Using Apache as a reverse proxy with SSL (HTTPS) is a popular way to secure and manage traffic between clients and backend servers. Many organizations, including customers of Go4hosting's cloud servers, VPS hosting, and dedicated servers, use Apache as a front-end reverse proxy to handle incoming HTTPS connections and forward traffic to various backend services.
However, one common issue that admins face is the dreaded:
```
400 Bad Request
```
This error can appear after setting up SSL with Apache reverse proxy, even if your backend services are functioning properly. In this knowledgebase article, we'll explain why this happens, how to diagnose it, and most importantly, how to fix it.
What Is a 400 Bad Request Error?
A 400 Bad Request error means that the server (Apache in this case) considers the client's HTTP request malformed or invalid.
Typical causes include:
Corrupted request headers
Unsupported request format
Problems in the reverse proxy configuration
SSL misconfiguration
Large header or cookie sizes exceeding limits
When using Apache as a reverse proxy, it may pass requests to backend services incorrectly if the configuration isn't perfect, resulting in a 400 error from either Apache itself or the backend.
Typical Architecture: Reverse Proxy with SSL
A common architecture looks like this:
```
Client (Browser) -> HTTPS -> Apache Reverse Proxy -> HTTP/HTTPS -> Backend Server
```
Apache terminates SSL and forwards requests to the backend.
Apache may alter or add headers during the proxy process.
If there's any mismatch between client requests and what the backend expects, you can get a 400 error.
Common Causes of 400 Errors with Apache Reverse Proxy & SSL
1. Mismatched or Incomplete SSL Configuration
If your SSL certificate, SSL protocol settings, or VirtualHost configuration is incomplete, clients may send incomplete or malformed requests after SSL negotiation, resulting in 400 errors.
Typical signs:
2. ProxyPass / ProxyPassReverse Mismatch
Incorrect ProxyPass and ProxyPassReverse directives can cause:
This can confuse the backend or cause Apache itself to throw a 400 error.
3. Large Headers (Cookies, Auth Tokens)
Modern web apps often send large Authorization headers or Cookies.
If these headers exceed Apache's default size limits, you'll get a 400 error:
4. HTTP/2 Specific Issues
If Apache is configured for HTTP/2 (via mod_http2) but the backend doesn't support HTTP/2, or if there's an incompatible configuration, malformed requests can result in 400 errors.
5. Redirect Loops or Invalid Redirects
Misconfigured Redirect, RewriteRule, or ProxyPass can create redirect loops, eventually resulting in a 400 error from the client or server.
6. Incomplete ProxySet / ProxyPreserveHost Settings
If you fail to preserve the Host header or other vital headers, the backend may reject the request as invalid.
This often happens when reverse proxying between different domains or from HTTPS to HTTP.
How to Diagnose the Issue
1. Check Apache Logs
Check both:
```
/var/log/apache2/access.log
/var/log/apache2/error.log
```
Look for:
2. Test Without SSL
Temporarily test the reverse proxy with plain HTTP:
```apache
ProxyPass / http://backend.example.com/
ProxyPassReverse / http://backend.example.com/
```
If the 400 error disappears on HTTP but appears with HTTPS, it points to an SSL or protocol negotiation issue.
3. Use curl to Simulate Requests
Example:
```bash
curl -v https://yourdomain.com/somepage
```
Look at the output:
Is the connection established?
Does the server return 400 right away?
Are large cookies or headers being sent?
How to Fix It
1. Verify SSL Configuration
Ensure your SSL VirtualHost is correct:
```apache
<VirtualHost *:443>
    ServerName yourdomain.com
    # Terminate TLS at Apache
    SSLEngine on
    SSLCertificateFile /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    # Forward decrypted requests to the backend
    ProxyPass / http://backend.example.com/
    ProxyPassReverse / http://backend.example.com/
</VirtualHost>
```
Also ensure:
```apache
# Note: this still allows TLS 1.0 and 1.1; append -TLSv1 -TLSv1.1 to disable them.
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
```
Test using:
```bash
openssl s_client -connect yourdomain.com:443
```
2. Use ProxyPreserveHost
If your backend expects the original Host header:
```apache
ProxyPreserveHost On
```
Without this, the backend may reject requests because it sees an unfamiliar Host header.
3. Increase Header and Field Sizes
If your app sends large cookies or tokens, increase Apache's limits:
```apache
LimitRequestFieldSize 65536
LimitRequestLine 16384
```
Set these in /etc/apache2/conf-available/security.conf or in your VirtualHost.
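Before raising the limits, it helps to measure which part of a captured request is actually too large, so the limit is raised only as far as the application needs. The following is an added example, not part of the original article: `audit_request` and `smallest_field_limit` are hypothetical helper names, the sample request is constructed, and the per-line size check is an approximation of how httpd counts a header field.

```python
# Added example; defaults are Apache httpd's documented values.
APACHE_DEFAULTS = {
    "LimitRequestLine": 8190,
    "LimitRequestFieldSize": 8190,
    "LimitRequestFields": 100,
}


def audit_request(raw: bytes, limits=None):
    """Return (directive, what, size, limit) for each part of a raw
    HTTP/1.1 request head that exceeds the given limits."""
    limits = {**APACHE_DEFAULTS, **(limits or {})}
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request_line, fields = lines[0], lines[1:]
    findings = []
    if len(request_line) > limits["LimitRequestLine"]:
        findings.append(("LimitRequestLine", "request line",
                         len(request_line), limits["LimitRequestLine"]))
    for line in fields:
        # Approximation: count the whole field line (name, colon, value).
        if len(line) > limits["LimitRequestFieldSize"]:
            name = line.split(b":", 1)[0].decode("latin-1")
            findings.append(("LimitRequestFieldSize", name,
                             len(line), limits["LimitRequestFieldSize"]))
    if len(fields) > limits["LimitRequestFields"]:
        findings.append(("LimitRequestFields", "field count",
                         len(fields), limits["LimitRequestFields"]))
    return findings


def smallest_field_limit(raw: bytes, headroom: float = 1.25) -> int:
    """Suggest a LimitRequestFieldSize that fits the largest field plus
    headroom, never below the default."""
    fields = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
    largest = max((len(f) for f in fields), default=0)
    return max(APACHE_DEFAULTS["LimitRequestFieldSize"], int(largest * headroom))


# Constructed sample: a 9000-byte session cookie and a small bearer token.
SAMPLE = (b"GET /somepage HTTP/1.1\r\n"
          b"Host: yourdomain.com\r\n"
          b"Authorization: Bearer " + b"t" * 200 + b"\r\n"
          b"Cookie: session=" + b"c" * 9000 + b"\r\n\r\n")

if __name__ == "__main__":
    for directive, what, size, limit in audit_request(SAMPLE):
        print(f"{what}: {size} bytes exceeds {directive} {limit}")
    print("suggested LimitRequestFieldSize:", smallest_field_limit(SAMPLE))
```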
4. Handle Large Request Headers with mod_http2
If using HTTP/2, ensure you configure:
```apache
Protocols h2 http/1.1
H2MaxRequestHeaders 1000
```
Test by disabling HTTP/2 temporarily:
```apache
Protocols http/1.1
```
If the 400 error disappears, you may need to tune your mod_http2 settings.
5. Correct ProxyPass and ProxyPassReverse
Always ensure ProxyPass and ProxyPassReverse match the scheme (HTTP or HTTPS) used by the backend:
```apache
# Required by mod_ssl when the backend URL uses https://
SSLProxyEngine On
ProxyPass / https://backend.example.com/
ProxyPassReverse / https://backend.example.com/
```
Mixing HTTP and HTTPS in these can confuse the proxy layer.
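The checks from fixes 2 and 5 can be run against a VirtualHost file before reloading Apache. The following is an added example, not part of the original article: `parse_directives` and `lint_proxy` are hypothetical helper names, both configurations are constructed, and the `SSLProxyEngine` rule reflects Apache's requirement for proxying to an https:// backend.

```python
import re

# Added example; the rules mirror the fixes described in this article.
DIRECTIVE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")


def parse_directives(conf: str):
    """Collect (name, [args]) per directive line; comments and
    <Section> tags do not match the pattern and are skipped."""
    out = []
    for line in conf.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            args = [a.strip('"') for a in m.group(2).split()]
            out.append((m.group(1).lower(), args))
    return out


def lint_proxy(conf: str):
    """Return warnings for the proxy misconfigurations listed above."""
    d = parse_directives(conf)
    passes = {a[0]: a[1] for n, a in d if n == "proxypass" and len(a) >= 2}
    reverses = {a[0]: a[1] for n, a in d
                if n == "proxypassreverse" and len(a) >= 2}
    on = {n for n, a in d if a and a[0].lower() == "on"}
    warnings = []
    for path, target in passes.items():
        if target == "!":  # exclusion rule, nothing is proxied
            continue
        if reverses.get(path) != target:
            warnings.append(f"{path}: ProxyPass {target} vs "
                            f"ProxyPassReverse {reverses.get(path)}")
        if target.startswith("https://") and "sslproxyengine" not in on:
            warnings.append(f"{path}: https backend needs SSLProxyEngine On")
    if passes and "proxypreservehost" not in on:
        warnings.append("ProxyPreserveHost is not On")  # advisory
    return warnings


# Constructed configurations for the demonstration.
BROKEN = """
<VirtualHost *:443>
    SSLEngine on
    ProxyPass / https://backend.example.com/
    ProxyPassReverse / http://backend.example.com/
</VirtualHost>
"""
FIXED = BROKEN.replace("http://", "https://").replace(
    "SSLEngine on", "SSLEngine on\n    SSLProxyEngine On\n    ProxyPreserveHost On")

if __name__ == "__main__":
    print("\n".join(lint_proxy(BROKEN)) or "no findings")
```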
6. Check Backend Logs
If Apache is forwarding requests but still gets a 400 response from the backend:
Check backend application logs (e.g., Nginx, Tomcat, Node.js).
Look for rejected requests due to header mismatch or cookie size.
Example: Working Reverse Proxy + SSL VirtualHost
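```apache
<VirtualHost *:443>
    ServerName www.example.com
    # Terminate TLS at Apache
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/privkey.pem
    # Pass the original Host header through and act only as a reverse proxy
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    # Allow large cookies and tokens
    LimitRequestFieldSize 65536
    LimitRequestLine 16384
</VirtualHost>
```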
Final Checklist
| Problem | Solution |
| --- | --- |
| Immediate 400 on SSL | Check SSL config, test with curl |
| Large cookies or tokens | Increase LimitRequestFieldSize |
| Wrong Host header | Add ProxyPreserveHost On |
| Mismatched scheme | Match ProxyPass & ProxyPassReverse with backend scheme |
| HTTP/2 issues | Test with HTTP/1.1, tune mod_http2 |
| Redirect loops | Review RewriteRules and Redirects |
Conclusion
Setting up Apache Reverse Proxy with SSL is a powerful technique for securing and scaling your web services on Go4hosting Cloud. However, a misconfiguration can easily trigger 400 Bad Request errors.
Key takeaways:
Test your proxy config carefully with curl and browser tools.
Match ProxyPass and ProxyPassReverse exactly.
Tune header sizes for modern apps with large cookies and tokens.
Consider using ProxyPreserveHost On when appropriate.
Carefully tune HTTP/2 settings if using mod_http2.