Score:1

Local Apache TLS Proxy error on Reverse Proxy for local services


I've been struggling for a long time now with the following issue:

[gnutls:error] [pid 1878860] [remote 127.0.0.1:8282] ssl_engine_set: mod_proxy requested TLS proxy, but not enabled for piped.[CENSORED].de:443

I tried a lot of things to fix this, but nothing helped. In this case I host Piped myself and set up a Let's Encrypt certificate.

Here's the Apache Site Config of this service:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName piped.[CENSORED].de
        ServerAlias pipedapi.[CENSORED].de pipedproxy.[CENSORED].de
        ServerAdmin netzmeister@[CENSORED].de

        Protocols h2 h2c http/1.1

        SSLProxyEngine On
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:8282/
        ProxyPassReverse / http://127.0.0.1:8282/
        ProxyRequests Off
        ProxyAddHeaders On
        RequestHeader set X-Forwarded-Proto "https"

        <LocationMatch "^/(videoplayback|api/v4/|api/manifest/)">
            Header always set Cache-Control "private"
            Require all granted
        </LocationMatch>

        <Location "/">
            Header always set Cache-Control "public, max-age=604800"
            Require all granted
        </Location>

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/pipedapi.[CENSORED].de/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/pipedapi.[CENSORED].de/privkey.pem
    </VirtualHost>
</IfModule>

What I already did:

  • Set SSLProxyEngine to Off and just used ProxyAddHeaders On and RequestHeader set X-Forwarded-Proto "https".
  • Placed Include /etc/letsencrypt/options-ssl-apache.conf above SSLProxyEngine.
  • Added an s after http in ProxyPass and ProxyPassReverse, but then got this error:
[Sun Apr 09 19:15:35.915182 2023] [gnutls:error] [pid 1881378] [remote 127.0.0.1:8282] ssl_engine_set: mod_proxy requested TLS proxy, but not enabled for piped.[CENSORED].de:443
[Sun Apr 09 19:15:35.915210 2023] [core:error] [pid 1881378] [remote 127.0.0.1:8282] AH01961:  failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine]
[Sun Apr 09 19:15:35.915229 2023] [proxy:error] [pid 1881378] AH00961: https: failed to enable ssl support for 127.0.0.1:8282 (127.0.0.1)

The problem is that only Caddy and nginx config snippets are on https://docs.piped.video/docs/self-hosting/, and I didn't find any for Apache. Piped works almost fine (I can't import lists) with this error, but if possible I want to get rid of this error to have a proper config/log.

Any ideas?

HBruijn
For starters, does your back-end actually support https on that port, and can you actually make an HTTPS connection to httpS://127.0.0.1:8282/ with, for example, `curl` or `wget`? Because if that doesn't work, then it won't work for Apache either.
Johnnii360
@HBruijn: I get this with curl: `* Trying 127.0.0.1:8282... * Connected to 127.0.0.1 (127.0.0.1) port 8282 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt * CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * error:1408F10B:SSL routines:ssl3_get_record:wrong version number * Closing connection 0 curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number`
HBruijn
As a comment (rather than an edit into your question) that is a bit hard to read, but I *think* that looks like an error. That suggests the problem is in the back-end and you need to address that first (before you can see if you need to change the Apache reverse proxy configuration to connect over https to your back-end). **Note** that generally there is no security benefit to enabling TLS for connections to localhost, and off-loading HTTPS and letting Apache connect with plain http to your back-end does not compromise your security.
Johnnii360
@HBruijn My goal is to eliminate the error message mentioned in my initial post. I also think that it isn't necessary to establish an internal TLS connection, but the visitor has to. I get this error on every reverse-proxied service on my server. But I have no clue how to fix this.
Score:0

Found the solution now, thanks to a tip from a person that I asked.

Just disable mod_gnutls with a2dismod gnutls and renew all Let's Encrypt certificates. And it's gone!

It's really weak for such a huge user community that no one came up with the idea to do that. Why does picking a specific person from a search engine result bring the best solutions?!

But it's honorable that at least one person tried to help me!
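Putting the checks from the comments (does the back-end speak TLS at all?) and the answer (which TLS modules does Apache have loaded?) into one script; this is an added example, not code from the thread. It assumes the inputs are the stderr of `curl -v https://127.0.0.1:8282/`, the output of `apache2ctl -M`, and the vhost config text; the sample values are constructed from the log lines quoted above.

```shell
# Added example, not from the thread. Assumed inputs: stderr of
# `curl -v https://127.0.0.1:8282/`, `apache2ctl -M` output, vhost config text.

# Did the back-end answer a TLS ClientHello with TLS? curl prints "wrong version
# number" when it expected a TLS record but got non-TLS bytes (plain HTTP).
backend_speaks_tls() {
  case "$1" in
    *"wrong version number"*) echo plaintext ;;
    *"SSL connection using"*) echo tls ;;
    *)                        echo unknown ;;
  esac
}

# How many TLS provider modules are loaded? mod_proxy asks the TLS module via
# ssl_engine_set to enable TLS for the back-end connection; the [gnutls:error]
# line shows mod_gnutls answering that call, while SSLProxyEngine is a mod_ssl
# directive. Two providers is the situation `a2dismod gnutls` resolved.
tls_provider_count() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*(ssl|gnutls)_module/ { n++ } END { print n + 0 }'
}

# Does the vhost need a TLS proxy at all? Only an https:// ProxyPass target does,
# and then SSLProxyEngine On (a mod_ssl directive) is required.
proxy_tls_check() {
  if printf '%s\n' "$1" | grep -qiE '^[[:space:]]*ProxyPass[[:space:]]+[^[:space:]]+[[:space:]]+https://'; then
    if printf '%s\n' "$1" | grep -qiE '^[[:space:]]*SSLProxyEngine[[:space:]]+On'; then
      echo https-backend-ok
    else
      echo https-backend-missing-SSLProxyEngine
    fi
  else
    echo http-backend-no-tls-proxy-needed
  fi
}

# Constructed samples, modelled on the thread.
SAMPLE_CURL='* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 ssl_module (shared)
 gnutls_module (shared)'
SAMPLE_VHOST='SSLProxyEngine On
ProxyPass / http://127.0.0.1:8282/
ProxyPassReverse / http://127.0.0.1:8282/'

echo "back-end:      $(backend_speaks_tls "$SAMPLE_CURL")"
echo "TLS providers: $(tls_provider_count "$SAMPLE_MODULES")"
echo "proxy config:  $(proxy_tls_check "$SAMPLE_VHOST")"
```

On the real host, replace the samples with `curl -v https://127.0.0.1:8282/ 2>&1`, `apache2ctl -M 2>/dev/null` and the contents of the site file.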
