Apache proxy / redirect https to https with one ip
I tried the info from ezra-s "SSLProxyEngine on" but I still get the error:
The proxy server could not handle the request GET /
Reason: Error during SSL Handshake with remote server
After some searching I found a working solution.
my config /etc/apache2/sites-available/B.domain.com.conf now:
<VirtualHost *:443>
    ServerName B.domain.com
    # Proxy to an HTTPS backend
    SSLProxyEngine on
    # Backend certificate checks switched off (chain, CN/name, expiry)
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem
    ProxyPass / https://1.1.1.2/
    ProxyPassReverse / https://1.1.1.2/
</VirtualHost>
But is the connection from outside still secure now?
rovivo
Updated on September 18, 2022
Comments
rovivo almost 2 years
I have one WAN IP with an Apache web server which hosts A.domain.com, and I want to reverse proxy B.domain.com to another server in the same local network.
Without SSL I solved it this way in the vhosts:
<VirtualHost *:80>
    ServerName Z.domain.com
    ProxyRequests Off
    ProxyPass / http://1.1.1.7/
    ProxyPassReverse / http://1.1.1.7/
</VirtualHost>
but with SSL enabled it doesn't work this way...
for better understanding I tried to draw it:
                                    -- A.domain.com(local IP:1.1.1.1)
                                    |
WAN --¦Firewall (NAT to 1.1.1.1) ¦-- LAN
                                    |
                                    -- B.domain.com(local IP:1.1.1.2)
Server 1.1.1.1 should redirect to 1.1.1.2
my config /etc/apache2/sites-available/B.domain.com.conf:
<VirtualHost *:443>
    ServerName B.domain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / https://1.1.1.2/
    ProxyPassReverse / https://1.1.1.2/
</VirtualHost>
I have activated it with:
a2ensite B.domain.com
and restarted Apache. The result is an internal server error if I call the site. Without the I have the same fault. If I call
apache2ctl -S
it looks all good.
Admin over 7 years
What do you mean with "it doesn't work that way" exactly? An SSL virtualhost will be exactly the same thing but enabling SSL and loading certificates, and just setting the proxy directives the same way wherever you want to point them, and if you wanted to proxy to an SSL backend the main difference is you need to add "SSLProxyEngine on". What is it you tried? What problems do you get? The picture may look pretty clear in your head but from here it looks rather confusing.
ezra-s over 7 years
You need to understand that, if you reverse proxy to a server and use the IP, that "name" must match the CN in the backend certificate; otherwise you will need additional SSLProxy directives to make Apache ignore the CN in the backend certificate. That is, you will probably need to add these directives too, or at least one of them:
SSLProxyCheckPeerCN off
and/or
SSLProxyCheckPeerName off
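An added example, not part of the original thread or any poster's own configuration: a variant of the answer's vhost that keeps the proxy-to-backend leg authenticated instead of switching the checks off, by proxying to a name that appears in the backend certificate, as ezra-s's comment describes. The host name `backend.lan` and the CA bundle path are assumptions; the certificate paths and the address 1.1.1.2 come from the thread.

```apache
<VirtualHost *:443>
    ServerName B.domain.com

    # Front leg (client -> proxy): certificate paths as given in the thread.
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/B.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem

    # Back leg (proxy -> 1.1.1.2): encrypted and authenticated.
    SSLProxyEngine on

    # The mod_ssl default is "none". With "require" the handshake fails
    # unless the backend certificate chains to the CA configured below.
    SSLProxyVerify require

    # Assumption: PEM file holding the CA that issued the backend
    # certificate (hypothetical path).
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.pem

    # Name and expiry checks are on by default; stated explicitly so a
    # later edit that turns them off is visible in review.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off

    # Assumption: backend.lan (hypothetical name) resolves to 1.1.1.2 on
    # the proxy, e.g. through /etc/hosts, and is listed as a
    # subjectAltName in the backend certificate, so the name check passes.
    ProxyPass        / https://backend.lan/
    ProxyPassReverse / https://backend.lan/
</VirtualHost>
```

With the settings from the answer, the browser-to-proxy leg is still protected by the Let's Encrypt certificate; what is lost is authentication of the backend, so the proxy will accept any certificate presented at 1.1.1.2.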