Force ssl on reverse proxy?

Hello,

I'm using a Virtualmin virtual host site as a reverse proxy to our Rocket.Chat server. I have a Let's Encrypt cert generated through Virtualmin. However, I'm having a hard time trying to figure out how to force SSL. When I put in https://myserver.com:3000 on the destination, the site fails. http://myserver.com:3000 works just fine, though. Only Safari seems to automatically try https. Firefox and Chrome do not so I'd like to ensure all users are going over https.

Thanks in advance for any advice on how to do this!

Ryan

Status: 
Active

Comments

What goes wrong when you try an https URL exactly?

I think the issue is the destination is not really running https. The reverse proxy takes care of that, right? So if you go to chat.cloudapps.northwesterrn.edu, depending on the browser, it is not always over SSL. So far Safari is the only browser that auto redirects. I also put a .htaccess file in the virtualmin host to force the redirect but that doesn't force SSL.

I think this is where I'm supposed to force the redirect, right? Just not sure what values I should plug-in.

https://owncloud.sesp.northwestern.edu/index.php/s/d8IvVV0Ij5oOSY8

I'm looking at the sites-enabled config, and this is what is listed:

ProxyPass /git/ ! ProxyPassReverse /git/ ! ProxyPass / http://chat.apps.northwestern.edu:3000/ ProxyPassReverse / http://chat.apps.northwestern.edu:3000/

Is there something I can add?

Maybe the issue is that the chat app doesn't know it is being accessed via SSL, and is issuing redirects via javascript or HTML to the wrong protocol? If that's the case, Apache won't correct them automatically.

Actually, if you manually put https:// in the address is fine. I'm just trying to ensure everyone accesses the Rocket.Chat site through https://. With a normal Virtualmin hosted site is use place this .htaccess file in the root of public_html.

RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

So I'm just wondering how I force this kind of behavior with the reverse proxy function in Virtualmin.

Does it make sense what I'm trying to do?

I think what you really want to do is instead setup an HTTP -> HTTPS redirect in virtualmin. This can be done on the Aliases and Redirects page, by creating a redirect from / for the HTTP website only.

Can I access your actual website to see what's going on with the redirects?

Sorry for the late response. The site in question is chat.cloudapps.northwestern.edu which should auto redirect to https://chat.cloudapps.northwestern.edu

Or are you asking to access our Webmin/Virtualin Pro instance?

Yes, it would be very useful if I could login to your system and take a look at the configs to see why the redirect isn't working.

Unfortunately we can't do that on our side without opening port 10000 on the firewall. Let's table the issue for now. Thanks, Jamie!

Ok .. the issue may be that Apache does the proxying before it applies any redirects. I don't have a good solution to that, sorry :-(

I had exactly the same issue on the domains that have a proxy to Tomcat. Here's what I have done in VIrtualmin:

in Virtualmin, open the domain virtualhost -> Server Configuration -> Website Redirects ->Add a news website redirect Choose Source URL path "/" and as destination URL at other website "https://yourdomain.com"; uncheck SSL website

Then go to Services -> Configure Website for SSL -> Aliases and Redirects In "Map local to remote URLs" and "Map remote Location: headers to a local" write "/" as local source URL path and "http://yourproxy.com" (in my case I don't have a proxy to https, only the source domain has to be https - that's fine as apache2 and tomcat are running on the same server)

That's it! This avoids the issue of the proxy being activated before the redirect. If http://yourdomain.com is opened, there is a redirect to https://yourdomain.com and from (only) https://yourdomain.com the proxy is activated.

As the proxying seems to happen before redirects are applied, it would be great if the Edit Proxy Website feature in Virtualmin could be configured for HTTPS only, allowing the redirect to take place.

unborn's picture
Submitted by unborn on Sat, 05/06/2017 - 11:04 Pro Licensee

@sespit

perhaps its all right - been there its just one thing to be moded - If you using proxy but still need to use lets encrypt - you should setup in virtualmin proxy website to go on http://localhost:port save it and apply it. that should work for non https. Then you should go and edit in Webmin > Servers > apache > global configuration > Edit Config Files and there select the config file for the domain you using for that rocket chat app and tell apache to not poxying .well-known (example: ProxyPass /.well-known ! Alias.....etc - all can be found on apache website docs.) folder so lets enctrypt auto renewal will work in future. That will give you https with lets encrypt enabled without issues in future also redirect your domain.com to whatever :3000 port to looking just like domain.com.

There is no point to have https from your domain hosted on your server pointing to localhost:3000 via https as connection is already happening on your server only so http between app and apache can be safely established as anything between client/web browser needs to be https..

I know I am late too this party but I had this problem aswell. @unborn solution worked for me Went and edited manually the configuration file of the domain i am using for the rocket chat. Removed the reverseproxy completely from the *:80 and added the Redirect from http:// to https:// there. Saved , applied the new settings to apache and voila! it worked!

unborn's picture
Submitted by unborn on Mon, 01/29/2018 - 10:48 Pro Licensee

@d3sync great to hear that.. from what I was saying it was - public domain should be on https: from there going on same lan via https since its local net so it should be http - simple proxying should be secure and enough - however I dont know if your web app behind the proxy on local net supports this (you know logins etc but I guess it did) :)

thanks.