Solved

Apache to forward/rewrite port 443/https/SSL to another server on the network

Posted on 2008-10-08
Last Modified: 2012-08-13
We have a server running on the outside and a webserver on the inside network that hosts a single e-commerce website (Interchange). Currently I am using a RewriteRule in a virtual host entry to push the domain to the correct server and this works great.

My issue is that https doesn't work because the forward I set up is only for port 80.
I'm not able to add a listen to port 443 in the httpd.conf because SSL is already listening to that port. I changed the port to 444 in the ssl.conf and tried to listen to port 443 within my httpd.conf however I wasn't able to get any of my rewrites to work and I know there has to be a better way to do this.

What is the correct way to push https data from a specific domain to another server through Apache? Is this possible to do within a virtual host entry in httpd.conf?
Question by:BlakeEM
9 Comments
 
LVL 4

Expert Comment

by:urgoll
ID: 22675459
Hello,

I'm not sure I understand completely your current setup and what you want to achieve. If you could post the relevant portions of your Apache configuration, it would definitely help clear things up.

Specifically, are you trying to forward from the internal server to the external one or the other way around? And by forward, do you mean redirect (HTTP 302) or proxy requests?

By internal network and external network, are those two separate physical servers, or just two network interfaces on a single server?

I will try to help as much as I can, but I need more information.

Regards,
Christophe
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22676588
I also have some difficulty understanding your problem.

Facts are:
  - you can redirect to multiple other servers on whatever port you like
  - only one process (your web server) can listen on one port per IP, usually
  - apache can be configured with ip-based and name-based virtual hosts
  - you can have only one name-based SSL (virtual hosted) web server
0
 

Author Comment

by:BlakeEM
ID: 22680080
I read over it and I thought it was clear that there are 2 servers. One has 2 adapters and is also used as a firewall. It has one adapter with an outside address and the other on the inside.
I then have another separate server running Interchange/apache with only an inside address (not accessible from the outside) that I need to hand off all the https traffic to.
Currently I pass http traffic using this

<VirtualHost *:80>
    ServerName gourmetculinary.com
    ServerAlias www.gourmetculinary.com

    RewriteEngine     On
    RewriteRule       ^(.*)$       http://10.0.1.106:80$1  [P]
</VirtualHost>

I just need to know how to create a virtualhost entry that will pass https traffic this same way. I tried doing it as I have read in various places but nothing seemed to work.

Also, would I need to disable or change ports for ssl on the firewall/outside server so it doesn't interfere with the forward?
0
 
LVL 4

Expert Comment

by:urgoll
ID: 22680509
First of all, your current proxying would be better achieved by replacing your two rewrite lines with:

ProxyPass / http://10.0.1.106:80/
ProxyPassReverse / http://10.0.1.106:80/

The first line does the same thing as your RewriteRule, but the second line is specific to reverse-proxying (what you are doing) and adjusts the content of the server responses to avoid bypassing the proxy.

Refer to Apache's mod_proxy for additional description:
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypassreverse

In your original post, you mentioned that your external server already listens on port 443 - is that related to your current endeavor, or is it for another purpose? There are several ways what you want can be done, but one is to make another virtualhost on your external server listen to port 443 with HTTPS and use the same proxypass/proxypassreverse to redirect queries to the internal server.

Your question:
> Also, would I need to disable or change ports for ssl on the firewall/outside server so it doesn't interfere with the forward?

Well, it depends on what the ssl on the outside server currently does.

Regards,
Christophe
0
 

Author Comment

by:BlakeEM
ID: 22680804
The external server listening to port 443 was an issue because it wouldn't allow me to add a listen 443 into the httpd.conf file, at least that is how I was trying to forward the traffic before. The SSL on the outside server currently isn't used for anything so if I have to disable or change the port it's on so that I can push 443 to the inside server then that is fine.

On the inside server https is used to login and do e-commerce stuff.

If I passed the SSL data would this cause issues with my certificates or would it still use the certificate off the inside server that the traffic is passed to?
0
 

Author Comment

by:BlakeEM
ID: 22680856
Oh to add, the outside server runs many websites, so that proxy pass you do wouldn't work because it would pass all port 80 data if I'm reading it correctly. I have tried similar code that specified the domain but I had issues getting it to work at all so I went back to the RewriteRule method because I had no issues with it, at least for port 80.
0
 
LVL 4

Accepted Solution

by:
urgoll earned 1000 total points
ID: 22681024
> Oh to add, the outside server runs many websites, so that proxy pass you do wouldn't work because it would pass all port 80 data if I'm reading it correctly. I have tried similar code that specified the domain but I had issues getting it to work at all so I went back to the RewriteRule method because I had no issues with it, at least for port 80.

As long as the ProxyPass statements are inside of your VirtualHost block, they apply only to HTTP requests related to that virtualhost.

> The external server listening to port 443 was an issue because it wouldn't allow me to add a listen 443 into the httpd.conf file, at least that is how I was trying to forward the traffic before. The SSL on the outside server currently isn't used for anything so if I have to disable or change the port it's on so that I can push 443 to the inside server than that is fine.

If you are not using the HTTPS on the outside server, then it should be disabled. That's a basic security rule to have enabled only what you need.

However, if you use Apache to proxy your HTTPS connections from the outside server to the internal one, the SSL certificate used would be the one on the outside server, and traffic between inside and outside server would not be encrypted. If you require encryption between the end-user and the internal server, then you need a TCP-level proxy running on the external host. If you are running Linux, the xinetd daemon is able to do that for you and is fairly easy to set up. Let me know if that's what you have and I'll tell you how to do it.

As ahoffmann mentioned earlier, only one process (your web server) can listen on one port per IP. So you must first disable HTTPS on port 443 on the external server.

Regards,
Christophe
0
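
The HTTPS virtual host described in the answer above, written out as an added example (not configuration posted by anyone in the thread). The certificate and CA paths are placeholders, and the sketch assumes this block replaces the unused default SSL virtual host on the outside server, so that it is the only SSL virtual host on port 443.

```apache
# ssl.conf already contains "Listen 443"; a second Listen for the same
# port in httpd.conf makes Apache refuse to start, so none is added here.

<VirtualHost *:443>
    ServerName  gourmetculinary.com
    ServerAlias www.gourmetculinary.com

    # TLS from the browser ends on this server, so the certificate the
    # visitor sees is this one (placeholder paths), not the one installed
    # on the inside server.
    SSLEngine             on
    SSLCertificateFile    /path/to/gourmetculinary.com.crt
    SSLCertificateKeyFile /path/to/gourmetculinary.com.key

    # Reverse proxy only: never relay requests for arbitrary URLs.
    ProxyRequests Off

    # Option A: plain HTTP on the inside leg. Logins and order data then
    # cross the internal network unencrypted.
    # ProxyPass        / http://10.0.1.106:80/
    # ProxyPassReverse / http://10.0.1.106:80/

    # Option B: re-encrypt the inside leg and require the backend
    # certificate to chain to a CA you trust (placeholder CA file).
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCACertificateFile /path/to/internal-ca.crt
    ProxyPass        / https://10.0.1.106:443/
    ProxyPassReverse / https://10.0.1.106:443/
</VirtualHost>
```

Either option means the outside server holds the private key for the site's certificate and sees decrypted traffic; forwarding TCP port 443 at the firewall instead leaves TLS end to end on the inside server.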
 

Author Comment

by:BlakeEM
ID: 22681764
Ok I got it working by simply forwarding port 443 via the firewall, this seemed the easiest way and worked well once SSL was disabled on the firewall server. This also got around the certificate issue.
0
 
LVL 4

Expert Comment

by:urgoll
ID: 22682375
Well, I'm glad you have a working solution.

Good day,
Christophe
0
