SSL via proxy to site

I’m using Virtualmin to proxy to a web app, Taiga, and am wondering how to get the Let’s Encrypt SSL forwarded so I can access the page outside the network.

The Taiga Guide is here.
https://docs.taiga.io/setup-production.html#start-and-expose

When trying to use the page I get,

Proxy Error

The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server

The web app is hosted on an nginx server in an LXC container using this code as taiga.conf.
Proxying is passing to the IP of the service, https://192.168.1.5/

server {
    listen 80 default_server;
    server_name _;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 default_server;
    server_name _; # See Server names

    large_client_header_buffers 4 32k;
    client_max_body_size 50M;
    charset utf-8;

    access_log /home/taiga/logs/nginx.access.log;
    error_log /home/taiga/logs/nginx.error.log;

    # Frontend
    location / {
        root /home/taiga/taiga-front-dist/dist/;
        try_files $uri $uri/ /index.html;
    }

    # Backend
    location /api {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001/api;
        proxy_redirect off;
    }

    # Admin access (/admin/)
    location /admin {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8001$request_uri;
        proxy_redirect off;
    }

    # Static files
    location /static {
        alias /home/taiga/taiga-back/static;
    }

    # Media
    location /_protected {
        internal;
        alias /home/taiga/taiga-back/media/;
        add_header Content-disposition "attachment";
    }

    # Unprotected section
    location /media/exports {
        alias /home/taiga/taiga-back/media/exports/;
        add_header Content-disposition "attachment";
    }

    location /media {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8003/;
        proxy_redirect off;
    }

    # Events
    location /events {
        proxy_pass http://127.0.0.1:8888/events;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }

    # TLS
    # Configure your TLS following the best practices inside your company

}

I believe I need some extra parameters to pass the Let’s Encrypt through, so how would I do this?

I was using a self-signed certificate in the nginx taiga.conf to set it up internally with this modified code,

server {
    listen 443 SSL default_server;
    server_name _; # See Server names

    ssl_certificate /etc/ssl/certs/localhost.crt;
    ssl_certificate_key /etc/ssl/private/localhost.key;

Tried to generate a Let’s Encrypt certificate while proxied and got this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for admin.projects.drguild.noip.me
http-01 challenge for projects.drguild.noip.me
http-01 challenge for webmail.projects.drguild.noip.me
http-01 challenge for www.projects.drguild.noip.me
Using the webroot path /home/drguild/domains/projects.drguild.noip.me/public_html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. projects.drguild.noip.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://projects.drguild.noip.me/.well-known/acme-challenge/abAzQGPWzWaTXh5gGva5EZojDRcnUafLkT8jJYl4s4o [220.244.244.115]: “\n\n500 Proxy Error\n\n

Proxy Error</h1”, www.projects.drguild.noip.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.projects.drguild.noip.me/.well-known/acme-challenge/ONX2RefrP51js-i8024rWnX3s-Sjf0J-M4GvYFrRZ3I [220.244.244.115]: “\n\n500 Proxy Error\n\n

Proxy Error</h1”, admin.projects.drguild.noip.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://admin.projects.drguild.noip.me/.well-known/acme-challenge/iPVBoVMfBgmKWDaffuif-8I0X5knqdTaMg2ZetuLzmw [220.244.244.115]: “\n\n500 Proxy Error\n\n

Proxy Error</h1”, webmail.projects.drguild.noip.me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://webmail.projects.drguild.noip.me/.well-known/acme-challenge/m9Hl2GV-JIeUBMDa8lb3F-36O_V-AJOBp-ZvgpCuBtE [220.244.244.115]: “\n\n500 Proxy Error\n\n

Proxy Error</h1”
IMPORTANT NOTES:

I’ve gotten as far as reading this, so I need to configure the nginx side to accept the proxy SSL.

Open the Apache website config and add:
ProxyPass /.well-known/acme-challenge/ !
ProxyPassReverse /.well-known/acme-challenge/ !
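Apache-side configuration for the setup in this thread, as an added example that is neither the poster’s Virtualmin config nor Taiga’s own: it keeps the /.well-known/acme-challenge/ exclusion from the post, re-encrypts to the nginx backend at https://192.168.1.5/, and pins the backend’s self-signed certificate instead of switching verification off. The Let’s Encrypt paths and /etc/ssl/certs/taiga-backend.crt (a copy of the backend’s localhost.crt) are assumptions.

```apache
# Port 80: serve the ACME http-01 challenge locally, redirect everything else
<VirtualHost *:80>
    ServerName projects.drguild.noip.me
    DocumentRoot /home/drguild/domains/projects.drguild.noip.me/public_html

    # "!" exclusions must come before any catch-all ProxyPass, otherwise
    # certbot's request is proxied and gets the "500 Proxy Error" from the log
    ProxyPass        /.well-known/acme-challenge/ !
    ProxyPassReverse /.well-known/acme-challenge/ !
    # Redirect to HTTPS except for the challenge path
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)" "https://projects.drguild.noip.me/$1"
</VirtualHost>

<VirtualHost *:443>
    ServerName projects.drguild.noip.me
    DocumentRoot /home/drguild/domains/projects.drguild.noip.me/public_html

    # Public-facing Let's Encrypt certificate (paths assumed)
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/projects.drguild.noip.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/projects.drguild.noip.me/privkey.pem

    ProxyPass        /.well-known/acme-challenge/ !
    ProxyPassReverse /.well-known/acme-challenge/ !

    # Apache must itself speak TLS to the backend; the backend's "listen 443"
    # line needs the "ssl" flag, or the handshake fails as in the post
    SSLProxyEngine on
    # Trust only the backend's own self-signed cert (assumed path) rather than
    # turning verification off, so another LAN host cannot stand in for it
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/taiga-backend.crt
    # The backend cert was issued for "localhost", not 192.168.1.5, so the
    # name checks would reject it. Better: reissue it with the backend IP in
    # its SAN and leave both checks at their default of on.
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off

    # Pass the original Host and scheme so Taiga builds correct https:// URLs
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / https://192.168.1.5/
    ProxyPassReverse / https://192.168.1.5/
</VirtualHost>
```

Check the backend handshake independently of Apache with `openssl s_client -connect 192.168.1.5:443 -tls1_2 -CAfile /etc/ssl/certs/taiga-backend.crt`; a "Verify return code: 0 (ok)" confirms the pin matches before you reload Apache.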

Finally got it working; had to enable nginx to use TLSv1.2 and SSL with self-signed, and now the Let’s Encrypt is being passed through.

Just the start of the config.

server {
    listen 443 ssl default_server;
    server_name _; # See Server names

    ssl_protocols       TLSv1.2;
    ssl_certificate /etc/ssl/certs/localhost.crt;
    ssl_certificate_key /etc/ssl/private/localhost.key;

If anyone wants to double-check if it’s working, my project tracker is here.
Discover projects - Taiga (drguild.noip.me)

Hi, on Apache it is quite simple: your website > ISP > router > to your server; your server goes to the LAN, grabs another server and serves it out as HTTPS with LE via proxy. All you have to do is enable SSL in your domain/subserver via LE and configure proxy pass to use it… I can do this for you if you need.

@unborn , how to configure proxy pass?

I too would like to know, @unborn. Please share with us how you have configured Apache for this.

This subdomain is showing you content from a LAN server, basically another machine on my LAN, https://git.topfreelancer.co.uk; it is a completely separate box from my main server, which normally hosts all websites. I set Virtualmin to get SSL from LE and the rest is via proxy, all on the Apache server. It’s just an example, but it is doable. PM me if you are interested.