Posted to users@httpd.apache.org by mail mail <po...@yandex.ru> on 2020/04/17 17:25:52 UTC

[users@httpd] Two web-servers with different IP in LAN

Hello.

There are two web servers in LAN:

192.168.1.10
- site1.mydom.com
- site2.mydom.com
- site3.mydom.com

192.168.1.20
- portal.mydom.com

In iptables, all requests for ports 80 and 443 are redirected to 192.168.1.10.

The certificates received from letsencrypt for site1,2,3 are stored and
connected on 192.168.1.10 - and here everything works, there are no questions.

The certificates received from letsencrypt for the portal are stored and
connected to 192.168.1.20 - and the question is:

How to write VirtualHost to 192.168.1.10 so that all requests (http, https)
for portal.mydom.com go to 192.168.1.20?

Thank you in advance!

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Two web-servers with different IP in LAN

Posted by Antony Stone <An...@apache.open.source.it>.
On Saturday 18 April 2020 at 16:35:30, mail mail wrote:

> I get error:
>  
> Sat Apr 18 17:07:06.005494 2020] [ssl:emerg] [pid 16506:tid
> 139660538349440] AH02572: Failed to configure at least one certificate and
> key for portal.mydom.com:443
> [Sat Apr 18 17:07:06.005643 2020] [ssl:emerg] [pid 16506:tid
> 139660538349440] SSL Library Error: error:140A80B1:SSL
> routines:SSL_CTX_check_private_key:no certificate assigned 

> And it is true. Those certificates are stored on 192.168.1.20

If you configure a machine *either* as an HTTPS proxy *or* as an HTTPS web 
server, it needs to have the requested site's SSL certificate on it, otherwise 
clients will refuse to connect, or the server will refuse to start.

HTTPS is a security mechanism between a client and the server it is connecting 
to.  The client knows nothing about what that server might do afterwards 
(such as connecting on to another server, as a proxy does).

It's entirely feasible to have a web proxy accept HTTP connections and pass 
the requests on as HTTPS, or vice versa.  If both connections are HTTPS, then 
the proxy needs a certificate for the site the client is asking to connect to, 
and the proxy needs to trust the certificate presented by the ultimate origin 
server (ie: the "real" web server).  Those certificates might both be the same 
(in which case you probably need a pretty unusual DNS setup), but the basic 
rule is that anything answering HTTPS requests has to have a valid certificate 
for what is being requested.


Regards,


Antony.

-- 
Douglas was one of those writers who honourably failed to get anywhere with 
'weekending'.  It put a premium on people who could write things that lasted 
thirty seconds, and Douglas was incapable of writing a single sentence that 
lasted less than thirty seconds.

 - Geoffrey Perkins, about Douglas Adams

                                                   Please reply to the list;
                                                         please *don't* CC me.
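
An added example, not part of the original thread: an HTTPS virtual host for the front proxy on 192.168.1.10 that follows the rule described above, with one certificate setup for the client-facing side and separate verification of the origin server. The certificate paths, the CA bundle path and the /etc/hosts entry are assumptions, and the portal certificate and key must also be available on 192.168.1.10.

```apache
# Added example for the front proxy on 192.168.1.10.
# Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded.
#
# Assumption: /etc/hosts on 192.168.1.10 contains the line
#     192.168.1.20  portal.mydom.com
# so the proxy reaches the origin by the name that is in its certificate.

<VirtualHost *:443>
    ServerName portal.mydom.com

    # Client-facing TLS. The proxy terminates the client's connection, so it
    # needs its own certificate and key for portal.mydom.com. A TLS-enabled
    # virtual host without them fails at startup with AH02572.
    # Paths are assumed (typical certbot layout).
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/portal.mydom.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/portal.mydom.com/privkey.pem

    # Origin-facing TLS. This is a second, independent connection from the
    # proxy to 192.168.1.20, and mod_proxy needs SSLProxyEngine to speak HTTPS.
    SSLProxyEngine on

    # Verify the origin's certificate chain, host name and validity period
    # instead of switching the checks off to make the connection succeed.
    # The CA bundle path is assumed (Debian/Ubuntu location).
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Forward the original Host header so the origin selects the portal site.
    ProxyPreserveHost On
    ProxyPass        / https://portal.mydom.com/
    ProxyPassReverse / https://portal.mydom.com/
</VirtualHost>
```

Proxying to the bare IP address over HTTPS would fail the peer name check, because the origin's certificate is issued for portal.mydom.com, not for 192.168.1.20. If the proxy-to-origin hop is to be plain HTTP instead, the SSLProxy* directives are dropped and the ProxyPass target becomes http://192.168.1.20/.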



Re: [users@httpd] Two web-servers with different IP in LAN

Posted by mail mail <po...@yandex.ru>.
18.04.2020, 09:37, "Walter H." <wa...@mathemainzel.info>:

> you can configure 192.168.1.10 as a proxy for 192.168.1.20 for
> accessing portal.mydom.com
>
> this looks similar to this:
>
> <VirtualHost 192.168.1.10:80>
> ServerName portal.mydom.com:80
>
> ProxyPass / http://192.168.1.20/
> ProxyPassReverse / http://192.168.1.20/
> </VirtualHost>
>
> similar with 443 (https)

Thanks for the answer, but it did not work. I get an error:

Sat Apr 18 17:07:06.005494 2020] [ssl:emerg] [pid 16506:tid 139660538349440]
AH02572: Failed to configure at least one certificate and key for
portal.mydom.com:443

[Sat Apr 18 17:07:06.005643 2020] [ssl:emerg] [pid 16506:tid 139660538349440]
SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no
certificate assigned

And it is true. Those certificates are stored on 192.168.1.20

My VirtualHost now is:

<VirtualHost *:80>
ServerName portal.mydom.com:80

ProxyPass / http://192.168.1.20/
ProxyPassReverse / http://192.168.1.20/
</VirtualHost>

<VirtualHost *:443>
ServerName portal.mydom.com:443

ProxyPass / https://192.168.1.20/
ProxyPassReverse / https://192.168.1.20/
</VirtualHost>


Re: [users@httpd] Two web-servers with different IP in LAN

Posted by "Walter H." <Wa...@mathemainzel.info>.
On 17.04.2020 19:25, mail mail wrote:
> Hello.
> There are two web servers in LAN:
> 192.168.1.10
> - site1.mydom.com
> - site2.mydom.com
> - site3.mydom.com
> 192.168.1.20
> - portal.mydom.com
> in iptables, all requests for ports 80 and 443 are redirected to 
> 192.168.1.10.
> The certificates received from letsencrypt for site1,2,3 are stored 
> and connected on 192.168.1.10 - and here everything works, there are 
> no questions.
> The certificates received from letsencrypt for the portal are stored 
> and connected to 192.168.1.20 - and the question is:
> How to write VirtualHost to 192.168.1.10 so that all requests (http, 
> https) for portal.mydom.com go to 192.168.1.20?
> Thank you in advance!

you can configure 192.168.1.10 as a proxy for 192.168.1.20 for 
accessing portal.mydom.com

this looks similar to this:

<VirtualHost 192.168.1.10:80>
ServerName portal.mydom.com:80

ProxyPass / http://192.168.1.20/
ProxyPassReverse / http://192.168.1.20/
</VirtualHost>

similar with 443 (https)