On 08/03/2015 10:01 AM, "A M" <amm.priv2@xxxxxxxxx> wrote:
>
>
> Hello experts,
>
> I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
> for a couple of plain backend HTTP servers sitting on a backend private
> network. The platform is CentOS 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
>
> I first created three DNS entries, all pointing to the same public IP:
>
> apachefrontend.example.com
> appserver1.example.com
> appserver2.example.com
>
> I then generated the SSL cert and key for the frontend host and verified that
> SSL config was correct (all settings and key/cert were defined inside the file
> /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
> replied OK.
>
> I have then set up a forced redirection to port 443 on the mother
> server and defined two virtual hosts, in this manner:
>
> ..
> NameVirtualHost *:80
>
First change this:
> <VirtualHost *:80>
> ServerName apachefrontend.example.com
> RedirectMatch ^/(.*) https://apachefrontend.example.com/$1
> </VirtualHost>
>
to:

<VirtualHost *:80>
    ServerName apachefrontend.example.com
    ServerAlias appserver1.example.com appserver2.example.com
    # In Apache 2.2, RedirectMatch does not expand %{HTTP_HOST}; mod_rewrite does.
    RewriteEngine On
    RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R,L]
</VirtualHost>

Then get rid of these two:
> <VirtualHost *:80>
> ServerName appserver1.example.com
> ProxyRequests Off
> ProxyPass / http://appserver1.backend/
> ProxyPassReverse / http://appserver1.backend/
> </VirtualHost>
>
> <VirtualHost *:80>
> ServerName appserver2.example.com
> ProxyRequests Off
> ProxyPass / http://appserver2.backend/
> ProxyPassReverse / http://appserver2.backend/
> </VirtualHost>
> ..
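More specifically, convert them to SSL vhosts:

<VirtualHost *:443>
    ServerName appserver1.example.com
    # SSL has to be enabled in each vhost; the SSLCertificateFile and
    # SSLCertificateKeyFile directives from /etc/httpd/conf.d/ssl.conf
    # are needed here as well.
    SSLEngine on
    ProxyRequests Off
    ProxyPass / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend/
</VirtualHost>

<VirtualHost *:443>
    ServerName appserver2.example.com
    # Same SSL directives as for appserver1.
    SSLEngine on
    ProxyRequests Off
    ProxyPass / http://appserver2.backend/
    ProxyPassReverse / http://appserver2.backend/
</VirtualHost>

which will effectively do what you want, which is to terminate SSL on the frontend.
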
> Now,
>
> - If I go to "http://apachefrontend.example.com", I am
> correctly ending up at "https://apachefrontend.example.com";
>
> - If I go to "http://appserver1[2].example.com", I arrive at
> the backend servers all right, but only via the port 80.
>
> This behaviour is apparently correct, but so far I have not found
> the right configuration options needed to enforce the secure
> connection to the backend servers via the reverse proxy (I may
> not enable SSL on the backend servers as they are running some
> privately managed applications and cannot be tweaked).
>
> Could someone kindly post an example of working configuration
> of the same type?
>
> Thanks ahead for any advice!
>
> Andy.
>
>
>
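
The setup discussed in this thread as one consolidated Apache 2.2 configuration, added here as an example and not written by either poster. It uses one port-80 redirect vhost per name with a fixed target, so the redirect never depends on the client-supplied Host header. Assumptions: the certificate and key paths are placeholders, the certificate is valid for all three names, and the frontend's own HTTPS vhost in ssl.conf is declared as <VirtualHost *:443>.

```apache
# Added example for Apache 2.2 (mod_ssl, mod_proxy_http, mod_headers loaded).
# PLACEHOLDER cert/key paths are assumptions; the certificate must be valid for
# every ServerName below (SAN or wildcard), not only the frontend host.
NameVirtualHost *:80
NameVirtualHost *:443

# Port 80 only redirects, each name to its own fixed https:// URL.
<VirtualHost *:80>
    ServerName apachefrontend.example.com
    Redirect permanent / https://apachefrontend.example.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName appserver1.example.com
    Redirect permanent / https://appserver1.example.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName appserver2.example.com
    Redirect permanent / https://appserver2.example.com/
</VirtualHost>

# Port 443 terminates TLS; the proxy-to-backend hop stays plain HTTP.
<VirtualHost *:443>
    ServerName appserver1.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/PLACEHOLDER.crt
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER.key
    ProxyRequests Off
    ProxyPass        / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend/
    # Tell the backend the client-facing scheme (it only ever sees HTTP).
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
<VirtualHost *:443>
    ServerName appserver2.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/PLACEHOLDER.crt
    SSLCertificateKeyFile /etc/pki/tls/private/PLACEHOLDER.key
    ProxyRequests Off
    ProxyPass        / http://appserver2.backend/
    ProxyPassReverse / http://appserver2.backend/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Because no port-80 vhost carries a ProxyPass, the backends are reachable through the frontend over HTTPS only.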