sebduggan.uk

Let's Encrypt SSL with Apache reverse proxy

After years of avoiding SSL like the plague, unless the website absolutely, positively demanded it -- due to certificates being both expensive and a nightmare to install/renew -- I've just discovered Let's Encrypt, thanks to the one-click simplicity of adding SSL to this site via the Netlify dashboard...

Within 20 minutes of first having the idea, I had all the (more than 20) sites on my CentOS webserver running over HTTPS -- at no cost.

I won't go into the details of setting it all up here, as it's all covered perfectly well over at Certbot. But I will share the one issue I did have (which added an extra 15 minutes to the setup process).

My sites are powered by Lucee running on Tomcat, served via a reverse proxy (mod_proxy) on an Apache web server. The problem was that the Lucee sites were unaware that they were being served over SSL, and so sites which were set up to redirect to HTTPS -- if not already -- were going into an endless redirect loop.

The solution is simple. There is an HTTP header, X-Forwarded-Proto, which is a de-facto standard for identifying the originating protocol of an HTTP request when routed through a reverse proxy. If you set it in your vhost definitions on SSL sites, most applications should know that they are being served over HTTPS.

The easiest way (if you've used certbot --apache to register and install your certificates) is to edit the file /etc/letsencrypt/options-ssl-apache.conf (location may differ in different flavours of Linux). Simply add the following:

```apache
# ...
# Intermediate configuration, tweak to your needs
RequestHeader set X-Forwarded-Proto "https"
# ...
```

...and restart Apache, and all traffic passing through the proxy on your SSL vhosts will be identified as originating from an HTTPS request.
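
The redirect loop and its fix, modelled as an added example (not code from the original post, from Apache or from Lucee). The backend rule, the vhost mappings and all function names are assumptions. The model goes one step beyond the post by covering a plain-HTTP vhost that also proxies to the backend, where a client-supplied X-Forwarded-Proto passes through unless that vhost sets its own value.

```python
# Model only (not Apache or Lucee code): how X-Forwarded-Proto reaches a
# backend that redirects to HTTPS unless told the request already was HTTPS.
MAX_HOPS = 5  # stand-in for a browser's redirect limit
HDR = "x-forwarded-proto"


def apache_forward(client_headers, directive):
    """Headers the backend receives from one vhost.

    directive models RequestHeader set X-Forwarded-Proto "<value>": 'set'
    replaces any client-supplied value. With directive=None the client's
    own header, if present, is proxied through unchanged.
    """
    headers = {k.lower(): v for k, v in client_headers.items()}
    if directive is not None:
        headers[HDR] = directive
    return headers


def backend(headers):
    """Assumed app rule: redirect to HTTPS unless the header says https."""
    if headers.get(HDR, "http").lower() == "https":
        return 200, None
    return 301, "https"


def browse(scheme, vhosts, client_headers=None):
    """Follow redirects; return (outcome, scheme finally used, redirects)."""
    for hops in range(MAX_HOPS + 1):
        status, target = backend(apache_forward(client_headers or {}, vhosts[scheme]))
        if status == 200:
            return "served", scheme, hops
        scheme = target
    return "redirect loop", scheme, MAX_HOPS


# Constructed vhost setups: scheme -> value set by the vhost (None = no directive)
BEFORE = {"http": None, "https": None}       # the post's starting point
FIXED = {"http": None, "https": "https"}     # the post's fix on SSL vhosts
HARDENED = {"http": "http", "https": "https"}  # port-80 vhost also sets it
SPOOF = {"X-Forwarded-Proto": "https"}       # constructed client header

if __name__ == "__main__":
    print(browse("https", BEFORE))          # loop: backend never sees https
    print(browse("http", FIXED))            # one redirect, then served
    print(browse("http", FIXED, SPOOF))     # served over plain HTTP
    print(browse("http", HARDENED, SPOOF))  # header overwritten, redirected
```

On a port-80 vhost that proxies to the same backend, the matching directive is RequestHeader set X-Forwarded-Proto "http". RequestHeader is provided by mod_headers, so that module must be loaded.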