
Subdomain and reverse proxy configuration #164

Open · wants to merge 4 commits into base: main

Conversation

miguelgfierro (Owner) commented Mar 19, 2024

@miguelgfierro (Owner Author)

Error:

[Tue Mar 19 21:54:21.317114 2024] [proxy:error] [pid 14863] [client 79.116.249.194:60989] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://letters.miguelgfierro.com/
[Tue Mar 19 21:54:21.317124 2024] [proxy_http:error] [pid 14863] [client 79.116.249.194:60989] AH01097: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com) from 79.116.249.194 (), referer: https://letters.miguelgfierro.com/

I tried to verify connectivity from your Apache server to the remote server (miguelgfierro.substack.com), with openssl s_client -connect miguelgfierro.substack.com:443. I get:

$ openssl s_client -connect miguelgfierro.substack.com:443
CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = substack.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = substack.com
   i:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
 1 s:C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = substack.com

issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2598 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D0100AA4FA37BB9804FDFCD230E23CFCC00A6B0A6C14C8B10816CFCD521B80C2
    Session-ID-ctx:
    Resumption PSK: 695173F635405A88E3034B6BE8AF64204372478DC3C5B59C21453A82D5FF81B366286C24120FCC1604164C75EC50B0C0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - d7 9a fd eb 1e 39 b1 2c-cb 96 5a 95 22 7c 5d 11   .....9.,..Z."|].
    0010 - 16 0b 2f 4a eb 0b a9 66-10 e1 38 b7 c3 dc cd 71   ../J...f..8....q
    0020 - 97 07 65 39 e1 6f 0d 43-e1 c5 ca d2 80 a7 d8 9b   ..e9.o.C........
    0030 - 8a cf 54 41 1c 59 d7 47-71 ae fc 98 0a 92 0c 50   ..TA.Y.Gq......P
    0040 - 0c c3 75 4d 5b 7e b7 29-b5 05 4b 8e a2 9f 29 2b   ..uM[~.)..K...)+
    0050 - e8 c6 88 3b 46 6d 48 63-ba af 01 d6 f7 4d fa ca   ...;FmHc.....M..
    0060 - c2 d5 bd cb 5a b8 e5 b7-26 96 20 f9 c5 2a a4 3d   ....Z...&. ..*.=
    0070 - 90 ba 44 2d ce b1 af 08-aa 96 13 75 b1 a6 a9 b8   ..D-.......u....
    0080 - da 6a c3 a6 b3 6c 1c 8c-ec 02 bb d1 4f b7 5d 67   .j...l......O.]g
    0090 - c1 b9 14 47 9c 55 e9 b9-3c 37 f8 af 80 11 e0 57   ...G.U..<7.....W
    00a0 - 5b 07 17 08 38 86 31 d9-98 8b 13 ea ae b6 ec 20   [...8.1........
    00b0 - 99 69 1a 6c 6f d4 31 b7-e9 5d ac 4a 9a 9d ee 56   .i.lo.1..].J...V

    Start Time: 1711126120
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: CB889E58A8C0606869A29963E75B8C9F833B56CDA6D60D9CD1E22244D9A85EA1
    Session-ID-ctx:
    Resumption PSK: 01571F7C5FC3C65A9A397F0AA20612ED1911CDC1F58851C46185BEE6E1D56D287C60363A9A2893A19DFC23C1451AA41F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - d7 9a fd eb 1e 39 b1 2c-cb 96 5a 95 22 7c 5d 11   .....9.,..Z."|].
    0010 - ad a0 ea cc 08 cf 15 25-8b 59 0f df 4f d0 06 f6   .......%.Y..O...
    0020 - 42 1d 36 33 ab 3b 2c 0f-73 3e b2 39 44 43 84 56   B.63.;,.s>.9DC.V
    0030 - f6 af cc af a9 0d f5 da-fd fb 9d cb 13 e8 dd 9f   ................
    0040 - 9e 63 51 64 c4 6f ee 75-db 63 db b5 bf a0 a4 32   .cQd.o.u.c.....2
    0050 - a5 5d 1d 75 cb c4 dc 5e-2b 3c 51 33 cc 6f d2 fa   .].u...^+<Q3.o..
    0060 - fd d5 4e bd f6 84 ab 25-ae 72 a4 45 db 60 a9 6b   ..N....%.r.E.`.k
    0070 - 43 94 cb 5a 56 e8 8a 4e-7b 82 64 9f 42 23 9d 11   C..ZV..N{.d.B#..
    0080 - 70 0a 77 5d 1a 68 fe 2c-d1 e0 3d 2d f1 b5 3b fe   p.w].h.,..=-..;.
    0090 - b4 2b d6 03 01 2c 8b fc-9d 37 71 1e f1 bf 61 81   .+...,...7q...a.
    00a0 - fe ad e6 8d 3d 3e 99 af-04 be 78 8f 16 d5 77 d5   ....=>....x...w.
    00b0 - 5d 74 f7 de 85 a3 4b 14-2c 48 46 30 b2 f3 93 36   ]t....K.,HF0...6

    Start Time: 1711126120
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

The output from openssl s_client indicates a successful SSL handshake with miguelgfierro.substack.com. The verification was successful, and the connection was established. However, the connection was closed immediately after the handshake without any further communication.

This behavior suggests that the server is terminating the connection abruptly after the handshake. Possible reasons for this behavior could include:

Server-Side Configuration: The server might be configured to only accept connections from specific clients or user agents. It's possible that the server is rejecting the connection for some reason.

Load Balancer or Firewall: If there is a load balancer or firewall in front of the server, it might be terminating connections or blocking certain requests.

Network Issues: There could be network issues causing the connection to be terminated unexpectedly.

@miguelgfierro (Owner Author) commented Mar 22, 2024

I was not able to fix it after trying this configuration and variants:

# Reverse proxy
# Opening tag matching the </IfModule> at the end of the snippet
# (mod_ssl.c is the conventional module name used in default-ssl.conf)
<IfModule mod_ssl.c>
<VirtualHost *:443>

    # Server name
    ServerName letters.miguelgfierro.com

    # SSL directives and certificates
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/letters.miguelgfierro.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/letters.miguelgfierro.com/privkey.pem

    # Proxy configuration for letters.miguelgfierro.com...
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass "/" "https://miguelgfierro.substack.com/"
    ProxyPassReverse "/" "https://miguelgfierro.substack.com/"

    # Additional proxy settings
    ProxyRequests Off
    ProxyTimeout 600
    SSLProxyCheckPeerCN Off

    # Rewrite URLs to preserve letters.miguelgfierro.com in the browser address bar
#    RewriteEngine On
#    RewriteCond %{HTTP_HOST} ^letters\.miguelgfierro\.com$ [NC]
#    RewriteRule ^/(.*)$ "https://miguelgfierro.substack.com/$1" [P,L]

    # Log files
    ErrorLog /var/log/apache2/reverse_proxy.error.log
    CustomLog /var/log/apache2/reverse_proxy.access.log combined

</VirtualHost>

</IfModule>

I get the error:

[Fri Mar 22 17:01:44.402952 2024] [proxy:error] [pid 8835] (20014)Internal error (specific information not available): [client 79.116.249.194:61220] AH01084: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com), referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:44.403025 2024] [proxy:error] [pid 8835] [client 79.116.249.194:61220] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:44.403032 2024] [proxy_http:error] [pid 8835] [client 79.116.249.194:61220] AH01097: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com) from 79.116.249.194 (), referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:46.996489 2024] [proxy:error] [pid 8836] (20014)Internal error (specific information not available): [client 79.116.249.194:61222] AH01084: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com)
[Fri Mar 22 17:01:46.996604 2024] [proxy:error] [pid 8836] [client 79.116.249.194:61222] AH00898: Error during SSL Handshake with remote server returned by /
[Fri Mar 22 17:01:46.996609 2024] [proxy_http:error] [pid 8836] [client 79.116.249.194:61222] AH01097: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com) from 79.116.249.194 ()
[Fri Mar 22 17:01:47.186021 2024] [proxy:error] [pid 8822] (20014)Internal error (specific information not available): [client 79.116.249.194:61223] AH01084: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com), referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:47.186081 2024] [proxy:error] [pid 8822] [client 79.116.249.194:61223] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:47.186086 2024] [proxy_http:error] [pid 8822] [client 79.116.249.194:61223] AH01097: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com) from 79.116.249.194 (), referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:47.246403 2024] [proxy:error] [pid 8821] (20014)Internal error (specific information not available): [client 79.116.249.194:61224] AH01084: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com), referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:47.246472 2024] [proxy:error] [pid 8821] [client 79.116.249.194:61224] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:47.246483 2024] [proxy_http:error] [pid 8821] [client 79.116.249.194:61224] AH01097: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com) from 79.116.249.194 (), referer: https://letters.miguelgfierro.com/

Details and tests: https://chat.openai.com/c/911f4946-2bf4-4533-ba7e-bc3ad4eee326
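The twelve error lines above repeat the same three-code pattern (AH01084, AH00898, AH01097) for every client connection, which is the signal that the proxy is failing at the TLS layer on every upstream attempt rather than intermittently. The script below is an added example, not code from this repository: it parses Apache mod_proxy error-log lines into structured records and groups them per client connection, so a run over a larger log tells you which backends fail at the handshake and for which paths. The embedded sample lines are copied from the comment above; the field names in the returned report are my own choice.

```python
"""Triage Apache mod_proxy error-log lines for upstream TLS handshake failures."""
import re
from collections import defaultdict

# Sample input: six lines from the error log quoted in this thread (two client
# connections, three log lines each).
SAMPLE_LOG = """\
[Fri Mar 22 17:01:44.402952 2024] [proxy:error] [pid 8835] (20014)Internal error (specific information not available): [client 79.116.249.194:61220] AH01084: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com), referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:44.403025 2024] [proxy:error] [pid 8835] [client 79.116.249.194:61220] AH00898: Error during SSL Handshake with remote server returned by /favicon.ico, referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:44.403032 2024] [proxy_http:error] [pid 8835] [client 79.116.249.194:61220] AH01097: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com) from 79.116.249.194 (), referer: https://letters.miguelgfierro.com/
[Fri Mar 22 17:01:46.996489 2024] [proxy:error] [pid 8836] (20014)Internal error (specific information not available): [client 79.116.249.194:61222] AH01084: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com)
[Fri Mar 22 17:01:46.996604 2024] [proxy:error] [pid 8836] [client 79.116.249.194:61222] AH00898: Error during SSL Handshake with remote server returned by /
[Fri Mar 22 17:01:46.996609 2024] [proxy_http:error] [pid 8836] [client 79.116.249.194:61222] AH01097: pass request body failed to 172.64.154.11:443 (miguelgfierro.substack.com) from 79.116.249.194 ()
"""

# Apache 2.4 error-log layout: [timestamp] [module:level] [pid N] (errno)text: [client ip:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] \[pid (?P<pid>\d+)\] "
    r"(?:\((?P<errno>\d+)\)(?P<errtext>[^:]*): )?"
    r"\[client (?P<client>[^\]]+)\] (?P<code>AH\d{5}): (?P<msg>.*)$"
)
BACKEND_RE = re.compile(r"failed to (?P<ip>[\d.]+):(?P<port>\d+) \((?P<host>[^)]+)\)")
PATH_RE = re.compile(r"returned by (?P<path>\S+?)(?:,|$)")
REFERER_RE = re.compile(r", referer: (?P<referer>\S+)$")


def parse_line(line):
    """Return a dict for one error-log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    b = BACKEND_RE.search(msg)
    rec["backend"] = b.group("host") if b else None
    rec["backend_addr"] = f"{b.group('ip')}:{b.group('port')}" if b else None
    p = PATH_RE.search(msg)
    rec["path"] = p.group("path") if p else None
    r = REFERER_RE.search(msg)
    rec["referer"] = r.group("referer") if r else None
    return rec


def parse_log(text):
    """Parse every recognised line of an error log."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def triage(records):
    """Group records per client connection and report where the upstream fails.

    A connection counts as a handshake failure when AH00898 appears in it; a
    body-forward failure (AH01084/AH01097) with no AH00898 means the failure is
    past the TLS layer, which flips tls_layer_only to False.
    """
    by_conn = defaultdict(list)
    for rec in records:
        by_conn[rec["client"]].append(rec)
    report = {"connections": len(by_conn), "handshake_failures": defaultdict(int),
              "paths": set(), "tls_layer_only": True}
    for recs in by_conn.values():
        codes = {r["code"] for r in recs}
        # AH00898 itself does not name the backend; take it from a sibling line
        backend = next((r["backend"] for r in recs if r["backend"]), None)
        if "AH00898" in codes:
            report["handshake_failures"][backend] += 1
            report["paths"].update(r["path"] for r in recs if r["path"])
        elif codes & {"AH01084", "AH01097"}:
            report["tls_layer_only"] = False
    report["handshake_failures"] = dict(report["handshake_failures"])
    return report


if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```

Run against the real file with `triage(parse_log(open("/var/log/apache2/reverse_proxy.error.log").read()))`; a report with `tls_layer_only` True and every failure on one backend points at the proxy-to-backend TLS setup (SNI, protocol, cipher) rather than at the request body or the network.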

@miguelgfierro (Owner Author) commented Mar 22, 2024

I tried:

SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

but still got an error.

Then I tried SSLProxyCipherSuite HIGH:!aNULL:!MD5 and same error.

I tried:

<VirtualHost *:443>
    ServerName letters.miguelgfierro.com

    # SSL directives and certificates
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/letters.miguelgfierro.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/letters.miguelgfierro.com/privkey.pem

    # Proxy configuration for letters.miguelgfierro.com
    SSLProxyEngine On

    # Exclude the root path from proxying
    ProxyPassMatch ^/$ !
    ProxyPassMatch ^/(.*)$ https://topmate.io/miguelgfierro/$1
    ProxyPassReverse / https://topmate.io/miguelgfierro/

    # Additional proxy settings
    # ProxyRequests Off
    # ProxyTimeout 600
    # SSLProxyCheckPeerCN Off

    # Log files
    ErrorLog /var/log/apache2/reverse_proxy.error.log
    CustomLog /var/log/apache2/reverse_proxy.access.log combined
</VirtualHost>

The page https://letters.miguelgfierro.com/ is blank. If I look at the JS console errors, I get: Refused to apply style from 'https://letters.miguelgfierro.com/_next/static/css/07aba7a2f352fb1a.css' because its MIME type ('text/html') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
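Every variant in this thread turns upstream certificate checking further off (SSLProxyCheckPeerCN Off, then SSLProxyVerify none with SSLProxyCheckPeerName and SSLProxyCheckPeerExpire off). That cannot fix a handshake that fails before any certificate is examined, and it leaves the proxy willing to relay visitor traffic to whatever answers on 172.64.154.11:443, so the proxy would no longer notice a redirected or intercepted backend. The vhost below is an added example, not the repository's configuration. It keeps verification on (the CA bundle path is an assumption; Debian and Ubuntu ship it at /etc/ssl/certs/ca-certificates.crt) and leaves ProxyPreserveHost at its default of Off. The reason for the second change is an assumption about the cause of AH00898: with ProxyPreserveHost On, mod_proxy forwards the visitor's Host header, letters.miguelgfierro.com, and mod_ssl sends that same name as SNI on the backend connection; a Cloudflare-fronted origin aborts the handshake for an SNI name it does not serve. The openssl s_client test earlier in the thread succeeded because it sent miguelgfierro.substack.com as SNI.

```apache
# Added example vhost (not the repository's own config). Assumes mod_ssl,
# mod_proxy and mod_proxy_http are loaded and the Let's Encrypt paths used
# elsewhere in this thread.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName letters.miguelgfierro.com

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/letters.miguelgfierro.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/letters.miguelgfierro.com/privkey.pem

    # --- Weak form (what the thread tried): the backend certificate is not
    # checked at all, so any server reachable at the backend address is
    # accepted, and the handshake failure is not addressed anyway.
    # SSLProxyVerify none
    # SSLProxyCheckPeerCN off
    # SSLProxyCheckPeerName off
    # SSLProxyCheckPeerExpire off
    # ProxyPreserveHost On

    # --- Hardened form: verify the backend against the system CA bundle
    # (path assumed) and check that the certificate matches the backend name.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    SSLProxyProtocol -all +TLSv1.2 +TLSv1.3

    # Off (the default) sends Host: miguelgfierro.substack.com and that same
    # name as SNI. On would send letters.miguelgfierro.com for both, which is
    # the assumed trigger for AH00898 against a Cloudflare-fronted backend.
    ProxyPreserveHost Off
    ProxyRequests Off
    ProxyTimeout 600

    ProxyPass        "/" "https://miguelgfierro.substack.com/"
    ProxyPassReverse "/" "https://miguelgfierro.substack.com/"

    ErrorLog /var/log/apache2/reverse_proxy.error.log
    CustomLog /var/log/apache2/reverse_proxy.access.log combined
</VirtualHost>
</IfModule>
```

After reloading Apache, a single request with `curl -I https://letters.miguelgfierro.com/` should no longer produce AH00898 in reverse_proxy.error.log; if AH00898 persists with ProxyPreserveHost Off, the SNI assumption above is wrong and the next thing to compare is the cipher and protocol list the proxy offers against what the openssl s_client run negotiated (TLSv1.3, TLS_AES_256_GCM_SHA384).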
