
I have one WAN IP with an Apache web server which hosts A.domain.com, and I will reverse proxy B.domain.com to another server in the same local network.

Without SSL I solved it this way in the vhosts:

    <VirtualHost *:80>
        ServerName Z.domain.com
        ProxyRequests Off

        ProxyPass / http://1.1.1.7/
        ProxyPassReverse / http://1.1.1.7/
    </VirtualHost>

but with SSL enabled it doesn't work this way...

for better understanding I tried to draw it:

                                       -- A.domain.com(local IP:1.1.1.1)
                                      |
WAN --¦Firewall (NAT to 1.1.1.1) ¦-- LAN
                                      |
                                       -- B.domain.com(local IP:1.1.1.2)

Server 1.1.1.1 should redirect to 1.1.1.2

my config /etc/apache2/sites-available/B.domain.com.conf:

<VirtualHost *:443>
        ServerName B.domain.com
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem

        ProxyRequests Off
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ProxyPass / https://1.1.1.2/
        ProxyPassReverse / https://1.1.1.2/
</VirtualHost>

I have activated it with `a2ensite B.domain.com` and restarted Apache. The result is an internal server error if I call the site. Without the I have the same fault.

If I call `apache2ctl -S` it all looks good.

rovivo

  • What do you mean with "it doesn't work that way" exactly? An SSL virtualhost will be exactly the same thing but enabling SSL and loading certificates, and just setting the proxy directives the same way wherever you want to point them, and if you wanted to proxy to an SSL backend the main difference is you need to add "SSLProxyEngine on". What is it you tried? What problems do you get? The picture may look pretty clear in your head but from here it looks rather confusing. – ezra-s Jan 19 '17 at 08:55

2 Answers


I tried the info from ezra-s ("SSLProxyEngine on") but I still get the error:

The proxy server could not handle the request GET /

Reason: Error during SSL Handshake with remote server

After some searching I found a working solution.

my config /etc/apache2/sites-available/B.domain.com.conf now:

    <VirtualHost *:443>
        ServerName B.domain.com
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem

        ProxyPass / https://1.1.1.2/
        ProxyPassReverse / https://1.1.1.2/
    </VirtualHost>

But is the connection from outside still secure now?

rovivo

  • You need to understand that, if you reverse proxy to a server and use the IP, that "name" must match the CN in the backend certificate; otherwise you will need additional SSLProxy directives to make Apache ignore the CN in the backend certificate. That is, you will probably need to add these directives too, or at least one of them: `SSLProxyCheckPeerCN off` and/or `SSLProxyCheckPeerName off`. – ezra-s Jan 23 '17 at 09:28
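The config in this answer makes the handshake error go away by switching off every check Apache would otherwise do on the backend certificate (`SSLProxyVerify none`, the CheckPeer* directives off). The client-to-proxy leg is still TLS with the Let's Encrypt certificate, but the proxy-to-backend leg will now accept any certificate at all, which is exactly what an attacker on the LAN needs to impersonate 1.1.1.2. The root cause of the original handshake failure is that the ProxyPass URL names the backend by IP: that IP is what Apache compares with the certificate name, and it cannot be sent as SNI (RFC 6066 forbids IP literals), so a backend serving name-based vhosts has no way to pick the B.domain.com certificate. The following is an added example, not part of the original answer, showing the same vhost with verification kept on. It assumes the proxy host can resolve B.domain.com to the LAN address (an `/etc/hosts` entry, since public DNS points the name at the WAN IP, i.e. back at the proxy itself), that the backend really serves the B.domain.com Let's Encrypt certificate, and the Debian/Ubuntu CA bundle path.

```apache
# Added example (not the original poster's config).
# Assumed /etc/hosts entry on the proxy so the name resolves to the LAN host:
#   1.1.1.2   B.domain.com

<VirtualHost *:443>
    ServerName B.domain.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/B.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem

    # TLS towards the backend, with the certificate actually verified.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    # Trust store used to validate the backend chain (Let's Encrypt chains
    # to a public root, so the system CA bundle is enough; path assumed).
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    # These are the defaults on Apache 2.4, stated explicitly so nobody
    # copies the "off" variant by accident.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    # Backend sees Host: B.domain.com and, on 2.4, that name is also used
    # for SNI on the proxied connection.
    ProxyPreserveHost On

    # Proxy by name, not by IP: the hostname here is what mod_ssl sends as
    # SNI and checks against the backend certificate.
    ProxyPass        / https://B.domain.com/
    ProxyPassReverse / https://B.domain.com/
</VirtualHost>
```

Before relying on this, confirm what the backend actually presents when asked for that name: `openssl s_client -connect 1.1.1.2:443 -servername B.domain.com` should show a certificate with B.domain.com in its subject or SAN and a chain that verifies; run the same command without `-servername` and you see what the IP-based ProxyPass was getting, which is usually the backend's default vhost certificate or a refused handshake. If the backend has only a self-signed certificate, the right fix is still not `SSLProxyVerify none` but pointing `SSLProxyCACertificateFile` at that certificate so the proxy pins it.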

Try a simpler method and change ProxyPass https to http.

    ProxyPass        / http://1.1.1.2/
    ProxyPassReverse / http://1.1.1.2/

It's quite usual for a frontend (aka a reverse proxy) to talk to the backend with plain http if you reasonably secure the 1.1.1.0 net.

Chances are you haven't implemented an https server on 1.1.1.2 at all... this would give you the internal error 50x symptoms you describe.

kubanczyk
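If you take this route, "reasonably secure the 1.1.1.0 net" has a concrete minimum: the backend should accept the cleartext vhost only from the proxy, and the proxy should tell the backend that the client came in over https so redirects and cookies are built correctly. The following is an added example, not part of kubanczyk's answer, using the addresses from the question; the DocumentRoot path and the use of mod_headers and mod_remoteip on the respective hosts are assumptions.

```apache
# Added example (not from the original answer). Two vhosts on two hosts.

# --- on the proxy, 1.1.1.1: terminate TLS, forward plain http ---
<VirtualHost *:443>
    ServerName B.domain.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/B.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem

    ProxyRequests Off
    ProxyPreserveHost On
    # The backend only ever sees http; tell it the real scheme
    # (requires mod_headers). mod_proxy_http adds X-Forwarded-For itself.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://1.1.1.2/
    ProxyPassReverse / http://1.1.1.2/
</VirtualHost>

# --- on the backend, 1.1.1.2: plain http, reachable only from the proxy ---
<VirtualHost *:80>
    ServerName B.domain.com
    # Assumed document root.
    DocumentRoot /var/www/B.domain.com

    <Directory /var/www/B.domain.com>
        # Apache 2.4 authorization: only the reverse proxy (or the box
        # itself) may talk to this cleartext vhost.
        Require ip 1.1.1.1
        Require local
    </Directory>

    # Log and authorize on the real client address, but only trust the
    # X-Forwarded-For header when it comes from the proxy (mod_remoteip).
    RemoteIPHeader X-Forwarded-For
    RemoteIPInternalProxy 1.1.1.1
</VirtualHost>
```

A host-level firewall rule on 1.1.1.2 allowing port 80 only from 1.1.1.1 belongs alongside the `Require ip` line, since the Apache rule only protects what Apache serves. Note that `Require ip` and `Require local` evaluate as "any of" by default, which is the intent here, and that `RemoteIPInternalProxy` must list the proxy, otherwise any LAN client could forge `X-Forwarded-For` and satisfy an IP-based check.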