How to configure a reverse proxy in ISPConfig 3.2 / Apache / Ubuntu 22 > Docker

Discussion in 'Installation/Configuration' started by kameleon1er, Mar 28, 2024.

  1. kameleon1er

    kameleon1er Member

    ::::: SOLVED :::::

    Hi ISPers, I've got my ISPConfig installation up and running, domain installed, Let's Encrypt... all good :)

    But I'd like to have one or two nice applications in Docker. So I installed Docker in /opt ...

    and I have an application (dockge) that responds on port :5001 by default, but I want to access it via a domain (dockge.myndomain.net) from the outside and I don't know exactly how to go about it:

    I've tried these steps but without success for the HTTPS part:
    1 - Create a website in ISPConfig > SSL checked + Options > Apache Directives / Directive Snippets:
    Code:
    ProxyPass / http://31.x.x.x:5001/
    ProxyPassReverse / http://31.x.x.x:5001/
    > Save

    But it didn't seem to create the Let's Encrypt certificate.

    2 - I tried: stop Apache > certbot command > ask for a cert for my domain... Success > restart Apache.

    But that didn't work either: either I can connect to dockge via the IP but not over HTTPS, or if I use the domain, I end up on the default "index.html" page of ISPConfig.

    So what's the right way? Through ISPConfig first? And when do you request the certs? Or directly, manually, with Apache directives and vhosts?
     
    Last edited: Apr 5, 2024
  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    This should work just fine. Create the webspace, set the ProxyPass and ProxyPassReverse settings in the Options tab accordingly and activate Let's Encrypt. If that doesn't work there is something wrong with your configuration. Maybe the DNS entry for that domain was too new, so Let's Encrypt could not verify the request?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    You must exclude the Let's encrypt ssl cert auth requests to .well-known/acme/ from being proxied to your Docker image.
     
  4. pyte

    pyte Well-Known Member HowtoForge Supporter

    Ha, didn't think about that :)
    Another line with "ProxyPass /.well-known/acme/ !" (Note the ! at the end) should be sufficient
     
  5. kameleon1er

    kameleon1er Member

    Hi guys!!! Thanks, also for the Let's Encrypt snippet. I also tried manually with a vhost, but it still didn't work with this app in particular, dockge (a kind of new Portainer); I think for the moment it doesn't support HTTPS at all, at least not linked to a domain. I get a
    Code:
    Proxy Error
    The proxy server could not handle the request
    Reason: Error during SSL Handshake with remote server
    I've done a lot of searching but haven't found a solution. I will try with another Docker app to see if the problem persists.

    Code:
    sites-available# tail -n 50 /var/log/apache2/error.log
    [Thu Mar 28 09:16:42.625851 2024] [proxy:error] [pid 1956515:tid 140324249441856] [remote 80.11.30.178:59105] AH00898: Error during SSL Handshake with remote server returned by /
    [Thu Mar 28 09:16:42.625862 2024] [proxy_http:error] [pid 1956515:tid 140324249441856] [remote 80.11.30.178:59105] AH01097: pass request body failed to 31.207.34.190:5001 (31.207.34.190) from 80.11.30.178 ()
    [Thu Mar 28 09:16:42.686667 2024] [proxy:error] [pid 1956515:tid 140324241049152] (20014)Internal error (specific information not available): [remote 80.11.30.178:59105] AH01084: pass request body failed to 31.207.34.190:5001 (31.207.34.190), referer: https://dockge.democrasite.com/
    [Thu Mar 28 09:16:42.686702 2024] [proxy:error] [pid 1956515:tid 140324241049152] [remote 80.11.30.178:59105] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://dockge.democrasite.com/
    [Thu Mar 28 09:16:42.686709 2024] [proxy_http:error] [pid 1956515:tid 140324241049152] [remote 80.11.30.178:59105] AH01097: pass request body failed to 31.207.34.190:5001 (31.207.34.190) from 80.11.30.178 (), referer: https://dockge.democrasite.com/
    [Thu Mar 28 09:16:56.716631 2024] [proxy:error] [pid 1956515:tid 140324164859456] (20014)Internal error (specific information not available): [remote 80.11.30.178:59106] AH01084: pass request body failed to 31.207.34.190:5001 (31.207.34.190)
    [Thu Mar 28 09:16:56.716672 2024] [proxy:error] [pid 1956515:tid 140324164859456] [remote 80.11.30.178:59106] AH00898: Error during SSL Handshake with remote server returned by /
    [Thu Mar 28 09:16:56.716691 2024] [proxy_http:error] [pid 1956515:tid 140324164859456] [remote 80.11.30.178:59106] AH01097: pass request body failed to 31.207.34.190:5001 (31.207.34.190) from 80.11.30.178 ()
    [Thu Mar 28 09:16:56.853566 2024] [proxy:error] [pid 1956515:tid 140324156466752] (20014)Internal error (specific information not available): [remote 80.11.30.178:59106] AH01084: pass request body failed to 31.207.34.190:5001 (31.207.34.190), referer: https://dockge.democrasite.com/
    [Thu Mar 28 09:16:56.853613 2024] [proxy:error] [pid 1956515:tid 140324156466752] [remote 80.11.30.178:59106] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://dockge.democrasite.com/
    [Thu Mar 28 09:16:56.853624 2024] [proxy_http:error] [pid 1956515:tid 140324156466752] [remote 80.11.30.178:59106] AH01097: pass request body failed to 31.207.34.190:5001 (31.207.34.190) from 80.11.30.178 (), referer: https://dockge.democrasite.com/
    [Thu Mar 28 09:24:17.939208 2024] [mpm_event:notice] [pid 1956490:tid 140324284155776] AH00492: caught SIGWINCH, shutting down gracefully
    [ N 2024-03-28 09:24:18.0625 1957150/T1 age/Wat/WatchdogMain.cpp:1373 ]: Starting Passenger watchdog...
    [ N 2024-03-28 09:24:18.0857 1957153/T1 age/Cor/CoreMain.cpp:1340 ]: Starting Passenger core...
    [ N 2024-03-28 09:24:18.0858 1957153/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode.
    [ N 2024-03-28 09:24:18.0975 1957153/T1 age/Cor/CoreMain.cpp:1015 ]: Passenger core online, PID 1957153
    [Thu Mar 28 09:24:18.099186 2024] [suexec:notice] [pid 1957147:tid 139665119926144] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    
    [ N 2024-03-28 09:24:18.1150 1957153/T9 age/Cor/CoreMain.cpp:670 ]: Signal received. Gracefully shutting down... (send signal 2 more time(s) to force shutdown)
    [ N 2024-03-28 09:24:18.1150 1957153/T1 age/Cor/CoreMain.cpp:1245 ]: Received command to shutdown gracefully. Waiting until all clients have disconnected...
    [ N 2024-03-28 09:24:18.1151 1957153/Tb Ser/Server.h:901 ]: [ServerThr.2] Freed 0 spare client objects
    [ N 2024-03-28 09:24:18.1151 1957153/Tb Ser/Server.h:558 ]: [ServerThr.2] Shutdown finished
    [ N 2024-03-28 09:24:18.1155 1957153/T9 Ser/Server.h:901 ]: [ServerThr.1] Freed 0 spare client objects
    [ N 2024-03-28 09:24:18.1156 1957153/T9 Ser/Server.h:558 ]: [ServerThr.1] Shutdown finished
    [ N 2024-03-28 09:24:18.1157 1957153/Td Ser/Server.h:901 ]: [ApiServer] Freed 0 spare client objects
    [ N 2024-03-28 09:24:18.1157 1957153/Td Ser/Server.h:558 ]: [ApiServer] Shutdown finished
    [ N 2024-03-28 09:24:18.2024 1957178/T1 age/Wat/WatchdogMain.cpp:1373 ]: Starting Passenger watchdog...
    [ N 2024-03-28 09:24:18.2572 1957181/T1 age/Cor/CoreMain.cpp:1340 ]: Starting Passenger core...
    [ N 2024-03-28 09:24:18.2574 1957181/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode.
    [ N 2024-03-28 09:24:18.2672 1957181/T1 age/Cor/CoreMain.cpp:1015 ]: Passenger core online, PID 1957181
    [Thu Mar 28 09:24:18.269787 2024] [:error] [pid 1957172:tid 139665119926144] python_init: Python version mismatch, expected '3.10.2', found '3.10.12'.
    [Thu Mar 28 09:24:18.269804 2024] [:error] [pid 1957172:tid 139665119926144] python_init: Python executable found '(null)'.
    [Thu Mar 28 09:24:18.269809 2024] [:error] [pid 1957172:tid 139665119926144] python_init: Python path being used '(null)'.
    [Thu Mar 28 09:24:18.269832 2024] [:notice] [pid 1957172:tid 139665119926144] mod_python: Creating 8 session mutexes based on 0 max processes and 25 max threads.
    [Thu Mar 28 09:24:18.269839 2024] [:notice] [pid 1957172:tid 139665119926144] mod_python: using mutex_directory /tmp
    [Thu Mar 28 09:24:18.303737 2024] [mpm_event:notice] [pid 1957172:tid 139665119926144] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.2 Phusion_Passenger/6.0.10 mod_python/3.5.0+git20211031 Python/3.10.12 configured -- resuming normal operations
    [Thu Mar 28 09:24:18.303770 2024] [core:notice] [pid 1957172:tid 139665119926144] AH00094: Command line: '/usr/sbin/apache2'
    [ N 2024-03-28 09:24:18.3552 1957153/T1 age/Cor/TelemetryCollector.h:531 ]: Message from Phusion: End time can not be before or equal to begin time
    [ N 2024-03-28 09:24:18.3861 1957153/T1 age/Cor/CoreMain.cpp:1325 ]: Passenger core shutdown finished
    [ E 2024-03-28 09:24:20.5024 1957181/Te age/Cor/SecurityUpdateChecker.h:521 ]: A security update is available for your version (6.0.10) of Phusion Passenger(R). We strongly recommend upgrading to version 6.0.20.
    [ E 2024-03-28 09:24:20.5025 1957181/Te age/Cor/SecurityUpdateChecker.h:526 ]: Additional security update check information:
    - [Fixed in 6.0.14] [CVE-2018-25032] zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
    - [Fixed in 6.0.14] A use after free memory safety issue was introduced in 6.0.12, and fixed in 6.0.14.
    - [Fixed in 6.0.19] [CVE-2023-38545] A vulnerability existed in libcurl before 8.4.0 which was the library used for Passenger proxy functionality. Exploiting this vulnerability would require two preconditions. First a SOCKS5 proxy to be configured for Passenger licensing, anonymous telemetry, or security update check which is not the default but is possible. Second the attacker would need to cause Passenger to use an attacker-controlled URL when performing these requests. Causing Passenger to use non-standard urls requires that the attacker already have code execution on the Passenger host, or control of the Passenger config. If exploited this vulnerability could lead to code execution, due to buffer overflow.
    [Thu Mar 28 09:24:40.452803 2024] [proxy:error] [pid 1957199:tid 139664820172352] (20014)Internal error (specific information not available): [remote 80.11.30.178:59190] AH01084: pass request body failed to 31.207.34.190:5001 (31.207.34.190)
    [Thu Mar 28 09:24:40.452879 2024] [proxy:error] [pid 1957199:tid 139664820172352] [remote 80.11.30.178:59190] AH00898: Error during SSL Handshake with remote server returned by /
    [Thu Mar 28 09:24:40.452907 2024] [proxy_http:error] [pid 1957199:tid 139664820172352] [remote 80.11.30.178:59190] AH01097: pass request body failed to 31.207.34.190:5001 (31.207.34.190) from 80.11.30.178 ()
    [Thu Mar 28 09:24:40.690832 2024] [proxy:error] [pid 1957199:tid 139665021597248] (20014)Internal error (specific information not available): [remote 80.11.30.178:59190] AH01084: pass request body failed to 31.207.34.190:5001 (31.207.34.190), referer: https://dockge.democrasite.com/
    [Thu Mar 28 09:24:40.690886 2024] [proxy:error] [pid 1957199:tid 139665021597248] [remote 80.11.30.178:59190] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://dockge.democrasite.com/
    [Thu Mar 28 09:24:40.690897 2024] [proxy_http:error] [pid 1957199:tid 139665021597248] [remote 80.11.30.178:59190] AH01097: pass request body failed to 31.207.34.190:5001 (31.207.34.190) from 80.11.30.178 (), referer: https://dockge.democrasite.com/
    root@srv-b:/etc/apache2/sites-available# openssl s_client -connect dockge.democrasite.com:443
    CONNECTED(00000003)
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = dockge.democrasite.com
    verify return:1
    ---
    Certificate chain
     0 s:CN = dockge.democrasite.com
       i:C = US, O = Let's Encrypt, CN = R3
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
       v:NotBefore: Mar 28 03:49:42 2024 GMT; NotAfter: Jun 26 03:49:41 2024 GMT
     1 s:C = US, O = Let's Encrypt, CN = R3
       i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
       v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIE+TCCA+GgAwIBAgISA7RsmIma8xHKaszaADB1f/1cMA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yNDAzMjgwMzQ5NDJaFw0yNDA2MjYwMzQ5NDFaMCExHzAdBgNVBAMT
    FmRvY2tnZS5kZW1vY3Jhc2l0ZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    ggEKAoIBAQC8KGicaWIOXgMHuxaeB3722q0YwF4PGeeiT3S5t5VKIphp3bxK5yA9
    TU6DrAKgcbiiZ7GO8/VjnUbvy7xAGU8GCdWuKr1AoYzdJXIvEf8rVG7kKpiTHOMo
    GMNR48viea/Qmhf0AdkY9QqAezkWT3se0yzGW2RqZ2SElyJm8ZON/HM10ZHQ/7Cy
    41VftcAo9rKj000SeVf1DoEnxNylqVbr+qyj2Ke2Pne8NRnPG+ud+FFIP2wRzzfF
    7om7L+Zx3d4b1ekPKc8jmklWAlD1pUIwpjBYqkbP40jd4ePjt/twxvZCtzTk+9aD
    KZh9Qzj/akMtULNQik6DbZ2cSvB9ZoZjAgMBAAGjggIYMIICFDAOBgNVHQ8BAf8E
    BAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQC
    MAAwHQYDVR0OBBYEFNPKvvccY0CC0zoo2aD3dzoTk4Q7MB8GA1UdIwQYMBaAFBQu
    sxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYV
    aHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5s
    ZW5jci5vcmcvMCEGA1UdEQQaMBiCFmRvY2tnZS5kZW1vY3Jhc2l0ZS5jb20wEwYD
    VR0gBAwwCjAIBgZngQwBAgEwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdgA7U3d1
    Pi25gE6LMFsG/kA7Z9hPw/THvQANLXJv4frUFwAAAY6DZHQvAAAEAwBHMEUCIBfT
    O69BDG0NMXvzSrwaz9QLj2DQmw66csXVloYHhV5+AiEA+KlhKTW15drYQcGdeHFP
    WpA0H04xXyLxViek3gQ6OdIAdgDuzdBk1dsazsVct520zROiModGfLzs3sNRSFlG
    cR+1mwAAAY6DZHQ8AAAEAwBHMEUCIEtxCUM3+Fjma3VrjxxpKDzqyoHO7Hz0aF2L
    EfPvnIoaAiEA+xFDpTHSOxw8lULIpsGI2F4VKCmZOeRkhK/2IVJEjUAwDQYJKoZI
    hvcNAQELBQADggEBAK6XgOI73uiGNFOo/ZJ5dg+n8o0YD9DQ6zYMB1xDinSXFdLK
    aTyoqI/++zPwqnw6x8xgCm+LovUzo0Ri3hmFGAX62RSPSKv0uCDfHkDwS1sQd11D
    Q2O9DQh/e9ZV+VjHOXklpgpBi4aF4ks3cXENq9IZt4Sy2/NXwDCN4TX5fu0DFauK
    h/qT15TEzJNu4HXc43wJeYsy90BEamCNVqTdJ8quWQHdUh6uFjmxVLiKwidXSsb2
    vUVLLa9rvyuwGaQ8Tumudfcoyz2f9jUZYhQ59dc6oLfeb55sRqTDW10f7PrMwaXP
    XRjk+U3BpYyzkdcz0nHMV1w4NhZTle/iVfTl4bQ=
    -----END CERTIFICATE-----
    subject=CN = dockge.democrasite.com
    issuer=C = US, O = Let's Encrypt, CN = R3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 3148 bytes and written 404 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 17455E4A876F64BED804CB1AA742A34405C0E8D5B13835DBF0E8D698382AA87A
        Session-ID-ctx:
        Resumption PSK: 387D90D3270143098A2571999B645DB5E8C69F1A02B3F5528AE01CB54767D9B7BEE4838129E0B5CDD86F9C74716EE625
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - f8 34 96 2e 54 f6 01 b1-f5 b3 a2 35 b5 0d 81 76   .4..T......5...v
        0010 - 83 d5 80 45 a1 be e7 5f-b2 ec 24 9b f9 95 e7 7d   ...E..._..$....}
        0020 - c9 26 a9 26 0e 9a 07 b5-b5 a6 2a f1 a4 86 3b 14   .&.&......*...;.
        0030 - 00 10 28 92 15 31 fb ad-eb 1b b8 6e c3 fe e1 9b   ..(..1.....n....
        0040 - 92 da 26 24 1b 2b c6 71-4a 1b 88 5f 72 e5 0e d8   ..&$.+.qJ.._r...
        0050 - 50 e0 4d ad 32 ec 42 97-11 2d 53 94 ae 91 14 a7   P.M.2.B..-S.....
        0060 - 7d 52 3d de 1f 04 c4 32-70 f7 f1 40 28 b4 46 8d   }R=....2p..@(.F.
        0070 - 39 68 d0 f4 b4 b7 c2 55-6b a3 d8 97 6c 89 e8 8a   9h.....Uk...l...
        0080 - eb d0 46 54 e6 19 92 ce-d3 47 58 96 c5 06 72 ed   ..FT.....GX...r.
        0090 - 50 b7 dd 23 d6 29 b7 2a-6c 09 c8 4d 92 79 07 6c   P..#.).*l..M.y.l
        00a0 - 80 f0 b6 74 86 d1 ae fa-47 bc a5 30 1f d7 88 e5   ...t....G..0....
        00b0 - d5 13 ea 5f 3b f2 ec fc-d3 95 5d 25 a2 03 67 1b   ..._;.....]%..g.
        00c0 - cb f0 3d c9 c1 07 ba 1e-bd 35 49 64 87 12 65 7e   ..=......5Id..e~
        00d0 - 0d 16 84 6a 13 bc 4a bc-15 4a 64 b8 fb eb 13 36   ...j..J..Jd....6
        00e0 - 64 d7 68 78 e0 02 26 54-0e d5 35 74 e0 62 f7 7e   d.hx..&T..5t.b.~
        00f0 - 3b c6 74 0a ac 4a 09 b0-78 1c b2 27 80 5c ab 70   ;.t..J..x..'.\.p
    
        Start Time: 1711614414
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 4BD7637973A5E71E504FE62C82BE96CDD436C9EE24DCBB12CCDD256EE7AC7F0E
        Session-ID-ctx:
        Resumption PSK: 6FB96752F0E9B675FF85B11C80EA64FAC8130081E0E354B505F1C3EBA1A4234F1A5882F9D9F928C099B1BACA703AC5DD
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - f8 34 96 2e 54 f6 01 b1-f5 b3 a2 35 b5 0d 81 76   .4..T......5...v
        0010 - 0c 6b 46 bd 63 c2 12 78-d4 96 ab 85 56 d4 d3 67   .kF.c..x....V..g
        0020 - 9b 0a 8c b6 57 f3 0b e5-f9 1a 5d a4 cb 11 34 2b   ....W.....]...4+
        0030 - 30 24 e0 ce ff 05 7c 4e-af 1e 59 ea f1 f2 4d 0a   0$....|N..Y...M.
        0040 - 6e 62 0c d4 d6 21 90 1e-e8 48 c8 64 b7 98 d7 34   nb...!...H.d...4
        0050 - 45 0a 22 38 f0 3e 16 d7-6a 9f 8e 56 d3 d1 5e 5d   E."8.>..j..V..^]
        0060 - 13 4d 0c e6 88 66 86 55-9d 94 08 25 00 af e0 9b   .M...f.U...%....
        0070 - 92 0c 46 09 ec bc b8 39-29 fb f1 5e 71 4e 32 a7   ..F....9)..^qN2.
        0080 - a8 eb 38 54 ab ee 59 7a-46 4d 3a dd 47 0e a0 99   ..8T..YzFM:.G...
        0090 - c2 b8 18 11 32 7e c3 df-30 c1 cb f0 02 4f d9 f0   ....2~..0....O..
        00a0 - 75 67 ad df 4c 75 e9 d9-3b 98 8b 71 29 7c 00 56   ug..Lu..;..q)|.V
        00b0 - 85 60 8d 45 25 45 86 56-74 ef 34 0c 0a 74 4c 18   .`.E%E.Vt.4..tL.
        00c0 - b4 fc 73 24 8a c8 7b 94-6c 2f 07 fc 42 4e ff 92   ..s$..{.l/..BN..
        00d0 - 52 ff 4f 50 08 34 a0 9e-1e bc 50 c7 8d 2b 07 37   R.OP.4....P..+.7
        00e0 - c7 a5 51 8e 05 7e 55 2e-64 be 80 82 37 e6 91 e4   ..Q..~U.d...7...
        00f0 - f2 61 5a 4b 45 b6 a3 68-1f 17 ab e9 f6 16 8e 2a   .aZKE..h.......*
    
        Start Time: 1711614414
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You must enable SSL for the website in ISPConfig and request an LE cert by enabling the LE checkbox, and then forward the request via HTTP to Docker. To get a Let's Encrypt SSL cert for the website, do what @pyte suggested to avoid the LE auth requests getting forwarded to the Docker container. Internal requests between the proxy server and Docker on localhost do not get SSL encrypted, as they are not routed over a public network; that's why you must use http://.... in the proxy URL and not https://, as SSL is terminated on the proxy.
     
  7. kameleon1er

    kameleon1er Member

    Hi guys, back to trying to understand reverse proxies with ISPConfig/Apache; new attempt with Portainer (default ports 9000:9000):
    1 - I have Docker / Docker Compose running
    2 - I create a new website for "portainer.democrasite.com" > check the Let's Encrypt box = OK
    3 - Go to Website > Options > Apache directives:
    Code:
    Apache reverse proxy : # to redirect, for example, to portainer's port 9000
    ProxyPass / http://31.207.34.190:9000/
    ProxyPassReverse / http://31.207.34.190:9000/
    ProxyPass /.well-known/acme/ !
    4 - create "docker-compose.yml":
    Code:
    cat docker-compose.yml
    -----------------
    version: '3'
    
    services:
      portainer:
        image: portainer/portainer-ce
        container_name: portainer
        restart: always
     #   ports:
     #     - "9000:9000"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - portainer_data:/data
    
    volumes:
      portainer_data:
    
    5 - Question: do I need to comment out the ports in the file?
    6 - Deploy the container: " docker-compose up -d "
    7 - Container is running
    8 - Go to my URL over HTTPS
    Result: default Apache web page from ISPConfig.

    Where am I wrong? oO

    Thanks for your help.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to put this in Apache directives instead:

    Code:
    ProxyPass /.well-known/acme/ !
    ProxyPass / http://31.207.34.190:9000/
    ProxyPassReverse / http://31.207.34.190:9000/
    So there should not be a line like "Apache reverse proxy : # to redirect, for example, to portainer's port 9000", and the ProxyPass rule that keeps ACME requests from being redirected must come first, as rules are read from top to bottom by Apache.

    and do not comment out the ports in the docker-compose.yml file.
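    The points made in posts 3, 4, 6 and 8 (ProxyPass rules are matched top-down, the ACME exclusion must come first, and the target must be plain http:// because TLS terminates at Apache) can be checked mechanically. What follows is an added example written for this page; it is not ISPConfig, Apache or Portainer code. It models Apache's top-down, segment-wise ProxyPass prefix matching and lints a pasted "Apache Directives" snippet for a line that is not a directive (Apache fails its config test on it; the `.vhost.err` file in post 10 is what ISPConfig leaves behind when the generated vhost fails that test), an exclusion shadowed by an earlier `ProxyPass /`, an `https://` target behind a TLS-terminating proxy, and whether the HTTP-01 challenge path (`/.well-known/acme-challenge/<token>`, RFC 8555) actually escapes the proxy, since a prefix such as `/.well-known/acme/` does not cover `/.well-known/acme-challenge/`. It also flags a docker-compose `ports` entry that publishes the backend on every interface, which leaves the app reachable on its raw port regardless of the proxy. The `KNOWN_DIRECTIVES` allow-list, the `FIXED` snippet, the probe token and the assumption that ISPConfig's own vhost serves the challenge directory once it is no longer proxied are mine, not the thread's.

```python
"""Lint an ISPConfig "Apache Directives" reverse-proxy snippet and the docker-compose
port mapping behind it for the pitfalls discussed in this thread.

Added example, not ISPConfig, Apache or Portainer code. POSTED and REORDERED are the
snippets from posts 7 and 8; KNOWN_DIRECTIVES, ACME_PROBE and FIXED are assumptions.
"""
import re

PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Assumption: a small allow-list is enough for what gets pasted into Options.
KNOWN_DIRECTIVES = {"proxypass", "proxypassreverse", "proxypreservehost",
                    "sslproxyengine", "requestheader", "proxyrequests"}

# HTTP-01 validation (RFC 8555) fetches /.well-known/acme-challenge/<token>;
# the token itself is made up here.
ACME_PROBE = "/.well-known/acme-challenge/token"


def parse_proxypass(snippet):
    """Return [(path, target)] in file order; a target of '!' means 'do not proxy'."""
    return [(m.group(1), m.group(2)) for line in snippet.splitlines()
            if (m := PROXYPASS_RE.match(line))]


def prefix_match(rule_path, uri):
    """ProxyPass matching: the rule must cover whole path segments of the URI."""
    if not uri.startswith(rule_path):
        return False
    rest = uri[len(rule_path):]
    return rule_path.endswith("/") or rest == "" or rest.startswith("/")


def route(rules, uri):
    """Apache evaluates ProxyPass top-down; the first matching rule wins."""
    for path, target in rules:
        if prefix_match(path, uri):
            return target
    return None


def lint_directives(snippet):
    """Return human-readable findings; an empty list means the snippet looks sane."""
    findings = []
    for lineno, line in enumerate(snippet.splitlines(), 1):
        stripped = line.strip()
        if (stripped and not stripped.startswith("#")
                and stripped.split()[0].lower() not in KNOWN_DIRECTIVES):
            findings.append(f"line {lineno}: {stripped.split()[0]!r} is not a directive; "
                            "Apache rejects the vhost (Invalid command)")
    rules = parse_proxypass(snippet)
    for path, target in rules:
        if target == "!" and route(rules, path.rstrip("/") + "/x") != "!":
            findings.append(f"'ProxyPass {path} !' is shadowed by an earlier rule; "
                            "exclusions must come before 'ProxyPass /'")
        if target.lower().startswith("https://"):
            findings.append(f"{target}: TLS terminates at Apache; a plain-HTTP container "
                            "answers with AH00898 (Error during SSL Handshake)")
    if rules and route(rules, ACME_PROBE) != "!":
        findings.append(f"{ACME_PROBE} is still proxied; the exclusion prefix must "
                        "match the acme-challenge path or LE validation fails")
    return findings


def lint_compose_ports(ports):
    """Flag docker-compose 'ports' entries that publish the backend on every interface."""
    findings = []
    for spec in ports:
        parts = str(spec).split(":")
        host_ip = parts[0] if len(parts) == 3 else None
        if host_ip in (None, "0.0.0.0", "::"):
            findings.append(f"ports entry {spec!r} listens on all interfaces, so the app "
                            "is reachable directly, bypassing the proxy; bind it as "
                            "'127.0.0.1:<host>:<container>' and proxy to 127.0.0.1")
    return findings


# Snippet from post 7 (comment translated from French)
POSTED = """Apache reverse proxy : # to redirect, for example, to portainer's port 9000
ProxyPass / http://31.207.34.190:9000/
ProxyPassReverse / http://31.207.34.190:9000/
ProxyPass /.well-known/acme/ !
"""
# Reordered version from post 8
REORDERED = """ProxyPass /.well-known/acme/ !
ProxyPass / http://31.207.34.190:9000/
ProxyPassReverse / http://31.207.34.190:9000/
"""
# Constructed: exclusion matches the real HTTP-01 path, backend bound to loopback
# (assumes ISPConfig's own vhost serves /.well-known/acme-challenge/ once it is not proxied)
FIXED = """ProxyPass /.well-known/acme-challenge/ !
ProxyPass / http://127.0.0.1:9000/
ProxyPassReverse / http://127.0.0.1:9000/
"""

if __name__ == "__main__":
    for name, snippet in (("posted", POSTED), ("reordered", REORDERED), ("fixed", FIXED)):
        print(name, lint_directives(snippet) or "OK")
    print(lint_compose_ports(["9000:9000"]))
    print(lint_compose_ports(["127.0.0.1:9000:9000"]) or "OK")
```

    Run as a script it prints three findings for the post-7 snippet, one for the reordered post-8 snippet (the challenge path is still proxied) and none for the constructed `FIXED` set; the matching compose change is `ports: - "127.0.0.1:9000:9000"`, which keeps Portainer off the public interface so that only the TLS-terminating Apache vhost can reach it.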
     
  9. kameleon1er

    kameleon1er Member

    Hi @till, thanks.
    After the changes, the browser replies:
    Code:
    Service Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
    
    Additionally, a 503 Service Unavailable error was encountered while trying to use an ErrorDocument to handle the request.
    Here are my Apache logs:
    Code:
    /var/log/apache2# tail -f error.log
    [Thu Apr 04 17:15:03.233132 2024] [:notice] [pid 573167:tid 140047866128256] mod_python: using mutex_directory /tmp
    [ N 2024-04-04 17:15:03.2629 573147/T1 age/Cor/TelemetryCollector.h:531 ]: Message from Phusion: End time can not be before or equal to begin time
    [Thu Apr 04 17:15:03.281943 2024] [mpm_event:notice] [pid 573167:tid 140047866128256] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.2 Phusion_Passenger/6.0.10 mod_python/3.5.0+git20211031 Python/3.10.12 configured -- resuming normal operations
    [Thu Apr 04 17:15:03.281988 2024] [core:notice] [pid 573167:tid 140047866128256] AH00094: Command line: '/usr/sbin/apache2'
    [ N 2024-04-04 17:15:03.2939 573147/T1 age/Cor/CoreMain.cpp:1325 ]: Passenger core shutdown finished
    [ E 2024-04-04 17:15:05.4285 573175/T4 age/Cor/SecurityUpdateChecker.h:521 ]: A security update is available for your version (6.0.10) of Phusion Passenger(R). We strongly recommend upgrading to version 6.0.20.
    [ E 2024-04-04 17:15:05.4285 573175/T4 age/Cor/SecurityUpdateChecker.h:526 ]: Additional security update check information:
    - [Fixed in 6.0.14] [CVE-2018-25032] zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
    - [Fixed in 6.0.14] A use after free memory safety issue was introduced in 6.0.12, and fixed in 6.0.14.
    - [Fixed in 6.0.19] [CVE-2023-38545] A vulnerability existed in libcurl before 8.4.0 which was the library used for Passenger proxy functionality. Exploiting this vulnerability would require two preconditions. First a SOCKS5 proxy to be configured for Passenger licensing, anonymous telemetry, or security update check which is not the default but is possible. Second the attacker would need to cause Passenger to use an attacker-controlled URL when performing these requests. Causing Passenger to use non-standard urls requires that the attacker already have code execution on the Passenger host, or control of the Passenger config. If exploited this vulnerability could lead to code execution, due to buffer overflow.
    ^C
    
    /var/log/apache2# tail -f access.log
    127.0.0.1 - - [04/Apr/2024:16:40:02 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    146.19.24.28 - - [04/Apr/2024:16:44:50 +0200] "GET / HTTP/1.1" 200 10948 "-" "-"
    127.0.0.1 - - [04/Apr/2024:16:45:02 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    127.0.0.1 - - [04/Apr/2024:16:50:02 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    127.0.0.1 - - [04/Apr/2024:16:55:02 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    127.0.0.1 - - [04/Apr/2024:17:00:02 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    127.0.0.1 - - [04/Apr/2024:17:05:01 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    127.0.0.1 - - [04/Apr/2024:17:10:02 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    127.0.0.1 - - [04/Apr/2024:17:15:01 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    127.0.0.1 - - [04/Apr/2024:17:20:02 +0200] "GET / HTTP/1.1" 200 10955 "-" "Mozilla/5.0 (ISPConfig monitor)"
    ^C
    
    
    /var/log/apache2# tail -f other_vhosts_access.log
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:21:42 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:21:48 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    projects.democrasite.com:443 169.155.254.222 - - [04/Apr/2024:17:21:48 +0200] "GET /cron/run HTTP/2.0" 200 442 "https://projects.democrasite.com/users/showAll" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:21:54 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:00 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:06 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:13 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:18 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:24 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:30 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:36 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:43 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    portainer.democrasite.com:443 95.217.18.177 - - [04/Apr/2024:17:22:48 +0200] "GET / HTTP/1.1" 503 4765 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:48 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    projects.democrasite.com:443 169.155.254.222 - - [04/Apr/2024:17:22:48 +0200] "GET /cron/run HTTP/2.0" 200 442 "https://projects.democrasite.com/users/showAll" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:22:54 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:23:00 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:23:06 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:23:12 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:23:18 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    srv-b.democrasite.com:8080 169.155.254.222 - - [04/Apr/2024:17:23:24 +0200] "GET /datalogstatus.php HTTP/2.0" 200 394 "https://srv-b.democrasite.com:8080/index.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    portainer.democrasite.com:443 169.155.254.222 - - [04/Apr/2024:17:23:27 +0200] "GET / HTTP/2.0" 503 514 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 OPR/107.0.0.0"
    
     
  10. kameleon1er

    kameleon1er Member

    Something went wrong with my vhosts, I don't know why… for some time now I have:
    Code:
    -rw-r--r-- 1 root root 9087 avril  4 17:15 portainer.democrasite.com.vhost
    -rw-r--r-- 1 root root 9253 avril  4 14:54 portainer.democrasite.com.vhost.err
    instead of ".vhost-le-ssl.conf"
    Here is my vhost for this domain:
    Code:
    cat portainer.democrasite.com.vhost
    
    <Directory /var/www/portainer.democrasite.com>
            AllowOverride None
                    Require all denied
            </Directory>
    
    <VirtualHost *:80>
    
    
                        DocumentRoot /var/www/clients/client0/web7/web
                
            ServerName portainer.democrasite.com
            ServerAlias www.portainer.democrasite.com
            ServerAdmin [email protected]
    
    
            ErrorLog /var/log/ispconfig/httpd/portainer.democrasite.com/error.log
    
            Alias /error/ "/var/www/portainer.democrasite.com/web/error/"
            ErrorDocument 400 /error/400.html
            ErrorDocument 401 /error/401.html
            ErrorDocument 403 /error/403.html
            ErrorDocument 404 /error/404.html
            ErrorDocument 405 /error/405.html
            ErrorDocument 500 /error/500.html
            ErrorDocument 502 /error/502.html
            ErrorDocument 503 /error/503.html
    
    
            <Directory /var/www/portainer.democrasite.com/web>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
            <Directory /var/www/clients/client0/web7/web>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
    
    
    
    
            # suexec enabled
            <IfModule mod_suexec.c>
                SuexecUserGroup web7 client0
            </IfModule>
            <IfModule mod_fastcgi.c>
                    <Directory /var/www/clients/client0/web7/cgi-bin>
                                            Require all granted
                                        </Directory>
                    <Directory /var/www/portainer.democrasite.com/web>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    <Directory /var/www/clients/client0/web7/web>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    Action php-fcgi /php-fcgi virtual
                    Alias /php-fcgi /var/www/clients/client0/web7/cgi-bin/php-fcgi-*-80-portainer.democrasite.com
                    FastCgiExternalServer /var/www/clients/client0/web7/cgi-bin/php-fcgi-*-80-portainer.democrasite.com -idle-timeout 300 -socket /var/lib/php8.1-fpm/web7.sock -pass-header Authorization  -pass-header Content-Type
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php8.1-fpm/web7.sock|fcgi://localhost//var/www/clients/client0/web7/web/$1
                <Directory /var/www/portainer.democrasite.com/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php8.1-fpm/web7.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                <Directory /var/www/clients/client0/web7/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php8.1-fpm/web7.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                </IfModule>
    
    
    
            # add support for apache mpm_itk
            <IfModule mpm_itk_module>
                AssignUserId web7 client0
            </IfModule>
    
            <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
                <Directory /var/www/clients/client0/web7/webdav>
                    <ifModule mod_security2.c>
                        SecRuleRemoveById 960015
                        SecRuleRemoveById 960032
                    </ifModule>
                    <FilesMatch "\.ph(p3?|tml)$">
                        SetHandler None
                    </FilesMatch>
                </Directory>
                DavLockDB /var/www/clients/client0/web7/tmp/DavLock
                # DO NOT REMOVE THE COMMENTS!
                # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                # WEBDAV END
            </IfModule>
    
                ProxyPass /.well-known/acme/ !
    ProxyPass / http://31.207.34.190:9000/
    ProxyPassReverse / http://31.207.34.190:9000/
        
    
    </VirtualHost>
    
    
    <VirtualHost *:443>
    
    
                        DocumentRoot /var/www/clients/client0/web7/web
                
            ServerName portainer.democrasite.com
            ServerAlias www.portainer.democrasite.com
            ServerAdmin [email protected]
    
            <IfModule mod_http2.c>
                Protocols h2 http/1.1
            </IfModule>
    
            <IfModule mod_brotli.c>
                AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/xml application/xml+rss application/atom+xml application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
            </IfModule>
    
            ErrorLog /var/log/ispconfig/httpd/portainer.democrasite.com/error.log
    
            Alias /error/ "/var/www/portainer.democrasite.com/web/error/"
            ErrorDocument 400 /error/400.html
            ErrorDocument 401 /error/401.html
            ErrorDocument 403 /error/403.html
            ErrorDocument 404 /error/404.html
            ErrorDocument 405 /error/405.html
            ErrorDocument 500 /error/500.html
            ErrorDocument 502 /error/502.html
            ErrorDocument 503 /error/503.html
    
      <IfModule mod_ssl.c>
            SSLEngine on
            SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
            # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder     on
            # <IfModule mod_headers.c>
            # Header always add Strict-Transport-Security "max-age=15768000"
            # </IfModule>
            SSLCertificateFile /var/www/clients/client0/web7/ssl/portainer.democrasite.com-le.crt
            SSLCertificateKeyFile /var/www/clients/client0/web7/ssl/portainer.democrasite.com-le.key
                      SSLUseStapling on
              SSLStaplingResponderTimeout 5
              SSLStaplingReturnResponderErrors off
                  </IfModule>
    
            <Directory /var/www/portainer.democrasite.com/web>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
            <Directory /var/www/clients/client0/web7/web>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
    
    
    
    
            # suexec enabled
            <IfModule mod_suexec.c>
                SuexecUserGroup web7 client0
            </IfModule>
            <IfModule mod_fastcgi.c>
                    <Directory /var/www/clients/client0/web7/cgi-bin>
                                            Require all granted
                                        </Directory>
                    <Directory /var/www/portainer.democrasite.com/web>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    <Directory /var/www/clients/client0/web7/web>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    Action php-fcgi /php-fcgi virtual
                    Alias /php-fcgi /var/www/clients/client0/web7/cgi-bin/php-fcgi-*-443-portainer.democrasite.com
                    FastCgiExternalServer /var/www/clients/client0/web7/cgi-bin/php-fcgi-*-443-portainer.democrasite.com -idle-timeout 300 -socket /var/lib/php8.1-fpm/web7.sock -pass-header Authorization  -pass-header Content-Type
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php8.1-fpm/web7.sock|fcgi://localhost//var/www/clients/client0/web7/web/$1
                <Directory /var/www/portainer.democrasite.com/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php8.1-fpm/web7.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                <Directory /var/www/clients/client0/web7/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php8.1-fpm/web7.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                </IfModule>
    
    
    
            # add support for apache mpm_itk
            <IfModule mpm_itk_module>
                AssignUserId web7 client0
            </IfModule>
    
            <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
                <Directory /var/www/clients/client0/web7/webdav>
                    <ifModule mod_security2.c>
                        SecRuleRemoveById 960015
                        SecRuleRemoveById 960032
                    </ifModule>
                    <FilesMatch "\.ph(p3?|tml)$">
                        SetHandler None
                    </FilesMatch>
                </Directory>
                DavLockDB /var/www/clients/client0/web7/tmp/DavLock
                # DO NOT REMOVE THE COMMENTS!
                # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                # WEBDAV END
            </IfModule>
    
        ProxyPass /.well-known/acme/ !
    ProxyPass / http://31.207.34.190:9000/
    ProxyPassReverse / http://31.207.34.190:9000/
    
    
    </VirtualHost>
    
    <IfModule mod_ssl.c>
            SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>
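The vhost above excludes "/.well-known/acme/" from proxying. Whether that protects the Let's Encrypt validation depends on how mod_proxy picks a rule: ProxyPass directives are tried in configuration order, the first matching prefix wins, and a prefix has to match the request path literally. The script below is an added example, not code from the thread or from ISPConfig; it models that rule selection in awk and tests it against the HTTP-01 challenge path, which per RFC 8555 is "/.well-known/acme-challenge/". It assumes the challenge files are meant to be served by the vhost itself, not by the Docker backend; the hostname and the 203.0.113.10 backend address in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not ISPConfig code): reproduce Apache's
# ProxyPass rule selection to see whether the Let's Encrypt HTTP-01 challenge
# path stays local. mod_proxy checks ProxyPass rules in configuration order;
# the first matching prefix wins, and a prefix without a trailing slash only
# matches at a path-segment boundary. Assumption: the challenge directory is
# /.well-known/acme-challenge/ (RFC 8555) and is served by the vhost itself.

# proxy_target <vhost-file> <request-path>
# Prints "local" if the first matching ProxyPass rule is an exclusion ("!"),
# the backend URL if it is a proxy rule, or "nomatch" if nothing matches.
proxy_target() {
    awk -v path="$2" '
        # Same boundary rule as mod_proxy: "/foo" matches "/foo" and "/foo/x"
        # but not "/foobar"; a prefix ending in "/" is a plain prefix match.
        function rule_hits(p, prefix,    nextc) {
            if (substr(p, 1, length(prefix)) != prefix) return 0
            if (substr(prefix, length(prefix)) == "/") return 1
            nextc = substr(p, length(prefix) + 1, 1)
            return (nextc == "" || nextc == "/")
        }
        # Only ProxyPass routes requests; ProxyPassReverse rewrites response
        # headers and commented lines have a "#..." first field, so both skip.
        tolower($1) == "proxypass" && rule_hits(path, $2) {
            out = ($3 == "!") ? "local" : $3
            print out
            found = 1
            exit
        }
        END { if (!found) print "nomatch" }
    ' "$1"
}

# check_acme_excluded <vhost-file>
# Succeeds (0) when an HTTP-01 challenge request would be answered locally.
check_acme_excluded() {
    [ "$(proxy_target "$1" /.well-known/acme-challenge/sample-token)" = local ]
}

# make_sample_vhost <exclusion-prefix>
# Writes a constructed vhost fragment shaped like the thread's directives
# (documentation backend address, made-up hostname) and prints its path.
make_sample_vhost() {
    f=$(mktemp) || return 1
    cat > "$f" <<EOF
<VirtualHost *:443>
    ServerName portainer.example.invalid
    ProxyPass $1 !
    ProxyPass / http://203.0.113.10:9000/
    ProxyPassReverse / http://203.0.113.10:9000/
</VirtualHost>
EOF
    echo "$f"
}

# Demo: the thread's "/.well-known/acme/" exclusion versus the real
# challenge directory.
for prefix in /.well-known/acme/ /.well-known/acme-challenge/; do
    v=$(make_sample_vhost "$prefix")
    if check_acme_excluded "$v"; then
        echo "$prefix: challenge served locally, validation reaches the webroot"
    else
        echo "$prefix: challenge proxied to $(proxy_target "$v" /.well-known/acme-challenge/t)"
    fi
    rm -f "$v"
done
```

Run it against a real file with `proxy_target /etc/apache2/sites-available/<site>.vhost /.well-known/acme-challenge/x`; anything other than "local" means the validator's request is forwarded to the container, which is exactly the case the exclusion is supposed to prevent.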
    
    
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    This means the website could not be saved as Apache does not understand its config. This means that the proxy config likely never got included. You can rename the vhost file to e.g. .bak, remove .err from the other file, and restart Apache to see why it fails.
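The file swap described in the post above, as an added example that is not part of the thread or of ISPConfig: it moves the known-good <site>.vhost aside, puts the rejected <site>.vhost.err in its place, runs a syntax check, and always restores the original files. It uses apache2ctl configtest instead of a restart, so a broken config is reported without taking the other sites on the server down. The vhost directory /etc/apache2/sites-available and the apache2ctl/apachectl names are assumptions for a Debian/Ubuntu layout and can be overridden with VHOST_DIR.

```shell
#!/bin/sh
# Added example (not from the thread, not ISPConfig code): swap the rejected
# .vhost.err into place, run a syntax check, and restore. Assumptions:
# vhost files live in VHOST_DIR (Debian/Ubuntu default below) and
# apache2ctl or apachectl is on PATH.

VHOST_DIR=${VHOST_DIR:-/etc/apache2/sites-available}

# swap_in_err_vhost <dir> <site>
# <site>.vhost -> <site>.vhost.bak and <site>.vhost.err -> <site>.vhost.
# Refuses to run if there is nothing to test or a .bak already exists, so a
# previous good config is never overwritten.
swap_in_err_vhost() {
    dir=$1 site=$2
    [ -f "$dir/$site.vhost.err" ] || { echo "no $site.vhost.err to test" >&2; return 1; }
    [ -f "$dir/$site.vhost" ] || { echo "no $site.vhost to set aside" >&2; return 1; }
    [ ! -e "$dir/$site.vhost.bak" ] || { echo "$site.vhost.bak exists, refusing to overwrite" >&2; return 2; }
    mv "$dir/$site.vhost" "$dir/$site.vhost.bak" && mv "$dir/$site.vhost.err" "$dir/$site.vhost"
}

# restore_vhost <dir> <site>
# Undo the swap: the broken config goes back to .err, .bak becomes .vhost.
restore_vhost() {
    dir=$1 site=$2
    [ -f "$dir/$site.vhost.bak" ] || { echo "no $site.vhost.bak to restore" >&2; return 1; }
    mv "$dir/$site.vhost" "$dir/$site.vhost.err" && mv "$dir/$site.vhost.bak" "$dir/$site.vhost"
}

# configtest: a syntax check only reports; a restart on a broken config
# would stop serving every site on the host.
configtest() {
    if command -v apache2ctl >/dev/null 2>&1; then apache2ctl configtest
    elif command -v apachectl >/dev/null 2>&1; then apachectl configtest
    else echo "no apache2ctl/apachectl found" >&2; return 127; fi
}

# diagnose <dir> <site>: swap, check, always restore; returns configtest's status.
diagnose() {
    swap_in_err_vhost "$1" "$2" || return $?
    configtest 2>&1
    rc=$?
    restore_vhost "$1" "$2"
    return $rc
}

# Usage (as root): sh diagnose-vhost.sh portainer.democrasite.com
if [ $# -eq 1 ]; then
    diagnose "$VHOST_DIR" "$1"
fi
```

Once configtest names the offending directive, fix it in the ISPConfig website's Apache Directives and save again; ISPConfig then rewrites the .vhost and the .err file disappears on its own.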
     
  12. kameleon1er

    kameleon1er Member

    @till OK, I did it and thought ISPConfig would "flush" or sweep the vhost config after correcting the error in the Apache directives options for the reverse proxy, but it doesn't. So I deleted the website in "WebSite" and recreated a fresh one. Not a big deal :)
    Last question on the right process: at what moment do I have to select "Let's Encrypt"? Just before asking to create the new website? Or let the process finish, come back and select the checkbox? And for the Apache directive option for the reverse proxy? Before clicking "Save" on the new website? Thanks
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig does this every time you press save on the website. But if the error persists, a new .err file is written. So there was no need to delete the site, see post #11 for how to find out what the reason for the error was. Deleting the site just prevents you now from getting the detailed error message.

    This does not matter. Changes are always processed in the order they were made. All you have to do is to ensure that the domain you use points to the server in DNS already.

    Does not matter as well.
     
    kameleon1er likes this.
  14. kameleon1er

    kameleon1er Member

    I recreated one site, but I think I have a Let's Encrypt problem… The checkbox is selected, but when I verify the vhost in the terminal:
    Code:
     cat portainer.democrasite.com.vhost
    
    <Directory /var/www/portainer.democrasite.com>
            AllowOverride None
                    Require all denied
            </Directory>
    
    <VirtualHost *:80>
    
    
                        DocumentRoot /var/www/clients/client0/web8/web
                
            ServerName portainer.democrasite.com
            ServerAlias www.portainer.democrasite.com
            ServerAdmin [email protected]
    
    
            ErrorLog /var/log/ispconfig/httpd/portainer.democrasite.com/error.log
    
            Alias /error/ "/var/www/portainer.democrasite.com/web/error/"
            ErrorDocument 400 /error/400.html
            ErrorDocument 401 /error/401.html
            ErrorDocument 403 /error/403.html
            ErrorDocument 404 /error/404.html
            ErrorDocument 405 /error/405.html
            ErrorDocument 500 /error/500.html
            ErrorDocument 502 /error/502.html
            ErrorDocument 503 /error/503.html
    
    
            <Directory /var/www/portainer.democrasite.com/web>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
            <Directory /var/www/clients/client0/web8/web>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
    
    
    
    
            # suexec enabled
            <IfModule mod_suexec.c>
                SuexecUserGroup web8 client0
            </IfModule>
            <IfModule mod_fastcgi.c>
                    <Directory /var/www/clients/client0/web8/cgi-bin>
                                            Require all granted
                                        </Directory>
                    <Directory /var/www/portainer.democrasite.com/web>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    <Directory /var/www/clients/client0/web8/web>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    Action php-fcgi /php-fcgi virtual
                    Alias /php-fcgi /var/www/clients/client0/web8/cgi-bin/php-fcgi-*-80-portainer.democrasite.com
                    FastCgiExternalServer /var/www/clients/client0/web8/cgi-bin/php-fcgi-*-80-portainer.democrasite.com -idle-timeout 300 -socket /var/lib/php8.1-fpm/web8.sock -pass-header Authorization  -pass-header Content-Type
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php8.1-fpm/web8.sock|fcgi://localhost//var/www/clients/client0/web8/web/$1
                <Directory /var/www/portainer.democrasite.com/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php8.1-fpm/web8.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                <Directory /var/www/clients/client0/web8/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php8.1-fpm/web8.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                </IfModule>
    
    
    
            # add support for apache mpm_itk
            <IfModule mpm_itk_module>
                AssignUserId web8 client0
            </IfModule>
    
            <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
                <Directory /var/www/clients/client0/web8/webdav>
                    <ifModule mod_security2.c>
                        SecRuleRemoveById 960015
                        SecRuleRemoveById 960032
                    </ifModule>
                    <FilesMatch "\.ph(p3?|tml)$">
                        SetHandler None
                    </FilesMatch>
                </Directory>
                DavLockDB /var/www/clients/client0/web8/tmp/DavLock
                # DO NOT REMOVE THE COMMENTS!
                # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                # WEBDAV END
            </IfModule>
    
                
        
    
    </VirtualHost>
    
    
    <VirtualHost *:443>
    
    
                        DocumentRoot /var/www/clients/client0/web8/web
                
            ServerName portainer.democrasite.com
            ServerAlias www.portainer.democrasite.com
            ServerAdmin [email protected]
    
            <IfModule mod_http2.c>
                Protocols h2 http/1.1
            </IfModule>
    
            <IfModule mod_brotli.c>
                AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/xml application/xml+rss application/atom+xml application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
            </IfModule>
    
            ErrorLog /var/log/ispconfig/httpd/portainer.democrasite.com/error.log
    
            Alias /error/ "/var/www/portainer.democrasite.com/web/error/"
            ErrorDocument 400 /error/400.html
            ErrorDocument 401 /error/401.html
            ErrorDocument 403 /error/403.html
            ErrorDocument 404 /error/404.html
            ErrorDocument 405 /error/405.html
            ErrorDocument 500 /error/500.html
            ErrorDocument 502 /error/502.html
            ErrorDocument 503 /error/503.html
    
      <IfModule mod_ssl.c>
            SSLEngine on
            SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
            # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder     on
            # <IfModule mod_headers.c>
            # Header always add Strict-Transport-Security "max-age=15768000"
            # </IfModule>
            SSLCertificateFile /var/www/clients/client0/web8/ssl/portainer.democrasite.com-le.crt
            SSLCertificateKeyFile /var/www/clients/client0/web8/ssl/portainer.democrasite.com-le.key
                      SSLUseStapling on
              SSLStaplingResponderTimeout 5
              SSLStaplingReturnResponderErrors off
                  </IfModule>
    
            <Directory /var/www/portainer.democrasite.com/web>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
            <Directory /var/www/clients/client0/web8/web>
                    # Clear PHP settings of this website
                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                            SetHandler None
                    </FilesMatch>
                    Options +SymlinksIfOwnerMatch
                    AllowOverride All
                                    Require all granted
                            </Directory>
    
    
    
    
            # suexec enabled
            <IfModule mod_suexec.c>
                SuexecUserGroup web8 client0
            </IfModule>
            <IfModule mod_fastcgi.c>
                    <Directory /var/www/clients/client0/web8/cgi-bin>
                                            Require all granted
                                        </Directory>
                    <Directory /var/www/portainer.democrasite.com/web>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    <Directory /var/www/clients/client0/web8/web>
                        <FilesMatch "\.php[345]?$">
                            <If "-f '%{REQUEST_FILENAME}'">
                                SetHandler php-fcgi
                            </If>
                        </FilesMatch>
                    </Directory>
                    Action php-fcgi /php-fcgi virtual
                    Alias /php-fcgi /var/www/clients/client0/web8/cgi-bin/php-fcgi-*-443-portainer.democrasite.com
                    FastCgiExternalServer /var/www/clients/client0/web8/cgi-bin/php-fcgi-*-443-portainer.democrasite.com -idle-timeout 300 -socket /var/lib/php8.1-fpm/web8.sock -pass-header Authorization  -pass-header Content-Type
            </IfModule>
            <IfModule mod_proxy_fcgi.c>
                #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php8.1-fpm/web8.sock|fcgi://localhost//var/www/clients/client0/web8/web/$1
                <Directory /var/www/portainer.democrasite.com/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php8.1-fpm/web8.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                <Directory /var/www/clients/client0/web8/web>
                    <FilesMatch "\.php[345]?$">
                        <If "-f '%{REQUEST_FILENAME}'">
                            SetHandler "proxy:unix:/var/lib/php8.1-fpm/web8.sock|fcgi://localhost"
                        </If>
                    </FilesMatch>
                </Directory>
                </IfModule>
    
    
    
            # add support for apache mpm_itk
            <IfModule mpm_itk_module>
                AssignUserId web8 client0
            </IfModule>
    
            <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
                <Directory /var/www/clients/client0/web8/webdav>
                    <ifModule mod_security2.c>
                        SecRuleRemoveById 960015
                        SecRuleRemoveById 960032
                    </ifModule>
                    <FilesMatch "\.ph(p3?|tml)$">
                        SetHandler None
                    </FilesMatch>
                </Directory>
                DavLockDB /var/www/clients/client0/web8/tmp/DavLock
                # DO NOT REMOVE THE COMMENTS!
                # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                # WEBDAV END
            </IfModule>
    
        
    
    
    </VirtualHost>
    
    <IfModule mod_ssl.c>
            SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>
    
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    The vhost file shows that Let's Encrypt is active, not sure why you think that this is not the case, as it contains an https vhost on port 443 with a LE certificate.
     
  16. kameleon1er

    kameleon1er Member

    I just thought there could be a second vhost like "vhost...le-ssl.conf" or something… for 443. But yes, the browser says "private > Let's Encrypt SSL", just NO ACME-Challenge records when checking https://acme-check.com
    There was also an error in my docker yml conf:
    Code:
    cat docker-compose.yml
    version: '3'
    
    services:
      portainer:
        image: portainer/portainer-ce
        container_name: portainer
        restart: always
     #   ports:
     #     - "9000:9000"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - portainer_data:/data
    
    volumes:
      portainer_data:
    After uncommenting the 2 lines #ports and #9090:9000, the reverse proxy is working fine :) The error came from bad AI (Gemini)

    Thanks @till
    ::::: SOLVED :::::
     
    ahrasis and till like this.
