Topic: Example rev. proxy conf. for HTTPS frontend + HTTP backends

oldapple
Joined: 06 Mar 2015 Posts: 2
Posted: Sun 08 Mar '15 1:21 Post subject: Example rev. proxy conf. for HTTPS frontend + HTTP backends

Hello experts,
I am trying to set up a classical frontend HTTPS Apache Reverse Proxy for a couple of plain backend HTTP servers sitting on a backend private network. The platform is CentOS 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
I first created three DNS entries, all pointing to the same public IP:
apachefrontend.example.com
appserver1.example.com
appserver2.example.com
I then generated the SSL cert and key for the frontend host and verified that SSL config was correct (all settings and key/cert were defined inside the file /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com" replied OK.
I have then set up a forced redirection to port 443 on the mother server and defined two virtual hosts, in this manner:
..
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName apachefrontend.example.com
    RedirectMatch ^/(.*) https://apachefrontend.example.com/$1
</VirtualHost>
<VirtualHost *:80>
    ServerName appserver1.example.com
    ProxyRequests Off
    ProxyPass / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend/
</VirtualHost>
<VirtualHost *:80>
    ServerName appserver2.example.com
    ProxyRequests Off
    ProxyPass / http://appserver2.backend/
    ProxyPassReverse / http://appserver2.backend/
</VirtualHost>
..
Now,
- If I go to "http://apachefrontend.example.com", I am correctly ending up at "https://apachefrontend.example.com";
- If I go to "http://appserver1[2].example.com", I arrive at the backend servers all right, but only via the port 80.
This behaviour is apparently correct, but so far I have not found the right configuration options needed to enforce the secure connection to the backend servers via the reverse proxy (I may not enable SSL on the backend servers as they are running some privately managed applications and cannot be tweaked).
Could someone kindly post an example of a working configuration of the same type?
Thanks ahead for any advice!
Andy.

Eddieturbo
Joined: 09 Mar 2015 Posts: 1 Location: Dublin, Ireland
Posted: Tue 10 Mar '15 10:36 Post subject: Re: Example rev. proxy conf. for HTTPS frontend + HTTP backe

Hi Andy,
Typically when you use a ProxyPassReverse you are trying to have your users talk to Server A only but serve content from Server B...Z.
The flow is usually one of the following combinations:
- SSL all the way: Browser (https) --> Proxy Inbound (https) / Proxy Outbound (https) --> Backend server (https)
- SSL from browser to Proxy only: Browser (https) --> Proxy Inbound (https) / Proxy Outbound (http) --> Backend server (http)
- SSL only from Proxy to Backend: Browser (http) --> Proxy Inbound (http) / Proxy Outbound (https) --> Backend server (https)
So you can see from above that in fact the Proxy Server element of the end-to-end solution is really two configurable pieces.
I notice that you are trying to enforce the secure connection to the backend servers via the reverse proxy, but you can't do this without enabling SSL on the backend servers and then using an 'SSLProxyEngine On' plus changing the ProxyPassReverse to https://<backend_servers>.
If you think about it ... you can't get a server to accept an SSL connection if it hasn't been configured to accept SSL! So you can't get the backend servers to accept connections on SSL.
From what I see from your information this is the only option available:
SSL from browser to Proxy only: Browser (https) --> Proxy Inbound (https) / Proxy Outbound (http) --> Backend server (http)
Have I misunderstood what it is you are trying to achieve here?
EddieT
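
The "SSL from browser to Proxy only" flow from the reply above, written out for one backend as an added example in Apache 2.2 syntax; it is not from either poster. It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded, that every port-443 virtual host (including the existing frontend one in ssl.conf) is declared as *:443, and that the certificate paths shown are placeholders.

```apache
# Added example, not the posters' configuration.
# Hostnames are the ones used in the thread; certificate paths are placeholders.

NameVirtualHost *:80
NameVirtualHost *:443

# Port 80 only redirects to HTTPS; it no longer proxies to the backend.
<VirtualHost *:80>
    ServerName appserver1.example.com
    Redirect permanent / https://appserver1.example.com/
</VirtualHost>

# Browser (https) --> Proxy Inbound (https) / Proxy Outbound (http) --> Backend server (http)
<VirtualHost *:443>
    ServerName appserver1.example.com

    # TLS terminates here, on the proxy.
    # Separate certificates per hostname on one IP rely on SNI-capable clients;
    # a single certificate covering all three names also works.
    SSLEngine on
    SSLCertificateFile    /path/to/appserver1.example.com.crt
    SSLCertificateKeyFile /path/to/appserver1.example.com.key

    # Reverse proxy only, never a forward proxy.
    ProxyRequests Off

    # The outbound leg stays plain HTTP, so SSLProxyEngine is not needed.
    # That leg is unencrypted and depends on the private backend network.
    ProxyPass        / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend/

    # Optional: tell the backend that the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# appserver2.example.com: repeat both blocks with its own ServerName,
# certificate and the http://appserver2.backend/ target.
```

After editing, `apachectl configtest` checks the syntax before the service is reloaded.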