Reverse proxy configuration

This was the smoking gun for me. Thanks for sharing.

In case someone is using Apache 2.4 (sudo apt info apache2) as the reverse proxy:

What needs to be done from the standpoint of apache2:
if a request comes in, forward it to octoprint using an https 443 tcp/ip connection to the octoprint web server (tornado?) and use the response to create a response for the client with a valid ssl/tls certificate using the 443 tcp/ip connection to the client browser.

Below is the config file that does this for an octoprint raspberry pi with the static ipv4 and a domain name of "" for which a valid wildcard certificate exists on the apache server box.

<VirtualHost *:*>
        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}

<VirtualHost *:80>
        Redirect permanent /

<IfModule mod_ssl.c>
<VirtualHost *:443>       
        SSLProxyEngine          on

        SSLProxyVerify          none
        SSLProxyCheckPeerCN     off
        SSLProxyCheckPeerName   off
        SSLProxyCheckPeerExpire off

        SSLEngine               on

        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder     off
        SSLCompression          off
        SSLSessionTickets       on
        SSLUseStapling          off
        SSLCertificateFile      /etc/letsencrypt/live/
        SSLCertificateKeyFile   /etc/letsencrypt/live/

        Protocols               h2 http/1.1
        ProxyPreserveHost       Off
        ProxyPass               /
        ProxyPassReverse        /


        ErrorLog                ${APACHE_LOG_DIR}
        CustomLog               ${APACHE_LOG_DIR} common



if you instead try to upgrade 80 to 443 and using rewrite for ws, you will encounter issues with csrf_token which will be set as csrf_token_80.