Re: Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


Hello Igor, and many thanks for your comment!

I have followed your advice, but now the server refuses to start at all.

So now I have in httpd.conf:

------------------------------------------------
NameVirtualHost *:80

<VirtualHost *:80>
     ServerName apachefrontend.example.com
     ServerAlias appserver1.example.com appserver2.example.com
     RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
</VirtualHost>

<VirtualHost *:443>
     ServerName appserver1.example.com
     ProxyRequests Off
     ProxyPass / http://appserver1.backend
     ProxyPassReverse / http://appserver1.backend
</VirtualHost>

<VirtualHost *:443>
     ServerName appserver2.example.com
     ProxyRequests Off
     ProxyPass / http://appserver2.backend
     ProxyPassReverse / http://appserver2.backend
</VirtualHost>

------------------------------------------------------------------------

And these uncommented lines in ssl.conf:

-----------------------------------------------------------------------

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
ServerName apachefrontend.example.com:443

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

-----------------------------------------------------------------------------------

[root@www conf]# apachectl -S

[Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443         apachefrontend.example.com (/etc/httpd/conf.d/nss.conf:84)
_default_:443          apachefrontend.example.com (/etc/httpd/conf.d/ssl.conf:74)
*:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
*:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
*:80                   is a NameVirtualHost
         default server apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
         port 80 namevhost apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
                 alias appserver1.example.com
                 alias appserver2.example.com
Syntax OK

.. and the server refuses to start at all..

Playing with NameVirtualHost: *.443 and/or specifying explicitly server names
with ServerName does not help me tp get rid of the overlap on 443.  At most, I
am receiving the missing SSL support errors for the backend servers (and I
cannot add SSL support for them, they have to remain plain HTTP)..

If you have any further ideas on what to try, please let me know.

Thanks again and best regards - Andy.



On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:


On 08/03/2015 10:01 AM, "A M" <amm.priv2@xxxxxxxxx> wrote:
>
>
> Hello experts,
>
> I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
> for a couple of plain backend HTTP servers sitting on a backend private
> network. The plaform is Centos 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
>
> I first created three DNS entries, all pointing to the same public IP:
>
>          apachefrontend.example.com
>          appserver1.example.com
>          appserver2.example.com
>
> I then generated the SSL cert and key for the frontend host and verified that
> SSL config was correct (all settings and key/cert were defined inside the file
> /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
> replied OK.
>
> I have then set up a forced redirection to port 443 on the mother
> server and defined two virtual hosts, in this manner:
>
> ..
> NameVirtualHost *:80
>

First change this:

> <VirtualHost *:80>
>      ServerName apachefrontend.example.com
>      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
> </VirtualHost>
>

to:

<VirtualHost *:80>
     ServerName apachefrontend.example.com
        ServerAlias appserver1.example.com appserver2.example.com

     RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
</VirtualHost>

Then get rid of these two:

> <VirtualHost *:80>
>      ServerName appserver1.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver1.backend/
>      ProxyPassReverse / http://appserver1.backend/
> </VirtualHost>
>
> <VirtualHost *:80>
>      ServerName appserver2.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver2.backend/
>      ProxyPassReverse / http://appserver2.backend/
> </VirtualHost>
> ..

More specific convert them to ssl vhosts:

<VirtualHost *:443>
     ServerName appserver1.example.com
     ProxyRequests Off
     ProxyPass / http://appserver1.backend/
     ProxyPassReverse / http://appserver1.backend/
</VirtualHost>

<VirtualHost *:443>
     ServerName appserver2.example.com
     ProxyRequests Off
     ProxyPass / http://appserver2.backend/
     ProxyPassReverse / http://appserver2.backend/
</VirtualHost>

which will effectively do what you want which is terminate ssl on the frontend.

> Now,
>
> - If I go to "http://apachefrontend.example.com", I am
> correctly ending up at "https://apachefrontend.example.com";
>
> - If I go to "http://appserver1[2].example.com", I arrive to
> the backend servers allright, but only via the port 80.
>
> This behaviour is apparently correct, but so far I have not found
> the right configuration options needed  to enforce the secure
> connection to the backend servers via the reverse proxy (I may
> not enable SSL on the backend servers as they are running some
> privately managed applications and cannot be tweaked).
>
> Could someone kindly post an example of working configuration
> of the same type?
>
> Thanks ahead for any advice!
>
> Andy.
>
>
>


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux