SSL Apache

But surely it's a conflict between my vhost config on apache and CF
Cyb3r-Jak3, 3y ago
What is the error you are getting from Cloudflare?
B. Ihab (OP), 3y ago
Multiple errors depending on the tweak I did in the config, for example:
SSL handshake failed Error code 525
When I'm using that:
<VirtualHost *:80>
ServerName annuaire.debtechnology.ma
Redirect / https://annuaire.debtechnology.ma
RewriteEngine on
RewriteCond %{SERVER_NAME} =annuaire.debtechnology.ma
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>

ServerName annuaire.debtechnology.ma
ServerAdmin webmaster@localhost

DocumentRoot /opt/Annuaire-Ecoles/frontend

ProxyPass / http://localhost:8081/
ProxyPassReverse / http://localhost:8081/

#SSLEngine on

#SSLCertificateFile /etc/letsencrypt/live/annuaire.debtechnology.ma/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/annuaire.debtechnology.ma/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Cyb3r-Jak3, 3y ago
This config isn't using SSL at all which is why you see 525
B. Ihab (OP), 3y ago
And the subdomain is proxied on the CF side.
If I uncomment the SSL lines, I get a Network protocol error :/
Cyb3r-Jak3, 3y ago
What network protocol error?
B. Ihab (OP), 3y ago
Nothing clear in the message
Network protocol error

An error occurred during a connection to annuaire.debtechnology.ma.

The page you are trying to access cannot be displayed because a network protocol error has been detected.

Please contact the website owners to let them know about this issue.
Cyb3r-Jak3, 3y ago
Is there anything in the apache error log for the network protocol error?
B. Ihab (OP), 3y ago
I'll activate the log in the config and I'll be back to you in no time.
I found no error in the logs :/
Cyb3r-Jak3, 3y ago
No error in the access or error logs of apache?
B. Ihab (OP), 3y ago
Error log :
[Sun Nov 06 23:02:44.290288 2022] [mpm_prefork:notice] [pid 6221] AH00171: Graceful restart requested, doing restart
[Sun Nov 06 23:02:44.332577 2022] [mpm_prefork:notice] [pid 6221] AH00163: Apache/2.4.54 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Sun Nov 06 23:02:44.333176 2022] [core:notice] [pid 6221] AH00094: Command line: '/usr/sbin/apache2'
Access log:
162.158.22.95 - - [06/Nov/2022:23:02:52 +0100] "GET / HTTP/1.1" 200 18523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
162.158.22.95 - - [06/Nov/2022:23:03:32 +0100] "GET / HTTP/1.1" 200 18524 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
172.70.110.109 - - [06/Nov/2022:23:03:35 +0100] "GET / HTTP/1.1" 200 18537 "-" "curl/7.58.0"
162.158.22.94 - - [06/Nov/2022:23:03:44 +0100] "GET / HTTP/1.1" 200 18522 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
That seems normal to me.
If I remove the proxy on CF, all works fine.
Should I just disable the proxied option?
Cyb3r-Jak3, 3y ago
If you disable the proxy then you get none of the benefits of Cloudflare. I almost want to say this is an http/2 thing but I'm not certain and it certainly seems over my head for now. It seems like Cloudflare is messing up the HTTP/2 to users
B. Ihab (OP), 3y ago
I've been trying to fix this problem for a while now, but without success. I'll try to dig more into that in the future, but for now I think I'll just disable the proxied option. Thanks a lot for your time ^^
Cyb3r-Jak3, 3y ago
Just curious. What is the application that you are trying to proxy? I want to see if I can recreate it
B. Ihab (OP), 3y ago
A nuxt3 app
Cyb3r-Jak3, 3y ago
Thanks!
Cyb3r-Jak3, 3y ago
Cloudflare is using HTTP/1.1 to origin.
It is using HTTP/2 to client.