
I would like to have an Apache 2.4 proxy which redirects port 80 and 443 requests to different machines in the local network, depending on the host name. I used mod_proxy and it works fine with port 80.

Now I am trying to do an HTTPS->HTTPS redirect. The following code works:

```apache
<VirtualHost *:443>
    ServerName domain.tld
    ServerAlias www.domain.tld

    # Re-encrypt towards the backend (the proxy acts as a TLS client here)
    SSLProxyEngine On
    ProxyPass / https://new.domain.tld/
    ProxyPassReverse / https://new.domain.tld/

    # TLS is terminated at the proxy, so it needs this host's key material
    SSLEngine on
    SSLCertificateFile /etc/myssl/public.pem
    SSLCertificateKeyFile /etc/myssl/privkey.pem
    SSLCertificateChainFile /etc/myssl/chain-class2.pem
</VirtualHost>
```

The problem is that the proxy needs to have all the SSL keyfiles of the machines, which produces a lot of overhead in the yearly certificate renewal.

I do understand that the proxy needs to establish an encrypted connection using its own key material to inspect the Host: HTTP-header to find out which VirtualHost to use.

But since today's browsers usually implement SNI, I would like to use this information to delegate to the correct VirtualHost without requiring any key material at the proxy. Is this possible in Apache 2.4?

Daniel Marschall
  • Did you ever figure this out? – mikewaters Mar 19 '15 at 16:06
  • @mikewaters No. I am still searching for an answer. I think the Apache people don't want to implement this feature. – Daniel Marschall Mar 20 '15 at 13:13
  • Some work has been done in that direction, see here: http://apache-http-server.18135.x6.nabble.com/Patch-mod-tcp-mod-proxy-tcp-mod-ssl-tcp-td5028493.html. Another solution would be to use `haproxy` like so: http://serverfault.com/a/625364/340480 – koniu Jun 13 '16 at 02:02

0 Answers