Thanks to the hints provided by Igor Cicimov, I was able to set up the desired configuration.
Just in case someone might find it useful, am citing here the full recipe.
Cheers - Andy.
Given:
----------
1. Three public names, "
apachefrontend.example.com", "
appserver1.example.com"
and "
appserver2.example.com" are all pointing to the same IP defined with three
identical "A" records inside DNS; an institutional firewall forwards ports 80
and 443 to a web server "www.backend" sitting on a private network behind
the firewall;
2. Two distinct hosts, "appserver1.backend" and "appserver2.backend" run
unmodifiable vendor-provided HTTP-only-based services of different kind; they
are also situated on the "backend" private network and cannot be reached;
Goal:
-----------
Set up the "www.backend" as a reverse proxy for the two internal servers in
such a way that the outside connection passes via HTTPS while internal still
goes over a plain HTTP.
Receipe:
------------
The "www.backend" is a Centos 6.X host with a default httpd rpm installed.
One more RPM was added, mod_proxy_html:
# rpm -q httpd mod_proxy_html
httpd-2.2.15-39.el6.centos.x86_64
mod_proxy_html-3.1.2-6.el6.x86_64
Our first action was to generate the wildchar SSL cert and key for
"*.
example.com" on the proxy host "www.backend" with the following command:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 \
-keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
Then, to have a one-page view of the configuration we rename the default "ssl.conf"
file from "/etc/httpd/conf.d/ssl.conf" into "/etc/httpd/conf.d/ssl.conf.disab"
and copy a couple of relevant lines from there directly into the main config
file "/etc/httpd/conf/httpd.conf". The relevant part of the final file "httpd.conf"
may be seen below. It includes the forced redirection of port 80 requests to the
port 443 of the *right* backend server done with the help of "RewriteEngine"
followed by the <VirtualHost *:443> sections (one per backend server) that
contain the corresponding SSL, Proxy, ProxyReverse and ProxyPreserveHost
directives).
....
# Proxy-related load pack
LoadModule headers_module modules/mod_headers.so
LoadFile /usr/lib64/libxml2.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
# General SSL options transferred from ssl.conf for better viewing
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
NameVirtualHost *:80
NameVirtualHost *:443
# Decide which virtual host to address and enforce usage of port 443 on the right proxy host
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
# Our "Mother host",
apachefrontend.example.com, is still available for hosting of some web site
<VirtualHost *:443>
ServerName
apachefrontend.example.comErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
# Appserver 1
<VirtualHost *:443>
ServerName
appserver1.example.comErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
ProxyRequests Off
ProxyPass /
http://appserver1.backend/ProxyPassReverse /
http://appserver1.backend/ProxyPreserveHost On
</VirtualHost>
# Appserver 2
<VirtualHost *:443>
ServerName
appserver2.example.comErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
ProxyRequests Off
ProxyPass /
http://appserver2.backend/ProxyPassReverse /
http://appserver2.backend/ProxyPreserveHost On
</VirtualHost>
