.js:4ajax @ jquery.min.js:4keepalive @ ispconfig.min.js:1loadInitContent @ ispconfig.min.js:1(anonymous function) @ ispconfig.min.js:1dispatch @ jquery.min.js:3r.handle @ jquery.min.js:3trigger @ jquery.min.js:3triggerHandler @ jquery.min.js:3ready @ jquery.min.js:2I @ jquery.min.js:2
    jquery.min.js:4 GET https://control.ichtushosting.com/login/nav.php?nav=top 404 (Not Found)send @ jquery.min.js:4ajax @ jquery.min.js:4loadMenus @ ispconfig.min.js:1loadInitContent @ ispconfig.min.js:1(anonymous function) @ ispconfig.min.js:1dispatch @ jquery.min.js:3r.handle @ jquery.min.js:3trigger @ jquery.min.js:3triggerHandler @ jquery.min.js:3ready @ jquery.min.js:2I @ jquery.min.js:2
    This should be:
    Code:
    https://control.ichtushosting.com/dashboard/dashboard.php
    https://control.ichtushosting.com/nav.php?nav=top
    https://control.ichtushosting.com/keepalive.php
    
    Right?
     
2. Jesse Norell (Well-Known Member)

I just set this up earlier this week; what I have, and which seems to work fine (haven't seen any session issues), using port 8080 is:
    Code:
    # cat /etc/apache2/conf-enabled/local.conf
    # local (to this server) config snippets
    
    Alias /webmail /var/lib/roundcube
    
    <IfModule mod_proxy.c>
        ProxyRequests Off
    </IfModule>
    
    Code:
    # cat /etc/apache2/sites-enabled/000-default.conf
    <VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName default
    
        ServerAdmin [email protected]
        DocumentRoot /var/www/html
    
        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    
        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
    </VirtualHost>
    
    <VirtualHost *:80>
        ServerName controlpanel.domain.com
        ServerAdmin [email protected]
    
        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
            RewriteRule ^ - [END]
            RewriteCond %{HTTPS} off
            RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        </IfModule>
    
        DocumentRoot /var/www/html
    
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    Code:
    # cat /etc/apache2/sites-enabled/000-default-ssl.conf
    <IfModule mod_ssl.c>
        ## This is the default *:443 host, displaying a placeholder page
        <VirtualHost *:443>
            ServerName default
            ServerAdmin [email protected]
    
            ServerSignature Off
    
            SSLEngine on
            SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
            SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
            #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
            SSLProtocol All -SSLv3
    
            SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder On
    
            DocumentRoot /var/www/html
    
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
            </Directory>
    
            BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
            BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    
            <IfModule mod_headers.c>
              Header always add Strict-Transport-Security "max-age=15768000"
            </IfModule>
    
        </VirtualHost>
    
        ## This is the default controlpanel.domain.com for https (port 443),
        ## proxy to the real control panel on port 8080
        <VirtualHost *:443>
            ServerName controlpanel.domain.com
            ServerAdmin [email protected]
    
            ServerSignature Off
    
            SSLEngine on
            SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
            SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
            #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
            SSLProtocol All -SSLv3
    
            SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder On
    
            DocumentRoot /var/www/html
    
            SSLProxyEngine on
            <IfModule mod_proxy.c>
                ProxyRequests Off
                ProxyPreserveHost On
                ProxyPass /webmail "!"
                ProxyPass /roundcube "!"
                ProxyPass /squirrelmail "!"
                ProxyPass /phpmyadmin "!"
                ProxyPass / https://127.0.0.1:8080/
                ProxyPassReverse / https://127.0.0.1:8080/
            </IfModule>
    
            BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
            BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    
            <IfModule mod_headers.c>
              Header always add Strict-Transport-Security "max-age=15768000"
            </IfModule>
    
        </VirtualHost>
</IfModule>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    
I had to enable the proxy and proxy_http Apache modules.

    The 000-default-ssl.conf contents are mostly from 000-ispconfig.vhost (I'd love it if the SSL settings were in a common file included by both 000-ispconfig.vhost and 000-default-ssl.conf, so I don't have to try to manually track SSLCipherSuite changes and such).

    I think letsencrypt is still working with this (need to test more), but webmail and other things are fine so far. If you're running 3.1, you can easily set up letsencrypt for your control panel as well and get rid of the certificate errors.
     
  3. It was a bit more complicated for my setup, but I made it work :).

Control panel = https://control.domain.com
    Not listening on port 9999 anywhere
    Uses the default 000-ispconfig.vhost
    At the moment uses Let's Encrypt certificates

    Todo: configure Let's Encrypt to auto-renew these certificates.
     
4. luisdyablo619 (New Member)

Rein, how did you get the control panel to be on a subdomain?
     
  5. I added a new website (not subdomain) with control.domain.com as name.
    Afterwards I added this into the Apache options (on the Options tab, apache directives):

    Code:
    SSLProxyEngine On
    ProxyPreserveHost On
SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass /.well-known/ !
    ProxyPass / https://localhost:8099/
    ProxyPassReverse / https://localhost:8099/
    
The SSL options are needed because ISPConfig listens on HTTPS; the `ProxyPass /.well-known/ !` makes sure the request from Let's Encrypt is not forwarded.

    The other ProxyPass options are there to forward the request to the internal localhost on port 8099 :)
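As an added example (not from this thread, ISPConfig or Apache), a small Python linter over a ProxyPass snippet like the ones in posts 2 and 5. It checks the points those two configs rely on: `ProxyRequests` must not be On (otherwise the vhost is an open forward proxy), `!` exclusions such as `/.well-known/` must come before the catch-all `ProxyPass /` because Apache matches ProxyPass rules in configuration order, disabling backend certificate checks is only acceptable when the backend is loopback, and every `ProxyPass` needs a matching `ProxyPassReverse`. Both sample snippets are constructed from the directives in this thread; `10.0.0.5` is a made-up backend address.

```python
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
# Constructed samples: the working snippet from post 5, and a broken one (open
# proxy, exclusion after the catch-all, non-loopback backend, no ProxyPassReverse).
GOOD = """SSLProxyVerify none
SSLProxyCheckPeerName off
ProxyPass /.well-known/ !
ProxyPass / https://localhost:8099/
ProxyPassReverse / https://localhost:8099/
"""
BAD = """ProxyRequests On
SSLProxyVerify none
ProxyPass / https://10.0.0.5:8080/
ProxyPass /.well-known/ "!"
"""

def lint_proxy_config(text):
    """Return a list of findings; ProxyPass rules are matched in config order."""
    findings, passes, reverses = [], [], set()
    verify_off = requests_on = False
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), [a.strip('"') for a in parts[1:]]
        flag = args[0].lower() if args else ""
        if name == "proxyrequests" and flag == "on":
            requests_on = True                  # forward proxying enabled
        elif (name == "sslproxyverify" and flag == "none") or (
                name.startswith("sslproxycheckpeer") and flag == "off"):
            verify_off = True                   # backend cert not validated
        elif name == "proxypass" and len(args) == 2:
            passes.append((args[0], args[1]))
        elif name == "proxypassreverse" and len(args) == 2:
            reverses.add(args[0])
    if requests_on:
        findings.append("ProxyRequests On: this vhost is an open forward proxy")
    catchall = next((i for i, (p, t) in enumerate(passes) if p == "/" and t != "!"), None)
    for i, (path, target) in enumerate(passes):
        if target == "!":                       # exclusion such as /.well-known/
            if catchall is not None and i > catchall:
                findings.append(f"exclusion for {path} is after 'ProxyPass /' and never matches")
            continue
        url = urlparse(target)
        if url.scheme == "https" and verify_off and url.hostname not in LOOPBACK:
            findings.append(f"peer checks disabled but backend {url.hostname} is not loopback")
        if path not in reverses:
            findings.append(f"ProxyPass {path} lacks ProxyPassReverse; redirects would reveal {target}")
    return findings
```

Running `lint_proxy_config(GOOD)` returns no findings, while `lint_proxy_config(BAD)` reports all four problems.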
     
  6. luisdyablo619 (New Member)

    So I did as you mentioned above but I got the following error:

    Code:
    Internal Server Error
    The server encountered an internal error or misconfiguration and was unable to complete your request.
    
    Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.
    
    More information about this error may be available in the server error log.
    
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
    
    Apache/2.4.29 (Ubuntu) Server at wpanel.domain.com  Port 443
     
7. On which port is your ISPConfig control panel currently accessible?
     
8. luisdyablo619 (New Member)

    I believe only in 8080.

    I changed the code to 8080 from 8099.
     
9. Check your error logs; maybe you need to enable the proxy modules in Apache?
     
  10. luisdyablo619 (New Member)

    Yes it worked perfectly, just had to enable the proxy modules, I thought I had already done so. Thanks!
     