Redirect app to a site that uses HTTPS with a self-signed certificate: Error 400

My YunoHost server

Hardware: VPS Server (hetzner)
YunoHost version: 11.2.4 (stable)
I have access to my server: through SSH and through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance? No

Description of my issue

I am running Kasm on a machine on my home network, which I forwarded to port 1234 (made up) on my YunoHost server with an SSH tunnel (sidedoor). Kasm by default uses a self-signed TLS certificate. I used the redirect app to proxy mymachine:1234 to (both made up). I got a Let’s Encrypt cert for . When I try to access , I get the error message
“400 Bad Request The plain HTTP request was sent to HTTPS port”.

Then yes, it looks like the reverse proxy happens in HTTP only (which is expected, because usually you don’t need HTTPS for local-only traffic), but your app listening on port 1234 expects HTTPS traffic … IMHO you should disable HTTPS on that app listening on port 1234.

I have looked through the documentation for Kasm and it doesn’t seem to be possible to deactivate HTTPS for kasm-web.

I have found this example configuration for running Kasm behind a reverse proxy though, if it helps in any way. Thanks for your help.

server {
     listen 443 ssl;
     ssl_certificate /etc/nginx/ssl/nginx.crt;
     ssl_certificate_key /etc/nginx/ssl/nginx.key;

     location / {
         # The following configurations must be configured when proxying to Kasm Workspaces

         # WebSocket Support
         proxy_set_header        Upgrade $http_upgrade;
         proxy_set_header        Connection "upgrade";

         # Host and X headers
         proxy_set_header        Host $host;
         proxy_set_header        X-Real-IP $remote_addr;
         proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header        X-Forwarded-Proto $scheme;

         # Connectivity Options
         proxy_http_version      1.1;
         proxy_read_timeout      1800s;
         proxy_send_timeout      1800s;
         proxy_connect_timeout   1800s;
         proxy_buffering         off;

         # Allow large requests to support file uploads to sessions
         client_max_body_size 10M;

         # Proxy to Kasm Workspaces running locally on 8443 using ssl
         proxy_pass ;
     }
}

Then I guess you can tweak the reverse proxy’s nginx config to proxy_pass on https instead of just http, but it’s probably not gonna like it if the app is using a self-signed or invalid certificate. That’s the whole point of reverse-proxying on https: it’s usually pointless, and then it creates unnecessary technical issues.

Like, if you go to a restaurant and order food, the cook and waitress don’t unlock/relock the door between the room and the kitchen with their key every time they go through it; it’s clearly a waste of time and adds basically no security.

Would it help to replace Kasm’s self-signed certificate with the LE certificate for the domain (as described here: Custom Certificates — Kasm 1.14.0 documentation)?

you can tweak the reverse proxy’s nginx config to proxy_pass on https instead of just http

Where do I make this change?

In /etc/nginx/conf.d/yourdomain.tld.d/redirect.conf

Maybe, but then the next issue is “how does it get renewed”

you can tweak the reverse proxy’s nginx config to proxy_pass on https instead of just http

That did indeed do the trick.

For Documentation: What did I do?:

  1. I replaced Kasm’s self-signed certificates with the Let’s Encrypt certs from the server (they can be found in /etc/yunohost/certs/), following the instructions in the Kasm documentation: Custom Certificates — Kasm 1.14.0 documentation
  2. I edited the line proxy_pass; in etc/nginx/conf.d/ proxy_pass;

I am fully aware that this is very hacky and that I need to manually transfer the LE certs over to the local machine each time they are renewed, but for now it works.

Thanks @Aleks for your help!
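Two points in this thread invite a worked example: Aleks’s suggestion to switch the redirect app’s proxy_pass from http to https, and the renewal problem that comes with copying the Let’s Encrypt certificate onto the Kasm box. The script below is an added example, not the redirect app’s generated config and not anything from the thread or the Kasm docs. It keeps Kasm’s own self-signed certificate and has nginx verify it against a pinned copy, so nothing has to be re-copied when the Let’s Encrypt certificate renews. Every concrete value in it is an assumption for illustration: the backend address 127.0.0.1:1234 (the local end of the SSH tunnel), the pin file /etc/nginx/ssl/kasm-selfsigned.crt, the domain kasm.example.org, and the name kasm.home, which has to match the CN or SAN inside Kasm’s certificate. The location block only covers the proxy directives; keep whatever else the redirect app put in its redirect.conf.

```shell
#!/bin/sh
# Added example (not the YunoHost redirect app's template): proxy a domain to
# an HTTPS backend with a self-signed certificate and make nginx *verify* that
# certificate against a pinned copy instead of silently accepting anything.
# All hostnames, ports and paths below are assumptions for illustration.
set -eu

# Fetch the backend's current certificate through the (SSH-authenticated)
# tunnel and store it as the trust anchor for this upstream. Because it is
# self-signed, the cert is its own CA, so a single pinned file is enough.
fetch_backend_cert() { # fetch_backend_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
    chmod 0644 "$3"
}

# Print the location block for /etc/nginx/conf.d/<domain>.d/redirect.conf.
# The heredoc is unquoted so $1..$4 expand; nginx's own $variables are escaped.
render_redirect_conf() { # render_redirect_conf HOST PORT PINFILE SSL_NAME
    cat <<EOF
location / {
    # TLS to the backend: this is what cures
    # "400 Bad Request: The plain HTTP request was sent to HTTPS port".
    proxy_pass https://$1:$2;

    # Verify the backend's self-signed cert against the pinned copy.
    # nginx defaults to proxy_ssl_verify off, i.e. no verification at all.
    # proxy_ssl_name must match the CN/SAN inside that certificate.
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        1;
    proxy_ssl_trusted_certificate $3;
    proxy_ssl_name                $4;
    proxy_ssl_server_name         on;
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;

    # WebSocket support, which Kasm sessions need
    proxy_http_version 1.1;
    proxy_set_header Upgrade    \$http_upgrade;
    proxy_set_header Connection "upgrade";

    # Client identity, and the fact that the outer hop was HTTPS
    proxy_set_header Host              \$host;
    proxy_set_header X-Real-IP         \$remote_addr;
    proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;

    # Long-lived sessions and uploads into them
    proxy_read_timeout   1800s;
    proxy_send_timeout   1800s;
    proxy_buffering      off;
    client_max_body_size 10M;
}
EOF
}

# Pin the cert, write the config, syntax-check it, reload. Run as root on the
# YunoHost server.
apply() { # apply DOMAIN HOST PORT PINFILE SSL_NAME
    conf="/etc/nginx/conf.d/$1.d/redirect.conf"
    mkdir -p "$(dirname "$4")"
    fetch_backend_cert "$2" "$3" "$4"
    render_redirect_conf "$2" "$3" "$4" "$5" > "$conf"
    nginx -t && systemctl reload nginx
}

# Example invocation with the assumed values. Check the name in the pinned
# cert first with:
#   openssl x509 -in /etc/nginx/ssl/kasm-selfsigned.crt -noout -subject -ext subjectAltName
# then:
#   sh pin-kasm.sh --apply kasm.example.org 127.0.0.1 1234 \
#       /etc/nginx/ssl/kasm-selfsigned.crt kasm.home
if [ "${1:-}" = "--apply" ]; then
    shift
    apply "$@"
fi
```

Worth knowing before relying on this: nginx does not verify upstream certificates unless proxy_ssl_verify is switched on (its default is off), so a bare proxy_pass https://… accepts whatever certificate the backend presents, self-signed or not. Here the upstream hop runs inside an SSH tunnel that is already authenticated, which is why Aleks’s point about TLS to localhost adding little holds; if you keep TLS on that hop anyway, pinning the certificate at least makes the verification mean something. The pinned file only needs refreshing if Kasm regenerates its own certificate, not when YunoHost renews the Let’s Encrypt one.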
