[TriLUG] ssl through reverse proxy

Paul G. Szabady paul at thyservice.com
Sat Aug 25 11:09:45 EDT 2012


Greetings,

I am trying to enable ssl through the following scenario, running apache 
2.2 on separate servers.  Basically, I want the reverse proxy (RP) 
server to do just that, proxying.  I have done this hundreds of times 
behind load balancers (e.g. Big IP F5), but here at $HOME, I don't have 
that luxury.

client (httpS) > firewall > Apache RP > (domain1 | domain2)

It seems I have two choices: either pass the SSL traffic through the 
reverse proxy to the back-end server (preferred) OR terminate SSL on the 
reverse proxy server somehow.

Issues:

  - passing ssl:  How does one do this with multiple domain names and 
multiple back-end servers when the hostname is encrypted?

  - offload ssl and connect to back-end servers over http:  Dr. Google 
and I have battled a bit on the proper search term(s) and I have not 
been able to find a solution.  Is this even possible?

Notes:
  - I have straight http working as expected, so all my mods are in 
place for proxying.


Misc info...
============
[root at web ~]# cat /etc/redhat-release
CentOS release 6.3 (Final)
[root at web ~]# /usr/local/apache-standard/bin/httpd -v
Server version: Apache/2.2.22 (Unix)
Server built:   Aug 23 2012 19:49:06
[root at web ~]# /usr/local/apache-standard/bin/httpd -l
Compiled in modules:
   core.c
   mod_authn_file.c
   mod_authn_default.c
   mod_authz_host.c
   mod_authz_groupfile.c
   mod_authz_user.c
   mod_authz_default.c
   mod_auth_basic.c
   mod_include.c
   mod_filter.c
   mod_log_config.c
   mod_env.c
   mod_expires.c
   mod_headers.c
   mod_setenvif.c
   mod_version.c
   prefork.c
   http_core.c
   mod_mime.c
   mod_status.c
   mod_autoindex.c
   mod_asis.c
   mod_cgi.c
   mod_negotiation.c
   mod_dir.c
   mod_actions.c
   mod_alias.c
   mod_rewrite.c
   mod_so.c
[root at web ~]# grep LoadModule /usr/local/apache-standard/conf/httpd.conf
# have to place corresponding `LoadModule' lines at this location so the
# LoadModule foo_module modules/mod_foo.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule ssl_module modules/mod_ssl.so
[root at web ~]#


From /usr/local/apache-standard/conf/httpd.conf
===============================================
# Global proxy settings on the reverse-proxy (RP) host.
#ProxyPreserveHost On
# Forward proxying stays disabled; with this off, <Proxy *> below only
# governs access to the ProxyPass/ProxyPassMatch targets, it does not turn
# the host into an open proxy. Keep it off.
ProxyRequests off
# Allows mod_proxy to open TLS connections to https:// backends.
SSLProxyEngine on

<Proxy *>
   Order deny,allow
   # Every client is allowed to reach the proxied backends; the firewall in
   # front of the RP is the only other gate visible in this setup.
   Allow from all
</Proxy>

From /usr/local/apache-standard/conf/extra/httpd-vhosts.conf
============================================================

# Name-based virtual hosts on both ports of the RP address.
NameVirtualHost 192.168.2.24:80
# NOTE(review): name-based vhosts on :443 depend on SNI to select the
# certificate; clients that do not send SNI are served by the first vhost
# defined for this address:port (srv04 below) — confirm that is intended.
NameVirtualHost 192.168.2.24:443

KeepAlive Off

# First vhost defined for 192.168.2.24:80, hence the default for requests
# whose Host: header matches no other :80 vhost.
<VirtualHost 192.168.2.24:80>
   ServerName srv04
   DocumentRoot /usr/local/apache-standard/htdocs
</VirtualHost>

# First vhost defined for 192.168.2.24:443, hence the default for that
# socket. NOTE(review): it carries no SSLEngine On and no certificate.
# mod_ssl decides per socket, from the default vhost, whether to speak
# TLS at all, so port 443 on this address most likely answers in plain
# HTTP — which matches the "unknown protocol" errors from openssl s_client
# and curl further down. The _default_:443 vhost in httpd-ssl.conf is a
# less specific match and does not cover this address. Verify by adding
# SSLEngine On plus SSLCertificateFile/SSLCertificateKeyFile here.
<VirtualHost 192.168.2.24:443>
   ServerName srv04
   DocumentRoot /usr/local/apache-standard/htdocs
</VirtualHost>

# Plain-HTTP reverse proxy for domain1 (the path reported as working).
<VirtualHost 192.168.2.24:80>
   ServerName domain1.com
   ServerAlias www.domain1.com
   DocumentRoot /usr/local/apache-standard/htdocs/domain1

   # Rewrite engine is enabled but no RewriteRule appears in this excerpt.
   RewriteEngine On
   # Pass the client's Host: header through unchanged so the backend can
   # pick its own name-based vhost.
   ProxyPreserveHost on
   # Proxy everything to the domain1 backend. Per the mod_proxy docs,
   # retry=0 stops a failed backend from being parked in error state and
   # disablereuse=On forces a new backend connection per request.
   # NOTE(review): no ProxyPassReverse here, so Location/redirect headers
   # from the backend reach the client unrewritten — confirm intended.
   ProxyPassMatch ^/(.*) http://192.168.2.25/$1 retry=0 disablereuse=On

    <Location />
     Order allow,deny
     Allow from all
    </Location>

</VirtualHost>

# HTTPS front end for domain1, re-encrypting to an HTTPS backend.
# NOTE(review): this is the second vhost on 192.168.2.24:443; the socket
# default (srv04 above) is the one mod_ssl consults for whether to speak
# TLS, so SSLEngine On here alone may not be enough — verify.
<VirtualHost 192.168.2.24:443>
   ServerName domain1.com
   ServerAlias www.domain1.com
   DocumentRoot /usr/local/apache-standard/htdocs/domain1

   RewriteEngine On
   ProxyPreserveHost on
   # Proxies everything to the backend over TLS. This overlaps with the
   # ProxyPass inside <Location /> below, which points at the same target;
   # one of the two is redundant.
   ProxyPassMatch ^/(.*) https://192.168.2.25/$1 retry=0 disablereuse=On

    <Location />
     Order allow,deny
     Allow from all
# Same backend as the ProxyPassMatch above. ProxyPassReverse is only set
# here, at Location scope.
ProxyPass https://192.168.2.25/
ProxyPassReverse https://192.168.2.25/
    </Location>

ProxyVia On
# Tells the backend the client connection was TLS; set unconditionally,
# which is correct only because this vhost is the :443 one.
RequestHeader set Front-End-Https "on"
ProxyPreserveHost On
SSLEngine On
SSLProxyEngine On
# NOTE(review): no SSLProxyVerify directive appears in this vhost, and in
# Apache 2.2 its default is "none", so the backend certificate is not
# checked against this CA bundle. If backend authenticity matters, add
# SSLProxyVerify require (and keep SSLProxyCheckPeerCN on).
SSLProxyCACertificateFile "/usr/local/apache-standard/conf/ca-bundle.crt"
SSLCertificateKeyFile "/usr/local/apache-standard/conf/domain1.key"
SSLCertificateFile "/usr/local/apache-standard/conf/domain1.crt"
</VirtualHost>


From /usr/local/apache-standard/conf/extra/httpd-ssl.conf
=========================================================
# Global TLS settings (stock httpd-ssl.conf layout).
Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin
# The following directive and its argument are one line in the file; the
# line break here appears to be mail wrapping.
SSLSessionCache 
"shmcb:/usr/local/apache-standard/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300
SSLMutex  "file:/usr/local/apache-standard/logs/ssl_mutex"

# Catch-all TLS vhost from the stock httpd-ssl.conf. NOTE(review):
# _default_ only matches addresses that have no more specific vhost, so
# it does not apply to 192.168.2.24:443, which is configured explicitly in
# httpd-vhosts.conf — verify against the running config.
<VirtualHost _default_:443>

DocumentRoot "/usr/local/apache-standard/htdocs"
ServerName www.example.com:443
ServerAdmin you at example.com
ErrorLog "/usr/local/apache-standard/logs/error_log"
TransferLog "/usr/local/apache-standard/logs/access_log"

SSLEngine on
# Only SSLv2 is excluded; SSLv3 remains enabled. Consider "-SSLv3" as well.
SSLProtocol all -SSLv2
# MEDIUM admits ciphers that are no longer considered adequate; a HIGH-only
# list is the safer default for a public front end.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/usr/local/apache-standard/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache-standard/conf/server.key"
# CA settings for client-certificate verification; no SSLVerifyClient is
# set in this vhost, so they appear to be inert here.
SSLCACertificatePath "/usr/local/apache-standard/conf"
SSLCACertificateFile "/usr/local/apache-standard/conf/ca-bundle.crt"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
     SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache-standard/cgi-bin">
     SSLOptions +StdEnvVars
</Directory>

# Legacy workaround for old MSIE TLS bugs (stock distribution default).
BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \
          downgrade-1.0 force-response-1.0

# Per-request TLS log: protocol and cipher negotiated with each client.
CustomLog "/usr/local/apache-standard/logs/ssl_request_log" \
           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
[root at web ~]#

From the outside world:
=======================
$ openssl s_client -connect domain1.com:443
CONNECTED(00000003)
3078105288:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
protocol:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 226 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
$

(NOTE: The 503 in the following is actually correct and expected.)
$ curl -I http://domain1.com
HTTP/1.1 503 Service Temporarily Unavailable
Date: Sat, 25 Aug 2012 15:07:24 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Status: 503 Service Temporarily Unavailable
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Set-Cookie: 85acadc666944cb437f95adff26d71b7=n9pgc5epp4nh8c6rd8t5fr01r6; 
path=/
Connection: close

$ curl -Ik https://domain1.com
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown 
protocol
$

Any help / pointers would be much appreciated!
Thanks!

--
Paul
@ Thy Service


