You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Zvi Kave <tz...@razlee.com> on 2008/01/07 15:02:22 UTC
[users@httpd] Re: Reverse Proxy to SSL web server: configuration example
Do you mean, that I must copy the SSL crt/key files from the web
server to the proxy server ?
Zvi
"Axel-Stephane SMORGRAV" <Ax...@europe.adp.com> wrote in
message news:28D87C00C6E83540A814CFAE3FA63E3F5FEEF9@EXCHSUR.gaia.fr...
If you add the config below to a vanilla httpd.conf, you'll be pretty close
to what you are looking for. Just replace the tokens %%TOKEN%% with whatever
value you want.
Listen %%svcb_HTTP_ADDR%%:%%HTTP_PORT%%
Listen %%svcb_HTTP_ADDR%%:%%HTTPS_PORT%%
<VirtualHost %%svcb_HTTP_ADDR%%:%%HTTPS_PORT%%>
ServerName %%svcb_PUBLIC_NAME%%:%%HTTPS_PORT%%
SSLCertificateFile %%X509_ROOT%%/ssl.crt/%%svcb_PUBLIC_NAME%%.crt
SSLCertificateKeyFile %%X509_ROOT%%/ssl.key/%%svcb_PUBLIC_NAME%%.key
SSLEngine on
DocumentRoot %%SERVER_ROOT%%/htdocs/svcB
ErrorLog %%SERVER_LOGS%%/svcB/reverse_error_log
CustomLog %%SERVER_LOGS%%/svcB/reverse_access_log combined env=!dontlog
## Enter additional configuration here
</VirtualHost>
<VirtualHost %%svcb_HTTP_ADDR%%:%%HTTP_PORT%%>
ServerName %%svcb_PUBLIC_NAME%%:%%HTTP_PORT%%
DocumentRoot %%SERVER_ROOT%%/htdocs/svcB
ErrorLog %%SERVER_LOGS%%/svcB/reverse_error_log
CustomLog %%SERVER_LOGS%%/svcB/reverse_access_log combined env=!dontlog
## Enter additional configuration here
</VirtualHost>
-ascs
-----Message d'origine-----
De : news [mailto:news@ger.gmane.org] De la part de Zvi Kave
Envoy� : lundi 7 janvier 2008 12:16
� : users@httpd.apache.org
Objet : [users@httpd] Reverse Proxy to SSL web server: configuration example
Dear friends,
I am trying to find the configuration for a Reverse Proxy server which has
to work with a SSL / non-SSL web server.
Can someone send me full httpd.conf example for such thing?
I need something with probably 2 Virtual hosts for ports 80 / 443.
I hope that I have not to deal with the web server SSL crt/key.
Thanks,
Zvi
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Re: Reverse Proxy to SSL web server: configuration example
Posted by Zvi Kave <tz...@razlee.com>.
Axel,
You are right.
The only one thing I have to add to your configuration was
(in both virtual servers):
ProxyPass / https://my_web_server.com/
ProxyPassReverse / https://my_web_server.com/
Thanks,
Zvi
"Axel-Stephane SMORGRAV" <Ax...@europe.adp.com> wrote in
message news:28D87C00C6E83540A814CFAE3FA63E3F5FEF66@EXCHSUR.gaia.fr...
Definitely yes.
-ascs
-----Message d'origine-----
De : news [mailto:news@ger.gmane.org] De la part de Zvi Kave
Envoy� : lundi 7 janvier 2008 15:02
� : users@httpd.apache.org
Objet : [users@httpd] Re: Reverse Proxy to SSL web server: configuration
example
Do you mean, that I must copy the SSL crt/key files from the web server to
the proxy server ?
Zvi
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] Re: Re: Reverse Proxy to SSL web server: configuration example
Posted by Axel-Stephane SMORGRAV <Ax...@europe.adp.com>.
You need SSLProxyEngine On ONLY if you intend to proxy to a SSL-enabled server as seems to be your case.
However if your reverse proxy takes care of SSL termination, encrypting the backend connection may not be very useful.
-ascs
-----Message d'origine-----
De : news [mailto:news@ger.gmane.org] De la part de Zvi Kave
Envoyé : lundi 7 janvier 2008 15:49
À : users@httpd.apache.org
Objet : [users@httpd] Re: Re: Reverse Proxy to SSL web server: configuration example
Axel,
To complete all the parameters, I saw that directive SSLProxyEngine On is needed as well.(It was hiding there from previous test) So to make it clear, here are the successfull directives:
(The SSL key/crt files are copied from the web server)
<VirtualHost *:80>
ServerAdmin admin@web.com
ServerName proxy80.com
ProxyPass / http://mywebserver.com/
ProxyPassReverse / http://mywebserver.com/
ErrorLog logs/error80.log
TransferLog logs/access80.log
</VirtualHost>
# This creates a virtual host for SSL conections. They'll be proxy'ed w/o SSL.
<VirtualHost *:443>
ServerAdmin admin@web.com
ServerName proxy443.com
SSLProxyEngine On
ProxyPass / https://mywebserver.com/
ProxyPassReverse / https://mywebserver.com/
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
ErrorLog logs/ssl-error.log
TransferLog logs/ssl-access.log
</VirtualHost>
Best regards,
Zvi
"Axel-Stephane SMORGRAV" <Ax...@europe.adp.com> wrote in message news:28D87C00C6E83540A814CFAE3FA63E3F5FEF66@EXCHSUR.gaia.fr...
Definitely yes.
-ascs
-----Message d'origine-----
De : news [mailto:news@ger.gmane.org] De la part de Zvi Kave
Envoyé : lundi 7 janvier 2008 15:02
À : users@httpd.apache.org
Objet : [users@httpd] Re: Reverse Proxy to SSL web server: configuration
example
Do you mean, that I must copy the SSL crt/key files from the web server to
the proxy server ?
Zvi
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
[users@httpd] Re: Re: Reverse Proxy to SSL web server: configuration example
Posted by Zvi Kave <tz...@razlee.com>.
Axel,
To complete all the parameters, I saw that directive
SSLProxyEngine On
is needed as well.(It was hiding there from previous test)
So to make it clear, here are the successfull directives:
(The SSL key/crt files are copied from the web server)
<VirtualHost *:80>
ServerAdmin admin@web.com
ServerName proxy80.com
ProxyPass / http://mywebserver.com/
ProxyPassReverse / http://mywebserver.com/
ErrorLog logs/error80.log
TransferLog logs/access80.log
</VirtualHost>
# This creates a virtual host for SSL conections. They'll be proxy'ed w/o
SSL.
<VirtualHost *:443>
ServerAdmin admin@web.com
ServerName proxy443.com
SSLProxyEngine On
ProxyPass / https://mywebserver.com/
ProxyPassReverse / https://mywebserver.com/
SSLEngine on
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
ErrorLog logs/ssl-error.log
TransferLog logs/ssl-access.log
</VirtualHost>
Best regards,
Zvi
"Axel-Stephane SMORGRAV" <Ax...@europe.adp.com> wrote in
message news:28D87C00C6E83540A814CFAE3FA63E3F5FEF66@EXCHSUR.gaia.fr...
Definitely yes.
-ascs
-----Message d'origine-----
De : news [mailto:news@ger.gmane.org] De la part de Zvi Kave
Envoy� : lundi 7 janvier 2008 15:02
� : users@httpd.apache.org
Objet : [users@httpd] Re: Reverse Proxy to SSL web server: configuration
example
Do you mean, that I must copy the SSL crt/key files from the web server to
the proxy server ?
Zvi
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] Re: Reverse Proxy to SSL web server: configuration example
Posted by Axel-Stephane SMORGRAV <Ax...@europe.adp.com>.
Definitely yes.
-ascs
-----Message d'origine-----
De : news [mailto:news@ger.gmane.org] De la part de Zvi Kave
Envoyé : lundi 7 janvier 2008 15:02
À : users@httpd.apache.org
Objet : [users@httpd] Re: Reverse Proxy to SSL web server: configuration example
Do you mean, that I must copy the SSL crt/key files from the web server to the proxy server ?
Zvi
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org