Re: [users@httpd] Re:mod_ssl and mod_proxy RPS config file


Hi Serge,

I changed the following:

ProxyPass /eConnect https://192.168.1.3:443/eConnect
ProxyPassReverse /eConnect https://192.168.1.3:443/eConnect

to:

ProxyPass /eConnect https://subdomain.mydomain.com:443/eConnect
ProxyPassReverse /eConnect https://subdomain.mydomain.com:443/eConnect

Now the Internet browser is not complaining about the cert.  I didn't
realize the IP address or hostname you entered into the proxypass
directives was literally translated into an IP address or hostname in the
URL.  In fact, the proxypass directives for the same web app that stays
HTTP don't incorporate the IP address, even though I'm using it in the
directive.  But by making the changes above it appears to be working. Thank
you for the point in the right direction.

I'm curious if you know off-hand if a public cert on the backend web app
server is required in addition to the one on the reverse proxy server.  It
looks like it will work with the two certs, but wondering if we need to
have a unique cert on every backend web app server.  I've also heard that a
wildcard cert might be a good way to go to take care of that aspect.

Thanks again for your help.

____________________________
Steven Niedermeyer
Bellingham, WA



From: "Serge Dubrouski" <sergeyfd@xxxxxxxom>
Date: 09/18/2006 03:14 PM
To: "sniedermeyer@xxxxxxx" <sniedermeyer@xxxxxxx>
Subject: Re: [users@httpd] Re:mod_ssl and mod_proxy RPS config file




Sorry, lost it from the very beginning :-) Ok. The problem is your
Proxy configuration. SSL Certificate is issued to the server name and
you have to use that server name in the URL. So https://192.168.1.3
will complain because the certificate was issued for another name,
not for 192.168.1.3. Try to use real name in your SSL proxy
configuration.

On 9/18/06, sniedermeyer@xxxxxxx <sniedermeyer@xxxxxxx> wrote:
> Hi Serge,
>
> The backend app supports both HTTP and HTTPS protocols (part of the content
> is unsecured and part is secured).  The HTTP proxying to the backend server
> is working properly.  The HTTPS proxying is not.
>
> ____________________________
> Steven Niedermeyer
> Bellingham, WA 98225
>
>
>
>
> From: "Serge Dubrouski" <sergeyfd@xxxxxxxom>
> Date: 09/18/2006 03:01 PM
> To: users@xxxxxxxxxxxxxxxx
> Please respond to: users@xxxxxxxxxxxe.org
> Subject: Re: [users@httpd] Re:mod_ssl and mod_proxy RPS config file
>
>
>
>
>
>
>
>
> First of all, it sounds like your backend application supports HTTPS
> protocol only and you are trying to open access to it through HTTP.
> Are you sure that you want exactly this? Most probably your backend
> applications send redirects to HTTPS for any HTTP requests. And Apache
> is just proxying them to the client.
>
> On 9/18/06, sniedermeyer@xxxxxxx <sniedermeyer@xxxxxxx> wrote:
> > I must admit I am new to Apache so there may be some obvious errors in our
> > reverse proxy server apache config...but here it is:
> >
> > Listen *:80
> > Listen *:443
> >
> > LoadModule proxy_module modules/mod_proxy.so
> > LoadModule proxy_connect_module modules/mod_proxy_connect.so
> > LoadModule proxy_html_module modules/mod_proxy_html/mod_proxy_html.so
> > LoadModule proxy_http_module modules/mod_proxy_http.so
> > LoadModule rewrite_module modules/mod_rewrite.so
> > LoadModule ssl_module modules/mod_ssl.so
> >
> > ProxyRequests Off
> >
> > NameVirtualHost *:80
> >
> > <VirtualHost *:443>
> >       ServerName www.mydomain.com
> >       ServerAlias mydomain.com
> >       DocumentRoot "z:/Apache2/httpsdocs"
> >       <Directory "z:/apache2/httpsdocs">
> >             Options FollowSymLinks
> >             AllowOverride None
> >             Order allow,deny
> >             Allow from all
> >       </Directory>
> >       SSLEngine on
> >       SSLProxyEngine on
> >       SSLCertificateFile z:/public.crt
> >       SSLCertificateKeyFile z:/private.key
> >       SSLCertificateChainFile z:/intermediate.crt
> >       ProxyPass /eConnect https://192.168.1.3:443/eConnect
> >       ProxyPassReverse /eConnect https://192.168.1.3:443/eConnect
> > </VirtualHost>
> >
> > <VirtualHost *:80>
> >       ServerName www.mydomain.com
> >       ServerAlias mydomain.com
> >       DocumentRoot "z:/Apache2"
> >       <Directory "z:/Apache2">
> >             Options FollowSymLinks
> >             AllowOverride None
> >             Order allow,deny
> >             Allow from all
> >       </Directory>
> >       #
> >       #Proxy settings for Web App #1
> >       #
> >       ProxyPass /audio http://192.168.1.1:3881/audio
> >       ProxyPassReverse /audio http://10.101.2.39:3881/audio
> >
> >       #
> >       #Proxy settings for Web App #2
> >       #
> >       ProxyPass /PIRPressSummary http://192.168.1.2:3882/PIRPressSummary
> >       ProxyPassReverse /PIRPressSummary http://192.168.1.2:3882/PIRPressSummary
> >
> >       #
> >       #Proxy settings for Web App #3
> >       #
> >       ProxyPass /eConnect http://192.168.1.3:3883/eConnect
> >       ProxyPassReverse /eConnect http://192.168.1.3:3883/eConnect
> >
> >       #
> >       #Proxy settings for Primary website content
> >       #
> >       ProxyPass / http://192.168.1.100/
> >       ProxyPassReverse / http://192.168.1.100/
> > </VirtualHost>
> >
> > <VirtualHost *:80>
> >       ServerName www.myseconddomain.com
> >       ServerAlias myseconddomain.com *.myseconddomain.com
> >       DocumentRoot "z:/Apache2/myseconddomain"
> >       <Directory "z:/Apache2/myseconddomain">
> >             Options FollowSymLinks
> >             AllowOverride None
> >             Order allow,deny
> >             Allow from all
> >       </Directory>
> >       ProxyPass / http://192.168.1.200:3342/
> >       ProxyPassReverse / http://192.168.1.200:3342/
> > </VirtualHost>
> >
> >
> > <IfModule ssl_module>
> > SSLRandomSeed startup builtin
> > SSLRandomSeed connect builtin
> > </IfModule>
> >
> >
> > We get the SSL warning when trying to access Web App #3 while going from
> > HTTP section of the application to an HTTPS section and the URL from
> > http://www.mydomain.com/eConnect/ to http://192.168.1.3/eConnect/.  The
> > certificate warning references the cert issued to the subdomain assigned to
> > the Web App #3 server (subdomain.mydomain.com).  The IP address that
> > appears in the URL is the private IP of Web App #3 server.
> >
> > ____________________________
> > Steven Niedermeyer
> > Bellingham, WA
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
> >
>
>
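The name check discussed in this thread, as an added example (not part of the original messages and not Apache's own code): a small lint that flags `https://` ProxyPass targets whose host would not match the backend certificate, including the wildcard case Steven asks about. The function names are hypothetical, and it assumes the certificate carries only DNS names (no IP address entries).

```python
import ipaddress
import re
from urllib.parse import urlsplit

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(host, pattern):
    """True if a certificate DNS name (optionally '*.x.y') covers host."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if is_ip(host):
        return False  # a DNS name in a certificate never covers an IP literal
    h, p = host.split("."), pattern.split(".")
    if len(h) != len(p):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def lint_proxypass(config, cert_names):
    """Return (line_no, host, reason) for https ProxyPass targets that
    would not match any DNS name in the certificate (assumed DNS-only)."""
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = re.match(r"\s*ProxyPass(?:Reverse)?\s+\S+\s+(https://\S+)", line)
        if not m:
            continue  # plain http targets involve no certificate check
        host = urlsplit(m.group(1)).hostname
        if is_ip(host):
            findings.append((no, host, "IP literal, certificate names a host"))
        elif not any(name_matches(host, n) for n in cert_names):
            findings.append((no, host, "no certificate name covers this host"))
    return findings

# Constructed sample: the ProxyPass forms quoted in the thread.
SAMPLE = """\
ProxyPass /eConnect https://192.168.1.3:443/eConnect
ProxyPassReverse /eConnect https://192.168.1.3:443/eConnect
ProxyPass /eConnect https://subdomain.mydomain.com:443/eConnect
ProxyPass /audio http://192.168.1.1:3881/audio
"""

if __name__ == "__main__":
    for finding in lint_proxypass(SAMPLE, ["subdomain.mydomain.com"]):
        print(finding)
```

A wildcard name such as `*.mydomain.com` covers `subdomain.mydomain.com` but neither the bare `mydomain.com` nor the private IP address.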


