How can I reverse proxy FBox?


I am running FBox inside Virtualbox, it all works. Now I want to proxy web services via Apache running on the host.

I have setup a subdomain for it, obtained LE certs in the host machine and added the lines below to dedicated vhost.

I am also running it under NAT network in Virtualbox so I forwarded :80 as 30080 to the host therefor you see these lines

  ProxyPass /
  ProxyPassReverse /
  RequestHeader set X-Forwarded-Proto "https"

It does not work. I am wondering if such setup is possible? I alsready have a webserver running so my 443 and 80 are already taken. That is why I am trying to proxy it.


Any recommendations?

Looking at this setup, I understand why you want to use FreedomBox with HTTP only. My solution in the other thread should do that job.

So, I don’t see major issues with why this setup would not work. I tried this and it work as follows:

On Host machine:

$ apt install apache2
$ a2enmod http
$ a2enmod http_proxy
$ a2enmod headers
$ cat /etc/apache2/conf-available/proxy.conf
ProxyPass /
ProxyPassReverse /
RequestHeader set X-Forwarded-Proto "https"
ProxyPreserveHost on
$ a2enconf proxy
$ systemctl restart apache2

On FreedomBox:

$ a2dissite plinth-ssl
$ systemctl apache2 restart
$ vi /etc/plinth/plinth.conf (Set use_x_forwarded_host = False)
$ systemctl restart plinth

On browser:



I haven’t evaluated the security implications of setting use_x_forwarded_host = False. So, do your own research on that.


Thanks for the reply. Well I have some progress but hitting this issue when I try to login (which I was not even able to load the login page whatsoever before)

Forbidden (403)

CSRF verification failed. Request aborted.

Would you please try setting ProxyPreserveHost yes in both Apache configurations? For FreedomBox it should be in /etc/apache2/sites-enabled/plinth.conf, I think.


Thanks for the help, so far that works. I think this should be in the official wiki, I am pretty sure many people might want to proxy it.

If you are interested to contribute this piece to the official wiki, please feel free to edit the page /FreedomBox/Hardware/VirtualBox. Someone can always review the changes.

Ditto, but I didn’t want my existing webserver to do the ssl handoff, i.e. I wanted Lets Encrypt to just work on both my webserver and freedombox independently. It turns out this is called “SNI pass through” and is deceptively simple with nginx-full on debian:


stream {
        map_hash_bucket_size 64;
        map $ssl_preread_server_name $name {
                default                 localhost;

        server {
                ssl_preread on;        
                resolver localhost;    
                proxy_pass $name:443;  

Literally the only change I had to make to my existing webserver config was to change listen 443 ssl lines to not bind to the external ip: listen localhost:443 ssl.