Avatar of James McKeand
James McKeand
Flag for United States of America asked on

Implementing SSL with redirects

I am hosting a couple of web sites on couple Linux boxes and OWA on a Windows box in my office. Currently http is forwarded to Host_W and https is forwarded to Host_M.  Host_W serves pages for www.site-m.biz, www.site-d.net, and www.site-f.com while it forwards requests for host_l.site-s.org and www.site-s.org to Host_L. The current structure looks like this:
 
Current Config
What I want to do is forward both http and https to Host_W while serving the same three sites and forward https requests for mail.site-m.biz to Host_M and requests for site-s.org to Host_L. The structure would look something like:

Disired Config
 I have attached sanitized copies of what I think are the relevant config files.
 
The port forward is not a problem, simple change on the firewall. Installing Let's Encrypt certificate on both Nginx and Apache2 are heavily documented and a Godaddy certificate for mail.site-m.biz is already installed on Host-M.

What I don't have a handle on is the changes needed on the Apache2 on Host_W. I think it would be just to add something to the site-m.biz.conf like (and something similar to site-l.org.conf):

<VirtualHost *:443>
        ServerName mail.site-m.biz

        SSLEngine On
        SSLProxyEngine On
        ProxyRequests Off
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLInsecureRenegotiation on
        SSLProxyVerify none
        SSLVerifyClient none
        
        ProxyPass / https://mail.site-m.biz/
        ProxyPassReverse / https://mail.site-m.biz/

        <Location "/">
                Require all granted
        </Location>
</VirtualHost>

Open in new window


I found the above at Server Fault and removed the SSLCertificateFile and SSLCertificateKeyFile directives as the certificate for mail.site-m.biz is not installed on Host-W.

Do I need to install the certificate from Host-M for mail.site-m.biz on Host-W? If so would I add the SSLCertificateFile and SSLCertificateKeyFile directives?
Host_L---default.txt
site-s.org.conf.txt
site-m.biz.conf.txt
LinuxSSL / HTTPS* NginxApache Web Server

Avatar of undefined
Last Comment
noci

8/22/2022 - Mon
David Favor

Just issue...

curl -I -L $first-site

Open in new window


To see your entire redirect chain + also allow you to debug your redirect chains, without fighting with HSTS or browser caching.

Simple solution. Don't use any SSL Proxy directives at all. You'll waste hours of your life, you'll never get back.

Sounds like you already have a good handle on using LetsEncrypt certs.

Easy solution, is just ensure every single site is SSL wrapped + you'll be done.

Also... sigh... regards your GoDaddy cert... Likely best to change this to an LE cert too (unless it's an EV cert), so you can auto renew this cert via CRON, just like all your other LE certs. Otherwise, you'll always have one oddball machine... which someone will have to go through many manual steps to update every time it expires. Just a thought.
arnold

Having difficulty untangling what you are after.
You can setup a reverse proxy that will see the http, HTTPS requests and then do whatever you need load balance, or direct the queries to which ever node, nodes.....

Using squid as a reverse proxy that distributes the requests based on the URL ....
James McKeand

ASKER
I currently have https forwarded from my firewall to my Microsoft Exchange Server for OWA and etc. If I forward https from my firewall to my Apache web server, what do I need to add to the attached above site-m.biz.conf.txt file to send https over to my Exchange Server.

 I have LE certs on other servers that I did not mention but because of https going to my Exchange I have to manually renew (every 90 days) via DNS validation. I would like to start using https validation on my other sites.

The GoDaddy Cert on my Exchange Server will expire in mid-2019 - at that point I will be replacing it with a LE cert.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
noci

IMHO try haproxy, nginx or squid as reverse proxy.
Those are made to handle these kind of issues.
haproxy will have relatively low overhead, and it can even dispatch on domain name without decrypting the stream using  SNI.
arnold

You would need to add the proxyPass to forward the requests to the owa
And then reverse to strip out the references to reflect.

The difficulty you may run into us owa may code the responses based on the requesting source.


Test it out first to make sure,
I.e. /somefolder will be the root of the owa
Proxypass /somefolder HTTPS://exchange server/owa
Reverseproxypass HTTPS://exchangeserver/owa /somefolder

Test the functionality. Often exchange owa sets up in HTTPS which adds overhead.... If http to the internal system....
Not sure why you have certs terminating every 90 days, lets encrypt ?
ASKER CERTIFIED SOLUTION
James McKeand

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
noci

in haproxy:  (core description)   for HTTP PROXY
...
 frontend 
        bind :::443  v4v6 ssl cert /some/certificate/for *-site-m.mbiz
        mode http
        acl ISMAIL header(req.hostname)  mail.site-m.biz
        acl ISWWW header(req.hostname)  www.site-m.biz
        acl ISHOSTL header(req.hostname) host-l.site-s.org
        acl ISWWWO req.hostname)  www.site-s.org
        use-backend be_mail if ISMAIL
        use-backend be_wwwb if ISWWW
        use-backend be_wwwo if ISWWWO
        default_backend  https_default_backend;

backend be_mail
       mode http
       server srv_mail1 mailsite-mbiz:443 ssl  
       server srv_mail2 mailsite-mbiz-server2:443 ssl  

Open in new window


in haproxy:  (core description)   for HTTPS SNI (no certificate on proxy, backend server provides the correct certificate.
...
 frontend 
        bind :::443  v4v6 
        mode tcp
       tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        acl ISMAIL req_ssl_sni   mail.site-m.biz
        acl ISWWW req_ssl_sni  www.site-m.biz
        use_backend bes_mail if ISMAIL 
        use_backend bes_wwwo if ISWWWO
        default_backend bes_ssl

backend bes_mail
       mode tcp
       server ssrv_mail1 mailsite-mbiz:443   
       server ssrv_mail2 mailsite-mbiz-server2:443 

Open in new window


THe examples are not complete, log options etc. etc. are left out for clarity.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
James McKeand

ASKER
Thanks , That is kind of what I tried with HAProxy - and failed. The Nginx  solution I posted above is what is working.
noci

ok np.  
(wrt. haproxy SNI only works in tcp mode,    req.header only in http mode... which is the major difference between the two configs.)

Most important is a working solution.