In Debian jessie I'm trying to serve HTTPS with a Varnish reverse proxy, and I found the following solution: http://davidbu.ch/mann/blog/2015-03-20/varnish-and-https-apache.html : Apache manages SSL stuff on port 443, then passes to Varnish on port 80, which passes to Apache at port 8080.

However, requesting https://myserver.com/index.html I get in the browser:

403 Forbidden

You don't have permission to access / on this server.

Apache's error.log says:

[authz_core:error] [pid 12662] [client 151.16.175.15:38240] AH01630: client denied by server configuration: proxy:http://127.0.0.1:80/index.html

What am I missing?

My vhost definition

<VirtualHost *:8080>
    ServerAdmin mymail@gmail.com
    ServerName myserver.com

    DocumentRoot /home/paolo/weewx
    <Directory /home/paolo/weewx/>
        DirectoryIndex index.html
        Options FollowSymLinks
        AllowOverride All
        Require all granted
        order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    # ErrorDocument 404 /index.html

    CustomLog /var/log/apache2/access.log combined

</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin mymail@gmail.com
    ServerName myserver.com

    DocumentRoot /home/paolo/weewx/
    <Directory /home/paolo/weewx/>
        DirectoryIndex index.html
        Options FollowSymLinks
        AllowOverride All
        order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    # ErrorDocument 404 /index.html

    CustomLog /var/log/apache2/access.log combined

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Proto "https"

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/qumran2/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/qumran2/privkey.pem
</VirtualHost>


</IfModule>
HBruijn
Paolo Benvenuto

1 Answer

I wouldn't set a document root in a Virtual Host entry that will only be used to proxy requests, especially when you include an AllowOverride All directive there and .htaccess files can come into play.

For debugging it may also help to define separate log files for each Virtual Host entry as well.

<VirtualHost *:443>
    ServerAdmin mymail@gmail.com
    ServerName example.com
    LogLevel warn
    ErrorLog /var/log/apache2/example.com-ssl-error.log
    CustomLog /var/log/apache2/example.com-ssl-access.log combined
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
    RequestHeader set X-Forwarded-Port "443"
    RequestHeader set X-Forwarded-Proto "https"
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/qumran2/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/qumran2/privkey.pem
</VirtualHost>

And you can debug by requesting the resource directly from port 8080, for instance with curl --verbose --header 'Host: example.com' 'http://localhost:8080/index.html', to see if that VirtualHost is the problem.

If it is not, then try Varnish on port 80 to see if the problem is in Varnish: curl --verbose --header 'Host: example.com' 'http://localhost:80/index.html'

HBruijn
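The hop-by-hop check from the answer above, as an added script that is not part of the original post: it requests the same path from the Apache backend on 8080, then Varnish on 80, then the TLS virtual host on 443, and reports the first layer that does not answer with a 2xx or 3xx status. The function names and the use of curl's --resolve option to reach the 443 listener on 127.0.0.1 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: walk the request chain backend-first, as the answer suggests.
# Ports are the ones from the question:
#   Apache backend :8080  <-  Varnish :80  <-  Apache TLS :443

# Print the HTTP status code one hop returns ("000" if nothing answers
# or, on the TLS hop, if certificate validation fails).
hop_status() {  # $1 = site name sent as Host header, $2 = URL
    curl --silent --output /dev/null --max-time 5 \
         --resolve "$1:443:127.0.0.1" \
         --write-out '%{http_code}' --header "Host: $1" "$2" || true
}

# Print "<hop> <status>" for the first hop that fails, or "ok".
first_failing_hop() {  # $1 = site name, $2 = path (default /index.html)
    host=$1
    path=${2:-/index.html}
    for hop in "backend|http://127.0.0.1:8080" \
               "varnish|http://127.0.0.1:80" \
               "tls|https://$host"; do
        name=${hop%%|*}
        base=${hop#*|}
        code=$(hop_status "$host" "$base$path")
        case $code in
            2??|3??) ;;  # this layer is fine, move one layer outward
            *) echo "$name $code"; return 1 ;;
        esac
    done
    echo "ok"
}

# Run only when a site name is given: sh check-hops.sh example.com
if [ "$#" -gt 0 ]; then
    first_failing_hop "$@"
fi
```

A result of `tls 403` with the two inner hops passing means the denial is produced by the port 443 virtual host itself, which is the layer whose error log to read next.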