Hello,
I wanted to install mailcow on my server. For this I wanted to use a ReverseProxy (apache). Problem is, if I create a ReverseProxy (with SSL), I can't access the website. I also had this problem with my other ReverseProxy, which I use for Mastodon. I could fix it by setting
`<VirtualHost *:443>`
to `<VirtualHost Listen social.domain.yt:443>`
This doesn't work for the mailcow server now. If I activate the apache config from the mailcow docs, both ReverseProxies that exist on my server stop working (SSL) and I get the following error: SSL_ERROR_RX_RECORD_TOO_LONG.
How can I fix this?
Here are my 2 apache configs:
Mailcow:
```apache
<VirtualHost *:80>
  ServerName mail.domain.yt
  ServerAlias autodiscover.*
  ServerAlias autoconfig.*
  RewriteEngine on
  RewriteCond %{HTTPS} off
  RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]
  ProxyPass / http://127.0.0.1:8080/
  ProxyPassReverse / http://127.0.0.1:8080/
  ProxyPreserveHost On
  ProxyAddHeaders On
  RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>
<VirtualHost Listen mail.deko.yt:443>
  ServerName mail.domain.yt
  ServerAlias autodiscover.*
  ServerAlias autoconfig.*
  # You should proxy to a plain HTTP session to offload SSL processing
  ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontimeout=4000
  ProxyPassReverse /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync
  ProxyPass / http://127.0.0.1:8080/
  ProxyPassReverse / http://127.0.0.1:8080/
  ProxyPreserveHost On
  ProxyAddHeaders On
  RequestHeader set X-Forwarded-Proto "https"
  SSLCertificateFile /opt/mailcow-dockerized/data/assets/ssl/cert.pem
  SSLCertificateKeyFile /opt/mailcow-dockerized/data/assets/ssl/key.pem
  # If you want to proxy to an HTTPS host:
  #SSLProxyEngine On
  # If you want to proxy to an untrusted HTTPS host:
  #SSLProxyVerify none
  #SSLProxyCheckPeerCN off
  #SSLProxyCheckPeerName off
  #SSLProxyCheckPeerExpire off
</VirtualHost>
```
Mastodon:
```apache
<VirtualHost *:80>
  ServerAdmin ***
  ServerName social.domain.yt
  ServerAlias social.domain.yt
  Redirect Permanent / https://social.domain.yt/
</VirtualHost>
<VirtualHost Listen social.domain.yt:443>
  ServerAdmin ***
  ServerName social.domain.yt
  DocumentRoot /home/mastodon/live/public/
  <Directory "/home/mastodon/live/public">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Require all granted
  </Directory>
  #### DONT USE THIS CRAP OUTSIDE A MODULE
  # Header always set Strict-Transport-Security "max-age=31536000"
  # Header always set Referrer-Policy "strict-origin-when-cross-origin"
  #####
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
  </IfModule>
  SSLEngine on
  SSLHonorCipherOrder on
  SSLCipherSuite EECDH+AESGCM:AES256+EECDH:AES128+EECDH
  # SSLCipherSuite EECDH+AESGCM:AES256+EECDH:AES128+EECDH:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
  SSLProxyEngine On
  # SSLCompression off
  # SSLSessionTickets off
  # SSLStaplingResponderTimeout 5
  # SSLStaplingReturnResponderErrors on
  # SSLUseStapling on
  SSLCertificateFile /etc/letsencrypt/live/social.domain.yt/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/social.domain.yt/privkey.pem
  #SSLCertificateFile /root/cloudflare/deko.yt.pem
  #SSLCertificateKeyFile /root/cloudflare/deko.yt.key
  #Include /etc/letsencrypt/options-ssl-apache.conf
  <LocationMatch "^/(assets|avatars|emoji|headers|packs|sounds|system)">
    Header always set Cache-Control "public, max-age=31536000, immutable"
    Require all granted
  </LocationMatch>
  ProxyPreserveHost On
  RequestHeader set X-Forwarded-Proto "https"
  # This is definitely not the right way to do it, but I did test it.
  # <Location /api/v1/streaming/>
  #   RewriteEngine on
  #   RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
  #   RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
  #   RewriteRule /api/v1/streaming/(.*) ws://localhost:4000/api/v1/streaming/$1 [P]
  # </Location>
  # ProxyPass / http://localhost:4000
  # ProxyPassReverse / http://localhost:4000/
  ProxyPass /500.html !
  ProxyPass /sw.js !
  ProxyPass /robots.txt !
  ProxyPass /manifest.json !
  ProxyPass /browserconfig.xml !
  ProxyPass /mask-icon.svg !
  ProxyPassMatch ^(/.*\.(png|ico)$) !
  ProxyPassMatch ^/(assets|avatars|emoji|headers|packs|sounds|system|.well-known/acme-challenge) !
  ####### These lines below are what I think is causing the error; it's some variation on this.
  #ProxyPass /.well-known/ http://social.domain.yt/webfinger/.well-known/
  #ProxyPassReverse /.well-known/ http://social.domain.yt/webfinger/.well-known/
  ProxyPass /api/v1/streaming/ ws://localhost:4000/
  ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
  ProxyPass / http://localhost:3000/
  ProxyPassReverse / http://localhost:3000/
  ErrorDocument 500 /500.html
  ErrorDocument 501 /500.html
  ErrorDocument 502 /500.html
  ErrorDocument 503 /500.html
  ErrorDocument 504 /500.html
</VirtualHost>
```
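SSL_ERROR_RX_RECORD_TOO_LONG is the browser saying it sent a TLS ClientHello and got plain HTTP back; the posted mailcow :443 vhost has no `SSLEngine on` (the Mastodon one does), and since mod_ssl takes the TLS on/off decision for a listening address:port from the first vhost defined on it, one plaintext :443 vhost can switch off TLS for every name-based vhost sharing that socket. The lint below is an added example, not part of the post or the mailcow docs, that flags :443 vhosts lacking an active `SSLEngine on`; the host names and certificate paths in the embedded sample are constructed.

```shell
#!/bin/sh
# Added lint (hypothetical, not mailcow tooling): print every <VirtualHost>
# bound to port 443 that has no uncommented "SSLEngine on" line inside it.
find_tls_vhosts_without_sslengine() {
  awk '
    /^[ \t]*<VirtualHost[ \t]/ {
      spec = $0
      sub(/^[ \t]*<VirtualHost[ \t]+/, "", spec)
      sub(/>[ \t]*$/, "", spec)
      in_tls = (spec ~ /:443([ \t]|$)/)   # only :443 vhosts are checked
      has_engine = 0
      name = spec                         # label if no ServerName follows
      next
    }
    in_tls && /^[ \t]*ServerName[ \t]/ { name = $2 }
    # "#SSLEngine on" does not match: the line must start with the directive
    in_tls && /^[ \t]*SSLEngine[ \t]+[Oo][Nn][ \t]*$/ { has_engine = 1 }
    /^[ \t]*<\/VirtualHost>/ {
      if (in_tls && !has_engine) print name
      in_tls = 0
    }
  ' "$1"
}
# Constructed sample: a mailcow-style :443 vhost without SSLEngine on next to
# a Mastodon-style one that has it, the same shape as the two posted configs.
sample_config() {
  cat <<'EOF'
<VirtualHost *:443>
  ServerName mail.example.test
  ProxyPass / http://127.0.0.1:8080/
  #SSLEngine on
  SSLCertificateFile /path/to/cert.pem
  SSLCertificateKeyFile /path/to/key.pem
</VirtualHost>
<VirtualHost *:443>
  ServerName social.example.test
  SSLEngine on
  SSLCertificateFile /path/to/fullchain.pem
  SSLCertificateKeyFile /path/to/privkey.pem
</VirtualHost>
EOF
}
cfg=$(mktemp)
sample_config > "$cfg"
find_tls_vhosts_without_sslengine "$cfg"   # prints: mail.example.test
rm -f "$cfg"
```

Run it against the real files under the Apache sites directory; any name it prints is a vhost that answers port 443 in plaintext and should get `SSLEngine on` above its certificate directives.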