Implementing SSL with redirects

I am hosting a couple of web sites on a couple of Linux boxes and OWA on a Windows box in my office. Currently http is forwarded to Host_W and https is forwarded to Host_M. Host_W serves pages for www.site-m.biz, www.site-d.net, and www.site-f.com while it forwards requests for host_l.site-s.org and www.site-s.org to Host_L. The current structure looks like this:

(diagram: Current Config)

What I want to do is forward both http and https to Host_W while serving the same three sites and forward https requests for mail.site-m.biz to Host_M and requests for site-s.org to Host_L. The structure would look something like:

(diagram: Desired Config)

I have attached sanitized copies of what I think are the relevant config files.
 
The port forward is not a problem, a simple change on the firewall. Installing a Let's Encrypt certificate on both Nginx and Apache2 is heavily documented, and a GoDaddy certificate for mail.site-m.biz is already installed on Host-M.

What I don't have a handle on is the changes needed on the Apache2 on Host_W. I think it would just be a matter of adding something like the following to site-m.biz.conf (and something similar to site-l.org.conf):

<VirtualHost *:443>
        ServerName mail.site-m.biz

        # SSLEngine On requires a certificate and key for this vhost; without
        # SSLCertificateFile/SSLCertificateKeyFile Apache 2.4 refuses to start it
        SSLEngine On
        SSLProxyEngine On
        ProxyRequests Off
        # The next four lines switch off validation of the backend's certificate,
        # and the renegotiation line re-enables insecure renegotiation; none of
        # them is needed when the backend presents a publicly trusted certificate
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLInsecureRenegotiation on
        SSLProxyVerify none
        SSLVerifyClient none

        ProxyPass / https://mail.site-m.biz/
        ProxyPassReverse / https://mail.site-m.biz/

        <Location "/">
                Require all granted
        </Location>
</VirtualHost>

I found the above at Server Fault and removed the SSLCertificateFile and SSLCertificateKeyFile directives as the certificate for mail.site-m.biz is not installed on Host-W.

Do I need to install the certificate from Host-M for mail.site-m.biz on Host-W? If so would I add the SSLCertificateFile and SSLCertificateKeyFile directives?
Host_L---default.txt
site-s.org.conf.txt
site-m.biz.conf.txt
James McKeand (Technical Consultant) asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Just issue...

curl -I -L $first-site

to see your entire redirect chain and also allow you to debug your redirect chains, without fighting with HSTS or browser caching.

Simple solution. Don't use any SSL Proxy directives at all. You'll waste hours of your life you'll never get back.

Sounds like you already have a good handle on using LetsEncrypt certs.

Easy solution is to just ensure every single site is SSL wrapped, and you'll be done.

Also... sigh... regarding your GoDaddy cert... Likely best to change this to an LE cert too (unless it's an EV cert), so you can auto-renew this cert via CRON, just like all your other LE certs. Otherwise, you'll always have one oddball machine... which someone will have to go through many manual steps to update every time it expires. Just a thought.
0
arnold commented:
Having difficulty untangling what you are after.
You can set up a reverse proxy that will see the http and https requests and then do whatever you need: load balance, or direct the queries to whichever node or nodes.....

Using squid as a reverse proxy that distributes the requests based on the URL ....
0
James McKeand (Technical Consultant, Author) commented:
I currently have https forwarded from my firewall to my Microsoft Exchange Server for OWA etc. If I forward https from my firewall to my Apache web server, what do I need to add to the site-m.biz.conf.txt file attached above to send https over to my Exchange Server?

I have LE certs on other servers that I did not mention, but because https goes to my Exchange I have to manually renew (every 90 days) via DNS validation. I would like to start using https validation on my other sites.

The GoDaddy Cert on my Exchange Server will expire in mid-2019 - at that point I will be replacing it with a LE cert.
0
noci (Software Engineer) commented:
IMHO try haproxy, nginx or squid as reverse proxy.
Those are made to handle these kinds of issues.
haproxy will have relatively low overhead, and it can even dispatch on domain name without decrypting the stream, using SNI.
0
arnold commented:
You would need to add the ProxyPass to forward the requests to the OWA
and then the reverse to strip out the references to reflect.

The difficulty you may run into is OWA may code the responses based on the requesting source.


Test it out first to make sure,
i.e. /somefolder will be the root of the OWA:
ProxyPass /somefolder https://exchangeserver/owa
ProxyPassReverse /somefolder https://exchangeserver/owa

Test the functionality. Often exchange owa sets up in HTTPS which adds overhead.... If http to the internal system....
Not sure why you have certs terminating every 90 days, Let's Encrypt?
0
James McKeand (Technical Consultant, Author) commented:
Thanks for the input from everyone. I experimented with HAProxy but could not get it to work. Tried nginx as a passthrough proxy and it works. https is forwarded to a new box (let's call it Host-P, for proxy...). I was able to get a LE certificate on Host-L for www.site-s.org. SSL Labs test for www.site-s.org shows the correct certificate and a test for mail.site-m.biz shows the GoDaddy cert.

Here is a sanitized version of the pertinent configuration.
stream {
    # Route on the SNI host name read from the unencrypted ClientHello,
    # so no certificate is needed on this box
    map $ssl_preread_server_name $name {
        mail.site-m.biz mailsite-mbiz;
        www.site-m.biz wwwsite-mbiz;
        host-l.site-s.org wwwsite-sorg;
        www.site-s.org wwwsite-sorg;
        default https_default_backend;
    }

    upstream mailsite-mbiz {
        server <Host-M IP>:443 max_fails=3 fail_timeout=10s;
    }

    upstream wwwsite-mbiz {
        server <Host-W IP>:443 max_fails=3 fail_timeout=10s;
    }

    upstream wwwsite-sorg {
        server <Host-L IP>:443 max_fails=3 fail_timeout=10s;
    }

    # Connections with an unknown or missing SNI land here. With "listen 443"
    # on all addresses this is the stream listener itself, so such connections
    # loop back into the proxy; point it at a separate service if one exists
    upstream https_default_backend {
        server 127.0.0.1:443;
    }

    log_format basic '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time "$upstream_addr" '
                 '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log /var/log/nginx/passthrough_access.log basic;
    error_log  /var/log/nginx/passthrough_error.log;

    server {
        listen 443;
        proxy_pass $name;
        proxy_next_upstream on;
        ssl_preread on;
    }
}

For now I am leaving it at that. OWA is working and https to site-s.org is working. My next step will be to get a certificate on Host-W for site-m.biz.
0

noci (Software Engineer) commented:
in haproxy:  (core description)   for HTTP PROXY
...
# TLS terminates on the proxy, so routing uses the Host header (http mode)
frontend fe_http
        bind :::443 v4v6 ssl crt /some/certificate/for/site-m.biz.pem
        mode http
        acl ISMAIL req.hdr(host) -i mail.site-m.biz
        acl ISWWW req.hdr(host) -i www.site-m.biz
        acl ISHOSTL req.hdr(host) -i host-l.site-s.org
        acl ISWWWO req.hdr(host) -i www.site-s.org
        use_backend be_mail if ISMAIL
        use_backend be_wwwb if ISWWW
        use_backend be_wwwo if ISHOSTL or ISWWWO
        default_backend https_default_backend

backend be_mail
       mode http
       # re-encrypt to the backend and verify its (publicly issued) certificate;
       # CA bundle path is the Debian/Ubuntu one, adjust for your distro
       server srv_mail1 mailsite-mbiz:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
       server srv_mail2 mailsite-mbiz-server2:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

in haproxy:  (core description)   for HTTPS SNI (no certificate on proxy, backend server provides the correct certificate).
...
# No termination: route on the SNI carried in the ClientHello (tcp mode)
frontend fe_sni
        bind :::443 v4v6
        mode tcp
        # wait up to 5s for the ClientHello before deciding on a backend
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        acl ISMAIL req_ssl_sni -i mail.site-m.biz
        acl ISWWW req_ssl_sni -i www.site-m.biz
        acl ISWWWO req_ssl_sni -i www.site-s.org
        use_backend bes_mail if ISMAIL
        use_backend bes_wwwb if ISWWW
        use_backend bes_wwwo if ISWWWO
        default_backend bes_ssl

backend bes_mail
       mode tcp
       server ssrv_mail1 mailsite-mbiz:443
       server ssrv_mail2 mailsite-mbiz-server2:443

The examples are not complete; log options etc. are left out for clarity.
0
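As an added illustration that is not part of the posted nginx or haproxy configs: both the nginx stream block above and the haproxy tcp-mode frontend route on the server_name (SNI) extension of the unencrypted TLS ClientHello, which is why the proxy needs no certificate of its own. The Python below builds a constructed ClientHello, extracts the SNI the way ssl_preread / req_ssl_sni do, and applies the posted map, including the no-SNI and non-TLS cases; the upstream addresses are the same placeholders as in the config.

```python
import struct
# Mirrors the posted "map $ssl_preread_server_name $name" block (placeholder upstreams).
SNI_BACKENDS = {"mail.site-m.biz": "<Host-M IP>:443", "www.site-m.biz": "<Host-W IP>:443",
                "host-l.site-s.org": "<Host-L IP>:443", "www.site-s.org": "<Host-L IP>:443"}
DEFAULT_BACKEND = "127.0.0.1:443"  # the posted https_default_backend

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    ext = b""
    if server_name is not None:
        name = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name  # name type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext       # extension 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake

def preread_server_name(record):
    """SNI host of a ClientHello; "" if the extension is absent; None if not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len:
        return None                              # truncated: nginx would keep reading
    pos = 34                                     # skip version(2) + random(32)
    pos += 1 + body[pos]                         # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                         # compression methods
    if pos + 2 > len(body):
        return ""                                # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0:                           # list len(2), name type(1), name len(2), name
            nlen = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
        pos += elen
    return ""

def route(record):
    """Pick the upstream the way "proxy_pass $name" does; None means the bytes are not TLS."""
    name = preread_server_name(record)
    return None if name is None else SNI_BACKENDS.get(name.lower(), DEFAULT_BACKEND)
```

A client that sends no SNI (old clients, or a bare `openssl s_client` without `-servername`) falls to the default backend, which is the case the posted 127.0.0.1:443 upstream has to cope with.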
James McKeand (Technical Consultant, Author) commented:
Thanks, that is kind of what I tried with HAProxy, and failed. The Nginx solution I posted above is what is working.
0
noci (Software Engineer) commented:
ok np.
(wrt. haproxy: SNI only works in tcp mode, req.header only in http mode... which is the major difference between the two configs.)

Most important is a working solution.
0