configure secure SSL Apache reverse proxy


Turns out adding certificates via SSLProxyCACertificateFile does not skip name checks, which makes total sense. So in order for custom certificates to work, they still need to be issued to the correct name, or in my case, the IP. After I made a new certificate issued to that IP, my configuration works now. Here are the relevant parts:

<VirtualHost *:443>
    ServerName somehostname.com
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/custom_cert.pem
    # Both default to on; listed here for clarity (Apache does not allow
    # comments on the same line as a directive, so they go on their own lines)
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerName on
    ProxyPass / https://123.45.67.89/
    ProxyPassReverse / https://123.45.67.89/
</VirtualHost>
Author by

Felk

Updated on July 29, 2022

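An added example (not from the original post) of the certificate the answer ends up needing: a self-signed certificate whose subjectAltName is the backend's IP, together with the trust-anchor and name checks that SSLProxyCACertificateFile and SSLProxyCheckPeerName apply. It assumes OpenSSL 1.1.1 or later; the output file names and the 10.0.0.1 counter-example are constructed.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes OpenSSL >= 1.1.1
# (needed for `req -addext` and `verify -verify_ip`).
set -eu

# Create a self-signed certificate whose identity is an IP address placed in
# subjectAltName (where name checks look first); the CN is set to the same IP
# for tools that still fall back to it. Writes "$2.key" and "$2.pem".
make_ip_cert() {
    ip="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out.key" -out "$out.pem" \
        -subj "/CN=$ip" \
        -addext "subjectAltName=IP:$ip" >/dev/null 2>&1
}

# Check both things the proxy checks: the certificate verifies against the
# pinned trust anchor (SSLProxyCACertificateFile) AND its identity matches the
# IP the proxy connects to (SSLProxyCheckPeerName). Non-zero if either fails.
check_ip_cert() {
    pem="$1"; ip="$2"
    openssl verify -CAfile "$pem" -verify_ip "$ip" "$pem" >/dev/null 2>&1
}

# Constructed demo: 123.45.67.89 is the backend IP from the question.
workdir=$(mktemp -d)
make_ip_cert 123.45.67.89 "$workdir/backend"
check_ip_cert "$workdir/backend.pem" 123.45.67.89 && echo "accepted for 123.45.67.89"
check_ip_cert "$workdir/backend.pem" 10.0.0.1 || echo "rejected for 10.0.0.1 (name mismatch)"
```

A certificate issued only to a hostname (CN or DNS SAN) fails the second check for an IP backend in the same way, which is why the answer had to reissue the certificate to the IP.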
Comments

  • Felk
    Felk over 1 year

    I'm trying to establish a reverse proxy setup with Apache that securely supports SSL all the way through:

    Client   <-->   Proxy @ somehostname.com   <-->   Server @ 123.45.67.89
    

    Note that my proxy server has a hostname, but the remote server does not. The SSL setup between clients and the proxy works fine with a letsencrypt setup. However, I am struggling to secure the connection between the proxy and the remote server.

    Because the remote server doesn't have a hostname, and letsencrypt doesn't issue certificates for IPs only, my idea was to generate a self-signed certificate and copy the certificate over to the proxy for it to only trust that one. Unfortunately I don't know how.

    If I just disable these certificate checks, the connection works, as the proxy just trusts every certificate:

    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    

    While encryption will work fine, to my understanding authenticity is compromised and I am subject to MitM attacks during the handshake. This is not ideal.

    Instead, I've instructed Apache to trust my self-signed certificate with

    SSLProxyCACertificateFile /path/to/cert.pem
    

    and then tried to enforce a valid certificate with

    SSLProxyVerify require
    

    but despite me explicitly listing the certificate, and the documentation of SSLProxyCACertificateFile saying "These are used for Remote Server Authentication", it seems to not trust it.

    Is there a way to make sure the connection between the proxy and remote server is safe, for example by enforcing Apache to always connect to the proxy using that specific certificate?

  • Diego Ramos
    Diego Ramos about 3 years
    Hi Felk, I am facing the same issue, I have the same config as you: C <--> Reverse Proxy <--> Server (https). As I understand, to make the secured connection between Reverse Proxy and Server I need to add a trustEntry in the Reverse Proxy, and this is done via SSLProxyCACertificateFile /path/to/custom_cert.pem, correct? Thank you...
  • Felk
    Felk about 3 years
    Yes. Specifying the certificate in a SSLProxyCACertificateFile directive basically circumvents the restriction that all certificates usually need to be issued by one of a predefined list of certificate authorities.
  • Diego Ramos
    Diego Ramos about 3 years
    Thanks for the reply Felk, I've noticed that my Server is also requesting a certificate (2-way SSL, i.e. Client Auth). In this case I would also need to have a Key in the Webserver, right? Which will be accepted (authenticated) by the Server? Thanks
  • Felk
    Felk about 3 years
    If you are facing a particular problem, please open a new question. You can link it here and ping me and I'll take a look
  • Diego Ramos
    Diego Ramos about 3 years
    Ok, thanks Felk, I will elaborate on it and will ping back, good day :)