Solved

Configuring a https reverse proxy with apache

Posted on 2013-02-07
Last Modified: 2013-03-19
Hi guys,

I have installed a web server with an SSL certificate for test purposes.
The certificate was generated from StartSSL.
The site works if I put it in the DMZ and try to access it from the internet. HTTPS access works too.

Now I want to put a reverse proxy in the DMZ and put the web server in the LAN.

I ran some tests without SSL and the reverse proxy works.

But when I try to access https://example.com I get this error:

Internet Explorer ne peut pas afficher cette page Web


In my public DNS zone:

example.com       A       XX.XX.X.XXX
www.example.com CNAME example.com






DNS ZONE 172.16.3.0

Reverse proxy server RVPROXY 172.16.3.10

virtual host on the proxy server

/etc/apache2/sites-available/default-ssl

     
NameVirtualHost *:443
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLProxyEngine on
ProxyRequests off
ProxyVia off
ProxyPreserveHost on

<Proxy *>
        Order deny,allow
        Deny from all
        Allow from all
</Proxy>

SSLCertificateFile /etc/apache2/ssl/servexample.crt
SSLCertificateKeyFile /etc/apache2/ssl/servexample.key
SSLCACertificateFile /etc/apache2/ssl/ca.cer
ProxyPass / http://10.200.12.10/
ProxyPassReverse / https://10.200.12.10/

</VirtualHost>





SRVWEB


virtual host on the website

/etc/apache2/sites-available/example.https

NameVirtualHost *:443
<VirtualHost *:443>

ServerName example.com
DocumentRoot /var/www/example

SSLEngine On
SSLOptions +FakeBasicAuth


SSLCertificateFile /etc/apache2/ssl/servexample.crt
SSLCertificateKeyFile /etc/apache2/ssl/servexample.key

</VirtualHost>



Must the SSL certificate be present on the reverse proxy and also on the web server?

Thanks for your help
Question by:wahrani16
5 Comments
 
LVL 9

Expert Comment

by:oheil
ID: 38863017
I believe that SSL is causing the problems.
http://wiki.apache.org/httpd/NameBasedSSLVHosts

I switched to GnuTLS to allow VirtualHosts for SSL.
http://www.gnutls.org/

I am unsure in your case, as my guess does not really address the reverse proxy setup, but that is what I would look for first, because your setup works with HTTP but not with HTTPS.

Oli
0
 

Author Comment

by:wahrani16
ID: 38863133
Thanks oheil,
But the link http://wiki.apache.org/httpd/NameBasedSSLVHosts is for multiple SSL vhosts on the same IP.
Mine is one ssl vhost only :)
Thank you
0
 
LVL 9

Expert Comment

by:oheil
ID: 38863163
You can check:
Configure your apache without VirtualHost.

If the problem disappears I was right ;-)

Oli
0
 

Author Comment

by:wahrani16
ID: 38863258
Ok I will test without virtual hosts.
Must the certificate for my site www.example.com be present on the proxy server and on the web server?
0
 
LVL 9

Accepted Solution

by:
oheil earned 1500 total points
ID: 38863320
If you run a transparent proxy then only on the web server; if it is non-transparent, then you need two different certificates, the StartSSL one on the proxy, and an internal self-made one on the web server.

But in the non-transparent case you don't need any SSL between proxy and web server at all if the only access is through the proxy. This might also help in solving the problem. There is no need for encryption between proxy and web server as it is your internal LAN.

I would be glad if some other experts would comment here too; I do not feel comfortable giving advice from afar on these very important security questions.

Oli
0
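
The two arrangements described in the accepted answer, written out as a proxy-side Apache virtual host. This is an added example, not part of the original thread; the internal CA path /etc/apache2/ssl/internal-ca.crt is a hypothetical name, and the other addresses and paths are taken from the question.

```apache
# Added example, not the poster's configuration.
# Reverse proxy in the DMZ (RVPROXY): terminates public HTTPS for example.com.
<VirtualHost *:443>
    ServerName example.com

    # Public side: the StartSSL certificate and key live here, on the proxy,
    # because this is the host browsers complete the TLS handshake with.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/servexample.crt
    SSLCertificateKeyFile /etc/apache2/ssl/servexample.key
    SSLCACertificateFile  /etc/apache2/ssl/ca.cer

    # Reverse proxy only, never an open forward proxy.
    ProxyRequests off
    ProxyPreserveHost on

    # Variant A: plain HTTP to the web server in the LAN.
    # Needs a port-80 virtual host on SRVWEB. ProxyPassReverse names the
    # same backend URL as ProxyPass so that Location headers pointing at
    # the backend address are rewritten.
    ProxyPass        / http://10.200.12.10/
    ProxyPassReverse / http://10.200.12.10/

    # Variant B: HTTPS to the web server, which presents a certificate
    # issued by an internal CA. Use instead of variant A, not alongside it.
    # internal-ca.crt is a hypothetical file holding that CA's certificate.
    #SSLProxyEngine on
    #SSLProxyVerify require
    #SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.crt
    #ProxyPass        / https://10.200.12.10/
    #ProxyPassReverse / https://10.200.12.10/

    # Tell the application that the client connection was HTTPS
    # (requires mod_headers).
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

In variant A the web server's firewall or Allow rules should accept connections from 172.16.3.10 only, so the proxy stays the only path to the backend.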
