logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Reverse Proxy to a internal website hosted on Windows 2008
Author
impeeza



Joined: 10 Apr 2024
Posts: 3
Location: Colombia

PostPosted: Wed 10 Apr '24 20:18    Post subject: Reverse Proxy to a internal website hosted on Windows 2008 Reply with quote

1. Problem:
Until now I am running a Reverse Proxy service on a Windows 2022 server, running Apache Haus httpd-2.4.55-o111s-x64-vs17.zip (Built using C sources from the ASF and OpenSSL on Visual Studio 2022 (VS17).)
With the next modifications to default Config Files:
1.1. \conf\httpd.conf

First enabled the next modules removing comment to:
Code:

LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule filter_module modules/mod_filter.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_express_module modules/mod_proxy_express.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule xml2enc_module modules/mod_xml2enc.so

And added this at end of file:
Code:

#initialize default website (for handle no published URLs)
<VirtualHost *:80>
   ServerName VCSMCELPUB01.grupomun.com
</VirtualHost>


#Log Rotation
LoadModule log_rotate_module modules/mod_log_rotate.so
RotateLogs On
RotateInterval 172800


#Include folder with reversed proxy sites.
Include conf/sites/*.conf


1.2. \conf\extra\httpd-ahssl.conf
Setup of public certificates and enable SSL Proxy:
Code:
  SSLCertificateFile "${SRVROOT}/conf/ssl/PublicCert.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/PublicCert.key"


# Enable HTTPS Proxy
SSLProxyEngine on


1.3. \conf\httpd-ssl.conf
Code:
SSLCertificateFile "${SRVROOT}/conf/ssl/PublicCert.crt"
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/PublicCert.key"
SSLCACertificateFile "${SRVROOT}/conf/ssl/PublicCert.cer"


1.4. The site is published via reverse proxy with the file:
\conf\sites\external.url.site.conf
Code:

<VirtualHost *:80>
  ServerName external.url.site
  CustomLog logs/external.url.site.access_log combined
  ErrorLog logs/external.url.site.error_log

  #IF EXTERNAL USER MAKE HTTP CONNECTION, REDIRECTION TO HTTPS URL TO AVOID EXTERNAL HTTP CONNECTIONS.
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://%{SERVER_NAME}$1
</VirtualHost>


<VirtualHost *:443>
  SSLEngine on
  ProxyRequests off
  ServerName external.url.site:443
  SSLCertificateFile "${SRVROOT}/conf/ssl/StarGM.crt"
  SSLCertificateKeyFile "${SRVROOT}/conf/ssl/StarGM.key"
  CustomLog logs/external.url.site_HTTPS.access_log combined
  ErrorLog logs/external.url.site_HTTPS.error_log
  Timeout 300

  #Redirección del sitio raíz.
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/$
  Rewriterule ^(.*)$ https://%{SERVER_NAME}/wfrmLogin.aspx [L,R=301]

  #Proxy Reverso
  ProxyPreserveHost On
  ProxyPass / https://INTERNAL.SERVER.site:443/ retry=0
  ProxyPassReverse / https://INTERNAL.SERVER.site:443/
</virtualhost>


2. Site access
The site is on a Windows 2008 server using IIS, can be accessed internally without proxy and using the external URL via proxy:

[img]https://ibb.co/PNThNz1[/img]

[hr]

Upgrading to latest Apache Lounge “httpd-2.4.59-240404-win64-VS17.zip” The Access to site using the external URL you get the next error:

[img]https://ibb.co/gRG5XR7[/img]

Proxy Error
The proxy server could not handle the request
Reason: Error during SSL Handshake with remote server


On the Apache site log using debug you get:

Code:

[Wed Apr 10 12:18:16.845591 2024] [ssl:info] [pid 1004:tid 364] AH01914: Configuring server external.url.site:443 for SSL protocol
[Wed Apr 10 12:18:16.845591 2024] [ssl:debug] [pid 1004:tid 364] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Wed Apr 10 12:18:16.845591 2024] [ssl:debug] [pid 1004:tid 364] ssl_util_ssl.c(451): AH02412: [external.url.site:443] Cert matches for name 'external.url.site' [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:16.845591 2024] [ssl:info] [pid 1004:tid 364] AH02568: Certificate and private key external.url.site:443:0 configured from C:/Apache24/conf/ssl/starGM.crt and C:/Apache24/conf/ssl/StarGM.key
[Wed Apr 10 12:18:19.011930 2024] [ssl:info] [pid 1004:tid 364] AH01914: Configuring server external.url.site:443 for SSL protocol
[Wed Apr 10 12:18:19.011930 2024] [ssl:debug] [pid 1004:tid 364] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Wed Apr 10 12:18:19.011930 2024] [ssl:debug] [pid 1004:tid 364] ssl_util_ssl.c(451): AH02412: [external.url.site:443] Cert matches for name 'external.url.site' [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:19.011930 2024] [ssl:info] [pid 1004:tid 364] AH02568: Certificate and private key external.url.site:443:0 configured from C:/Apache24/conf/ssl/starGM.crt and C:/Apache24/conf/ssl/StarGM.key
[Wed Apr 10 12:18:21.668445 2024] [ssl:info] [pid 6112:tid 392] AH01914: Configuring server external.url.site:443 for SSL protocol
[Wed Apr 10 12:18:21.668445 2024] [ssl:debug] [pid 6112:tid 392] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Wed Apr 10 12:18:21.668445 2024] [ssl:debug] [pid 6112:tid 392] ssl_util_ssl.c(451): AH02412: [external.url.site:443] Cert matches for name 'external.url.site' [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:21.668445 2024] [ssl:info] [pid 6112:tid 392] AH02568: Certificate and private key external.url.site:443:0 configured from C:/Apache24/conf/ssl/starGM.crt and C:/Apache24/conf/ssl/StarGM.key
[Wed Apr 10 12:18:23.746585 2024] [ssl:info] [pid 6112:tid 392] AH01914: Configuring server external.url.site:443 for SSL protocol
[Wed Apr 10 12:18:23.746585 2024] [ssl:debug] [pid 6112:tid 392] ssl_engine_init.c(526): AH01893: Configuring TLS extension handling
[Wed Apr 10 12:18:23.746585 2024] [ssl:debug] [pid 6112:tid 392] ssl_util_ssl.c(451): AH02412: [external.url.site:443] Cert matches for name 'external.url.site' [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:23.746585 2024] [ssl:info] [pid 6112:tid 392] AH02568: Certificate and private key external.url.site:443:0 configured from C:/Apache24/conf/ssl/starGM.crt and C:/Apache24/conf/ssl/StarGM.key
[Wed Apr 10 12:18:25.183730 2024] [proxy:debug] [pid 6112:tid 392] proxy_util.c(2123): AH00925: initializing worker https://INTERNAL.SERVER.site/ shared
[Wed Apr 10 12:18:25.183730 2024] [proxy:debug] [pid 6112:tid 392] proxy_util.c(2183): AH00927: initializing worker https://INTERNAL.SERVER.site/ local
[Wed Apr 10 12:18:25.183730 2024] [proxy:debug] [pid 6112:tid 392] proxy_util.c(2214): AH00930: initialized pool in child 6112 for (INTERNAL.SERVER.site:443) min=0 max=159 smax=159
[Wed Apr 10 12:18:25.214995 2024] [ssl:debug] [pid 6112:tid 2236] ssl_engine_kernel.c(415): [remote 10.60.3.28:49252] AH02034: Subsequent (No.2) HTTPS request received for child 16131 (server external.url.site:443)
[Wed Apr 10 12:18:25.214995 2024] [authz_core:debug] [pid 6112:tid 2236] mod_authz_core.c(843): [remote 10.60.3.28:49252] AH01628: authorization result: granted (no directives)
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] mod_proxy.c(1506): [remote 10.60.3.28:49252] AH01143: Running scheme https handler (attempt 0)
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(2538): AH00942: https: has acquired connection for (INTERNAL.SERVER.site:443)
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(2596): [remote 10.60.3.28:49252] AH00944: connecting https://INTERNAL.SERVER.site/wfrmLogin.aspx to INTERNAL.SERVER.site:443
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(2819): [remote 10.60.3.28:49252] AH00947: connected /wfrmLogin.aspx to INTERNAL.SERVER.site:443
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(3291): AH02824: https: connection established with 10.60.1.239:443 (INTERNAL.SERVER.site:443)
[Wed Apr 10 12:18:25.214995 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(3480): AH00962: https: connection complete to 10.60.1.239:443 (INTERNAL.SERVER.site)
[Wed Apr 10 12:18:25.214995 2024] [ssl:info] [pid 6112:tid 2236] [remote 10.60.1.239:443] AH01964: Connection to child 0 established (server external.url.site:443)
[Wed Apr 10 12:18:25.230621 2024] [ssl:debug] [pid 6112:tid 2236] ssl_engine_kernel.c(1764): [remote 10.60.1.239:443] AH02275: Certificate Verification, depth 1, CRL checking mode: none (0) [subject: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / issuer: CN=DigiCert Global Root G2,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 0D07782A133FC6F9A57296E131FFD179 / notbefore: Nov  2 12:23:37 2017 GMT / notafter: Nov  2 12:23:37 2027 GMT]
[Wed Apr 10 12:18:25.230621 2024] [ssl:debug] [pid 6112:tid 2236] ssl_engine_kernel.c(1764): [remote 10.60.1.239:443] AH02275: Certificate Verification, depth 0, CRL checking mode: none (0) [subject: CN=*.grupomun.com,O=Centro de Servicios Mundial S A S,L=Medellin,ST=Antioquia,C=CO / issuer: CN=GeoTrust TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US / serial: 014AC21754392E769F5FB21145304435 / notbefore: Apr 26 00:00:00 2023 GMT / notafter: Apr 26 23:59:59 2024 GMT]
[Wed Apr 10 12:18:25.230621 2024] [socache_shmcb:debug] [pid 6112:tid 2236] mod_socache_shmcb.c(570): AH00837: socache_shmcb_remove (0xfb -> subcache 27)
[Wed Apr 10 12:18:25.230621 2024] [socache_shmcb:debug] [pid 6112:tid 2236] mod_socache_shmcb.c(585): AH00839: leaving socache_shmcb_remove successfully
[Wed Apr 10 12:18:25.230621 2024] [ssl:info] [pid 6112:tid 2236] [remote 10.60.1.239:443] AH02003: SSL Proxy connect failed
[Wed Apr 10 12:18:25.230621 2024] [ssl:info] [pid 6112:tid 2236] SSL Library Error: error:0A0C0103:SSL routines::internal error
[Wed Apr 10 12:18:25.230621 2024] [ssl:info] [pid 6112:tid 2236] [remote 10.60.1.239:443] AH01998: Connection closed to child 0 with abortive shutdown (server external.url.site:443)
[Wed Apr 10 12:18:25.230621 2024] [ssl:info] [pid 6112:tid 2236] [remote 10.60.1.239:443] AH01997: SSL handshake failed: sending 502
[Wed Apr 10 12:18:25.230621 2024] [proxy:error] [pid 6112:tid 2236] (20014)Internal error (specific information not available): [remote 10.60.3.28:49252] AH01084: pass request body failed to 10.60.1.239:443 (INTERNAL.SERVER.site)
[Wed Apr 10 12:18:25.230621 2024] [proxy:error] [pid 6112:tid 2236] [remote 10.60.3.28:49252] AH00898: Error during SSL Handshake with remote server returned by /wfrmLogin.aspx
[Wed Apr 10 12:18:25.230621 2024] [proxy_http:error] [pid 6112:tid 2236] [remote 10.60.3.28:49252] AH01097: pass request body failed to 10.60.1.239:443 (INTERNAL.SERVER.site) from 10.60.3.28 ()
[Wed Apr 10 12:18:25.230621 2024] [proxy:debug] [pid 6112:tid 2236] proxy_util.c(2554): AH00943: https: has released connection for (INTERNAL.SERVER.site:443)
[Wed Apr 10 12:18:25.230621 2024] [:debug] [pid 6112:tid 3420] mod_log_rotate.c(209): New: 2590720000, old: 2590720000
[Wed Apr 10 12:18:30.235858 2024] [ssl:debug] [pid 6112:tid 3420] ssl_engine_io.c(1147): [client 10.60.3.28:49252] AH02001: Connection closed to child 63 with standard shutdown (server external.url.site:443)


3. Internal site SSL Analysis
Making an análisis of the internal site using TESTSSL.SH you get:

Code:

$ ./testssl.sh https://INTERNAL.SERVER.site


###########################################################
    testssl.sh       3.2rc3 from https://testssl.sh/dev/
    (5581499 2024-04-02 11:15:12)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)" [~94 ciphers]
 on VCSMCELPUB01:/usr/bin/openssl
 (built: "Jan 30 20:20:57 2024", platform: "Cygwin-x86_64")


 Start 2024-04-09 16:05:47                -->> 10.10.10.10:443 (INTERNAL.SERVER.site) <<--

 rDNS (10.60.1.239):     INTERNAL.SERVER.site
 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN

 SSLv2      offered (NOT ok), also VULNERABLE to DROWN attack -- 2 ciphers
 SSLv3      offered (NOT ok)
 TLS 1      offered (deprecated)
 TLS 1.1    not offered
 TLS 1.2    not offered and downgraded to a weaker protocol
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered

 Testing cipher categories

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      offered (NOT ok)
 Triple DES Ciphers / IDEA                         offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       not offered
 Forward Secrecy strong encryption (AEAD ciphers)  not offered


 Testing server's cipher preferences

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
SSLv2 (listed by strength)
 x010080 RC4-MD5                           RSA        RC4         128      SSL_CK_RC4_128_WITH_MD5
 x0700c0 DES-CBC3-MD5                      RSA        3DES        168      SSL_CK_DES_192_EDE3_CBC_WITH_MD5
SSLv3 (server order)
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5
TLSv1 (server order)
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 x39     DHE-RSA-AES256-SHA                DH 1024    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 x33     DHE-RSA-AES128-SHA                DH 1024    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA
 x05     RC4-SHA                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_SHA
 x04     RC4-MD5                           RSA        RC4         128      TLS_RSA_WITH_RC4_128_MD5
TLSv1.1
 -
TLSv1.2
 -
TLSv1.3
 -

 Has server cipher order?     yes (OK)


 Testing robust forward secrecy (FS) -- omitting Null Authentication/Encryption, 3DES, RC4

 FS is offered (OK)           ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA
 Elliptic curves offered:     prime256v1 secp384r1
 DH group offered:            RFC2409/Oakley Group 2 (1024 bits)

 Testing server defaults (Server Hello)

 TLS extensions (standard)    "status request/#5" "renegotiation info/#65281" "extended master secret/#23"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: yes
 TLS clock skew               -12 sec from localtime
 Client Authentication        none
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits (exponent is 65537)
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial                       014AC21754392E769F5FB21145304435 (OK: length 16)
 Fingerprints                 SHA1 4567B04CB8240E1E6F688A14C021907176E186CA
                              SHA256 FA6F3A4B9F5462505AAE2AC8BB623E80CE491E0F1D85B42AE1091207919F40BE
 Common Name (CN)             *.grupomun.com
 subjectAltName (SAN)         *.grupomun.com grupomun.com
 Trust (hostname)             Ok via SAN wildcard and CN wildcard (same w/o SNI)
                              wildcard certificate could be problematic, see other hosts at
                              https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=FA6F3A4B9F5462505AAE2AC8BB623E80CE491E0F1D85B42AE1091207919F40BE
 Chain of trust               Ok
 EV cert (experimental)       no
 Certificate Validity (UTC)   expires < 30 days (17) (2023-04-26 00:00 --> 2024-04-26 23:59)
 ETS/"eTLS", visibility info  not present
 Certificate Revocation List  http://cdp.geotrust.com/GeoTrustTLSRSACAG1.crl
 OCSP URI                     http://status.geotrust.com
 OCSP stapling                offered, not revoked
 OCSP must staple extension   --
 DNS CAA RR (experimental)    unknown query type: type257
unknown query type: type257
unknown query type: type257
*** FCSMMDEADS02.grupomun.com can't find com.: Server failed
not offered
 Certificate Transparency     yes (certificate extension)
 Certificates provided        2
 Issuer                       GeoTrust TLS RSA CA G1 (DigiCert Inc from US)
 Intermediate cert validity   #1: ok > 40 days (2027-11-02 12:23). GeoTrust TLS RSA CA G1 <-- DigiCert Global Root G2
 Intermediate Bad OCSP (exp.) Ok


 Testing HTTP header response @ "/"

 HTTP Status Code             302 Found, redirecting to "/wfrmLogin.aspx"
 HTTP clock skew              -1 (± 1.5) sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                Microsoft-IIS/7.5
 Application banner           X-AspNet-Version: 4.0.30319
                              X-Powered-By: ASP.NET
 Cookie(s)                    1 issued: NOT secure, 1/1 HttpOnly -- maybe better try target URL of 30x
 Security headers             Cache-Control: private
 Reverse Proxy banner         --


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK), no session ticket extension
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     likely not vulnerable (OK), timed out
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    no gzip/deflate/compress/br HTTP compression (OK)  - only supplied "/" tested
 POODLE, SSL (CVE-2014-3566)               VULNERABLE (NOT ok), uses SSLv3+CBC (check TLS_FALLBACK_SCSV mitigation below)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention NOT supported and vulnerable to POODLE SSL
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers for SSLv2 and above
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      VULNERABLE (NOT ok), SSLv2 offered with 2 ciphers
                                           Make sure you don't use this certificate elsewhere, see:
                                           https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=FA6F3A4B9F5462505AAE2AC8BB623E80CE491E0F1D85B42AE1091207919F40BE
 LOGJAM (CVE-2015-4000), experimental      VULNERABLE (NOT ok): common prime: RFC2409/Oakley Group 2 (1024 bits),
                                           but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     SSL3: DES-CBC3-SHA
                                           TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA DES-CBC3-SHA
                                           VULNERABLE -- and no higher protocols as mitigation supported
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 Winshock (CVE-2014-6321), experimental    not vulnerable (OK) - doesn't seem to be IIS 8.x
 RC4 (CVE-2013-2566, CVE-2015-2808)        VULNERABLE (NOT ok): RC4-SHA RC4-MD5 RC4-MD5


 Running client simulations (HTTP) via sockets

 Browser                      Protocol  Cipher Suite Name (OpenSSL)       Forward Secrecy
------------------------------------------------------------------------------------------------
 Android 6.0                  TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 7.0 (native)         TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 8.1 (native)         TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 9.0 (native)         TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 10.0 (native)        TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 11 (native)          TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Android 12 (native)          TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Chrome 79 (Win 10)           TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Chrome 101 (Win 10)          No connection
 Firefox 66 (Win 8.1/10)      TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Firefox 100 (Win 10)         No connection
 IE 6 XP                      SSLv3     DES-CBC3-SHA                      No FS
 IE 8 Win 7                   TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 IE 8 XP                      TLSv1.0   DES-CBC3-SHA                      No FS
 IE 11 Win 7                  TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Edge 101 Win 10 21H2         No connection
 Safari 12.1 (iOS 12.2)       TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Safari 13.0 (macOS 10.14.6)  TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Safari 15.4 (macOS 12.3.1)   TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Java 7u25                    TLSv1.0   ECDHE-RSA-AES128-SHA              256 bit ECDH (P-256)
 Java 8u161                   TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Java 17.0.3 (OpenJDK)        No connection
 go 1.17.8                    TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 LibreSSL 2.8.3 (Apple)       TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 OpenSSL 1.1.1d (Debian)      No connection
 OpenSSL 3.0.3 (git)          TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Apple Mail (16.0)            TLSv1.0   ECDHE-RSA-AES256-SHA              256 bit ECDH (P-256)
 Thunderbird (91.9)           No connection


 Rating (experimental)

 Rating specs (not complete)  SSL Labs's 'SSL Server Rating Guide' (version 2009q from 2020-01-30)
 Specification documentation  https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide
 Protocol Support (weighted)  0 (0)
 Key Exchange     (weighted)  0 (0)
 Cipher Strength  (weighted)  0 (0)
 Final Score                  0
 Overall Grade                F
 Grade cap reasons            Grade capped to F. Vulnerable to DROWN
                              Grade capped to F. SSLv2 is offered
                              Grade capped to C. Vulnerable to POODLE
                              Grade capped to C. TLS 1.2 is not offered
                              Grade capped to B. Vulnerable to BEAST
                              Grade capped to B. TLS 1.0 offered
                              Grade capped to B. SSLv3 is offered
                              Grade capped to B. RC4 ciphers offered
                              Grade capped to A. HSTS is not offered
                              Grade capped to A. Does not support TLS_FALLBACK_SCSV

 Done 2024-04-09 16:42:52 [2680s] -->> 10.60.1.239:443 (INTERNAL.SERVER.site) <<--



What should I do to be able to access to the site using the reverse proxy?
Back to top
impeeza



Joined: 10 Apr 2024
Posts: 3
Location: Colombia

PostPosted: Thu 11 Apr '24 7:30    Post subject: Reply with quote

I just create a parallel setup to make tests, and discover what using the same version of Apache Haus but the OpenSSL 3 version (Apache 2.4.x OpenSSL 3.0.x VS17) I have the same problem, so is something about OpenSSL.

On OpenSSL 1 the Windows 2008 SSl site can be proxied without problem, but OpenSSL3 have the «Error during SSL Handshake with remote server».

Any Toughs?

There is a Apache Lounge version using OpenSSl 1?

Thanks.
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Fri 12 Apr '24 20:36    Post subject: Reply with quote

Believe your problem lies in the fact your internal server doesn't support anything later than TLSv1, as shown by your Internal Site SSL Analysis.
    SSLv2 offered (NOT ok), also VULNERABLE to DROWN attack -- 2 ciphers
    SSLv3 offered (NOT ok)
    TLS 1 offered (deprecated)
    TLS 1.1 not offered
    TLS 1.2 not offered and downgraded to a weaker protocol
    TLS 1.3 not offered and downgraded to a weaker protocol
    NPN/SPDY not offered
    ALPN/HTTP2 not offered
OpenSSL v3 defaults to Security Level 1, and these days TLS 1 is classed as Security Level 0.

There are a few posts on this site that pick up on this issue, notably https://www.apachelounge.com/viewtopic.php?t=9083 and workaround https://www.apachelounge.com/viewtopic.php?p=41572.

However, if you set your openssl.conf file to allow security level 0, you'll need to need to tighten up and manage the SSL protocol and cipher options on your site front end, as much as specifying what SSL protocols and ciphers to use with the backend connection (SSLProxyProtocol and SSLProxyCipherSuite).

As far as your front end is concerned, there are a number of posts from moderator James Blond where he describes recommended SSL configuration options, e.g. https://www.apachelounge.com/viewtopic.php?t=9180

Realistically, in the limit, you need to get your internal site upgraded to support more recent SSL protocol standards.
Back to top
impeeza



Joined: 10 Apr 2024
Posts: 3
Location: Colombia

PostPosted: Fri 12 Apr '24 22:11    Post subject: Reply with quote

Thanks a lot, you are completely right, Windows Server 2008 only support TLS 1.0 and NEVER will support any new.

The migration project for that server will take 1 or 2 years more, the quirks of legacy software!

So my Workaround was: on the virtual host proxy definition changed the PROXYPASS directive to INTERNALLY use HTTP and externally only uses HTTPS, so the external clients only can use the HTTPS front end of the Apache server and Apache communicate using HTTP with the internal server.

The only drawback is that communication becomes vulnerable for a MiTM attack but that is only on the internal servers network so is an almost impossible scenery because is inside protected data-center.

Thanks a lot for taking the time to answer.
Back to top


Reply to topic   Topic: Reverse Proxy to a internal website hosted on Windows 2008 View previous topic :: View next topic
Post new topic   Forum Index -> Apache