Apache2 Reverse Proxy behind Cloudflare site

I have an Apache2 reverse proxy on my network. This reverse proxy redirects the requests coming from the hostname example.com.

When wanting to add a new domain name, I just create a new vHost and specify the A record on the DNS of the domain to be my public IP, I issue a new SSL certificate with Let’s Encrypt on the reverse proxy and it works perfectly.

But now, I tried using Cloudflare. And problems appeared.

Here’s the content of my example.com.conf on the reverse proxy:

Since I’m a new user, I’m not allowed to post more than two links (and the names in my config file are considered links…). I’ll replace HTTP by “htpp”, HTTPS by “htpps” and the TLD .com with “dotcom”.

###########################################################
#<VirtualHost *:80>
        #ServerName htpp://example.dotcom

        #Redirect / htpps://example.dotcom/
        #RewriteEngine on
        #RewriteCond %{SERVER_NAME} =example.dotcom
        #RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
#</VirtualHost>

<VirtualHost *:443>
        # Proxy
        ServerName example.dotcom

        SSLProxyEngine on
        ProxyPreserveHost on

        # The server here is in my local network, that's why it ends by .net
        ProxyPass / htpp://slvdocsor01.docker.hosting.example.net:8000/
        ProxyPassReverse / htpp://slvdocsor01.docker.hosting.example.net:8000/

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/example.dotcom/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.dotcom/privkey.pem
</VirtualHost>

The Cloudflare panel is configured as “DNS only”.

When accessing the website, it reaches my reverse proxy, but there are two problems:

  • the port 8000 (specified in the ProxyPass) is used in the URL without my wanting it

I tried to turn off the ProxyPreserveHost on directive, and this led me to the CSS not loading because my reverse proxy wanted to access slvdocsor01 with HTTPS (but I specified it as HTTP since there is no HTTPS on this machine).

Why is this happening? I’ve been struggling around for hours now, can someone help me please?

EDIT 1: the security policy for the SSL is set to “Flexible”.

Thanks in advance!

Hi there,

So there are a couple of things here that look somewhat unexpected to me in your Apache configuration – chief among them is that it looks like your server is listening on port 443 – which is normally the port reserved for HTTPS traffic.

If you wish to use the SSL setting of “Flexible” – CF will attempt to connect over port 80 – so your server will need to be listening on this port.

Hope this helps!


Peter, no offence, but Flexible should really not be recommended :wink:

Hi,

Thanks for your precision! I also tried to set up the “Strict” mode with the vHost configuration exactly as specified in my question, but it still does not work.

So, should I set the “Flexible” or the “Strict” mode for my vHost? If I set the “Strict”, what should I change in my vHost?

Flexible should never be chosen as it is insecure and leaves your site on HTTP.

First make sure your setup works overall (also on HTTPS) before doing anything with Cloudflare. Only then add Cloudflare. As long as it is not working on its own, it cannot work with Cloudflare either.
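As an added illustration of what “working on its own, also on HTTPS” looks like for the origin in this thread (example config written for this reply, not the original poster’s file and not a Cloudflare-supplied one): a port 80 vhost that only redirects, and a port 443 vhost with the Let’s Encrypt certificate that proxies to the plain-HTTP backend. The hostnames, backend name and port 8000 are taken from the question and the unobfuscated `http://` / `.com` forms are assumed; the `X-Forwarded-Proto` header is an assumption about what the backend application honours, and `RequestHeader` needs mod_headers.

```apache
# Added example: origin that serves valid HTTPS itself, as Cloudflare "Full (strict)" requires.
# Placeholders: example.com, slvdocsor01.docker.hosting.example.net:8000 (from the question).

<VirtualHost *:80>
    ServerName example.com
    # Nothing is proxied over plain HTTP; every request is sent to HTTPS.
    # The ACME HTTP-01 path is left alone so certificate renewals keep working.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # The backend speaks plain HTTP, so SSLProxyEngine is not needed for this upstream.
    ProxyRequests off
    ProxyPreserveHost on

    # mod_proxy adds X-Forwarded-For/Host/Server but not the scheme; tell the backend
    # the public scheme and port so the links it generates use https:// (assumed header names).
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port "443"

    ProxyPass        / http://slvdocsor01.docker.hosting.example.net:8000/
    ProxyPassReverse / http://slvdocsor01.docker.hosting.example.net:8000/
    # ProxyPassReverse rewrites Location/Content-Location/URI headers only when their value
    # starts with the given URL. A backend that builds redirects from the preserved Host
    # plus its own listen port emits http://example.com:8000/..., which the line above
    # does not match; a second ProxyPassReverse covers that form too.
    ProxyPassReverse / http://example.com:8000/
</VirtualHost>
```

Check this with Cloudflare left on “DNS only”: a request to `http://example.com/` must answer with a redirect to `https://example.com/`, and `https://example.com/` must serve the site with a certificate the client accepts, with no `:8000` in any Location header. Only then switch the Cloudflare SSL mode to Full (strict). With “Flexible”, Cloudflare connects to the origin on port 80 as Peter described, and the redirect in the port 80 vhost would then loop, which is one more reason not to use that mode.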

Hi Sandro,

Thanks for your answer. I’ll set the SSL settings on “Strict”.
I’d really like to test my setup without CF, but my client (I’m doing this for a client) enabled CF for his domain, and he’s pointing a subdomain to my public IP. Afaik, he cannot disable CF for his domain.