Apache proxy / redirect https to https with one ip

I tried the info from ezra-s "SSLProxyEngine on" but I still get the error:

The proxy server could not handle the request GET /

Reason: Error during SSL Handshake with remote server

After some searching I found a working solution.

My config /etc/apache2/sites-available/B.domain.com.conf now:

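<VirtualHost *:443>
    ServerName B.domain.com
    # Use TLS for the connection from this proxy to the backend
    SSLProxyEngine on
    # These four directives switch off all checks of the backend certificate
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # Certificate presented to clients connecting from outside
    SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem

    ProxyPass / https://1.1.1.2/
    ProxyPassReverse / https://1.1.1.2/
</VirtualHost>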

But is the connection from outside still secure now?

Author by

rovivo

Updated on September 18, 2022
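
The SSLProxy* directives in the answer above affect only the hop from the proxy (1.1.1.1) to the backend (1.1.1.2); the hop from outside clients to the proxy is still protected by the Let's Encrypt certificate. The following is an added example, not part of the original post, showing the same vhost with backend certificate verification left on. The backend name `backend.internal.example`, its resolution to 1.1.1.2 on the proxy host, and the CA file path are assumptions.

```apache
# Added example, not from the original post. Assumptions (all hypothetical):
#   - the backend certificate is issued for "backend.internal.example"
#   - the proxy host resolves that name to 1.1.1.2 (for example via /etc/hosts)
#   - /etc/apache2/ssl/backend-ca.pem holds the CA (or the self-signed
#     certificate itself) that the backend certificate chains to
# Requires mod_ssl, mod_proxy and mod_proxy_http to be enabled.
<VirtualHost *:443>
    ServerName B.domain.com

    # Client-facing TLS (WAN -> proxy), same certificate as in the post
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem

    # Backend TLS (proxy -> 1.1.1.2): verify the certificate instead of
    # disabling the checks
    SSLProxyEngine on
    # Chain must validate against the CA file below
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.pem
    # Name in the ProxyPass URL must match the certificate (SAN or CN).
    # On 2.4.5 and later this supersedes SSLProxyCheckPeerCN.
    SSLProxyCheckPeerName on
    # Reject an expired backend certificate
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    # Proxy by name, not by IP, so the name check can succeed
    ProxyPass / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

Run `apache2ctl configtest` before reloading; if the handshake error returns, the name in the ProxyPass URL does not match the backend certificate or the CA file does not contain its issuer.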

Comments

  • rovivo
    rovivo almost 2 years

    I have one WAN-IP with an Apache webserver which hosts A.domain.com and I will reverse proxy to B.domain.com to another server in the same local network.

    Without SSL I solved it this way in the vhosts:

    <VirtualHost *:80>
    ServerName Z.domain.com
    ProxyRequests Off

    ProxyPass / http://1.1.1.7/
    ProxyPassReverse / http://1.1.1.7/
    </VirtualHost>

    But with SSL enabled it doesn't work this way...

    For better understanding I tried to draw it:

                                           -- A.domain.com(local IP:1.1.1.1)
                                          |
    WAN --¦Firewall (NAT to 1.1.1.1) ¦-- LAN
                                          |
                                           -- B.domain.com(local IP:1.1.1.2)
    

    Server 1.1.1.1 should redirect to 1.1.1.2

    My config /etc/apache2/sites-available/B.domain.com.conf:

    <VirtualHost *:443>
            ServerName B.domain.com
            SSLEngine on
            SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
            SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem
    
            ProxyRequests Off
            <Proxy *>
                    Order deny,allow
                    Allow from all
            </Proxy>
            ProxyPass / https://1.1.1.2/
            ProxyPassReverse / https://1.1.1.2/
    </VirtualHost>
    

    I have activated it with: a2ensite B.domain.com and restarted Apache. The result is an internal server error if I call the site. Without the I have the same fault.

    If I call apache2ctl -S it all looks good.

    • Admin
      Admin over 7 years
      What do you mean by "it doesn't work that way" exactly? An SSL virtualhost will be exactly the same thing but enabling SSL and loading certificates, and just setting the proxy directives the same way wherever you want to point them, and if you wanted to proxy to an SSL backend the main difference is you need to add "SSLProxyEngine on". What is it you tried? What problems do you get? The picture may look pretty clear in your head but from here it looks rather confusing.
  • ezra-s
    ezra-s over 7 years
    You need to understand that, if you reverse proxy to a server and use the IP, that "name" must match the CN in the backend certificate; otherwise you will need additional SSLProxy directives to make Apache ignore the CN in the backend certificate. That is, you will probably need to add these directives too, or at least one of them: SSLProxyCheckPeerCN off and/or SSLProxyCheckPeerName off.