Hello Dino / HTH,
Thank you for your very elaborate answer!!
Your 'diagram' made it very clear!
Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS requests made by your clients) --> Your internal backend(s) (answer to HTTPS requests coming from your proxy).
It's also good to know that I set-up my reverse proxy in the correct way (only installing the SSL certificates on the reverse proxy).
My set-up is: Clients --> HTTPS - -> reverse proxy --> HTTP --> back-end server
There is no need in my set-up to use HTTPS between the reverse proxy and the back-end server.
Thanks for clarification!
Jeroen
--------------------------------------------------------
Support the independent web, use Firefox
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 13th, 2022 at 7:15 PM, Dino Ciuffetti <dino@xxxxxxxxx> wrote:
Apache httpd works at layer 7 (HTTP/HTTPS).
You CANNOT have a reverse proxy at layer 4 with apache httpd where the X509 certificates are only needed on your backends (like HAProxy does).
Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS requests made by your clients) --> Your internal backend(s) (answer to HTTPS requests coming from your proxy).
The traffic between your internet clients and apache httpd is protected via TLS protocol (HTTPS) so you need a X509 certificate and its private key on your httpd public facing reverse proxy virtual host to terminate TLS internet traffic to your reverse proxy.
If you also want your reverse proxy to talk to your internal backend(s) via HTTPS you also need a X509 certificate and private key on your HTTPS backend servers.
RECAP: You will need a certificate released by a public (known to all major browsers) Certification Authority for your reverse proxy and a certificate released by a private Certification Authority (only known by your proxy and your backends) on your backends. You could even use self signed certificates on your private side, or mantain a private CA by yourself via openssl.
HTH
13 gennaio 2022 12:58, "Jeroen Verhoeckx" <j.verhoeckx@xxxxxxxxxxxxxx.invalid> wrote:
Thanks, great to know that it is possible!
You write that you need to install the SSL certificates on both the reverse proxy and in the virtual machine (or another local server)?
Is that really necessary? I try to avoid duplication whenever that is possible.
Do you have an example set-up somewhere?
Thanks!!
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, January 12th, 2022 at 5:23 PM, Dino Ciuffetti <dino@xxxxxxxxx> wrote:
My question:
Would it have been possible to install the SSL certificates in the virtual machines?
YES. It's possibile to send Internet HTTPS traffic to an internal HTTPS service behind apache httpd as a reverse proxy.
You eventally need to install same SSL certificates (but you don't have to necessarily) on both the reverse proxy and the internal service, enable SSLProxyProtol on your VHs and send the traffic to HTTPS via your ProxyPass.