I just set up a JupyterHub and wanted to proxy a subdomain to the according port (sub.domain.com should point to 127.0.0.1:5000) in this case.
So I used ProxyPass and ProxyPassReverse in my server.conf. To my confusion, when setting up the redirect for the SSL-Site, it did not work when i proxied to https://127.0.0.1:5000 but I had to proxy to http://127.0.0.1:5000. Otherwise my browser would show a 500 - Proxy Error ("Error during SSL Handshake with remote server".)
So: Is the security of my connection in any way compromised when redirecting to http? And more important: Why does it not work when I redirect to https://?
This is my full .conf:
<VirtualHost XX.XXX.XXX:XX:80>
SuexecUserGroup "#1000" "#1000"
ServerName sub.domain.com
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
<VirtualHost XX.XXX.XXX:XX:443>
SuexecUserGroup "#1000" "#1000"
ServerName sub.domain.com
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/sub.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.com/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
SSLProxyEngine On
#SSLProxyVerify none
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
I already played around with the ProxyEngine Options, but couldn't make it work.
CodePudding user response:
Since your JupiterHub is running with plain HTTP on 127.0.0.1:5000 you need to use ProxyPass http://127.0.0.1:5000
. Using https://...
instead would mean that Apache would try to connect to your JupiterHub by HTTPS, which fails because it does not speak HTTPS.
This plain HTTP connection is internal on your machine only though. For external access you have Apache as reverse proxy which based on your configuration provides both HTTP and HTTPS access from outside and proxies it internally to your JupiterHub. Proxying plain HTTP directly to your JupiterHub is likely a bad idea though, instead it should redirect to the HTTPS version of your site with something like this:
<VirtualHost XX.XXX.XXX:XX:80>
ServerName sub.example.com
Redirect permanent / https://subexample.com/
</VirtualHost>
Additionally it is recommended to enforce HTTPS for the site by setting HSTS.
So: Is the security of my connection in any way compromised when redirecting to http?
The traffic can be intercepted if you keep proxying plain HTTP from outside directly to your JupiterHub instead of redirecting it to HTTPS. As for needing HTTPS on localhost itself see Is there a benefit to having SSL connections on localhost?