proxypass or redirect external https to internal https

["Shaw, Dan" <DShaw@xxxxxxxxxxxxxxxxxx>]

Hello,

Has anyone setup apache to either ProxyPass or Redirect incoming https (internet end user) connection to internal https?

I would have thought that ssl_mod would have taken care of this but it does not seem to be the case.

 

I know this maybe asking quit a bit but below is our inherited ssl.conf.

 

Any help is greatly appreciated.

 

BEGINN --à

 

#

# This is the Apache server configuration file providing SSL support.

# It contains the configuration directives to instruct the server how to

# serve pages over an https connection. For detailing information about these

# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>

#

# Do NOT simply read the instructions in here without understanding

# what they do.  They're here only as hints or reminders.  If you are unsure

# consult the online docs. You have been warned. 

#

 

#

# Pseudo Random Number Generator (PRNG):

# Configure one or more sources to seed the PRNG of the SSL library.

# The seed data should be of good random quality.

# WARNING! On some platforms /dev/random blocks if not enough entropy

# is available. This means you then cannot use the /dev/random device

# because it would lead to very long connection times (as long as

# it requires to make more entropy available). But usually those

# platforms additionally provide a /dev/urandom device which doesn't

# block. So, if available, use this one instead. Read the mod_ssl User

# Manual for more details.

#

# Note: This must come before the <IfDefine SSL> container to support

#       starting without SSL on platforms with no /dev/random equivalent

#       but a statically compiled-in mod_ssl.

#

SSLRandomSeed startup builtin

SSLRandomSeed connect builtin

#SSLRandomSeed startup file:/dev/random  512

#SSLRandomSeed startup file:/dev/urandom 512

#SSLRandomSeed connect file:/dev/random  512

#SSLRandomSeed connect file:/dev/urandom 512

 

<IfDefine SSL>

 

#

# When we also provide SSL we have to listen to the

# standard HTTP port (see above) and to the HTTPS port

#

# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two

#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"

#

Listen 443

 

##

##  SSL Global Context

##

##  All SSL configuration in this context applies both to

##  the main server and all SSL-enabled virtual hosts.

##

 

#

#   Some MIME-types for downloading Certificates and CRLs

#

AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl    .crl

 

#   Pass Phrase Dialog:

#   Configure the pass phrase gathering process.

#   The filtering dialog program (`builtin' is a internal

#   terminal dialog) has to provide the pass phrase on stdout.

SSLPassPhraseDialog  builtin

 

#   Inter-Process Session Cache:

#   Configure the SSL Session Cache: First the mechanism

#   to use and second the expiring timeout (in seconds).

#SSLSessionCache        none

#SSLSessionCache        shmht:/usr/local/apache2/logs/ssl_scache(512000)

#SSLSessionCache        shmcb:/usr/local/apache2/logs/ssl_scache(512000)

SSLSessionCache         dbm:/usr/local/apache2/logs/ssl_scache

SSLSessionCacheTimeout  300

 

#   Semaphore:

#   Configure the path to the mutual exclusion semaphore the

#   SSL engine uses internally for inter-process synchronization.

SSLMutex  file:/usr/local/apache2/logs/ssl_mutex

 

##

## SSL Virtual Host Context

##

 

<VirtualHost 192.168.45.154:443>

 

ProxyRequests On

        ProxyVia On

        <Proxy *>

        Order deny,allow

        Deny from all

        Allow from all

        </Proxy>

        ProxyPass /chat http://192.168.45.80

        ProxyPassReverse /chat http://192.168.45.80

        ProxyPass /LeadsRequest/ http://192.168.45.148/LeadsRequest/

        ProxyPassReverse /LeadsRequest/ http://192.168.45.148/LeadsRequest/

## Added the following 2 redirects per request from Shawn Miller

# Rick Minato  -  Mon Jan 28 13:24:35 PST 2008

#Redirect /tps https://ccqa.roadloans.com/tps/MyAccounts/Public/Login.aspx

#Redirect /tps/ https://ccqa.roadloans.com/tps/MyAccounts/Public/Login.aspx

#ProxyPass /tps https://ccqa.roadloans.com/tps/

#ProxyPassReverse /tps https://ccqa.roadloans.com/tps/

ProxyPass /tps/ https://ccqa.roadloans.com/tps/

ProxyPassReverse /tps/ https://ccqa.roadloans.com/tps/

 

#   General setup for the virtual host

DocumentRoot "/usr/local/apache2/docs"

ServerName qa3.roadloans.com:443

ServerAdmin hostmaster@xxxxxxxxxxxxxxxxxx

ErrorLog /usr/local/apache2/logs/roadloans_ssl_error_log

TransferLog /usr/local/apache2/logs/roadloans_ssl_access_log

 

#   SSL Engine Switch:

#   Enable/Disable SSL for this virtual host.

SSLEngine on

 

#   SSL Cipher Suite:

#   List the ciphers that the client is permitted to negotiate.

#   See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 

#   Server Certificate:

#   Point SSLCertificateFile at a PEM encoded certificate.  If

#   the certificate is encrypted, then you will be prompted for a

#   pass phrase.  Note that a kill -HUP will prompt again.  Keep

#   in mind that if you have both an RSA and a DSA certificate you

#   can configure both in parallel (to also allow the use of DSA

#   ciphers, etc.)

SSLCertificateFile /usr/local/apache2/certs/qa3.roadloans.crt

#SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt

 

#   Server Private Key:

#   If the key is not combined with the certificate, use this

#   directive to point at the key file.  Keep in mind that if

#   you've both a RSA and a DSA private key you can configure

#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /usr/local/apache2/certs/server.key

#SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key

 

#   Server Certificate Chain:

#   Point SSLCertificateChainFile at a file containing the

#   concatenation of PEM encoded CA certificates which form the

#   certificate chain for the server certificate. Alternatively

#   the referenced file can be the same as SSLCertificateFile

#   when the CA certificates are directly appended to the server

#   certificate for convinience.

#SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

 

#   Certificate Authority (CA):

#   Set the CA certificate verification path where to find CA

#   certificates for client authentication or alternatively one

#   huge file containing all of them (file must be PEM encoded)

#   Note: Inside SSLCACertificatePath you need hash symlinks

#         to point to the certificate files. Use the provided

#         Makefile to update the hash symlinks after changes.

#SSLCACertificatePath /usr/local/apache2/conf/ssl.crt

#SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle.crt

 

#   Certificate Revocation Lists (CRL):

#   Set the CA revocation path where to find CA CRLs for client

#   authentication or alternatively one huge file containing all

#   of them (file must be PEM encoded)

#   Note: Inside SSLCARevocationPath you need hash symlinks

#         to point to the certificate files. Use the provided

#         Makefile to update the hash symlinks after changes.

#SSLCARevocationPath /usr/local/apache2/conf/ssl.crl

#SSLCARevocationFile /usr/local/apache2/conf/ssl.crl/ca-bundle.crl

 

#   Client Authentication (Type):

#   Client certificate verification type and depth.  Types are

#   none, optional, require and optional_no_ca.  Depth is a

#   number which specifies how deeply to verify the certificate

#   issuer chain before deciding the certificate is not valid.

#SSLVerifyClient require

#SSLVerifyDepth  10

 

#   Access Control:

#   With SSLRequire you can do per-directory access control based

#   on arbitrary complex boolean expressions containing server

#   variable checks and other lookup directives.  The syntax is a

#   mixture between C and Perl.  See the mod_ssl documentation

#   for more details.

#<Location />

#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \

#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \

#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \

#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \

#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \

#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/

#</Location>

 

#   SSL Engine Options:

#   Set various options for the SSL engine.

#   o FakeBasicAuth:

#     Translate the client X.509 into a Basic Authorisation.  This means that

#     the standard Auth/DBMAuth methods can be used for access control.  The

#     user name is the `one line' version of the client's X.509 certificate.

#     Note that no password is obtained from the user. Every entry in the user

#     file needs this password: `xxj31ZMTZzkVA'.

#   o ExportCertData:

#     This exports two additional environment variables: SSL_CLIENT_CERT and

#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the

#     server (always existing) and the client (only existing when client

#     authentication is used). This can be used to import the certificates

#     into CGI scripts.

#   o StdEnvVars:

#     This exports the standard SSL/TLS related `SSL_*' environment variables.

#     Per default this exportation is switched off for performance reasons,

#     because the extraction step is an expensive operation and is usually

#     useless for serving static content. So one usually enables the

#     exportation for CGI and SSI requests only.

#   o CompatEnvVars:

#     This exports obsolete environment variables for backward compatibility

#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this

#     to provide compatibility to existing CGI scripts.

#   o StrictRequire:

#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even

#     under a "Satisfy any" situation, i.e. when it applies access is denied

#     and no other module can change it.

#   o OptRenegotiate:

#     This enables optimized SSL connection renegotiation handling when SSL

#     directives are used in per-directory context.

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/usr/local/apache2/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

 

#   SSL Protocol Adjustments:

#   The safe and default but still SSL/TLS standard compliant shutdown

#   approach is that mod_ssl sends the close notify alert but doesn't wait for

#   the close notify alert from client. When you need a different shutdown

#   approach you can use one of the following variables:

#   o ssl-unclean-shutdown:

#     This forces an unclean shutdown when the connection is closed, i.e. no

#     SSL close notify alert is send or allowed to received.  This violates

#     the SSL/TLS standard but is needed for some brain-dead browsers. Use

#     this when you receive I/O errors because of the standard approach where

#     mod_ssl sends the close notify alert.

#   o ssl-accurate-shutdown:

#     This forces an accurate shutdown when the connection is closed, i.e. a

#     SSL close notify alert is send and mod_ssl waits for the close notify

#     alert of the client. This is 100% SSL/TLS standard compliant, but in

#     practice often causes hanging connections with brain-dead browsers. Use

#     this only for browsers where you know that their SSL implementation

#     works correctly.

#   Notice: Most problems of broken clients are also related to the HTTP

#   keep-alive facility, so you usually additionally want to disable

#   keep-alive for those clients, too. Use variable "nokeepalive" for this.

#   Similarly, one has to force some clients to use HTTP/1.0 to workaround

#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and

#   "force-response-1.0" for this.

SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

 

#   Per-Server Logging:

#   The home of a custom SSL log file. Use this when you want a

#   compact non-error SSL logfile on a virtual host basis.

CustomLog /usr/local/apache2/logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 

</VirtualHost>                                  

 

<VirtualHost 192.168.45.155:443>

 

 

#Proxy for eGain Chat Server - T.Rider 5/11/05

 

ProxyRequests On

        ProxyVia On

        <Proxy *>

        Order deny,allow

        Deny from all

        Allow from all

        </Proxy>

        ProxyPass /chat/ http://192.168.45.80/

        ProxyPassReverse /chat/ http://192.168.45.80/

        ProxyPass /LeadsRequest/ http://192.168.45.148/LeadsRequest/

        ProxyPassReverse /LeadsRequest/ http://192.168.45.148/LeadsRequest/

 

 

#   General setup for the virtual host

DocumentRoot "/usr/local/apache2/docs/tfc"

ServerName qa3.triadfinancial.com:443

ServerAdmin hostmaster@xxxxxxxxxxxxxxxxxx

ErrorLog /usr/local/apache2/logs/triadfinancial_ssl_error_log

TransferLog /usr/local/apache2/logs/triadfinancial_ssl_access_log

 

SSLEngine on

 

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 

SSLCertificateFile /usr/local/apache2/certs/qa3.triadfinancial.crt

 

SSLCertificateKeyFile /usr/local/apache2/certs/server.key

 

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/usr/local/apache2/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

 

 

SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

 

CustomLog /usr/local/apache2/logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 

</VirtualHost>

 

</IfDefine>

 

 

END ->

 

 

 

Thanks again,

 

DPS