Apache2 reverse proxy issue


in my environment i have two servers, an apache2 reverse proxy and the univention corporate server.
My problem is that if i go to subdomain its forwarded correctly to the univention server cause i see sub.domain.com/univention/portal/ in address bar but i see nothing else. Maybe there is something missing in my configuration.

Here is my apache2 reverse proxy configuration:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName sub.domain.com

        #DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        # LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Include /etc/letsencrypt/options-ssl-apache.conf

        SSLProxyEngine On
        ProxyPass "/" ""
        ProxyPassReverse "/" ""
        SSLProxyCheckPeerName Off
        SSLProxyCheckPeerExpire Off

        <IfModule mod_headers.c>
                Header set Referrer-Policy "no-referrer"

SSLCertificateFile /etc/letsencrypt/live/domain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain/privkey.pem

If i go to directly everything works. The univention server has a selfsigned certificate.
Thanks for help.

That is probably the issue. I would recommend to proxy to the plain http port instead.

If you still want to proxy to the https port, then you need to make sure that the certificate is trusted by your reverse proxy.

PS: if the other system is really just a reverse proxy, then I would recommend looking at something else than Apache as well. There are so many nice webservers that could be used instead and some even automatically take care of getting ssl certificates, like Caddy for example.

Thank you for your answer.
I added the parameter SSLProxyVerify none to the reverse proxy config so that apache doesn’t care about self signed certificates.

The second thing i have done is to set kopano as the landing page with ucr set apache2/startsite=webapp/. Now when i visit sub.domain.com i see the login screen from kopano but if i klick login i got an timeout. Seems for me there is a wrong configuration on the univention site.

Do you have an idea?

Just be aware that a connection that accepts any ssl certificate is practically as insecure as a plain http connection.

Where do you get a timeout? What exactly does the message say? What does the webserver log (frontend and backend) at the time?

I type my fqdn in browser and get forwarded to the kopano login screen at /webapp/. Then i type in my credentials. I see the kopano wallpaper with blue ink but nothing more. It keeps loading and loading. In webbrowser console i see these messages after a while:

ux-all.js:1 Failed to load resource: net::ERR_CONNECTION_RESET
breeze-icons.css:1 Failed to load resource: net::ERR_CONNECTION_RESET
index.php:1 Failed to load resource: net::ERR_CONNECTION_RESET
background.jpg:1 Failed to load resource: net::ERR_CONNECTION_RESET
tinymce.min.js:1 Failed to load resource: net::ERR_CONNECTION_RESET
ext-base-all.js:1 Failed to load resource: net::ERR_CONNECTION_RESET
extjs-mod-debug.js:2 Uncaught ReferenceError: Ext is not defined
    at extjs-mod-debug.js:2
    at extjs-mod-debug.js:1
(anonymous) @ extjs-mod-debug.js:1
(anonymous) @ extjs-mod-debug.js:1
ux-thirdparty-debug.js:40 Uncaught ReferenceError: Ext is not defined
    at ux-thirdparty-debug.js:40
(anonymous) @ ux-thirdparty-debug.js:40

This happens only if i connect over the reverse proxy. Direct access works.
I have looked at the access.log/error.log of univention and proxy server but i don’t see any error related. Where can i see the frontend log?

There are some hints in regards to the above message in https://stackoverflow.com/a/53864679.

Finally i have found the right parameter. In the vhost configuration on the proxy server i added the following line:

AddOutputFilterByType DEFLATE application/x-javascript

Now it’s working. Thank you for pointing me in the right direction.