Reverse proxy
Added by Raimund Ortner about 1 year ago
I'm now close to despair and the sledgehammer :-)
I have "centralized" my reverse proxy.
External: Server1: DNS server, reverse proxy Apache -> Server2: OpenProject + Apache
I get to the login page and can enter my data, but then I get "Error 500"
The address line is also strange:
Login page: https://xxx.XXXXX.net/login?back_url=https%3A%2F%2Fxxx.XXXXX.net%2F
500 page: https://xxx.xxxxx.net/login
My Apache config on the reverse proxy:
<VirtualHost *:443>
ServerName XXXX
ServerAlias XXXXX
ServerAdmin admin@example.com
#
# SSL Start
#
Protocols h2 h2c http/1.1
SSLEngine On
SSLProxyEngine On
SSLCompression off
SSLProtocol all -TLSv1.2 -TLSv1.1 -TLSv1 -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDH>
SSLHonorCipherOrder on
SSLSessionTickets off
Include /etc/letsencrypt/options-ssl-apache.conf
SSLOpenSSLConfCmd DHParameters /etc/dhparam/dhparams.pem
ProxyPreserveHost On
ProxyRequests Off
ProxyVia On
#Header always set Referrer-Policy "strict-origin"
#Header always set Referrer-Policy "same-origin"
#RequestHeader set Host $host
#RequestHeader set X-Real-IP %{REMOTE_ADDR}s
#RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
#RequestHeader set X-Forwarded-Host %{SERVER_NAME}s
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / http://srv.openproject/ retry=0 connectiontimeout=900 timeout=900 keepalive=On
ProxyPassReverse / http://srv.openproject/ keepalive=On
<Location http://srv.openproject>
Require all granted
</Location>
Timeout 900
ProxyTimeout 900
#Header set X-XSS-Protection "1; mode=block"
#Header always set X-Frame-Options "SAMEORIGIN"
#Header always set X-Content-Type-Options "nosniff"
#Header always set Content-Security-Policy "default-src 'self'; font-src *;img-src * data:; script-src *; style-src *;"
#Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
#Header set siwecostoken "L9WAfz38VpE85V90hQdl7r422Fir01Y2pRz0B3G9l3749Cq4fcab2wSIuWJSaj3o"
SSLCertificateFile /etc/letsencrypt/live/xxxxxxxxx/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxxxxx/privkey.pem
</VirtualHost>
Apache config on the OpenProject server:
Include /etc/openproject/addons/apache2/includes/server/*.conf
IncludeOptional /etc/openproject/addons/apache2/custom/server/*.conf
<VirtualHost *:80>
ServerName XXXXXXXXXXX
DocumentRoot /opt/openproject/public
SSLProxyEngine On
ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off
#RequestHeader set X-Forwarded-Proto "https"
Include /etc/openproject/addons/apache2/includes/vhost/*.conf
IncludeOptional /etc/openproject/addons/apache2/custom/vhost/*.conf
# Can't use Location block since it would overshadow all the other proxypass directives on CentOS
ProxyPass / http://127.0.0.1:6000/ retry=0
<Proxy https://127.0.0.1:6000/*>
Order deny,allow
Allow from all
</Proxy>
ProxyPassReverse / http://127.0.0.1:6000/
</VirtualHost>
Any hint what I'm doing wrong? The only hint I get is from the log:
"The browser returned a 'null' origin for a request with origin-based forgery protection turned on. This usually means you have the 'no-referrer' Referrer-Policy header enabled, or that the request came from a site that refused to give its origin. This makes it impossible for Rails to verify the source of the requests. Likely the best solution is to change your referrer policy to something less strict like same-origin or strict-same-origin. If you cannot change the referrer policy, you can disable origin checking with the Rails.application.config.action_controller.forgery_protection_origin_check setting."
Thanks
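Added example (not part of the original post, and not Rails or OpenProject code): a simplified Ruby model of the origin comparison the quoted log message refers to, run over constructed header sets to show which forwarded headers have to reach the application through both proxy hops. The host name `project.example.net`, the helper names and the header-precedence rules are assumptions of this model.

```ruby
# Simplified model of the origin check named in the quoted log message.
# Assumption of this model: the app rebuilds its own base URL from the
# forwarded scheme and host. All header sets below are constructed samples.

# Scheme the app believes the browser used: first X-Forwarded-Proto value, else http.
def effective_scheme(headers)
  proto = headers["X-Forwarded-Proto"].to_s.split(",").first.to_s.strip.downcase
  proto.empty? ? "http" : proto
end

# Host the app believes the browser used: last X-Forwarded-Host value, else Host.
def effective_host(headers)
  fwd = headers["X-Forwarded-Host"].to_s.split(",").last.to_s.strip
  fwd.empty? ? headers["Host"].to_s : fwd
end

def base_url(headers)
  "#{effective_scheme(headers)}://#{effective_host(headers)}"
end

# Outcome for a state-changing request such as the login POST.
def origin_check(headers)
  origin = headers["Origin"]
  return :ok if origin.nil?               # no Origin header, nothing to compare
  return :null_origin if origin == "null" # the case the log message describes
  origin == base_url(headers) ? :ok : :mismatch
end

PUBLIC = "https://project.example.net" # hypothetical public URL

SAMPLES = {
  "proto and host reach the app" =>
    { "Origin" => PUBLIC, "Host" => "project.example.net", "X-Forwarded-Proto" => "https" },
  "X-Forwarded-Proto lost on the way" =>
    { "Origin" => PUBLIC, "Host" => "project.example.net" },
  "Host replaced by backend name" =>
    { "Origin" => PUBLIC, "Host" => "127.0.0.1:6000", "X-Forwarded-Proto" => "https" },
  "browser sent Origin: null" =>
    { "Origin" => "null", "Host" => "project.example.net", "X-Forwarded-Proto" => "https" },
}.freeze

def run_samples
  SAMPLES.transform_values { |h| origin_check(h) }
end

run_samples.each { |name, result| puts format("%-36s %s", name, result) }
```

Comparing the `Origin`, `Host` and `X-Forwarded-*` values logged at each hop against this model shows whether a failing login is a header-forwarding mismatch or a browser-side `null` origin.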