Apache2 Proxy Pass: Why don't I need to redirect to http*s*:// for SSL?

Time:01-10

I just set up a JupyterHub and wanted to proxy a subdomain to the corresponding port (in this case, sub.domain.com should point to 127.0.0.1:5000).

So I used ProxyPass and ProxyPassReverse in my server.conf. To my confusion, when setting up the redirect for the SSL site, it did not work when I proxied to https://127.0.0.1:5000; I had to proxy to http://127.0.0.1:5000 instead. Otherwise my browser would show a 500 - Proxy Error ("Error during SSL Handshake with remote server").

So: Is the security of my connection in any way compromised when redirecting to http? And more important: Why does it not work when I redirect to https://?

This is my full .conf:

<VirtualHost XX.XXX.XXX:XX:80>
    SuexecUserGroup "#1000" "#1000"
    ServerName sub.domain.com
    
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>
<VirtualHost XX.XXX.XXX:XX:443>
    SuexecUserGroup "#1000" "#1000"
    ServerName sub.domain.com

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/sub.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.com/privkey.pem
    #Include /etc/letsencrypt/options-ssl-apache.conf

    SSLProxyEngine On
    #SSLProxyVerify none
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/
</VirtualHost>

I already played around with the ProxyEngine Options, but couldn't make it work.

CodePudding user response:

Since your JupyterHub is running with plain HTTP on 127.0.0.1:5000, you need to use ProxyPass http://127.0.0.1:5000. Using https://... instead would mean that Apache would try to connect to your JupyterHub by HTTPS, which fails because it does not speak HTTPS.

This plain HTTP connection is internal on your machine only, though. For external access you have Apache as a reverse proxy which, based on your configuration, provides both HTTP and HTTPS access from outside and proxies it internally to your JupyterHub. Proxying plain HTTP directly to your JupyterHub is likely a bad idea, though. Instead, it should redirect to the HTTPS version of your site with something like this:

<VirtualHost XX.XXX.XXX:XX:80>
    ServerName sub.example.com
    Redirect permanent / https://sub.example.com/
</VirtualHost>

Additionally it is recommended to enforce HTTPS for the site by setting HSTS.

"So: Is the security of my connection in any way compromised when redirecting to http?"

The traffic can be intercepted if you keep proxying plain HTTP from outside directly to your JupyterHub instead of redirecting it to HTTPS. As for needing HTTPS on localhost itself, see "Is there a benefit to having SSL connections on localhost?"
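
The handshake failure explained in the answer can be checked before choosing the ProxyPass scheme. The following Python code is an added example, not part of the original question or answer: `probe_backend` and `start_plain_backend` are hypothetical helper names, and the local server is a constructed stand-in for a JupyterHub listening on plain HTTP.

```python
import http.server
import socket
import ssl
import threading


def probe_backend(host, port, timeout=3.0):
    """Classify a backend listener as 'https', 'http' or 'unreachable'."""
    ctx = ssl.create_default_context()
    # Only the protocol is detected; no data is sent over TLS, so
    # certificate checks are switched off for this probe alone.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        # The same step Apache attempts for "ProxyPass / https://...".
        with ctx.wrap_socket(raw):
            return "https"
    except OSError:
        # ssl.SSLError and handshake timeouts are OSError subclasses.
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            reply = raw.makefile("rb").read(5)
    except OSError:
        return "unreachable"
    return "http" if reply == b"HTTP/" else "unreachable"


class _Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep request logging off stderr
        pass


def start_plain_backend():
    """Constructed stand-in for a JupyterHub listening on plain HTTP."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _Quiet)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_plain_backend()
    print(probe_backend("127.0.0.1", srv.server_address[1], timeout=1.0))
    srv.shutdown()
```

A result of `http` means the ProxyPass target must use `http://`; pointing Apache at `https://` for the same port fails at the handshake this probe attempts first.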
