
503 proxy error and unable to establish SSL connection

I have a docker container running on my server. It's running an instance of collabora/code if that matters. I have an external subdomain that does a reverse proxy to the container URL but I'm getting a 503. Digging a little deeper, it seems I'm getting an "Unable to establish SSL connection" error. I'm running out of things to check on my own, hoping someone can advise...

$ wget -O - https://office.mydomain.com/hosting/discovery > /dev/null 
--2019-01-15 22:40:29--  https://office.mydomain.com/hosting/discovery
Resolving office.mydomain.com (office.mydomain.com)... 5.28.62.38
Connecting to office.mydomain.com (office.mydomain.com)|5.28.62.38|:443... connected.
HTTP request sent, awaiting response... 502 Proxy Error
2019-01-15 22:40:31 ERROR 502: Proxy Error.

So proxy error. Now I’m looking at the virtual host file, I can see where it’s trying to reverse proxy to:

<VirtualHost *:443>
ServerName office.mydomain.com:443

# SSL configuration, you may want to take the easy route instead and use Lets Encrypt!
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/office.mydomain.com/fullchain.pem
SSLCertificateChainFile /etc/letsencrypt/live/office.mydomain.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/office.mydomain.com/privkey.pem

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on

# Encoded slashes need to be allowed
AllowEncodedSlashes NoDecode

# Container uses a unique non-signed certificate
SSLProxyEngine On
SSLProxyVerify None
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# keep the host
ProxyPreserveHost On

# static html, js, images, etc. served from loolwsd
# loleaflet is the client part of LibreOffice Online
ProxyPass           /loleaflet https://127.0.0.1:9980/loleaflet retry=0
ProxyPassReverse    /loleaflet https://127.0.0.1:9980/loleaflet

# WOPI discovery URL
ProxyPass           /hosting/discovery https://127.0.0.1:9980/hosting/discovery retry=0
ProxyPassReverse    /hosting/discovery https://127.0.0.1:9980/hosting/discovery

# Main websocket
ProxyPassMatch "/lool/(.*)/ws$" wss://127.0.0.1:9980/lool/$1/ws nocanon

# Admin Console websocket
ProxyPass   /lool/adminws wss://127.0.0.1:9980/lool/adminws

# Download as, Fullscreen presentation and Image upload operations
ProxyPass           /lool https://127.0.0.1:9980/lool
ProxyPassReverse    /lool https://127.0.0.1:9980/lool
</VirtualHost>

So (SSH into that server to run locally) I’m trying to send a request to the reverse proxy destination, cutting out the proxy:

$ wget -O - https://127.0.0.1:9980/hosting/discovery > /dev/null 
--2019-01-15 22:20:25--  https://127.0.0.1:9980/hosting/discovery
Connecting to 127.0.0.1:9980... connected.
Unable to establish SSL connection.

So there is a problem with my SSL connection? The keys do exist and I've used Let's Encrypt for this and other sites that work fine over HTTPS.

More info if it helps:

$ sudo netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      15179/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      29677/redis-server
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      19278/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      29538/master
tcp        0      0 127.0.0.1:9980          0.0.0.0:*               LISTEN      27082/docker-proxy
tcp6       0      0 :::80                   :::*                    LISTEN      1011/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      19278/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      29538/master
tcp6       0      0 :::443                  :::*                    LISTEN      1011/apache2

$ sudo docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                      NAMES
c714e3b8883d        collabora/code      "/bin/sh -c 'bash st…"   24 hours ago        Up 2 minutes        127.0.0.1:9980->9980/tcp   vibrant_haibt

Is there anything I might have done wrong in my virtual host setup? Anything else I ought to be checking? UFW, etc?

UPDATE

Curl with HTTPS:

$ curl -v https://127.0.0.1:9980/hosting/discovery
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9980 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 599 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: The TLS connection was non-properly terminated.
* Closing connection 0
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

And without:

$ curl -v http://127.0.0.1:9980/hosting/discovery
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 9980 (#0)
> GET /hosting/discovery HTTP/1.1
> Host: 127.0.0.1:9980
> User-Agent: curl/7.47.0
> Accept: */*
> 
* Empty reply from server
* Connection #0 to host 127.0.0.1 left intact
curl: (52) Empty reply from server
      • 1
    • tcp6 0 0 :::80 :::* LISTEN 7489/apache2 looks a bit weird - you have an apache that is only listening for ipv6 connections on port 80? docker-proxy is the thing listening on 9880...
      • 2
    • It's also listening on 443, I've updated the full output. Sorry I was trying to keep it short, but didn't realise I'd cut another port Apache was listening to.

It seems that the docker container does not listen for HTTPS connections. Try switching the proxy configs to http and see if you are going to get a response.

Also you can verify locally if you do curl to the docker container over HTTP. *Edit:

Can you provide the verbose curl output for the docker instance?

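The two curl tests from the question, combined into one probe (an added example, not code from the original posts): it reports whether the backend port completes a TLS handshake, answers plaintext HTTP, or accepts the connection and answers neither, which is what the curl output above shows for 127.0.0.1:9980. The names `probe_backend` and `proxy_schemes` are illustrative.

```python
import socket
import ssl

# Illustrative helper names (probe_backend, proxy_schemes); not from the page.
# Backend scheme pairs (HTTP, websocket) for the vhost's ProxyPass lines.
SCHEMES = {"tls": ("https://", "wss://"), "http": ("http://", "ws://")}


def probe_backend(host, port, path="/hosting/discovery", timeout=3.0):
    """Return 'refused', 'tls', 'http' or 'no-reply' for a proxy backend."""
    # Step 1: TLS handshake with verification off, matching SSLProxyVerify None.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"  # no listener accepted the TCP connection
    try:
        with ctx.wrap_socket(raw):
            return "tls"  # handshake completed: backend speaks TLS
    except OSError:  # ssl.SSLError, resets and timeouts are all OSError
        raw.close()

    # Step 2: plaintext HTTP on a fresh connection.
    request = f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request.encode("ascii"))
            status = s.makefile("rb").readline()
    except OSError:
        status = b""
    # Accepting TCP but answering neither protocol is the "Empty reply" case.
    return "http" if status.startswith(b"HTTP/") else "no-reply"


def proxy_schemes(result):
    """Schemes to use in ProxyPass, or None when changing the scheme cannot help."""
    return SCHEMES.get(result)


if __name__ == "__main__":
    outcome = probe_backend("127.0.0.1", 9980)
    print(outcome, proxy_schemes(outcome))
```

A `no-reply` result means the proxy will keep returning an error whichever scheme the `ProxyPass` lines use, because the service behind the published port is not answering at all.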
