• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 540
  • Last Modified:

HTTPS configuration for simultaneous access over LAN and Internet.

How to configure SSL/HTTPS for LAN as well as Public IP without showing certificate error?

Web server: Apache 2.2.22
0
dev_meddiff
Asked:
dev_meddiff
1 Solution
 
SebastianAbbinantiCommented:
Great question. If you are using active directory and integrated DNS its very easy.

First, make sure you have a signed certificate from a trusted authority with the FQDN.

In DNS, create a new forward lookup zone with the exact FQDN of your server (internet facing just like your certificate).

Then create an a record, level the hostname blank, and enter the internal IP address of the server.

Now when you access the server, use the FQDN on the LAN or the WAN. Since the certificate will match the web address, no certificate error!

Thanks,
S.
0
 
Dave HoweSoftware and Hardware EngineerCommented:
*or* be aware that modern certificates can have more than one name in them!

the system is called "Subject Alternative Name" and is used for (for example) exchange servers who often have to support multiple names.

another solution is to note that often an internal host will have an "rfc 1918" address (like 10.x or 192.168.x) and use a router to "translate" that to an internet-facing IP address. if that is true, then the same router can *also* translate 443 to (say) 8443; once that is done, you can have one apache listener (on 8443) with the outside name, and one on 443 with the certificate containing the inside name. as a bonus, you can then have two different logs, with "internet" traffic logged separately from "lan", and even slightly different sites (with additional features, such as phpmyadmin, exposed only to internal users)
0
 
arober11Commented:
Alternatively:

1) If your website server and office LAN share the same gateway (router) to the outside world, and it supports a hairpin NAT rule you could simply add a rule to permit bodies on the LAN to use the external hostname e.g. http://wiki.mikrotik.com/wiki/Hairpin_NAT

2) Depending on how you handle the http <-> https redirection, obtain a second signed SSL certificate for the internal name, and add a new name based Virtual Host definition to your apache httpd.conf, and include the new certificate.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now