Solved

Configuring a https reverse proxy with apache

Posted on 2013-02-07
Last Modified: 2013-03-19
Hi guys,

I have installed a web server with an SSL certificate for test purposes.
The certificate was generated from StartSSL.
The site works if I put it in the DMZ and try to access it from the internet. HTTPS access works too.

Now I want to put a reverse proxy in the DMZ and put the web server in the LAN.

I made some tests without SSL and the reverse proxy works.

But when I try to access https://example.com I get this error:

Internet Explorer ne peut pas afficher cette page Web


On my public DNS zone:

example.com       A       XX.XX.X.XXX
www.example.com CNAME example.com






DNS ZONE 172.16.3.0

Reverse proxy server RVPROXY 172.16.3.10

virtual host on the proxy server

/etc/apache2/sites-available/default-ssl

     
NameVirtualHost *:443
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLProxyEngine on
ProxyRequests off
ProxyVia off
ProxyPreserveHost on

<proxy *>
        Order deny,allow
        Deny from all
        Allow from all
</proxy>

SSLCertificateFile /etc/apache2/ssl/servexample.crt
SSLCertificateKeyFile /etc/apache2/ssl/servexample.key
SSLCACertificateFile /etc/apache2/ssl/ca.cer
ProxyPass / http://10.200.12.10/
ProxyPassReverse / https://10.200.12.10/

</Virtualhost>





SRVWEB


virtual host on the website

/etc/apache2/sites-available/example.https

NameVirtualHost *:443
<VirtualHost *:443>

Servername example.com
DocumentRoot /var/www/example

SSLEngine On
SSLOPtions +FakeBasicAuth


SSLCertificateFile /etc/apache2/ssl/servexample.crt
SSLCertificateKeyFile /etc/apache2/ssl/servexample.key

</VirtualHost>



Must the SSL certificate be present on the reverse proxy and also on the web server?

Thanks for your help
0
Question by:wahrani16
5 Comments
 
LVL 9

Expert Comment

by:oheil
ID: 38863017
I believe that SSL is causing the problems.
http://wiki.apache.org/httpd/NameBasedSSLVHosts

I switched to GnuTLS to allow VirtualHosts for SSL.
http://www.gnutls.org/

I am unsure in your case, as my guess does not really address the reverse proxy setup, but that is what I would look for at first, because your setup works with http but not with https.

Oli
0
 

Author Comment

by:wahrani16
ID: 38863133
Thanks oheil,
But the link http://wiki.apache.org/httpd/NameBasedSSLVHosts is for multiple SSL vhosts on the same IP.
Mine is one ssl vhost only :)
Thank you
0
 
LVL 9

Expert Comment

by:oheil
ID: 38863163
You can check:
Configure your apache without VirtualHost.

If the problem disappears I was right ;-)

Oli
0
 

Author Comment

by:wahrani16
ID: 38863258
Ok I will test without virtual hosts.
Must the certificate for my site www.example.com be present on the proxy server and on the web server?
0
 
LVL 9

Accepted Solution

by:
oheil earned 500 total points
ID: 38863320
If you run a transparent proxy, then only on the web server; if it is non-transparent, then you need two different certificates: the StartSSL one on the proxy, and an internal self-made one on the web server.

But in the case of non-transparency you don't need any SSL between proxy and web server at all if the only access is through the proxy. This might also help in solving the problem. There is no need for encryption between proxy and web server as it is your internal LAN.

I would be glad if some other experts would comment here too; I do not feel comfortable giving advice from afar on these very important security questions.

Oli
0
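
Added example, not part of the original thread and not either poster's configuration: a proxy virtual host covering the two arrangements the accepted answer describes, assuming Apache 2.4 with mod_ssl and mod_proxy_http. The addresses and public certificate paths are those from the question; the internal CA path and an internal certificate issued for example.com are assumptions.

```apache
# RVPROXY (DMZ). Browsers end their TLS session on this host, so the
# public certificate and key for example.com are installed here.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/servexample.crt
    SSLCertificateKeyFile /etc/apache2/ssl/servexample.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests off
    # Pass the original Host header (example.com) to SRVWEB.
    ProxyPreserveHost on

    # --- Variant 1: re-encrypt the hop to SRVWEB and verify its certificate ---
    # SRVWEB presents a certificate signed by an internal CA. The proxy
    # trusts only that CA and refuses the connection if verification fails.
    # Assumed path for the internal CA certificate:
    #   /etc/apache2/ssl/internal-ca.crt
    # Assumed: the internal certificate is issued for example.com, the name
    # the proxy sends to the backend while ProxyPreserveHost is on.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # ProxyPass and ProxyPassReverse name the same backend URL and scheme.
    ProxyPass        / https://10.200.12.10/
    ProxyPassReverse / https://10.200.12.10/

    # --- Variant 2: plain HTTP on the hop to SRVWEB ---
    # Use these two lines instead of the whole Variant 1 block. SRVWEB then
    # needs no certificate and serves example.com from a port 80 vhost.
    # ProxyPass        / http://10.200.12.10/
    # ProxyPassReverse / http://10.200.12.10/
</VirtualHost>
```

In both variants the public certificate lives only on the proxy; with Variant 1 a failed backend verification shows up in the proxy's error log rather than in the browser's certificate dialog.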
