HTTPS (TLS) behind Apache reverse proxy

Hi, first time I use this feature (almost a year after!). But having already configured the Reverse Proxy Setup for the Apache server, when I check “Use HTTPS for GUI” the Apache setup breaks.

I modified it a bit so it works:

LoadModule ssl_module modules/mod_ssl.so
SSLProxyEngine On
SSLCertificateFile /path-to/.config/syncthing/https-cert.pem
SSLCertificateKeyFile /path-to/.config/syncthing/https-key.pem
ProxyPass /syncthing/ https://127.0.0.1:8080/
<Location /syncthing/>
        ProxyPassReverse https://127.0.0.1:8080/
        #Require all granted - not for apache v2.2.15
        Allow from all
</Location>

Now when I hit http://server-ip/syncthing/ I can see Syncthing’s web GUI, but there is no HTTPS indicator…

Since I am just a newbie, is this configuration correct and also secure?

Thanks

No. You’re talking insecure HTTP between yourself and Apache and HTTPS between Apache and Syncthing. You need to use an HTTPS URL in your browser.

I see… so the secure solution might be:

  • either not use Apache’s Reverse Proxy Setup, but just Syncthing’s HTTPS web GUI (on the configured port)
  • or use Apache’s HTTPS setup (port 443) and inside there, use an “equivalent” Reverse Proxy Setup to https://localhost:port, right?

For the second one, would it be something like this in Apache’s ssl.conf file?

LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost _default_:443>
        DocumentRoot /var/www
        ErrorLog /pathtologs/syncthing-error_log
        TransferLog /pathtologs/syncthing-access_log
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCertificateFile /path-to/.config/syncthing/https-cert.pem
        SSLCertificateKeyFile /path-to/.config/syncthing/https-key.pem
        SSLProxyEngine On
        ProxyPass /syncthing/ https://127.0.0.1:8080/
        <Location /syncthing/>
                ProxyPassReverse https://127.0.0.1:8080/
                #Require all granted
                Allow from all
        </Location>
        ServerName servername
</VirtualHost>

In fact this is working, but I am asking for security reasons…

(forgive me if all these sound like “apache stuff”)

I’m not an Apache master, but it looks like that would work (and do what it’s supposed to).

You should also disable SSLv3, which is considered insecure.

Using the Mozilla SSL Config Generator is a good start for secure TLS.
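A hardened version of the port-443 setup from the second post, as an added example that is not from this thread or from the Syncthing project: it applies the advice above to drop SSLv3, adds a plain-HTTP redirect so http://server-ip/syncthing/ ends up on HTTPS, and sends HSTS. It assumes Apache 2.4 (hence Require instead of Allow), the Syncthing GUI serving HTTPS on 127.0.0.1:8080, and a "Listen 80" already present in the main httpd.conf; the host name and file paths are placeholders.

```apache
# Added example (not from the thread). Assumes Apache 2.4 with mod_ssl,
# mod_proxy, mod_proxy_http, mod_alias and mod_headers loaded, the Syncthing
# GUI serving HTTPS on 127.0.0.1:8080, and "Listen 80" already present in
# the main httpd.conf. Host name and file paths are placeholders.
Listen 443

# Port 80: never serve the GUI in the clear, just send the browser to HTTPS.
# Redirect keeps the path, so http://host/syncthing/ lands on https://host/syncthing/.
<VirtualHost *:80>
    ServerName syncthing.example.internal
    Redirect permanent / https://syncthing.example.internal/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName syncthing.example.internal
    ErrorLog /var/log/httpd/syncthing-error_log
    TransferLog /var/log/httpd/syncthing-access_log

    SSLEngine on
    # Weak (as posted): SSLProtocol all -SSLv2   -- still offers SSLv3
    # Hardened: drop SSLv3 as well; take the cipher list from the
    # Mozilla SSL Config Generator rather than picking it by hand.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/syncthing.example.internal.crt
    SSLCertificateKeyFile /etc/pki/tls/private/syncthing.example.internal.key

    # Once HTTPS works, tell browsers to stay on it for this host.
    Header always set Strict-Transport-Security "max-age=31536000"

    # Second leg, Apache -> Syncthing, stays HTTPS as in the thread. The GUI's
    # self-signed certificate is not verified here; that hop is loopback-only.
    SSLProxyEngine on
    # Reverse proxy only; never let Apache act as an open forward proxy.
    ProxyRequests off
    ProxyPass        /syncthing/ https://127.0.0.1:8080/
    ProxyPassReverse /syncthing/ https://127.0.0.1:8080/

    <Location /syncthing/>
        # Apache 2.4 syntax; on 2.2 this is "Order allow,deny" + "Allow from all"
        Require all granted
    </Location>
</VirtualHost>
```

After restarting Apache, the GUI should only be reachable as https://syncthing.example.internal/syncthing/ with the browser's lock indicator shown, and a plain-HTTP request to the same path should answer with a redirect rather than the GUI itself.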

Thank you all for the tips!

If you’re interested in security, as well as ease of use and lightweightness, give Hiawatha a go.

More info: