Solved

Reverse proxy and self signed SSL Certificate

Posted on 2012-03-12
7
689 Views
Last Modified: 2012-04-06
I am running an internal web server which has the public DNS https://xyz.com
This is accesible via our reverse proxy server (Apache) http://proxyserver.com

I have the problem when external users go to  https://xyz.com, and try to install the self signed cerificate into the trusted root certificates for Internet explorer they are issued with the certifcate from our reverse proxy http://proxyserver.com

I know this works because on my home pc (outside of work, Vista) I am issued with the certificate from https://xyz.com.  

So here are the steps
User uses IE and enters in https://xyz.com, they get a certifcate error, they then click on view certificates and see that the certifcate is for proxyserver.com ,not xyz.com.
Of course when they try to install the certifcate correctly everytime they go to xyz.com they will get the certificate error.
0
Comment
Question by:IandINSW
  • 4
  • 2
7 Comments
 
LVL 12

Expert Comment

by:Amick
ID: 37712057
0
 
LVL 5

Expert Comment

by:ACECORP
ID: 37712076
I believe that the only way you can fix the issue is to modify your architecture.

I would advise the following...

If a user tries to access http://xyz.com the public address for http://xyz.com must be an IP address associated with the apache instance for xyz.com on your reverse proxy server (you will have a ton of them).

When the external user hits that reverse proxy apache site, your reverse proxy server apache site will then execute a re-write rule to re-write your request to the proper internal server inside your network.

The external user's web browser will never see or know about this re-write rule because they are interacting with http://xyz.com on your reverse proxy server. Not with http://myinternalwebsite.local thats inside your network.

The SSL Certificate for xyz.com must sit on the reverse proxy server's apache site for xyz.com
0
 
LVL 1

Author Comment

by:IandINSW
ID: 37712125
The strange thing is I am issued the right certificate on some computers and not on others!!! :(
On one machine using Windows server 2008 R2 IE 9.0 I get the certificate for xyz.com.
On another machine WIn 7 Ultimate IE9.08 they are getting the proxyserver.com certificate.
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 5

Expert Comment

by:ACECORP
ID: 37714840
You may need to trace out the traffic at the packet level using a sniffer to get to the bottom of the situation.
0
 
LVL 1

Author Comment

by:IandINSW
ID: 37718223
Packet sniffer just takes it to another level which will not help me as I can not read or understand the results.  I did find on the IE 9.0 this fixed the problem.  Tools --> Options --> Advanced TAB in the SSL options, I made sure only SSL 3.0 was selected, but on IE 8.0 on the XP machine the problem is still occuring! :(
0
 
LVL 1

Accepted Solution

by:
IandINSW earned 0 total points
ID: 37794199
I found out that on some computers it is an IIE setting for SSL certificates.
Tools --> Internet options --> Advanced TAB, Use SSL3.0 only tick selected and untick Use SSl 2.0. Fixed it on some.
0
 
LVL 1

Author Closing Comment

by:IandINSW
ID: 37815461
I resolved it so only good.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now