Re: [users@httpd] mod_ssl and mod_proxy

It'll be really hard to help you without seeing your config files. At
least proxy and ssl part. Usually people use mod_rewrite and mod_proxy
for proxying front-end HTTPS requests to the backend servers. With
SSLProxyEngine on it works just fine.

On 9/18/06, sniedermeyer@xxxxxxx <sniedermeyer@xxxxxxx> wrote:
I've been trying to find a good reference for setting up ssl between our
Apache reverse proxy server and back-end web application servers.  No luck
so far.  Here's our setup:

Apache 2.2.2 reverse proxy server (RPS)
===============================================
Reverse proxy function is working great for HTTP traffic
SSL connections to the RPS are working great (using a www.domain.com cert)

Back-end web application (Web App)
===============================================
Running IIS and serving up HTTP requests to RPS just fine
Also has secure content with its own SSL cert
Web App users can access this server via SSL when they connect directly to
it via a subdomain (using a subdomain.domain.com cert)

Current Issue
===============================================
When we try to proxy HTTPS requests through the RPS on to the Web App (SSL
bridging ?), the Internet browser detects the Web App SSL cert
(subdomain.domain.com) and the URL in the address bar changes from
http://www.domain.com to https://private-ip-address/web-app/ instead of
https://www.domain.com/web-app/.

So two problems:

1) For some reason the RPS is serving up the private ip address instead
of inserting the www.domain.com in front of the content being served.
2) The Internet browser is detecting the Web App subdomain.domain.com SSL
cert instead of only seeing the RPS www.domain.com SSL cert.  This causes
the browser to warn the visitor that the cert doesn't match the server name.

Solutions
===============================================
My understanding is there are three options:

1) Have a wildcard SSL cert (*.domain.com) issued and install it on both
RPS and Web App servers.
2) Configure Apache on the RPS to "recognize" the Web App server SSL cert
and then transparently act as an SSL "bridge" so the browser never sees
that second cert.
3) Same as # 2 above, only instead of having two independent SSL certs from
a public Certification Authority, you can create an internal certificate
that authenticates with an internal Certification Authority for the Web App
server and then use a cert on the RPS from a public Certification
Authority.

Regarding the options above, we don't know how to configure #2 or #3 and
haven't been able to locate documentation on the Internet.  We've touched
base with a few of our vendors and they start getting glassy-eyed.  #1
might work for us, but our understanding is that opens us up to having all
web apps compromised at once if the wildcard SSL cert is compromised.
I've been looking for an Apache how to book for months now that covers
2.2.2, mod_rewrite, and mod_ssl with no luck.  Looks like there might be a
book on mod_rewrite finally coming out, but SSL remains a white buffalo.
Any reference material or info you can pass along to help us out would be
appreciated.

Thanks.
____________________________
Steven Niedermeyer
Bellingham, WA


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
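As an added example (not configuration from anyone in this thread), here is one way to set up what the reply describes on the Apache 2.2 reverse proxy: mod_proxy with SSLProxyEngine on, the backend cert verified against a CA bundle (a public CA for option 2, an internal CA for option 3), and ProxyPassReverse so backend redirects do not leak the private IP into the browser's address bar. The file paths, the backend hostname resolution and the 10.0.0.5 address are placeholders.

```apache
# Added example, not from the thread. Front-end HTTPS vhost on the reverse
# proxy server (RPS). Paths and the backend address are assumed placeholders.
<VirtualHost *:443>
    ServerName www.domain.com

    # Public cert presented to browsers: the only cert they ever see.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Let mod_proxy open an HTTPS connection to the backend (SSL bridging).
    SSLProxyEngine on

    # Verify the backend's cert against a CA bundle: the public CA that issued
    # subdomain.domain.com (option 2) or the internal CA (option 3).
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.crt
    # Reject a backend cert whose CN does not match the proxied hostname.
    SSLProxyCheckPeerCN on

    # Proxy to the backend by its certificate hostname, not its private IP,
    # so the CN check above is meaningful (resolve it via /etc/hosts if the
    # name is not in public DNS for the RPS).
    ProxyPass        /web-app/ https://subdomain.domain.com/web-app/

    # Rewrite Location / Content-Location headers in backend redirects so the
    # browser stays on https://www.domain.com/... (problem 1 in the post).
    ProxyPassReverse /web-app/ https://subdomain.domain.com/web-app/
    # Also catch redirects the backend may issue using its private address
    # (placeholder IP).
    ProxyPassReverse /web-app/ https://10.0.0.5/web-app/
</VirtualHost>
```

Because the browser's TLS session terminates at the RPS, only the www.domain.com cert is ever shown to the visitor (problem 2); the backend cert is checked by Apache, and a mismatch or unknown issuer fails the proxied request in the error log rather than surfacing as a browser warning.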
