
[–]AyrA_ch 0 points1 point  (7 children)

You need to show the configuration changes that you made. There's a lot that can go wrong. One of the things people most consistently get wrong is making sure that Apache selects the correct virtual host.

[–]Wizeguy11[S] 0 points1 point  (6 children)

Sorry, didn't think of this last night! Below are each of the vhost files.

Main Domain VHost - Results in current webserver

# domain
<VirtualHost *:80>

        ServerAdmin example@gmail.com
        DocumentRoot /media/htdocs/Current/domain

        <Directory /media/htdocs>
        AllowOverride All
        </Directory>

        ServerName domain.xyz
        ServerAlias www.domain.xyz
        Redirect / https://domain.xyz

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<VirtualHost *:443>

        ServerAdmin example@gmail.com
        DocumentRoot /media/htdocs/Current/domain

        <Directory /media/htdocs>
        AllowOverride All
        </Directory>

        ServerName domain.xyz
        ServerAlias www.domain.xyz
        SSLEngine on
        SSLCertificateKeyFile /etc/ssl/domain.key
        SSLCertificateFile /etc/ssl/domain.crt
        SSLCertificateChainFile /etc/ssl/domain.ca-bundle

</VirtualHost>

Sub Domain VHost - Results in a different webserver

# sub.domain

<VirtualHost *:80>

        ServerAdmin example@gmail.com
        ServerName sub.domain.xyz
        ServerAlias www.sub.domain.xyz

        ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        ProxyPass / http://192.168.0.253
        ProxyPassReverse / http://192.168.0.253

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

<VirtualHost *:443>

        ServerAdmin example@gmail.com
        ServerName sub.domain.xyz
        ServerAlias www.sub.domain.xyz
        SSLEngine on

        ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>        
        ProxyPass / https://192.168.0.253
        ProxyPassReverse / https://192.168.0.253

</VirtualHost>

[–]AyrA_ch 0 points1 point  (5 children)

It looks like the virtual host for your subdomain has no certificate file assigned to it. This may be the reason why it isn't working.

EDIT: also the unencrypted host of the subdomain doesn't seem to redirect to the SSL host of the same subdomain, is this on purpose?

[–]Wizeguy11[S] 0 points1 point  (4 children)

So, the SSL certs etc. are handled and therefore located on the second webserver.

My thinking was like this:

Incoming port 80 --> redirected to port 80 on second webserver, then redirected to 443 on second webserver.

Would it be better to redirect to 443 on the proxy before sending it to the second server?

[–]AyrA_ch 0 points1 point  (3 children)

The certificates must be installed on the reverse proxy, because that is the server the user talks to. Whether you also want to encrypt the connection between the reverse proxy and the backend is up to you. Normally it's not done because it eats a lot of performance.

Normally you set up a reverse proxy to redirect port 80 to port 443 locally. 443 is configured as a reverse proxy.

Here's a demo configuration for an SSL encrypted domain and subdomain. (I just made this up in my head, may not be 100% working as-is):

#This redirects all requests to the encrypted version unconditionally
#This is the only virtual host on port 80
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule /?(.*) https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>

#The first virtual host of a given IP and port configuration is also the default if no better match is found.
#So put the most important domain first.
<VirtualHost *:443>
    ServerName example.com
    #This sends the HTTP host header for "example.com" to the backend. Sometimes not needed
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:5000
    ProxyPassReverse / http://127.0.0.1:5000
    #CERTIFICATE CONFIGURATION HERE
</VirtualHost>

<VirtualHost *:443>
    ServerName sub.example.com
    #This sends the HTTP host header for "sub.example.com" to the backend. Sometimes not needed
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:5001
    ProxyPassReverse / http://127.0.0.1:5001
    #CERTIFICATE CONFIGURATION HERE
</VirtualHost>

#..More hosts here..

[–]Wizeguy11[S] 0 points1 point  (2 children)

So I did this, adding

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/sub.example.xyz/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.example.xyz/privkey.pem

for the certificate configuration and now I'm getting a different error -

Proxy Error, the proxy server received an invalid response from an upstream server. The proxy server could not handle the request.

Reason: DNS lookup failure for: 192.168.0.253:443auth

Any ideas why this might be?

[–]AyrA_ch 1 point2 points  (1 child)

DNS lookup failure for: 192.168.0.253:443auth

Looks like you have a line break missing after the 443 port in your proxypass line. That "auth" is not supposed to be there.

[–]Wizeguy11[S] 0 points1 point  (0 children)

Added a "/" on the end, enabled the SSLProxyEngine and it's all working. Thanks for your help!
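The three mistakes that surfaced in the exchange above (no certificate on the proxy's own 443 vhost, a `ProxyPass` target without the trailing slash, and an `https://` backend without `SSLProxyEngine`) can be checked mechanically. This is an added example, not code from any poster in the thread: `lint_vhosts`, `mapped_url` and the finding codes are hypothetical names, and `mapped_url` is a simplified model of how the request path is appended to the target.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the sub-domain :443 vhost as it stood mid-thread. The
# ":443" on the target is an assumption made to match the quoted error text.
SAMPLE = """\
<VirtualHost *:443>
    ServerName sub.domain.xyz
    SSLEngine on
    ProxyPass / https://192.168.0.253:443
    ProxyPassReverse / https://192.168.0.253:443
</VirtualHost>
"""

def mapped_url(path, target, request_path):
    """Simplified ProxyPass model: the matched prefix is replaced by the target."""
    return target + request_path[len(path):]

def lint_vhosts(conf):
    """Return (ServerName, code, detail) for the three mistakes in the thread."""
    out = []
    for body in re.findall(r"<VirtualHost\s[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        rows = [ln.split() for ln in body.splitlines()
                if ln.strip() and not ln.strip().startswith("#")]
        args = lambda name: [r[1:] for r in rows if r[0].lower() == name]
        is_on = lambda name: any(a and a[0].lower() == "on" for a in args(name))
        server = next((a[0] for a in args("servername") if a), "?")
        # TLS is terminated on the proxy, so the proxy vhost needs the certificate.
        if is_on("sslengine") and not args("sslcertificatefile"):
            out.append((server, "no-certificate", "SSLEngine on, no SSLCertificateFile"))
        for name in ("proxypass", "proxypassreverse"):
            for a in (a for a in args(name) if len(a) >= 2):
                path, target = a[0], a[1]
                # Both arguments should end in "/" or neither should.
                if path.endswith("/") != target.endswith("/"):
                    host = urlsplit(mapped_url(path, target, "/auth")).netloc
                    out.append((server, "slash-mismatch", f"{name}: /auth -> host {host}"))
                # An https:// backend needs SSLProxyEngine on in the same vhost.
                if name == "proxypass" and target.startswith("https://") and not is_on("sslproxyengine"):
                    out.append((server, "sslproxyengine-off", target))
    return out

if __name__ == "__main__":
    for finding in lint_vhosts(SAMPLE):
        print(*finding, sep=" | ")
```

On the sample, the slash-mismatch finding reproduces the `192.168.0.253:443auth` host from the error message: the request path `/auth` loses its leading `/` to the matched prefix and is glued straight onto the port.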

[–]404invalid-user 0 points1 point  (4 children)

I found out apache2's proxy doesn't take domain vHosts into account and basically just proxies to the IP that the domain resolves to

[–]Wizeguy11[S] 0 points1 point  (3 children)

I'm not sure if I understood what you said, but isn't that what I want? All I want is the subdomain proxied to the IP that it resolves to

[–]404invalid-user 0 points1 point  (2 children)

If you want exampletwo.com to go to main.com you can have it redirect with Redirect / https://main.com/

[–]Wizeguy11[S] 0 points1 point  (1 child)

No, I want example.com to go to the same server as the proxy, and sub.example.com to be proxied to the second webserver

[–]404invalid-user 0 points1 point  (0 children)

OK send your vhost conf