SSL Apache - Cloudflare Developers

B. Ihab · 2022-11-06T21:47:14.155Z

But surely it's a conflict between my vhost config on apache and CF

C

Cyb3r-Jak3•11/6/22, 9:47 PM

What is the error you are getting from Cloudflare?

B

B. IhabOP•11/6/22, 9:48 PM

Multiple error depending on the tweak I didn't in the config, per example

B

B. IhabOP•11/6/22, 9:48 PM

 SSL handshake failed Error code 525

 SSL handshake failed Error code 525

 SSL handshake failed Error code 525

 SSL handshake failed Error code 525

B

B. IhabOP•11/6/22, 9:48 PM

When I'm using that :

B

B. IhabOP•11/6/22, 9:49 PM

<VirtualHost *:80>
  ServerName annuaire.debtechnology.ma
  Redirect / https://annuaire.debtechnology.ma
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =annuaire.debtechnology.ma
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>

                ServerName annuaire.debtechnology.ma
                ServerAdmin webmaster@localhost

                DocumentRoot /opt/Annuaire-Ecoles/frontend

                ProxyPass / http://localhost:8081/
                ProxyPassReverse / http://localhost:8081/

                #SSLEngine on

                #SSLCertificateFile /etc/letsencrypt/live/annuaire.debtechnology.ma/fullchain.pem
                #SSLCertificateKeyFile /etc/letsencrypt/live/annuaire.debtechnology.ma/privkey.pem
                #Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>
</IfModule>

<VirtualHost *:80>
  ServerName annuaire.debtechnology.ma
  Redirect / https://annuaire.debtechnology.ma
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =annuaire.debtechnology.ma
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>

                ServerName annuaire.debtechnology.ma
                ServerAdmin webmaster@localhost

                DocumentRoot /opt/Annuaire-Ecoles/frontend

                ProxyPass / http://localhost:8081/
                ProxyPassReverse / http://localhost:8081/

                #SSLEngine on

                #SSLCertificateFile /etc/letsencrypt/live/annuaire.debtechnology.ma/fullchain.pem
                #SSLCertificateKeyFile /etc/letsencrypt/live/annuaire.debtechnology.ma/privkey.pem
                #Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>
</IfModule>

<VirtualHost *:80>
  ServerName annuaire.debtechnology.ma
  Redirect / https://annuaire.debtechnology.ma
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =annuaire.debtechnology.ma
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>

                ServerName annuaire.debtechnology.ma
                ServerAdmin webmaster@localhost

                DocumentRoot /opt/Annuaire-Ecoles/frontend

                ProxyPass / http://localhost:8081/
                ProxyPassReverse / http://localhost:8081/

                #SSLEngine on

                #SSLCertificateFile /etc/letsencrypt/live/annuaire.debtechnology.ma/fullchain.pem
                #SSLCertificateKeyFile /etc/letsencrypt/live/annuaire.debtechnology.ma/privkey.pem
                #Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>
</IfModule>

<VirtualHost *:80>
  ServerName annuaire.debtechnology.ma
  Redirect / https://annuaire.debtechnology.ma
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =annuaire.debtechnology.ma
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
        <VirtualHost *:443>

                ServerName annuaire.debtechnology.ma
                ServerAdmin webmaster@localhost

                DocumentRoot /opt/Annuaire-Ecoles/frontend

                ProxyPass / http://localhost:8081/
                ProxyPassReverse / http://localhost:8081/

                #SSLEngine on

                #SSLCertificateFile /etc/letsencrypt/live/annuaire.debtechnology.ma/fullchain.pem
                #SSLCertificateKeyFile /etc/letsencrypt/live/annuaire.debtechnology.ma/privkey.pem
                #Include /etc/letsencrypt/options-ssl-apache.conf
        </VirtualHost>
</IfModule>

BB. Ihab ``` <VirtualHost *:80> ServerName annuaire.debtechnology.ma Redirect / https...

C

Cyb3r-Jak3•11/6/22, 9:49 PM

This config isn't using SSL at all which is why you see 525

B

B. IhabOP•11/6/22, 9:49 PM

And the subdomain is proxied in the side of CF

CCyb3r-Jak3 This config isn't using SSL at all which is why you see 525

B

B. IhabOP•11/6/22, 9:50 PM

If I uncomment the SSL lines, I got Network protocol error :/

C

Cyb3r-Jak3•11/6/22, 9:51 PM

What network protocol error?

B

B. IhabOP•11/6/22, 9:51 PM

Nothing clear in the message

B

B. IhabOP•11/6/22, 9:52 PM

Network protocol error

An error occurred during a connection to annuaire.debtechnology.ma.

The page you are trying to access cannot be displayed because a network protocol error has been detected.

    Please contact the website owners to let them know about this issue.

Network protocol error

An error occurred during a connection to annuaire.debtechnology.ma.

The page you are trying to access cannot be displayed because a network protocol error has been detected.

    Please contact the website owners to let them know about this issue.

Network protocol error

An error occurred during a connection to annuaire.debtechnology.ma.

The page you are trying to access cannot be displayed because a network protocol error has been detected.

    Please contact the website owners to let them know about this issue.

Network protocol error

An error occurred during a connection to annuaire.debtechnology.ma.

The page you are trying to access cannot be displayed because a network protocol error has been detected.

    Please contact the website owners to let them know about this issue.

C

Cyb3r-Jak3•11/6/22, 9:53 PM

Is there anything in the apache error log for the network protocol error?

B

B. IhabOP•11/6/22, 9:55 PM

I'll activate the log in the config and I'll be back to you in no time

B

B. IhabOP•11/6/22, 10:02 PM

I found no error in the logs :/

C

Cyb3r-Jak3•11/6/22, 10:04 PM

No error in the access or error logs of apache?

B

B. IhabOP•11/6/22, 10:07 PM

Error log :

[Sun Nov 06 23:02:44.290288 2022] [mpm_prefork:notice] [pid 6221] AH00171: Graceful restart requested, doing restart
[Sun Nov 06 23:02:44.332577 2022] [mpm_prefork:notice] [pid 6221] AH00163: Apache/2.4.54 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Sun Nov 06 23:02:44.333176 2022] [core:notice] [pid 6221] AH00094: Command line: '/usr/sbin/apache2'

[Sun Nov 06 23:02:44.290288 2022] [mpm_prefork:notice] [pid 6221] AH00171: Graceful restart requested, doing restart
[Sun Nov 06 23:02:44.332577 2022] [mpm_prefork:notice] [pid 6221] AH00163: Apache/2.4.54 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Sun Nov 06 23:02:44.333176 2022] [core:notice] [pid 6221] AH00094: Command line: '/usr/sbin/apache2'

[Sun Nov 06 23:02:44.290288 2022] [mpm_prefork:notice] [pid 6221] AH00171: Graceful restart requested, doing restart
[Sun Nov 06 23:02:44.332577 2022] [mpm_prefork:notice] [pid 6221] AH00163: Apache/2.4.54 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Sun Nov 06 23:02:44.333176 2022] [core:notice] [pid 6221] AH00094: Command line: '/usr/sbin/apache2'

[Sun Nov 06 23:02:44.290288 2022] [mpm_prefork:notice] [pid 6221] AH00171: Graceful restart requested, doing restart
[Sun Nov 06 23:02:44.332577 2022] [mpm_prefork:notice] [pid 6221] AH00163: Apache/2.4.54 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
[Sun Nov 06 23:02:44.333176 2022] [core:notice] [pid 6221] AH00094: Command line: '/usr/sbin/apache2'

Access log:

B

B. IhabOP•11/6/22, 10:07 PM

162.158.22.95 - - [06/Nov/2022:23:02:52 +0100] "GET / HTTP/1.1" 200 18523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
162.158.22.95 - - [06/Nov/2022:23:03:32 +0100] "GET / HTTP/1.1" 200 18524 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
172.70.110.109 - - [06/Nov/2022:23:03:35 +0100] "GET / HTTP/1.1" 200 18537 "-" "curl/7.58.0"
162.158.22.94 - - [06/Nov/2022:23:03:44 +0100] "GET / HTTP/1.1" 200 18522 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"

162.158.22.95 - - [06/Nov/2022:23:02:52 +0100] "GET / HTTP/1.1" 200 18523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
162.158.22.95 - - [06/Nov/2022:23:03:32 +0100] "GET / HTTP/1.1" 200 18524 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
172.70.110.109 - - [06/Nov/2022:23:03:35 +0100] "GET / HTTP/1.1" 200 18537 "-" "curl/7.58.0"
162.158.22.94 - - [06/Nov/2022:23:03:44 +0100] "GET / HTTP/1.1" 200 18522 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"

162.158.22.95 - - [06/Nov/2022:23:02:52 +0100] "GET / HTTP/1.1" 200 18523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
162.158.22.95 - - [06/Nov/2022:23:03:32 +0100] "GET / HTTP/1.1" 200 18524 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
172.70.110.109 - - [06/Nov/2022:23:03:35 +0100] "GET / HTTP/1.1" 200 18537 "-" "curl/7.58.0"
162.158.22.94 - - [06/Nov/2022:23:03:44 +0100] "GET / HTTP/1.1" 200 18522 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"

162.158.22.95 - - [06/Nov/2022:23:02:52 +0100] "GET / HTTP/1.1" 200 18523 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
162.158.22.95 - - [06/Nov/2022:23:03:32 +0100] "GET / HTTP/1.1" 200 18524 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"
172.70.110.109 - - [06/Nov/2022:23:03:35 +0100] "GET / HTTP/1.1" 200 18537 "-" "curl/7.58.0"
162.158.22.94 - - [06/Nov/2022:23:03:44 +0100] "GET / HTTP/1.1" 200 18522 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"

B

B. IhabOP•11/6/22, 10:07 PM

That seems normal to me

B

B. IhabOP•11/6/22, 10:08 PM

If I remove the proxy on CF, all work fine

B

B. IhabOP•11/6/22, 10:09 PM

Should I just disable the proxied option?

C

Cyb3r-Jak3•11/6/22, 10:17 PM

If you disable the proxy then you get none of the benefits of Cloudflare. I almost want to say this is an http/2 thing but I'm not certain and it certainly seems over my head for now.

C

Cyb3r-Jak3•11/6/22, 10:17 PM

It seems like Cloudflare is messing up the HTTP/2 to users

B

B. IhabOP•11/6/22, 10:20 PM

I've been trying to fix this problem for a while now, but without success, I'll try to dig more on that in the future but for now I think I'll just disable the proxied option, that a lot for your time ^^

C

Cyb3r-Jak3•11/6/22, 10:21 PM

Just curious. What is the application that you are trying to proxy? I want to see if I can recreate it

B

B. IhabOP•11/6/22, 10:21 PM

A nuxt3 app

C

Cyb3r-Jak3•11/6/22, 10:22 PM

Thanks!

C

Cyb3r-Jak3•11/6/22, 10:33 PM

Cloudflare is using http1.1 to origin

C

Cyb3r-Jak3•11/6/22, 10:33 PM

It is using HTTP2 to client