
I am running Gitea on a Debian 10 LAMP machine with an ISPConfig / Apache2 reverse proxy. I managed to get Gitea working on my test server, which doesn't have SSL, using the Apache directives below:

ProxyPreserveHost On
ProxyRequests off
AllowEncodedSlashes NoDecode
ProxyPass / http://localhost:3000/ nocanon
ProxyPassReverse / http://localhost:3000/

However, I have not been able to get the reverse proxy to work on my production server because of SSL issues.

Currently, I am attempting to use the following Apache directives for the vhost:

ProxyPreserveHost On
ProxyRequests off
AllowEncodedSlashes NoDecode
SSLProxyEngine On
ProxyPass / https://localhost:3000/ nocanon
ProxyPassReverse / https://localhost:3000/

But I am running into these specific errors:

[proxy:error] [pid 3974] (20014)Internal error (specific information not available): [client 34.96.130.19:34571] AH01084: pass request body failed to 127.0.0.1:3000 (localhost)
[proxy:error] [pid 3974] [client 34.96.130.19:34571] AH00898: Error during SSL Handshake with remote server returned by /
[proxy_http:error] [pid 3974] [client 34.96.130.19:34571] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 34.96.130.19 ()
[proxy:error] [pid 3974] (20014)Internal error (specific information not available): [client 34.96.130.19:34571] AH01084: pass request body failed to 127.0.0.1:3000 (localhost)
[proxy:error] [pid 3974] [client 34.96.130.19:34571] AH00898: Error during SSL Handshake with remote server returned by /error/500.html
[proxy_http:error] [pid 3974] [client 34.96.130.19:34571] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 34.96.130.19 ()
[proxy:error] [pid 7611] (20014)Internal error (specific information not available): [client 49.247.196.186:51316] AH01084: pass request body failed to 127.0.0.1:3000 (localhost)
[proxy:error] [pid 7611] [client 49.247.196.186:51316] AH00898: Error during SSL Handshake with remote server returned by /
[proxy_http:error] [pid 7611] [client 49.247.196.186:51316] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 49.247.196.186 ()
[proxy:error] [pid 7611] (20014)Internal error (specific information not available): [client 49.247.196.186:51316] AH01084: pass request body failed to 127.0.0.1:3000 (localhost)
[proxy:error] [pid 7611] [client 49.247.196.186:51316] AH00898: Error during SSL Handshake with remote server returned by /error/500.html
[proxy_http:error] [pid 7611] [client 49.247.196.186:51316] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 49.247.196.186 ()
[proxy:error] [pid 7607] (20014)Internal error (specific information not available): [client 49.247.196.186:51318] AH01084: pass request body failed to 127.0.0.1:3000 (localhost), referer: https://git.example.com/
[proxy:error] [pid 7607] [client 49.247.196.186:51318] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://git.example.com/
[proxy_http:error] [pid 7607] [client 49.247.196.186:51318] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 49.247.196.186 (), referer: https://git.example.com/
[proxy:error] [pid 7607] (20014)Internal error (specific information not available): [client 49.247.196.186:51318] AH01084: pass request body failed to 127.0.0.1:3000 (localhost), referer: https://git.example.com/
[proxy:error] [pid 7607] [client 49.247.196.186:51318] AH00898: Error during SSL Handshake with remote server returned by /error/500.html, referer: https://git.example.com/
[proxy_http:error] [pid 7607] [client 49.247.196.186:51318] AH01097: pass request body failed to 127.0.0.1:3000 (localhost) from 49.247.196.186 (), referer: https://git.example.com/

Might someone know how to correct my apache directives for SSL use?

My complete vhost file is below:

<Directory /var/www/git.example.com>
        AllowOverride None
        Require all denied
</Directory>

<VirtualHost *:80>

        DocumentRoot /var/www/clients/client1/web7/web
        ServerName git.example.com
        ServerAdmin [email protected]


        ErrorLog /var/log/ispconfig/httpd/git.example.com/error.log

        Alias /error/ "/var/www/git.example.com/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html


        <Directory /var/www/git.example.com/web>
                # Clear PHP settings of this website
                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                        SetHandler None
                </FilesMatch>
                Options +SymlinksIfOwnerMatch
                AllowOverride All
                Require all granted
        </Directory>
        <Directory /var/www/clients/client1/web7/web>
                # Clear PHP settings of this website
                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                        SetHandler None
                </FilesMatch>
                Options +SymlinksIfOwnerMatch
                AllowOverride All
                Require all granted
        </Directory>




        # suexec enabled
        <IfModule mod_suexec.c>
            SuexecUserGroup web7 client1
        </IfModule>
        <IfModule mod_fastcgi.c>
                <Directory /var/www/clients/client1/web7/cgi-bin>
                        Require all granted
                </Directory>
                <Directory /var/www/git.example.com/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler php-fcgi
                        </If>
                    </FilesMatch>
                </Directory>
                <Directory /var/www/clients/client1/web7/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler php-fcgi
                        </If>
                    </FilesMatch>
                </Directory>
                Action php-fcgi /php-fcgi virtual
                Alias /php-fcgi /var/www/clients/client1/web7/cgi-bin/php-fcgi-*-80-git.example.com
                FastCgiExternalServer /var/www/clients/client1/web7/cgi-bin/php-fcgi-*-80-git.example.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/web7.sock -pass-header Authorization  -pass-header Content-Type
        </IfModule>
        <IfModule mod_proxy_fcgi.c>
            #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web7.sock|fcgi://localhost//var/www/clients/client1/web7/web/$1
            <Directory /var/www/clients/client1/web7/web>
                <FilesMatch "\.php[345]?$">
                    <If "-f '%{REQUEST_FILENAME}'">
                        SetHandler "proxy:unix:/var/lib/php7.3-fpm/web7.sock|fcgi://localhost"
                    </If>
                </FilesMatch>
            </Directory>
            </IfModule>



        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
            AssignUserId web7 client1
        </IfModule>

        <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
            <Directory /var/www/clients/client1/web7/webdav>
                <ifModule mod_security2.c>
                    SecRuleRemoveById 960015
                    SecRuleRemoveById 960032
                </ifModule>
                <FilesMatch "\.ph(p3?|tml)$">
                    SetHandler None
                </FilesMatch>
            </Directory>
            DavLockDB /var/www/clients/client1/web7/tmp/DavLock
            # DO NOT REMOVE THE COMMENTS!
            # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
            # WEBDAV BEGIN
            # WEBDAV END
        </IfModule>

        ProxyPreserveHost On
        ProxyRequests off
        AllowEncodedSlashes NoDecode
        SSLProxyEngine On
        ProxyPass / https://localhost:3000/ nocanon
        ProxyPassReverse / https://localhost:3000/

</VirtualHost>


<VirtualHost *:443>


        DocumentRoot /var/www/clients/client1/web7/web
        ServerName git.example.com
        ServerAdmin [email protected]

        <IfModule mod_http2.c>
            Protocols h2 http/1.1
        </IfModule>

        <IfModule mod_brotli.c>
            AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/xml application/xml+rss application/atom+xml application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
        </IfModule>

        ErrorLog /var/log/ispconfig/httpd/git.example.com/error.log

        Alias /error/ "/var/www/git.example.com/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html

        <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder     on
        # <IfModule mod_headers.c>
        # Header always add Strict-Transport-Security "max-age=15768000"
        # </IfModule>
        SSLCertificateFile /var/www/clients/client1/web7/ssl/git.example.com-le.crt
        SSLCertificateKeyFile /var/www/clients/client1/web7/ssl/git.example.com-le.key
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        </IfModule>

        <Directory /var/www/git.example.com/web>
                # Clear PHP settings of this website
                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                        SetHandler None
                </FilesMatch>
                Options +SymlinksIfOwnerMatch
                AllowOverride All
                Require all granted
        </Directory>
        <Directory /var/www/clients/client1/web7/web>
                # Clear PHP settings of this website
                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                        SetHandler None
                </FilesMatch>
                Options +SymlinksIfOwnerMatch
                AllowOverride All
                Require all granted
        </Directory>




        # suexec enabled
        <IfModule mod_suexec.c>
            SuexecUserGroup web7 client1
        </IfModule>
        <IfModule mod_fastcgi.c>
                <Directory /var/www/clients/client1/web7/cgi-bin>
                        Require all granted
                </Directory>
                <Directory /var/www/git.example.com/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler php-fcgi
                        </If>
                    </FilesMatch>
                </Directory>
                <Directory /var/www/clients/client1/web7/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler php-fcgi
                        </If>
                    </FilesMatch>
                </Directory>
                Action php-fcgi /php-fcgi virtual
                Alias /php-fcgi /var/www/clients/client1/web7/cgi-bin/php-fcgi-*-443-git.example.com
                FastCgiExternalServer /var/www/clients/client1/web7/cgi-bin/php-fcgi-*-443-git.example.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/web7.sock -pass-header Authorization  -pass-header Content-Type
        </IfModule>
        <IfModule mod_proxy_fcgi.c>
            #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web7.sock|fcgi://localhost//var/www/clients/client1/web7/web/$1
            <Directory /var/www/clients/client1/web7/web>
                <FilesMatch "\.php[345]?$">
                    <If "-f '%{REQUEST_FILENAME}'">
                        SetHandler "proxy:unix:/var/lib/php7.3-fpm/web7.sock|fcgi://localhost"
                    </If>
                </FilesMatch>
            </Directory>
            </IfModule>



        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
            AssignUserId web7 client1
        </IfModule>

        <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
            <Directory /var/www/clients/client1/web7/webdav>
                <ifModule mod_security2.c>
                    SecRuleRemoveById 960015
                    SecRuleRemoveById 960032
                </ifModule>
                <FilesMatch "\.ph(p3?|tml)$">
                    SetHandler None
                </FilesMatch>
            </Directory>
            DavLockDB /var/www/clients/client1/web7/tmp/DavLock
            # DO NOT REMOVE THE COMMENTS!
            # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
            # WEBDAV BEGIN
            # WEBDAV END
        </IfModule>

        ProxyPreserveHost On
        ProxyRequests off
        AllowEncodedSlashes NoDecode
        SSLProxyEngine On
        ProxyPass / https://localhost:3000/ nocanon
        ProxyPassReverse / https://localhost:3000/


</VirtualHost>

<IfModule mod_ssl.c>
        SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
  • Are you sure the port :3000 in Gitea is an HTTPS listener? Usually it's one or the other, not both at the same time, so if it previously worked with http:// that strongly implies it's not HTTPS. Commented Oct 12, 2021 at 5:24
  • Thx for the tip. Based on your observation, I believe the problem is within the built-in Gitea server and I need to adjust the /etc/gitea/app.ini file to get HTTPS to work correctly...
    – mjones
    Commented Oct 12, 2021 at 14:07
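As an added example, not part of the original question or the comments: a small Python probe that does what the commenter suggests by hand, checking whether the service on port 3000 actually speaks TLS before `SSLProxyEngine On` and an `https://` ProxyPass target are written into the vhost (an `https://` ProxyPass against a plain-HTTP listener is exactly the failure Apache reports as AH00898). The self-check stands up a constructed plain-HTTP server on a loopback port; the host, port and directive strings are assumptions that mirror the question's vhost.

```python
import socket
import ssl
import threading
from http.server import HTTPServer, SimpleHTTPRequestHandler

def probe_listener(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify the service on host:port as 'tls', 'http' or 'unknown'."""
    # Step 1 mirrors what mod_proxy does for an https:// backend: a TLS
    # handshake. A plain-HTTP listener answers the ClientHello with an HTTP
    # error or a reset, the condition Apache logs as AH00898.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # only asking "is TLS spoken at all?"
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except (ssl.SSLError, ConnectionResetError):
        pass                            # not TLS; try cleartext HTTP next
    except OSError:
        return "unknown"                # refused or timed out: nothing there
    # Step 2: minimal cleartext request; an HTTP listener answers "HTTP/...".
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(request.encode("ascii"))
            banner = raw.recv(16)
    except OSError:
        return "unknown"
    return "http" if banner.startswith(b"HTTP/") else "unknown"

def proxy_directives(listener: str, host: str, port: int) -> list[str]:
    """Apache mod_proxy directives that match the probed listener type."""
    if listener == "tls":
        return ["SSLProxyEngine On",
                f"ProxyPass / https://{host}:{port}/ nocanon",
                f"ProxyPassReverse / https://{host}:{port}/"]
    if listener == "http":              # cleartext hop: no SSLProxyEngine
        return [f"ProxyPass / http://{host}:{port}/ nocanon",
                f"ProxyPassReverse / http://{host}:{port}/"]
    raise ValueError(f"no directives for listener type {listener!r}")

def probe_local_plaintext_server() -> str:
    """Constructed check: a plain-HTTP server on a free loopback port (the
    shape of Gitea's default :3000 listener) must be classified as 'http'."""
    srv = HTTPServer(("127.0.0.1", 0), SimpleHTTPRequestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_listener("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown(); srv.server_close()
```

On the production host, `probe_listener("127.0.0.1", 3000)` returning `"http"` means the hop between Apache and Gitea is cleartext and the `ProxyPass` target must be `http://`, regardless of the TLS that Apache terminates for the client.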
