
HTTPS configuration for simultaneous access over LAN and Internet.

Posted on 2012-08-25
Last Modified: 2012-08-30
How to configure SSL/HTTPS for LAN as well as Public IP without showing certificate error?

Web server: Apache 2.2.22
0
Question by:dev_meddiff
3 Comments

Expert Comment

by:SebastianAbbinanti
ID: 38333120
Great question. If you are using Active Directory and integrated DNS, it's very easy.

First, make sure you have a signed certificate from a trusted authority with the FQDN.

In DNS, create a new forward lookup zone with the exact FQDN of your server (internet facing just like your certificate).

Then create an A record, leave the hostname blank, and enter the internal IP address of the server.

Now when you access the server, use the FQDN on the LAN or the WAN. Since the certificate will match the web address, no certificate error!

Thanks,
S.
0

Accepted Solution

by:
Dave Howe earned 1500 total points
ID: 38340863
*or* be aware that modern certificates can have more than one name in them!

The system is called "Subject Alternative Name" and is used for (for example) Exchange servers, which often have to support multiple names.

Another solution is to note that often an internal host will have an "RFC 1918" address (like 10.x or 192.168.x) and use a router to "translate" that to an internet-facing IP address. If that is true, then the same router can *also* translate 443 to (say) 8443; once that is done, you can have one Apache listener (on 8443) with the outside name, and one on 443 with the certificate containing the inside name. As a bonus, you can then have two different logs, with "internet" traffic logged separately from "lan", and even slightly different sites (with additional features, such as phpmyadmin, exposed only to internal users).
0
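
Dave Howe's two-listener layout, written out as an Apache 2.2 mod_ssl configuration. This is an added example, not part of the original thread; the hostnames, file paths, address ranges and the router rule forwarding public 443 to port 8443 on this host are assumptions.

```apache
# Added example for Apache 2.2.x + mod_ssl. Hostnames, paths, address ranges
# and the router rule (public 443 -> this host, port 8443) are assumptions.
Listen 443
Listen 8443

# LAN clients connect straight to 443 and get the certificate for the inside name.
<VirtualHost *:443>
    ServerName intranet.example.lan
    DocumentRoot /var/www/site

    SSLEngine on
    # Must be issued by a CA the LAN clients already trust.
    SSLCertificateFile    /etc/apache2/ssl/intranet.example.lan.crt
    SSLCertificateKeyFile /etc/apache2/ssl/intranet.example.lan.key

    # "combined" is the LogFormat nickname defined in the stock httpd.conf.
    CustomLog /var/log/apache2/lan_ssl_access.log combined
    ErrorLog  /var/log/apache2/lan_ssl_error.log

    # Internal-only feature, limited to RFC 1918 sources (2.2 access syntax).
    Alias /phpmyadmin /usr/share/phpmyadmin
    <Directory /usr/share/phpmyadmin>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8 192.168.0.0/16
    </Directory>
</VirtualHost>

# Internet clients arrive via the router's 443 -> 8443 translation and get
# the certificate for the outside name.
<VirtualHost *:8443>
    ServerName www.example.com
    DocumentRoot /var/www/site

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/www.example.com.key
    SSLCertificateChainFile /etc/apache2/ssl/ca-chain.crt

    CustomLog /var/log/apache2/internet_ssl_access.log combined
    ErrorLog  /var/log/apache2/internet_ssl_error.log

    # Refuse the internal-only path here even if a global Alias exposes it.
    <Location /phpmyadmin>
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
```

The router should forward nothing to port 443 on this host, so that the address-based restriction in the LAN virtual host only ever sees genuine internal sources. LAN clients can still reach port 8443 directly, which is why the internal-only path is denied explicitly in that virtual host.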

Expert Comment

by:arober11
ID: 38343962
Alternatively:

1) If your website server and office LAN share the same gateway (router) to the outside world, and it supports a hairpin NAT rule, you could simply add a rule to permit bodies on the LAN to use the external hostname, e.g. http://wiki.mikrotik.com/wiki/Hairpin_NAT

2) Depending on how you handle the HTTP <-> HTTPS redirection, obtain a second signed SSL certificate for the internal name, and add a new name-based Virtual Host definition to your Apache httpd.conf, and include the new certificate.
0
