Solved

Configuring an HTTPS reverse proxy with Apache

Posted on 2013-02-07
Last Modified: 2013-03-19
Hi guys,

I have installed a web server with an SSL certificate for test purposes.
The certificate was generated from StartSSL.
The site works if I put it in the DMZ and try to access it from the internet. HTTPS access too.

Now I want to put a reverse proxy in the DMZ and put the web server in the LAN.

I made some tests without SSL and the reverse proxy works.

But when I try to access https://example.com I get this error:

Internet Explorer ne peut pas afficher cette page Web


On my public DNS zone:

example.com       A       XX.XX.X.XXX
www.example.com CNAME example.com






DNS ZONE 172.16.3.0

Reverse proxy server RVPROXY 172.16.3.10

virtual host on the proxy server

/etc/apache2/sites-available/default-ssl

     
NameVirtualHost *:443
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLProxyEngine on
ProxyRequests off
ProxyVia off
ProxyPreserveHost on

<proxy *>
        Order deny,allow
        Deny from all
        Allow from all
</proxy>

SSLCertificateFile /etc/apache2/ssl/servexample.crt
SSLCertificateKeyFile /etc/apache2/ssl/servexample.key
SSLCACertificateFile /etc/apache2/ssl/ca.cer
ProxyPass / http://10.200.12.10/
ProxyPassReverse / https://10.200.12.10/

</Virtualhost>





SRVWEB


virtual host on the website

/etc/apache2/sites-available/example.https

NameVirtualHost *:443
<VirtualHost *:443>

Servername example.com
DocumentRoot /var/www/example

SSLEngine On
SSLOPtions +FakeBasicAuth


SSLCertificateFile /etc/apache2/ssl/servexample.crt
SSLCertificateKeyFile /etc/apache2/ssl/servexample.key

</VirtualHost>



The SSL certificate must be present on the reverse proxy and also on the web server?

Thanks for your help
Question by:wahrani16
5 Comments

Expert Comment

by:oheil
ID: 38863017
I believe that SSL is causing the problems.
http://wiki.apache.org/httpd/NameBasedSSLVHosts

I switched to GnuTLS to allow VirtualHosts for SSL.
http://www.gnutls.org/

I am unsure in your case, as my guess does not really address the reverse proxy setup, but that is what I would look for first, because your setup works with http but not with https.

Oli

Author Comment

by:wahrani16
ID: 38863133
Thanks oheil,
But the link http://wiki.apache.org/httpd/NameBasedSSLVHosts is for multiple SSL vhosts on the same IP.
Mine is one SSL vhost only :)
Thank you

Expert Comment

by:oheil
ID: 38863163
You can check:
Configure your apache without VirtualHost.

If the problem disappears I was right ;-)

Oli
 

Author Comment

by:wahrani16
ID: 38863258
Ok I will test without virtual hosts.
The certificate for my site www.example.com must be present on the proxy server and on the web server?

Accepted Solution

by:oheil
ID: 38863320
If you run a transparent proxy, then only on the web server; if it is non-transparent, then you need two different certificates: the StartSSL one on the proxy, and an internal self-made one on the web server.

But in the case of non-transparency you don't need any SSL between proxy and web server at all if the only access is through the proxy. This might also help in solving the problem. There is no need for encryption between proxy and web server as it is your internal LAN.

I would be glad if some other experts would comment here too; I do not feel comfortable giving advice from afar on these very important security questions.

Oli
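
The two layouts the accepted answer describes, written out as an Apache 2.4 virtual host for the proxy. This is an added example, not part of the original thread or any poster's configuration; the addresses and public certificate paths are the ones from the question, and the internal CA file name is a placeholder.

```apache
# Reverse proxy in the DMZ (RVPROXY). Added example, not the poster's file.
<VirtualHost *:443>
    ServerName example.com

    # Client-facing TLS: the public certificate and key live on the proxy,
    # because the proxy is the host browsers actually connect to.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/servexample.crt
    SSLCertificateKeyFile /etc/apache2/ssl/servexample.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests off
    ProxyPreserveHost on

    # Option A: re-encrypt to the web server and verify its certificate.
    # The web server uses a separate internal certificate; it must chain to
    # the CA file below and carry a name that passes the proxy's name check.
    SSLProxyEngine on
    SSLProxyVerify require
    # Placeholder path (assumption): the internal CA that signed the
    # web server's certificate.
    SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.crt
    # SSLProxyCheckPeerName needs Apache 2.4.5 or later.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # ProxyPass and ProxyPassReverse use the same scheme and backend.
    ProxyPass        / https://10.200.12.10/
    ProxyPassReverse / https://10.200.12.10/

    # Option B: plain HTTP on the internal leg, as the answer suggests.
    # Remove the Option A block above and use these two lines instead;
    # the web server then needs no certificate and listens on port 80,
    # and traffic between DMZ and LAN is unencrypted.
    # ProxyPass        / http://10.200.12.10/
    # ProxyPassReverse / http://10.200.12.10/

    # Tell the application the client connection was HTTPS (mod_headers).
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

With either option, the firewall between DMZ and LAN should allow the backend port only from the proxy address 172.16.3.10, so the web server is reachable solely through the proxy.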