Solved

Apache to forward/rewrite port 443/https/SSL to another server on the network

Posted on 2008-10-08
Last Modified: 2012-08-13
We have a server running on the outside and a webserver on the inside network that hosts a single e-commerce website (Interchange). Currently I am using a RewriteRule in a virtual host entry to push the domain to the correct server and this works great.

My issue is that https doesn't work because the forward I set up is only for port 80.
I'm not able to add a listen to port 443 in the httpd.conf because SSL is already listening to that port. I changed the port to 444 in the ssl.conf and tried to listen to port 443 within my httpd.conf; however, I wasn't able to get any of my rewrites to work and I know there has to be a better way to do this.

What is the correct way to push https data from a specific domain to another server through Apache? Is this possible to do within a virtual host entry in httpd.conf?
Question by:BlakeEM
 
LVL 4

Expert Comment

by:urgoll
ID: 22675459
Hello,

I'm not sure I understand completely your current setup and what you want to achieve. If you could post the relevant portions of your Apache configuration, it would definitely help clear things up.

Specifically, are you trying to forward from the internal server to the external one or the other way around? And by forward, do you mean redirect (HTTP 302) or proxy requests?

By internal network and external network, are those two separate physical servers, or just two network interfaces on a single server?

I will try to help as much as I can, but I need more information.

Regards,
Christophe
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 22676588
I also have some difficulty understanding your problem.

Facts are:
  - you can redirect to multiple other servers on whatever port you like
  - only one process (your web server) can listen on one port per IP, usually
  - apache can be configured with ip-based and name-based virtual hosts
  - you can have only one name-based SSL (virtual hosted) web server
0
 

Author Comment

by:BlakeEM
ID: 22680080
I read over it and I thought it was clear that there are 2 servers. One has 2 adapters and is also used as a firewall. It has one adapter with an outside address and the other on the inside.
I then have another separate server running Interchange/apache with only an inside address (not accessible from the outside) that I need to hand off all the https traffic to.
Currently I pass http traffic using this

<VirtualHost *:80>
    ServerName gourmetculinary.com
    ServerAlias www.gourmetculinary.com

    RewriteEngine     On
    RewriteRule       ^(.*)$       http://10.0.1.106:80$1  [P]
</VirtualHost>

I just need to know how to create a virtualhost entry that will pass https traffic this same way. I tried doing it as I have read in various places but nothing seemed to work.

Also, would I need to disable or change ports for ssl on the firewall/outside server so it doesn't interfere with the forward?
0
 
LVL 4

Expert Comment

by:urgoll
ID: 22680509
First of all, your current proxying would be better achieved by replacing your two rewrite lines with:

ProxyPass / http://10.0.1.106:80/
ProxyPassReverse / http://10.0.1.106:80/

The first line does the same thing as your RewriteRule, but the second line is specific to reverse-proxying (what you are doing) and adjusts the content of the server responses to avoid bypassing the proxy.

Refer to Apache's mod_proxy for additional description:
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypassreverse

In your original post, you mentioned that your external server already listens on port 443 - is that related to your current endeavor, or is it for another purpose ? There are several ways what you want can be done, but one is to make another virtualhost on your external server listen to port 443 with HTTPS and use the same proxypass/proxypassreverse to redirect queries to the internal server.

Your question:
> Also, would I need to disable or change ports for ssl on the firewall/outside server so it doesn't interfere with the forward?

Well, it depends on what the ssl on the outside server currently does.

Regards,
Christophe
0
 

Author Comment

by:BlakeEM
ID: 22680804
The external server listening to port 443 was an issue because it wouldn't allow me to add a listen 443 into the httpd.conf file, at least that is how I was trying to forward the traffic before. The SSL on the outside server currently isn't used for anything so if I have to disable or change the port it's on so that I can push 443 to the inside server then that is fine.

On the inside server https is used to login and do e-commerce stuff.

If I passed the SSL data would this cause issues with my certificates or would it still use the certificate off the inside server that the traffic is passed to?
0
 

Author Comment

by:BlakeEM
ID: 22680856
Oh to add, the outside server runs many websites, so that proxy pass you do wouldn't work because it would pass all port 80 data if I'm reading it correctly. I have tried similar code that specified the domain but I had issues getting it to work at all so I went back to the RewriteRule method because I had no issues with it, at least for port 80.
0
 
LVL 4

Accepted Solution

by:
urgoll earned 250 total points
ID: 22681024
> Oh to add, the outside server runs many websites, so that proxy pass you do wouldn't work because it would pass all port 80 data if I'm reading it correctly. I have tried similar code that specified the domain but I had issues getting it to work at all so I went back to the RewriteRule method because I had no issues with it, at least for port 80.

As long as the ProxyPass statements are inside of your VirtualHost block, they apply only to HTTP requests related to that virtualhost.

> The external server listening to port 443 was an issue because it wouldn't allow me to add a listen 443 into the httpd.conf file, at least that is how I was trying to forward the traffic before. The SSL on the outside server currently isn't used for anything so if I have to disable or change the port it's on so that I can push 443 to the inside server then that is fine.

If you are not using the HTTPS on the outside server, then it should be disabled. That's a basic security rule to have enabled only what you need.

However, if you use Apache to proxy your HTTPS connections from the outside server to the internal one, the SSL certificate used would be the one on the outside server, and traffic between inside and outside server would not be encrypted. If you require encryption between the end-user and the internal server, then you need a TCP-level proxy running on the external host. If you are running Linux, the xinetd daemon is able to do that for you and is fairly easy to set up. Let me know if that's what you have and I'll tell you how to do it.

As ahoffmann mentioned earlier, only one process (your web server) can listen on one port per IP. So you must first disable HTTPS on port 443 on the external server.          
Regards,
Christophe
0
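The HTTPS virtual host described in the answers above, as an added example that is not part of the original thread: TLS terminates on the outside server and requests are reverse-proxied to the inside one. The certificate and CA file paths are placeholders, and the choice between the plain-HTTP and re-encrypted inside hop is an assumption about what the site needs.

```apache
# Added example; not configuration posted by anyone in this thread.
# Needs mod_ssl, mod_proxy and mod_proxy_http loaded on the outside server.

# Exactly one "Listen 443" may exist across httpd.conf and ssl.conf.
# A second one for the same address and port stops Apache from starting
# with "Address already in use", so reuse the one ssl.conf already has.
# Listen 443

<VirtualHost *:443>
    ServerName  gourmetculinary.com
    ServerAlias www.gourmetculinary.com

    # TLS ends here: browsers are shown THIS certificate, not the one
    # installed on the inside server.
    SSLEngine on
    SSLCertificateFile    /path/to/outside-server.crt   # placeholder
    SSLCertificateKeyFile /path/to/outside-server.key   # placeholder

    # Reverse proxy only; do not act as a forward proxy for arbitrary hosts.
    ProxyRequests Off

    # Weak variant: the inside hop is plain HTTP, so logins and order data
    # cross the internal network unencrypted.
    # ProxyPass        / http://10.0.1.106:80/
    # ProxyPassReverse / http://10.0.1.106:80/

    # Stronger variant: re-encrypt the inside hop and verify the backend
    # certificate against a CA file you control.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/internal-ca.crt  # placeholder
    ProxyPass        / https://10.0.1.106:443/
    ProxyPassReverse / https://10.0.1.106:443/
</VirtualHost>
```

Either variant still decrypts traffic on the outside server; only a TCP-level forward of port 443 leaves the TLS session and certificate on the inside server.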
 

Author Comment

by:BlakeEM
ID: 22681764
Ok I got it working by simply forwarding port 443 via the firewall, this seemed the easiest way and worked well once SSL was disabled on the firewall server. This also got around the certificate issue.
0
 
LVL 4

Expert Comment

by:urgoll
ID: 22682375
Well, I'm glad you have a working solution.

Good day,
Christophe
0
