Wednesday, March 6, 2019

Apache SSL reverse proxy with two name virtual host




I have an Apache reverse proxy that correctly proxies an https internal server. It is configured to use a wildcard self-signed certificate and to be a name-based virtual host with the ServerName directive.



I am trying to add a second https internal server to proxy. I copied the configuration from the first server and changed ServerName, but it does not work: if I try to connect to the name of the second server, it always proxies me to the first.



Here is the configuration:



NameVirtualHost *:443

<VirtualHost *:443>
    ServerAdmin webmaster@siteX.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    SSLCertificateFile /etc/apache2/siteX-cert/wildcard.siteX.com.crt
    SSLCertificateKeyFile /etc/apache2/siteX-cert/wildcard.siteX.com.key
    SSLCACertificateFile /etc/apache2/siteX-cert/my-ca.crt

    ServerName "website.siteX.com"

    CustomLog "/var/log/apache2/website.siteX.com-ssl-access.log" combined
    ErrorLog "/var/log/apache2/website.siteX.com-ssl-error.log"

    # We're not an open proxy
    ProxyRequests off

    # Proxying is available for anyone
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # The site we're proxying through
    ProxyPass / https://10.3.0.16/
    ProxyPassReverse / https://10.3.0.16/

    # Allows the proxying of an SSL connection
    SSLProxyEngine On
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@siteX.com

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    SSLCertificateFile /etc/apache2/siteX-cert/wildcard.siteX.com.crt
    SSLCertificateKeyFile /etc/apache2/siteX-cert/wildcard.siteX.com.key
    SSLCACertificateFile /etc/apache2/siteX-cert/my-ca.crt

    ServerName "website2.siteX.com"

    CustomLog "/var/log/apache2/website.siteX.com-ssl-access.log" combined
    ErrorLog "/var/log/apache2/website.siteX.com-ssl-error.log"

    # We're not an open proxy
    ProxyRequests off

    # Proxying is available for anyone
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # The site we're proxying through
    ProxyPass / https://10.3.0.26/
    ProxyPassReverse / https://10.3.0.26/

    # Allows the proxying of an SSL connection
    SSLProxyEngine On
</VirtualHost>
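Added example, not code from the question or from Apache: a small Go model of how a name-based TLS front end like the NameVirtualHost *:443 setup above picks a vhost. The two-entry vhost table is constructed from the question, httptest's built-in self-signed localhost certificate stands in for the wildcard cert, and the selection order (the SNI name the client sent, then the Host header, then the first vhost) is the model's assumption; a client whose name is never matched always lands on the first vhost, which is the behaviour the question reports.

```go
package main

import (
	"crypto/tls"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed vhost table mirroring the question: ServerName -> proxied backend.
// The first entry plays the role of Apache's default (first) name-based vhost.
var vhosts = []struct{ serverName, backend string }{
	{"website.siteX.com", "https://10.3.0.16/"},
	{"website2.siteX.com", "https://10.3.0.26/"},
}

// SelectVhost picks a backend the way a name-based TLS vhost does: the SNI name
// the client sent wins, then the HTTP Host header, otherwise the default vhost.
func SelectVhost(sni, host string) string {
	for _, want := range []string{sni, host} {
		for _, v := range vhosts {
			if want != "" && want == v.serverName {
				return v.backend
			}
		}
	}
	return vhosts[0].backend
}

// Probe serves the vhost table over TLS on a loopback port, connects with the given SNI name
// and Host header (either may be empty, like a non-SNI client), and returns the backend chosen.
func Probe(sni, host string) string {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, SelectVhost(r.TLS.ServerName, r.Host)) // r.TLS.ServerName is the SNI received
	}))
	defer srv.Close()
	// Self-signed test cert, so chain verification is skipped here; ServerName sets the SNI sent.
	tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true, ServerName: sni}}
	defer tr.CloseIdleConnections()
	req, _ := http.NewRequest("GET", srv.URL+"/", nil)
	req.Host = host // empty Host falls back to the URL's host (an IP literal), which matches no vhost
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return "error: " + err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return string(body)
}
```

Probing a front end with a client that sends SNI and one that does not separates a client-side SNI problem from a vhost configuration problem.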



Answer



I switched to Nginx and managed to get the two https sites working, with a quite simple configuration:



ssl_certificate     /etc/nginx/siteX-cert/wildcard.siteX.com.crt;
ssl_certificate_key /etc/nginx/siteX-cert/wildcard.siteX.com.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

server {
    listen 443 ssl;
    server_name website.siteX.com;
    ssl on;
    location / {
        proxy_pass https://10.3.0.16/;
    }
}

server {
    listen 443 ssl;
    server_name website2.siteX.com;
    ssl on;
    location / {
        proxy_pass https://10.3.0.26/;
    }
}
