Reverse proxy configuration

This was the smoking gun for me. Thanks for sharing.

In case someone is using Apache 2.4 (sudo apt info apache2) as the reverse proxy:

What needs to be done from the standpoint of apache2:
if a request comes in, forward it to octoprint using an https 443 tcp/ip connection to the octoprint web server (tornado?) and use the response to create a response for the client with a valid ssl/tls certificate using the 443 tcp/ip connection to the client browser.

Below is the config file that does this for an octoprint raspberry pi with the static ipv4 192.168.2.11 and a domain name of "example.com" for which a valid wildcard certificate exists on the apache server box.

<VirtualHost *:*>
        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

<VirtualHost *:80>
        ServerName octoprint.example.com
        Redirect permanent / https://octoprint.example.com/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>       
        SSLProxyEngine          on

        SSLProxyVerify          none
        SSLProxyCheckPeerCN     off
        SSLProxyCheckPeerName   off
        SSLProxyCheckPeerExpire off

        SSLEngine               on

        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder     off
        SSLCompression          off
        SSLSessionTickets       on
        SSLUseStapling          off
        SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem

        Protocols               h2 http/1.1
        ProxyPreserveHost       Off
        ProxyPass               / https://192.168.2.11:443/
        ProxyPassReverse        / https://192.168.2.11:443/

        ServerName              octoprint.example.com

        ErrorLog                ${APACHE_LOG_DIR}.octoprint.example.com.error.log
        CustomLog               ${APACHE_LOG_DIR}.octoprint.example.com.access.log common

</VirtualHost>
</IfModule>

NOTE

if you instead try to upgrade 80 to 443 and using rewrite for ws, you will encounter issues with csrf_token which will be set as csrf_token_80.