It'll be really hard to help you without seeing your config files. At least proxy and ssl part. Usually people use mod_rewrite and mod_proxy for proxying front-end HTTPS requests to the backend servers. With SSLProxyEngine on it works just fine. On 9/18/06, sniedermeyer@xxxxxxx <sniedermeyer@xxxxxxx> wrote:
I've been trying to find a good reference for setting up ssl between our Apache reverse proxy server and back-end web application servers. No luck so far. Here's our setup: Apache 2.2.2 reverse proxy server (RPS) =============================================== Reverse proxy function is working great for HTTP traffic SSL connections to the RPS are working great (using a www.domain.com cert) Back-end web application (Web App) =============================================== Running IIS and server up HTTP requests to RPS just fine Also has secure content with its own SSL cert Web App users can access this server via SSL when they connect directly to it via a subdomain (using a subdomain.domain.com cert) Current Issue =============================================== When we try to proxy HTTPS requests through the RPS on to the Web App (SSL bridging ?), the Internet browser detects the Web App SSL cert (subdomain.domain.com) and the URL in the address bar changes from http://www.domain.com to https://private-ip-address/web-app/ instead of https://www.domain.com/web-app/. So two problems: 1) For some reason the RPS is serving up the private ip address instead inserting the www.domain.com in front of the content being server. 2) The Internet browser is detecting the Web App subdomain.domain.com SSL cert instead of only seeing the RPS www.domain.com SSL cert. This causes the browser to warn to visitor that the cert doesn't match the server name. Solutions =============================================== My understanding is there are three options: 1) Have a wildcard SSL cert (*.domain.com) issued and install it on both RPS and Web App servers. 2) Configure Apache on the RPS to "recognize" the Web App server SSL cert and then transparently act as an SSL "bridge" so the browser never sees that second cert. 3) Same as # 2 above, only instead of having two independent SSL certs from a public Certification Authority, you can create an internal certificate that authenticates with an internal Certification Authority for the Web App server and then use a cert on the RPS from a public Certification Authority. Regarding the options above, we don't know how to configure #2 or #3 and haven't been able to locate documentation on the Internet. We've touched base with a few of our vendors and they start getting glassy-eyed. #1 might work for us, but our understanding is that opens us up to having all web apps compromised at once if the wildcard SSL cert is compromised. I've been looking for an Apache how to book for months now that covers 2.2.2, mod_rewrite, and mod_ssl with no luck. Looks like there might be a book on mod_rewrite finally coming out, but SSL remains a white buffalo. Any reference material or info you can pass along to help us out we be appreciated. Thanks. ____________________________ Steven Niedermeyer Bellingham, WA --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|