Posted to users@httpd.apache.org by A M <am...@gmail.com> on 2015/03/07 23:59:31 UTC

[users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Hello experts,

I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
for a couple of plain backend HTTP servers sitting on a backend private
network. The platform is CentOS 6, the Apache rpm is
httpd-2.2.15-39.el6.centos.

I first created three DNS entries, all pointing to the same public IP:

         apachefrontend.example.com
         appserver1.example.com
         appserver2.example.com

I then generated the SSL cert and key for the frontend host and verified
that
SSL config was correct (all settings and key/cert were defined inside the
file
/etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
replied OK.

I have then set up a forced redirection to port 443 on the mother
server and defined two virtual hosts, in this manner:

..
NameVirtualHost *:80

<VirtualHost *:80>
     ServerName apachefrontend.example.com
     RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
</VirtualHost>

<VirtualHost *:80>
     ServerName appserver1.example.com
     ProxyRequests Off
     ProxyPass / http://appserver1.backend/
     ProxyPassReverse / http://appserver1.backend/
</VirtualHost>

<VirtualHost *:80>
     ServerName appserver2.example.com
     ProxyRequests Off
     ProxyPass / http://appserver2.backend/
     ProxyPassReverse / http://appserver2.backend/
</VirtualHost>
..

Now,

- If I go to "http://apachefrontend.example.com", I am
correctly ending up at "https://apachefrontend.example.com";

- If I go to "http://appserver1[2].example.com", I arrive at
the backend servers all right, but only via port 80.

This behaviour is apparently correct, but so far I have not found
the right configuration options needed to enforce the secure
connection to the backend servers via the reverse proxy (I may
not enable SSL on the backend servers as they are running some
privately managed applications and cannot be tweaked).

Could someone kindly post an example of working configuration
of the same type?

Thanks ahead for any advice!

Andy.

[users@httpd] Reply: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by 吴昊 <wu...@7500.com.cn>.
Hello experts,

Please correct me if I'm wrong. I'm still a noob on Apache httpd.

I think the main reason causing the vhost overlap on port 443 error is that SSL vhosts are IP-based if you have not enabled SNI (meaning no --with-ssl during compile), which means you have to use a different IP or port on each and every SSL vhost. And for these two SSL configs in httpd.conf, you have to add SSLCertificateFile and SSLCertificateKeyFile, and maybe another certificate chain directive is needed. You cannot use mod_ssl without certificates.

About name-based SSL: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

Tks & b.rgds
--
Chris

From: Igor Cicimov [mailto:icicimov@gmail.com]
Sent: Monday, March 09, 2015 5:56 PM
To: users
Subject: Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends


On 09/03/2015 8:01 PM, "A M" <am...@gmail.com> wrote:
>
>
> Hello Jeff,
>
> this is what happens:
>
> [root@www httpd]# service httpd start
> Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module is already loaded, skipping
> [Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already loaded, skipping
> [Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded, skipping
> [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
> [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
>                                                            [FAILED]
>

First, it looks like you have the same configuration included twice somewhere.

> And then there is only one line in the error log:
>
> [Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
>
> "apachectl configtest" gives me the same infos as "apachectl -S".
>
> Following the last advice of Igor, I assume that I'll have to generate two other certificates,
> one for appserver1.example.com, and another - for appserver2.example.com, and then

Or use the same certificate if you were clever enough to generate a wildcard one, i.e. *.example.com, since you need to front multiple subdomains of the same domain ;-)

> add a reference to them in the VirtualHost *443 definition for these two aliased servers.

Correct. Also, please refer to the SSL vhost section on the Apache web site so you fully understand the subject. It's also recommended you make yourself familiar with SNI.

> Will try it later in the day..
>
> Greetings - Andy.
>
> On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <je...@gmail.com> wrote:
>>
>> Andy,
>>
>> What do you see in error logs and proxy logs when you try to bring up the web server?
>>
>>
>>
>> On Sun, Mar 8, 2015 at 5:11 PM, A M <am...@gmail.com> wrote:
>>>
>>>
>>> Hello Igor, and many thanks for your comment!
>>>
>>> I have followed your advice, but now the server refuses to start at all.
>>>
>>> So now I have in httpd.conf:
>>>
>>> ------------------------------------------------
>>> NameVirtualHost *:80
>>>
>>> <VirtualHost *:80>
>>>      ServerName apachefrontend.example.com
>>>      ServerAlias appserver1.example.com appserver2.example.com
>>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver1.example.com
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver1.backend
>>>      ProxyPassReverse / http://appserver1.backend
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver2.example.com
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver2.backend
>>>      ProxyPassReverse / http://appserver2.backend
>>> </VirtualHost>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> And these uncommented lines in ssl.conf:
>>>
>>> -----------------------------------------------------------------------
>>>
>>> LoadModule ssl_module modules/mod_ssl.so
>>> Listen 443
>>> SSLPassPhraseDialog  builtin
>>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>>> SSLSessionCacheTimeout  300
>>> SSLMutex default
>>> SSLRandomSeed startup file:/dev/urandom  256
>>> SSLRandomSeed connect builtin
>>> SSLCryptoDevice builtin
>>>
>>> <VirtualHost _default_:443>
>>> ServerName apachefrontend.example.com:443
>>>
>>> ErrorLog logs/ssl_error_log
>>> TransferLog logs/ssl_access_log
>>> LogLevel warn
>>>
>>> SSLEngine on
>>> SSLProtocol all -SSLv2 -SSLv3
>>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>>>
>>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>>>     SSLOptions +StdEnvVars
>>> </Files>
>>>
>>> <Directory "/var/www/cgi-bin">
>>>     SSLOptions +StdEnvVars
>>> </Directory>
>>>
>>> SetEnvIf User-Agent ".*MSIE.*" \
>>>          nokeepalive ssl-unclean-shutdown \
>>>          downgrade-1.0 force-response-1.0
>>>
>>> CustomLog logs/ssl_request_log \
>>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>>
>>> </VirtualHost>
>>>
>>> -----------------------------------------------------------------------------------
>>>
>>> [root@www conf]# apachectl -S
>>>
>>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded, skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already loaded, skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded, skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
>>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
>>> VirtualHost configuration:
>>> wildcard NameVirtualHosts and _default_ servers:
>>> _default_:8443         apachefrontend.example.com (/etc/httpd/conf.d/nss.conf:84)
>>> _default_:443          apachefrontend.example.com (/etc/httpd/conf.d/ssl.conf:74)
>>> *:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
>>> *:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
>>> *:80                   is a NameVirtualHost
>>>          default server apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
>>>          port 80 namevhost apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
>>>                  alias appserver1.example.com
>>>                  alias appserver2.example.com
>>> Syntax OK
>>>
>>> .. and the server refuses to start at all..
>>>
>>> Playing with NameVirtualHost *:443 and/or specifying server names explicitly
>>> with ServerName does not help me to get rid of the overlap on 443. At most, I
>>> am receiving the missing SSL support errors for the backend servers (and I
>>> cannot add SSL support for them, they have to remain plain HTTP)..
>>>
>>> If you have any further ideas on what to try, please let me know.
>>>
>>> Thanks again and best regards - Andy.
>>>
>>>
>>>
>>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <ic...@gmail.com> wrote:
>>>>
>>>>
>>>> On 08/03/2015 10:01 AM, "A M" <am...@gmail.com> wrote:
>>>> >
>>>> >
>>>> > Hello experts,
>>>> >
>>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>>>> > for a couple of plain backend HTTP servers sitting on a backend private
>>>> > network. The plaform is Centos 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
>>>> >
>>>> > I first created three DNS entries, all pointing to the same public IP:
>>>> >
>>>> >          apachefrontend.example.com
>>>> >          appserver1.example.com
>>>> >          appserver2.example.com
>>>> >
>>>> > I then generated the SSL cert and key for the frontend host and verified that
>>>> > SSL config was correct (all settings and key/cert were defined inside the file
>>>> > /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
>>>> > replied OK.
>>>> >
>>>> > I have then set up a forced redirection to port 443 on the mother
>>>> > server and defined two virtual hosts, in this manner:
>>>> >
>>>> > ..
>>>> > NameVirtualHost *:80
>>>> >
>>>>
>>>> First change this:
>>>>
>>>> > <VirtualHost *:80>
>>>> >      ServerName apachefrontend.example.com
>>>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>>>> > </VirtualHost>
>>>> >
>>>>
>>>> to:
>>>>
>>>> <VirtualHost *:80>
>>>>      ServerName apachefrontend.example.com
>>>>      ServerAlias appserver1.example.com appserver2.example.com
>>>>
>>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
>>>> </VirtualHost>
>>>>
>>>> Then get rid of these two:
>>>>
>>>> > <VirtualHost *:80>
>>>> >      ServerName appserver1.example.com
>>>> >      ProxyRequests Off
>>>> >      ProxyPass / http://appserver1.backend/
>>>> >      ProxyPassReverse / http://appserver1.backend/
>>>> > </VirtualHost>
>>>> >
>>>> > <VirtualHost *:80>
>>>> >      ServerName appserver2.example.com
>>>> >      ProxyRequests Off
>>>> >      ProxyPass / http://appserver2.backend/
>>>> >      ProxyPassReverse / http://appserver2.backend/
>>>> > </VirtualHost>
>>>> > ..
>>>>
>>>> More specifically, convert them to SSL vhosts:
>>>>
>>>> <VirtualHost *:443>
>>>>      ServerName appserver1.example.com
>>>>      ProxyRequests Off
>>>>      ProxyPass / http://appserver1.backend/
>>>>      ProxyPassReverse / http://appserver1.backend/
>>>> </VirtualHost>
>>>>
>>>> <VirtualHost *:443>
>>>>      ServerName appserver2.example.com
>>>>      ProxyRequests Off
>>>>      ProxyPass / http://appserver2.backend/
>>>>      ProxyPassReverse / http://appserver2.backend/
>>>> </VirtualHost>
>>>>
>>>> which will effectively do what you want, which is to terminate SSL on the frontend.
>>>>
>>>> > Now,
>>>> >
>>>> > - If I go to "http://apachefrontend.example.com", I am
>>>> > correctly ending up at "https://apachefrontend.example.com";
>>>> >
>>>> > - If I go to "http://appserver1[2].example.com", I arrive to
>>>> > the backend servers allright, but only via the port 80.
>>>> >
>>>> > This behaviour is apparently correct, but so far I have not found
>>>> > the right configuration options needed  to enforce the secure
>>>> > connection to the backend servers via the reverse proxy (I may
>>>> > not enable SSL on the backend servers as they are running some
>>>> > privately managed applications and cannot be tweaked).
>>>> >
>>>> > Could someone kindly post an example of working configuration
>>>> > of the same type?
>>>> >
>>>> > Thanks ahead for any advice!
>>>> >
>>>> > Andy.
>>>> >
>>>> >
>>>> >
>>>
>>>
>>
>
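
The two messages in Andy's startup output come from the same config shape. With `_default_:443` still defined in ssl.conf plus two `<VirtualHost *:443>` blocks and no `NameVirtualHost *:443`, httpd 2.2 treats all three as IP-based hosts for the same address (the overlap warning), and the two proxy vhosts carry no `SSLEngine` or certificate at all, which is what mod_ssl refuses to start with. The fragment below is an added example for httpd 2.2 on CentOS 6, not a config posted in the thread; the wildcard certificate paths, the DocumentRoot and the cipher list are assumptions. It replaces the stock `<VirtualHost _default_:443>` block in ssl.conf; leaving that block in place while adding the `*:443` hosts brings the overlap back. The `_default_:8443` entry in Andy's `apachectl -S` listing comes from mod_nss's nss.conf and is unrelated to port 443.

```apache
# /etc/httpd/conf.d/ssl.conf, httpd 2.2 on CentOS 6 (added example, not the
# thread's config). Replaces the stock <VirtualHost _default_:443> block.
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin

# Make *:443 a name-based vhost set. Without this line every
# <VirtualHost *:443> competes as an IP-based host for the same address,
# which is the "_default_ VirtualHost overlap on port 443" warning.
NameVirtualHost *:443

# TLS settings inherited by every 443 vhost. The stock CentOS string
# "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW" still admits LOW and
# RC4 suites; this list is an assumption for the OpenSSL 1.0.1 of that era.
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES

# Every SSL vhost needs SSLEngine plus a certificate and key, otherwise
# mod_ssl aborts with "Server should be SSL-aware but has no certificate
# configured". One wildcard *.example.com certificate (assumed paths)
# serves all three names.
<VirtualHost *:443>
    ServerName apachefrontend.example.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/wildcard.example.com.chain.crt
    DocumentRoot /var/www/html
    ErrorLog  logs/ssl_error_log
    CustomLog logs/ssl_access_log combined
</VirtualHost>

<VirtualHost *:443>
    ServerName appserver1.example.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/wildcard.example.com.chain.crt
    ProxyRequests Off
    ProxyPass        / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend/
</VirtualHost>

<VirtualHost *:443>
    ServerName appserver2.example.com
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/wildcard.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/wildcard.example.com.chain.crt
    ProxyRequests Off
    ProxyPass        / http://appserver2.backend/
    ProxyPassReverse / http://appserver2.backend/
</VirtualHost>
```

httpd 2.2.12 and later present the matching certificate to clients that send SNI; a client without SNI gets the first `*:443` vhost's certificate for the handshake and is then routed by its Host header, which with a single wildcard certificate is harmless. `apachectl -S` should now print `*:443 is a NameVirtualHost` followed by the three namevhosts and no overlap warning, and `openssl s_client -connect apachefrontend.example.com:443 -servername appserver1.example.com` shows which certificate a given SNI name is served. Note the trailing slashes: `ProxyPass /` paired with `http://appserver1.backend` (no slash, as in Andy's second posting) produces backend URLs like `http://appserver1.backendSomething`; keep both sides consistent as in Igor's version.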

Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by A M <am...@gmail.com>.
Thanks again Igor.

Yesterday I in fact posted a summary; it is available at this URL:

http://mail-archives.apache.org/mod_mbox/httpd-users/201503.mbox/browser



On Mon, Mar 9, 2015 at 10:42 PM, Igor Cicimov <ic...@gmail.com> wrote:

>
> On 10/03/2015 4:13 AM, "A M" <am...@gmail.com> wrote:
> >
> >
> > Hello,
> >
> > thanks to the comments of Igor, I was able to overcome the HTTPS
> redirection
> > to the initial page of the right backend server, with one modification:
> >
> > Igor's recipe included advice on how to set up the correct VirtualHost
> blocks
> > using the wildcard *.example.com key/cert pair. This worked. He also
> suggested
> > to use the following redirection method:
> >
> >
> > <VirtualHost *:80>
> >      ServerName apachefrontend.example.com
> >      ServerAlias appserver1.example.com appserver2.example.com
> >      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> > </VirtualHost>
> >
> > This did not work: when trying to reach the server, the request is
> > being redirected to https://%25{http_host}/..
> >
> > Instead, I have achieved the goal with the help of RewriteEngine:
> >
> > <VirtualHost *:80>
> > RewriteEngine On
> > RewriteCond %{HTTPS} off
> > RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> > </VirtualHost>
> >
> >
> > This change, together with the correct VirtualHost blocks, finally brought
> > me to the front page of the backend servers via HTTPS. However,
> when
> > trying to navigate inside them, I am being forwarded to:
> >
> >          http://appserverX.backend/Something
> >
> > instead of
> >
> >          https://apachefrontend.example.com/Something
> >
>
> That is correct. Now I suggest we stop here and you tell us what exactly
> you want to achieve. You need reverse proxy for multiple backend servers
> (domains) running different apps or you just need frontend load balancer
> for backend servers running same apps? Or you are just testing some
> scenarios and learning apache?
>
> > and the site becomes unusable. I assume that to conclude the rev. proxy
> > configuration task I have to add further rewrite rules. Could someone
> > comment on this? The current (working) httpd.conf is quoted below.
> >
> > Thanks ahead!
> >
> > Andy.
> >
> >
> > ....
> > # Proxy-related load pack
> > LoadModule headers_module    modules/mod_headers.so
> > LoadFile   /usr/lib64/libxml2.so
> > LoadModule proxy_module modules/mod_proxy.so
> > LoadModule proxy_http_module modules/mod_proxy_http.so
> > LoadModule proxy_html_module modules/mod_proxy_html.so
> > LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
> > LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> > #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> > #LoadModule proxy_connect_module modules/mod_proxy_connect.so
> >
> > # General SSL options transferred from ssl.conf for better viewing
> > Listen 443
> > SSLPassPhraseDialog  builtin
> > SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> > SSLSessionCacheTimeout  300
> > SSLMutex default
> > SSLRandomSeed startup file:/dev/urandom  256
> > SSLRandomSeed connect builtin
> > SSLCryptoDevice builtin
> >
> > NameVirtualHost *:80
> > NameVirtualHost *:443
> >
> > # Decide which virtual host to address and enforce usage of port 443 on
> the right proxy host
> > <VirtualHost *:80>
> > RewriteEngine On
> > RewriteCond %{HTTPS} off
> > RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> > </VirtualHost>
> >
> >
> > # Our "Mother host", apachefrontend.example.com, is still available for
> hosting of some web site
> > <VirtualHost *:443>
> > ServerName apachefrontend.example.com
> >
> > ErrorLog logs/ssl_error_log
> > TransferLog logs/ssl_access_log
> > LogLevel warn
> > SSLEngine on
> > SSLProtocol all -SSLv2 -SSLv3
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> > SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> > SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >     SSLOptions +StdEnvVars
> > </Files>
> > <Directory "/var/www/cgi-bin">
> >     SSLOptions +StdEnvVars
> > </Directory>
> > SetEnvIf User-Agent ".*MSIE.*" \
> >          nokeepalive ssl-unclean-shutdown \
> >          downgrade-1.0 force-response-1.0
> > CustomLog logs/ssl_request_log \
> >           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > </VirtualHost>
> >
> >
> > # Appserver 1
> >
> > <VirtualHost *:443>
> > ServerName appserver1.example.com
> > ErrorLog logs/ssl_error_log
> > TransferLog logs/ssl_access_log
> > LogLevel warn
> > SSLEngine on
> > SSLProtocol all -SSLv2 -SSLv3
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> > SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> > SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> >
> > ProxyRequests Off
> > ProxyPass / http://appserver1.backend/
> > ProxyPassReverse / http://appserver1.backend/
> >
> > </VirtualHost>
> >
> >
> > # Appserver 2
> >
> > <VirtualHost *:443>
> > ServerName appserver2.example.com
> > ErrorLog logs/ssl_error_log
> > TransferLog logs/ssl_access_log
> > LogLevel warn
> > SSLEngine on
> > SSLProtocol all -SSLv2 -SSLv3
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> > SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> > SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> >
> > ProxyRequests Off
> > ProxyPass / http://appserver2.backend/
> > ProxyPassReverse / http://appserver2.backend/
> >
> > </VirtualHost>
> >
>
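
Andy's last symptom, landing on `http://appserverX.backend/Something` once inside the application, marks the limit of `ProxyPassReverse`: it rewrites only the Location, Content-Location and URI response headers, and only when their value starts with the URL it was given. Absolute links, form actions and script URLs inside HTML bodies reach the browser untouched, and so do redirects a backend builds from a Host value the proxy never told it about. The vhost below is an added example (not a config from the thread) of one per-backend TLS vhost that covers both cases. It assumes the wildcard certificate paths, that mod_headers and mod_proxy_html 3.x are loaded as in Andy's httpd.conf (with the `ProxyHTMLLinks` definitions from the stock proxy_html.conf), and that the backend application builds its absolute URLs from the request's Host header.

```apache
# appserver1.example.com -> http://appserver1.backend/ (httpd 2.2, added
# example). Apache config takes no trailing comments, so all notes are on
# their own lines.
<VirtualHost *:443>
    ServerName appserver1.example.com

    SSLEngine on
    # Assumed certificate paths (wildcard *.example.com).
    SSLCertificateFile    /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.com.key

    # Reverse proxy only. ProxyRequests On would turn this host into an
    # open forward proxy reachable from the Internet.
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Pass the public Host header through, so a backend that builds absolute
    # URLs from Host already says appserver1.example.com, and tell it the
    # client side is TLS (the application has to honour X-Forwarded-Proto).
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    # mod_proxy_html cannot rewrite gzip-compressed bodies.
    RequestHeader unset Accept-Encoding

    ProxyPass        / http://appserver1.backend/
    # Redirect headers: rewrite both the name the backend calls itself and
    # the public name it now sees via ProxyPreserveHost (scheme http, since
    # the backend speaks plain HTTP) to https://appserver1.example.com/...
    ProxyPassReverse / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.example.com/
    ProxyPassReverseCookieDomain appserver1.backend appserver1.example.com

    # HTML bodies: map absolute backend URLs in href/src/action attributes
    # (and, with Extended, in inline scripts and styles) to relative ones,
    # which the browser resolves against the HTTPS origin.
    ProxyHTMLEnable On
    ProxyHTMLExtended On
    ProxyHTMLURLMap http://appserver1.backend/      /
    ProxyHTMLURLMap http://appserver1.example.com/  /

    # Pin browsers to HTTPS once every path works over TLS.
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog  logs/appserver1_ssl_error_log
    CustomLog logs/appserver1_ssl_access_log combined
</VirtualHost>
```

`ProxyPreserveHost On` changes what the backend sees in Host, so check that the application accepts appserver1.example.com there before relying on it; the second `ProxyPassReverse` line is what turns the resulting `Location: http://appserver1.example.com/...` back into https. Add the Strict-Transport-Security header only after everything works over TLS, since browsers then refuse plain-HTTP access to that name for max-age seconds. `curl -sSI https://appserver1.example.com/<a path the backend redirects>` should now show a Location starting with `https://appserver1.example.com/`, and `curl -sS https://appserver1.example.com/ | grep -c appserver1.backend` should be 0 once mod_proxy_html is rewriting the body.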

Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by Igor Cicimov <ic...@gmail.com>.
On 10/03/2015 4:13 AM, "A M" <am...@gmail.com> wrote:
>
>
> Hello,
>
> thanks to the comments of Igor, I was able to overcome the HTTPS
redirection
> to the initial page of the right backend server, with one modification:
>
> Igor's recipe included advice on how to set up the correct VirtualHost
blocks
> using the wildcard *.example.com key/cert pair. This worked. He also
suggested
> to use the following redirection method:
>
>
> <VirtualHost *:80>
>      ServerName apachefrontend.example.com
>      ServerAlias appserver1.example.com appserver2.example.com
>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> </VirtualHost>
>
> This did not work: when trying to reach the server, the request is
> being redirected to https://%25{http_host}/..
>
> Instead, I have achieved the goal with the help of RewriteEngine:
>
> <VirtualHost *:80>
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> </VirtualHost>
>
>
> This change, together with the correct VirtualHost blocks, finally brought
> me to the front page of the backend servers via HTTPS. However,
when
> trying to navigate inside them, I am being forwarded to:
>
>          http://appserverX.backend/Something
>
> instead of
>
>          https://apachefrontend.example.com/Something
>

That is correct. Now I suggest we stop here and you tell us what exactly
you want to achieve. Do you need a reverse proxy for multiple backend servers
(domains) running different apps, or do you just need a frontend load balancer
for backend servers running the same app? Or are you just testing some
scenarios and learning Apache?

> and the site becomes unusable. I assume that to conclude the rev. proxy
> configuration task I have to add further rewrite rules. Could someone
> comment on this? The current (working) httpd.conf is quoted below.
>
> Thanks ahead!
>
> Andy.
>
>
> ....
> # Proxy-related load pack
> LoadModule headers_module    modules/mod_headers.so
> LoadFile   /usr/lib64/libxml2.so
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> LoadModule proxy_html_module modules/mod_proxy_html.so
> LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
> LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
> #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> #LoadModule proxy_connect_module modules/mod_proxy_connect.so
>
> # General SSL options transferred from ssl.conf for better viewing
> Listen 443
> SSLPassPhraseDialog  builtin
> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> NameVirtualHost *:80
> NameVirtualHost *:443
>
> # Decide which virtual host to address and enforce usage of port 443 on
> # the right proxy host
> <VirtualHost *:80>
> RewriteEngine On
> RewriteCond %{HTTPS} off
> RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
> </VirtualHost>
>
>
> # Our "Mother host", apachefrontend.example.com, is still available for
> # hosting of some web site
> <VirtualHost *:443>
> ServerName apachefrontend.example.com
>
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> LogLevel warn
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
>
>
> # Appserver 1
>
> <VirtualHost *:443>
> ServerName appserver1.example.com
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> LogLevel warn
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>
> ProxyRequests Off
> ProxyPass / http://appserver1.backend/
> ProxyPassReverse / http://appserver1.backend/
>
> </VirtualHost>
>
>
> # Appserver 2
>
> <VirtualHost *:443>
> ServerName appserver2.example.com
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> LogLevel warn
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>
> ProxyRequests Off
> ProxyPass / http://appserver2.backend/
> ProxyPassReverse / http://appserver2.backend/
>
> </VirtualHost>
>
> On Mon, Mar 9, 2015 at 10:55 AM, Igor Cicimov <ic...@gmail.com> wrote:
>>
>>
>> On 09/03/2015 8:01 PM, "A M" <am...@gmail.com> wrote:
>> >
>> >
>> > Hello Jeff,
>> >
>> > this is what happens:
>> >
>> > [root@www httpd]# service httpd start
>> > Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module
headers_module is already loaded, skipping
>> > [Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already
loaded, skipping
>> > [Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded,
skipping
>> > [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on
port 443, the first has precedence
>> > [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on
port 443, the first has precedence
>> >                                                            [FAILED]
>> >
>>
> >> First, it looks like you have the same configuration included twice somewhere.
>>
>> > And then there is only one line in the error log:
>> >
>> > [Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
>> >
>> > "apachectl configtest" gives me the same info as "apachectl -S".
>> >
>> > Following the last advice of Igor, I assume that I'll have to generate
>> > two other certificates, one for appserver1.example.com, and another for
>> > appserver2.example.com, and then
>>
>> Or use the same certificate if you were clever enough to generate a
>> wildcard one, i.e. *.example.com, since you need to front multiple
>> subdomains of the same domain ;-)
>>
>> > add a reference to them in the VirtualHost *443 definition for these two aliased servers.
>>
>> Correct, also please refer to the SSL vhost section on the Apache web
>> site so you fully understand the subject. It's also recommended you make
>> yourself familiar with SNI.
>>
>> > Will try it later in the day..
>> >
>> > Greetings - Andy.
>> >
>> > On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <je...@gmail.com>
wrote:
>> >>
>> >> Andy,
>> >>
>> >> What do you see in error logs and proxy logs when you try to bring up
the web server?
>> >>
>> >>
>> >>
>> >> On Sun, Mar 8, 2015 at 5:11 PM, A M <am...@gmail.com> wrote:
>> >>>
>> >>>
>> >>> Hello Igor, and many thanks for your comment!
>> >>>
>> >>> I have followed your advice, but now the server refuses to start at all.
>> >>>
>> >>> So now I have in httpd.conf:
>> >>>
>> >>> ------------------------------------------------
>> >>> NameVirtualHost *:80
>> >>>
>> >>> <VirtualHost *:80>
>> >>>      ServerName apachefrontend.example.com
>> >>>      ServerAlias appserver1.example.com appserver2.example.com
>> >>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
>> >>> </VirtualHost>
>> >>>
>> >>> <VirtualHost *:443>
>> >>>      ServerName appserver1.example.com
>> >>>      ProxyRequests Off
>> >>>      ProxyPass / http://appserver1.backend
>> >>>      ProxyPassReverse / http://appserver1.backend
>> >>> </VirtualHost>
>> >>>
>> >>> <VirtualHost *:443>
>> >>>      ServerName appserver2.example.com
>> >>>      ProxyRequests Off
>> >>>      ProxyPass / http://appserver2.backend
>> >>>      ProxyPassReverse / http://appserver2.backend
>> >>> </VirtualHost>
>> >>>
>> >>>
------------------------------------------------------------------------
>> >>>
>> >>> And these uncommented lines in ssl.conf:
>> >>>
>> >>>
-----------------------------------------------------------------------
>> >>>
>> >>> LoadModule ssl_module modules/mod_ssl.so
>> >>> Listen 443
>> >>> SSLPassPhraseDialog  builtin
>> >>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>> >>> SSLSessionCacheTimeout  300
>> >>> SSLMutex default
>> >>> SSLRandomSeed startup file:/dev/urandom  256
>> >>> SSLRandomSeed connect builtin
>> >>> SSLCryptoDevice builtin
>> >>>
>> >>> <VirtualHost _default_:443>
>> >>> ServerName apachefrontend.example.com:443
>> >>>
>> >>> ErrorLog logs/ssl_error_log
>> >>> TransferLog logs/ssl_access_log
>> >>> LogLevel warn
>> >>>
>> >>> SSLEngine on
>> >>> SSLProtocol all -SSLv2 -SSLv3
>> >>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> >>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>> >>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>> >>>
>> >>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>> >>>     SSLOptions +StdEnvVars
>> >>> </Files>
>> >>>
>> >>> <Directory "/var/www/cgi-bin">
>> >>>     SSLOptions +StdEnvVars
>> >>> </Directory>
>> >>>
>> >>> SetEnvIf User-Agent ".*MSIE.*" \
>> >>>          nokeepalive ssl-unclean-shutdown \
>> >>>          downgrade-1.0 force-response-1.0
>> >>>
>> >>> CustomLog logs/ssl_request_log \
>> >>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>> >>>
>> >>> </VirtualHost>
>> >>>
>> >>>
-----------------------------------------------------------------------------------
>> >>>
>> >>> [root@www conf]# apachectl -S
>> >>>
>> >>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already
loaded, skipping
>> >>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is
already loaded, skipping
>> >>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already
loaded, skipping
>> >>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on
port 443, the first has precedence
>> >>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on
port 443, the first has precedence
>> >>> VirtualHost configuration:
>> >>> wildcard NameVirtualHosts and _default_ servers:
>> >>> _default_:8443         apachefrontend.example.com
(/etc/httpd/conf.d/nss.conf:84)
>> >>> _default_:443          apachefrontend.example.com
(/etc/httpd/conf.d/ssl.conf:74)
>> >>> *:443                  appserver1.backend
(/etc/httpd/conf/httpd.conf:1034)
>> >>> *:443                  appserver2.backend
(/etc/httpd/conf/httpd.conf:1041)
>> >>> *:80                   is a NameVirtualHost
>> >>>          default server apachefrontend.example.com
(/etc/httpd/conf/httpd.conf:1028)
>> >>>          port 80 namevhost apachefrontend.example.com
(/etc/httpd/conf/httpd.conf:1028)
>> >>>                  alias appserver1.example.com
>> >>>                  alias appserver2.example.com
>> >>> Syntax OK
>> >>>
>> >>> .. and the server refuses to start at all..
>> >>>
>> >>> Playing with NameVirtualHost: *.443 and/or specifying explicitly server names
>> >>> with ServerName does not help me to get rid of the overlap on 443. At most, I
>> >>> am receiving the missing SSL support errors for the backend servers (and I
>> >>> cannot add SSL support for them, they have to remain plain HTTP)..
>> >>>
>> >>> If you have any further ideas on what to try, please let me know.
>> >>>
>> >>> Thanks again and best regards - Andy.
>> >>>
>> >>>
>> >>>
>> >>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <ic...@gmail.com>
wrote:
>> >>>>
>> >>>>
>> >>>> On 08/03/2015 10:01 AM, "A M" <am...@gmail.com> wrote:
>> >>>> >
>> >>>> >
>> >>>> > Hello experts,
>> >>>> >
>> >>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>> >>>> > for a couple of plain backend HTTP servers sitting on a backend private
>> >>>> > network. The platform is Centos 6, the Apache rpm is
>> >>>> > httpd-2.2.15-39.el6.centos.
>> >>>> >
>> >>>> > I first created three DNS entries, all pointing to the same
public IP:
>> >>>> >
>> >>>> >          apachefrontend.example.com
>> >>>> >          appserver1.example.com
>> >>>> >          appserver2.example.com
>> >>>> >
>> >>>> > I then generated the SSL cert and key for the frontend host and
verified that
>> >>>> > SSL config was correct (all settings and key/cert were defined
inside the file
>> >>>> > /etc/httpd/conf.d/ssl.conf). The URL "
https://apachefrontend.example.com"
>> >>>> > replied OK.
>> >>>> >
>> >>>> > I have then set up a forced redirection to port 443 on the mother
>> >>>> > server and defined two virtual hosts, in this manner:
>> >>>> >
>> >>>> > ..
>> >>>> > NameVirtualHost *:80
>> >>>> >
>> >>>>
>> >>>> First change this:
>> >>>>
>> >>>> > <VirtualHost *:80>
>> >>>> >      ServerName apachefrontend.example.com
>> >>>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>> >>>> > </VirtualHost>
>> >>>> >
>> >>>>
>> >>>> to:
>> >>>>
>> >>>> <VirtualHost *:80>
>> >>>>      ServerName apachefrontend.example.com
>> >>>>        ServerAlias appserver1.example.com appserver2.example.com
>> >>>>
>> >>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
>> >>>> </VirtualHost>
>> >>>>
>> >>>> Then get rid of these two:
>> >>>>
>> >>>> > <VirtualHost *:80>
>> >>>> >      ServerName appserver1.example.com
>> >>>> >      ProxyRequests Off
>> >>>> >      ProxyPass / http://appserver1.backend/
>> >>>> >      ProxyPassReverse / http://appserver1.backend/
>> >>>> > </VirtualHost>
>> >>>> >
>> >>>> > <VirtualHost *:80>
>> >>>> >      ServerName appserver2.example.com
>> >>>> >      ProxyRequests Off
>> >>>> >      ProxyPass / http://appserver2.backend/
>> >>>> >      ProxyPassReverse / http://appserver2.backend/
>> >>>> > </VirtualHost>
>> >>>> > ..
>> >>>>
>> >>>> More specifically, convert them to SSL vhosts:
>> >>>>
>> >>>> <VirtualHost *:443>
>> >>>>      ServerName appserver1.example.com
>> >>>>      ProxyRequests Off
>> >>>>      ProxyPass / http://appserver1.backend/
>> >>>>      ProxyPassReverse / http://appserver1.backend/
>> >>>> </VirtualHost>
>> >>>>
>> >>>> <VirtualHost *:443>
>> >>>>      ServerName appserver2.example.com
>> >>>>      ProxyRequests Off
>> >>>>      ProxyPass / http://appserver2.backend/
>> >>>>      ProxyPassReverse / http://appserver2.backend/
>> >>>> </VirtualHost>
>> >>>>
>> >>>> which will effectively do what you want, which is to terminate SSL on the frontend.
>> >>>>
>> >>>> > Now,
>> >>>> >
>> >>>> > - If I go to "http://apachefrontend.example.com", I am
>> >>>> > correctly ending up at "https://apachefrontend.example.com";
>> >>>> >
>> >>>> > - If I go to "http://appserver1[2].example.com", I arrive to
>> >>>> > the backend servers all right, but only via port 80.
>> >>>> >
>> >>>> > This behaviour is apparently correct, but so far I have not found
>> >>>> > the right configuration options needed  to enforce the secure
>> >>>> > connection to the backend servers via the reverse proxy (I may
>> >>>> > not enable SSL on the backend servers as they are running some
>> >>>> > privately managed applications and cannot be tweaked).
>> >>>> >
>> >>>> > Could someone kindly post an example of working configuration
>> >>>> > of the same type?
>> >>>> >
>> >>>> > Thanks ahead for any advice!
>> >>>> >
>> >>>> > Andy.

Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by A M <am...@gmail.com>.
Hello,

thanks to the comments of Igor, I was able to overcome the HTTPS redirection
to the initial page of the right backend server, with one modification:

Igor's recipe included advice on how to set up the correct VirtualHost blocks
using the wildcard *.example.com key/cert pair. This worked. He also suggested
to use the following redirection method:

<VirtualHost *:80>
     ServerName apachefrontend.example.com
     ServerAlias appserver1.example.com appserver2.example.com
     RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
</VirtualHost>

This did not work: when trying to reach the server, the request is
being redirected to https://%25{http_host}/..

Instead, I have achieved the goal with the help of RewriteEngine:

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>


This change, together with the correct VirtualHost blocks, finally brought
me to the front page of the backend servers via HTTPS. However, when
trying to navigate inside them, I am being forwarded to:

         http://appserverX.backend/Something

instead of

         https://apachefrontend.example.com/Something

and the site becomes unusable. I assume that to conclude the rev. proxy
configuration task I have to add further rewrite rules. Could someone
comment on this? The current (working) httpd.conf is quoted below.

Thanks ahead!

Andy.

....
# Proxy-related load pack
LoadModule headers_module    modules/mod_headers.so
LoadFile   /usr/lib64/libxml2.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so

# General SSL options transferred from ssl.conf for better viewing
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost *:80
NameVirtualHost *:443

# Decide which virtual host to address and enforce usage of port 443 on
# the right proxy host
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>


# Our "Mother host", apachefrontend.example.com, is still available for
# hosting of some web site
<VirtualHost *:443>
ServerName apachefrontend.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


# Appserver 1
<VirtualHost *:443>
ServerName appserver1.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

ProxyRequests Off
ProxyPass / http://appserver1.backend/
ProxyPassReverse / http://appserver1.backend/

</VirtualHost>


# Appserver 2
<VirtualHost *:443>
ServerName appserver2.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

ProxyRequests Off
ProxyPass / http://appserver2.backend/
ProxyPassReverse / http://appserver2.backend/

</VirtualHost>

On Mon, Mar 9, 2015 at 10:55 AM, Igor Cicimov <ic...@gmail.com> wrote:

>
> On 09/03/2015 8:01 PM, "A M" <am...@gmail.com> wrote:
> >
> >
> > Hello Jeff,
> >
> > this is what happens:
> >
> > [root@www httpd]# service httpd start
> > Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module
> is already loaded, skipping
> > [Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already
> loaded, skipping
> > [Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded,
> skipping
> > [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> > [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> >                                                            [FAILED]
> >
>
> First, it looks like you have the same configuration included twice somewhere.
>
> > And then there is only one line in the error log:
> >
> > [Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no
> certificate configured [Hint: SSLCertificateFile] ((null):0)
> >
> > "apachectl configtest" gives me the same info as "apachectl -S".
> >
> > Following the last advice of Igor, I assume that I'll have to generate
> two other certificates,
> > one for appserver1.example.com, and another - for appserver2.example.com,
> and then
>
> Or use the same certificate if you were clever enough to generate a
> wildcard one, i.e. *.example.com, since you need to front multiple
> subdomains of the same domain ;-)
>
> > add a reference to them in the VirtualHost *443 definition for these two
> aliased servers.
>
> Correct, also please refer to the SSL vhost section on the Apache web site
> so you fully understand the subject. It's also recommended you make
> yourself familiar with SNI.
>
> > Will try it later in the day..
> >
> > Greetings - Andy.
> >
> > On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <je...@gmail.com>
> wrote:
> >>
> >> Andy,
> >>
> >> What do you see in error logs and proxy logs when you try to bring up
> the web server?
> >>
> >>
> >>
> >> On Sun, Mar 8, 2015 at 5:11 PM, A M <am...@gmail.com> wrote:
> >>>
> >>>
> >>> Hello Igor, and many thanks for your comment!
> >>>
> >>> I have followed your advice, but now the server refuses to start at all.
> >>>
> >>> So now I have in httpd.conf:
> >>>
> >>> ------------------------------------------------
> >>> NameVirtualHost *:80
> >>>
> >>> <VirtualHost *:80>
> >>>      ServerName apachefrontend.example.com
> >>>      ServerAlias appserver1.example.com appserver2.example.com
> >>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> >>> </VirtualHost>
> >>>
> >>> <VirtualHost *:443>
> >>>      ServerName appserver1.example.com
> >>>      ProxyRequests Off
> >>>      ProxyPass / http://appserver1.backend
> >>>      ProxyPassReverse / http://appserver1.backend
> >>> </VirtualHost>
> >>>
> >>> <VirtualHost *:443>
> >>>      ServerName appserver2.example.com
> >>>      ProxyRequests Off
> >>>      ProxyPass / http://appserver2.backend
> >>>      ProxyPassReverse / http://appserver2.backend
> >>> </VirtualHost>
> >>>
> >>>
> ------------------------------------------------------------------------
> >>>
> >>> And these uncommented lines in ssl.conf:
> >>>
> >>> -----------------------------------------------------------------------
> >>>
> >>> LoadModule ssl_module modules/mod_ssl.so
> >>> Listen 443
> >>> SSLPassPhraseDialog  builtin
> >>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> >>> SSLSessionCacheTimeout  300
> >>> SSLMutex default
> >>> SSLRandomSeed startup file:/dev/urandom  256
> >>> SSLRandomSeed connect builtin
> >>> SSLCryptoDevice builtin
> >>>
> >>> <VirtualHost _default_:443>
> >>> ServerName apachefrontend.example.com:443
> >>>
> >>> ErrorLog logs/ssl_error_log
> >>> TransferLog logs/ssl_access_log
> >>> LogLevel warn
> >>>
> >>> SSLEngine on
> >>> SSLProtocol all -SSLv2 -SSLv3
> >>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> >>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> >>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> >>>
> >>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >>>     SSLOptions +StdEnvVars
> >>> </Files>
> >>>
> >>> <Directory "/var/www/cgi-bin">
> >>>     SSLOptions +StdEnvVars
> >>> </Directory>
> >>>
> >>> SetEnvIf User-Agent ".*MSIE.*" \
> >>>          nokeepalive ssl-unclean-shutdown \
> >>>          downgrade-1.0 force-response-1.0
> >>>
> >>> CustomLog logs/ssl_request_log \
> >>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >>>
> >>> </VirtualHost>
> >>>
> >>>
> -----------------------------------------------------------------------------------
> >>>
> >>> [root@www conf]# apachectl -S
> >>>
> >>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already
> loaded, skipping
> >>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already
> loaded, skipping
> >>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded,
> skipping
> >>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on
> port 443, the first has precedence
> >>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on
> port 443, the first has precedence
> >>> VirtualHost configuration:
> >>> wildcard NameVirtualHosts and _default_ servers:
> >>> _default_:8443         apachefrontend.example.com
> (/etc/httpd/conf.d/nss.conf:84)
> >>> _default_:443          apachefrontend.example.com
> (/etc/httpd/conf.d/ssl.conf:74)
> >>> *:443                  appserver1.backend
> (/etc/httpd/conf/httpd.conf:1034)
> >>> *:443                  appserver2.backend
> (/etc/httpd/conf/httpd.conf:1041)
> >>> *:80                   is a NameVirtualHost
> >>>          default server apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
> >>>          port 80 namevhost apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
> >>>                  alias appserver1.example.com
> >>>                  alias appserver2.example.com
> >>> Syntax OK
> >>>
> >>> .. and the server refuses to start at all..
> >>>
> >>> Playing with NameVirtualHost: *.443 and/or specifying explicitly server names
> >>> with ServerName does not help me to get rid of the overlap on 443. At most, I
> >>> am receiving the missing SSL support errors for the backend servers (and I
> >>> cannot add SSL support for them, they have to remain plain HTTP)..
> >>>
> >>> If you have any further ideas on what to try, please let me know.
> >>>
> >>> Thanks again and best regards - Andy.
> >>>
> >>>
> >>>
> >>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <ic...@gmail.com>
> wrote:
> >>>>
> >>>>
> >>>> On 08/03/2015 10:01 AM, "A M" <am...@gmail.com> wrote:
> >>>> >
> >>>> >
> >>>> > Hello experts,
> >>>> >
> >>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
> >>>> > for a couple of plain backend HTTP servers sitting on a backend private
> >>>> > network. The platform is Centos 6, the Apache rpm is
> >>>> > httpd-2.2.15-39.el6.centos.
> >>>> >
> >>>> > I first created three DNS entries, all pointing to the same public
> IP:
> >>>> >
> >>>> >          apachefrontend.example.com
> >>>> >          appserver1.example.com
> >>>> >          appserver2.example.com
> >>>> >
> >>>> > I then generated the SSL cert and key for the frontend host and
> verified that
> >>>> > SSL config was correct (all settings and key/cert were defined
> inside the file
> >>>> > /etc/httpd/conf.d/ssl.conf). The URL "
> https://apachefrontend.example.com"
> >>>> > replied OK.
> >>>> >
> >>>> > I have then set up a forced redirection to port 443 on the mother
> >>>> > server and defined two virtual hosts, in this manner:
> >>>> >
> >>>> > ..
> >>>> > NameVirtualHost *:80
> >>>> >
> >>>>
> >>>> First change this:
> >>>>
> >>>> > <VirtualHost *:80>
> >>>> >      ServerName apachefrontend.example.com
> >>>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
> >>>> > </VirtualHost>
> >>>> >
> >>>>
> >>>> to:
> >>>>
> >>>> <VirtualHost *:80>
> >>>>      ServerName apachefrontend.example.com
> >>>>        ServerAlias appserver1.example.com appserver2.example.com
> >>>>
> >>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
> >>>> </VirtualHost>
> >>>>
> >>>> Then get rid of these two:
> >>>>
> >>>> > <VirtualHost *:80>
> >>>> >      ServerName appserver1.example.com
> >>>> >      ProxyRequests Off
> >>>> >      ProxyPass / http://appserver1.backend/
> >>>> >      ProxyPassReverse / http://appserver1.backend/
> >>>> > </VirtualHost>
> >>>> >
> >>>> > <VirtualHost *:80>
> >>>> >      ServerName appserver2.example.com
> >>>> >      ProxyRequests Off
> >>>> >      ProxyPass / http://appserver2.backend/
> >>>> >      ProxyPassReverse / http://appserver2.backend/
> >>>> > </VirtualHost>
> >>>> > ..
> >>>>
> >>>> More specifically, convert them to SSL vhosts:
> >>>>
> >>>> <VirtualHost *:443>
> >>>>      ServerName appserver1.example.com
> >>>>      ProxyRequests Off
> >>>>      ProxyPass / http://appserver1.backend/
> >>>>      ProxyPassReverse / http://appserver1.backend/
> >>>> </VirtualHost>
> >>>>
> >>>> <VirtualHost *:443>
> >>>>      ServerName appserver2.example.com
> >>>>      ProxyRequests Off
> >>>>      ProxyPass / http://appserver2.backend/
> >>>>      ProxyPassReverse / http://appserver2.backend/
> >>>> </VirtualHost>
> >>>>
> >>>> which will effectively do what you want, which is to terminate SSL on the frontend.
> >>>>
> >>>> > Now,
> >>>> >
> >>>> > - If I go to "http://apachefrontend.example.com", I am
> >>>> > correctly ending up at "https://apachefrontend.example.com";
> >>>> >
> >>>> > - If I go to "http://appserver1[2].example.com", I arrive to
> >>>> > the backend servers all right, but only via port 80.
> >>>> >
> >>>> > This behaviour is apparently correct, but so far I have not found
> >>>> > the right configuration options needed  to enforce the secure
> >>>> > connection to the backend servers via the reverse proxy (I may
> >>>> > not enable SSL on the backend servers as they are running some
> >>>> > privately managed applications and cannot be tweaked).
> >>>> >
> >>>> > Could someone kindly post an example of working configuration
> >>>> > of the same type?
> >>>> >
> >>>> > Thanks ahead for any advice!
> >>>> >
> >>>> > Andy.
>
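
One way to finish the appserver1 vhost from Andy's httpd.conf, as an added example rather than configuration from the thread: it keeps the directives he posted and adds the header and body rewriting that ProxyPass/ProxyPassReverse alone does not cover. It assumes the same hostnames as the thread (appserver1.example.com in front of http://appserver1.backend/), the 3.x mod_proxy_html that the LoadFile libxml2 line implies, mod_headers loaded as shown, and the wildcard certificate paths below are placeholders.

```apache
# Added example, not from the thread. appserver2 gets the same block with
# its own names.
<VirtualHost *:443>
    ServerName appserver1.example.com
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # Drops RC4 and the LOW/MEDIUM groups that the quoted cipher string
    # still permits; only strong, authenticated suites are offered.
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
    # Placeholder paths for the *.example.com wildcard pair.
    SSLCertificateFile /etc/pki/tls/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.com.key

    ProxyRequests Off
    ProxyPass / http://appserver1.backend/

    # ProxyPassReverse rewrites Location, Content-Location and URI response
    # headers by literal prefix match, so list the backend name both with
    # and without an explicit :80 in case the application emits either.
    ProxyPassReverse / http://appserver1.backend/
    ProxyPassReverse / http://appserver1.backend:80/
    # Cookies the backend scopes to its own name would never come back
    # from the browser; rescope them to the public name.
    ProxyPassReverseCookieDomain appserver1.backend appserver1.example.com

    # Let applications that honour this header build https links themselves.
    RequestHeader set X-Forwarded-Proto "https"

    # Headers are not the whole story: absolute links inside HTML, inline
    # JavaScript and CSS still point at the unreachable backend name.
    # mod_proxy_html rewrites those; it can only parse uncompressed bodies,
    # so the backend is asked not to gzip.
    RequestHeader unset Accept-Encoding
    ProxyHTMLEnable On
    ProxyHTMLExtended On
    # Map to a root-relative path so the link keeps whatever scheme and
    # host the client actually used.
    ProxyHTMLURLMap http://appserver1.backend/ /
</VirtualHost>
```

After `apachectl configtest`, `curl -kI https://appserver1.example.com/Something` shows whether the Location header now names the public host instead of appserver1.backend.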

Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by Igor Cicimov <ic...@gmail.com>.
On 09/03/2015 8:01 PM, "A M" <am...@gmail.com> wrote:
>
>
> Hello Jeff,
>
> this is what happens:
>
> [root@www httpd]# service httpd start
> Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module is already loaded, skipping
> [Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already loaded, skipping
> [Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded, skipping
> [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
> [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
>                                                            [FAILED]
>

First, it looks like you have the same configuration included twice somewhere.

> And then there is only one line in the error log:
>
> [Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)
>
> "apachectl configtest" gives me the same info as "apachectl -S".
>
> Following the last advice of Igor, I assume that I'll have to generate
> two other certificates, one for appserver1.example.com, and another for
> appserver2.example.com, and then

Or use the same certificate if you were clever enough to generate a
wildcard one, i.e. *.example.com, since you need to front multiple
subdomains of the same domain ;-)

> add a reference to them in the VirtualHost *443 definition for these two aliased servers.

Correct, also please refer to the SSL vhost section on the Apache web site
so you fully understand the subject. It's also recommended you make
yourself familiar with SNI.

> Will try it later in the day..
>
> Greetings - Andy.
>
> On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <je...@gmail.com> wrote:
>>
>> Andy,
>>
>> What do you see in error logs and proxy logs when you try to bring up the web server?
>>
>>
>>
>> On Sun, Mar 8, 2015 at 5:11 PM, A M <am...@gmail.com> wrote:
>>>
>>>
>>> Hello Igor, and many thanks for your comment!
>>>
>>> I have followed your advice, but now the server refuses to start at all.
>>>
>>> So now I have in httpd.conf:
>>>
>>> ------------------------------------------------
>>> NameVirtualHost *:80
>>>
>>> <VirtualHost *:80>
>>>      ServerName apachefrontend.example.com
>>>      ServerAlias appserver1.example.com appserver2.example.com
>>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver1.example.com
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver1.backend
>>>      ProxyPassReverse / http://appserver1.backend
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver2.example.com
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver2.backend
>>>      ProxyPassReverse / http://appserver2.backend
>>> </VirtualHost>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> And these uncommented lines in ssl.conf:
>>>
>>> -----------------------------------------------------------------------
>>>
>>> LoadModule ssl_module modules/mod_ssl.so
>>> Listen 443
>>> SSLPassPhraseDialog  builtin
>>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>>> SSLSessionCacheTimeout  300
>>> SSLMutex default
>>> SSLRandomSeed startup file:/dev/urandom  256
>>> SSLRandomSeed connect builtin
>>> SSLCryptoDevice builtin
>>>
>>> <VirtualHost _default_:443>
>>> ServerName apachefrontend.example.com:443
>>>
>>> ErrorLog logs/ssl_error_log
>>> TransferLog logs/ssl_access_log
>>> LogLevel warn
>>>
>>> SSLEngine on
>>> SSLProtocol all -SSLv2 -SSLv3
>>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>>>
>>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>>>     SSLOptions +StdEnvVars
>>> </Files>
>>>
>>> <Directory "/var/www/cgi-bin">
>>>     SSLOptions +StdEnvVars
>>> </Directory>
>>>
>>> SetEnvIf User-Agent ".*MSIE.*" \
>>>          nokeepalive ssl-unclean-shutdown \
>>>          downgrade-1.0 force-response-1.0
>>>
>>> CustomLog logs/ssl_request_log \
>>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>>
>>> </VirtualHost>
>>>
>>>
-----------------------------------------------------------------------------------
>>>
>>> [root@www conf]# apachectl -S
>>>
>>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already
>>> loaded, skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already
>>> loaded, skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded,
>>> skipping
>>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
>>> 443, the first has precedence
>>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
>>> 443, the first has precedence
>>> VirtualHost configuration:
>>> wildcard NameVirtualHosts and _default_ servers:
>>> _default_:8443         apachefrontend.example.com (/etc/httpd/conf.d/nss.conf:84)
>>> _default_:443          apachefrontend.example.com (/etc/httpd/conf.d/ssl.conf:74)
>>> *:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
>>> *:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
>>> *:80                   is a NameVirtualHost
>>>          default server apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
>>>          port 80 namevhost apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
>>>                  alias appserver1.example.com
>>>                  alias appserver2.example.com
>>> Syntax OK
>>>
>>> .. and the server refuses to start at all..
>>>
>>> Playing with NameVirtualHost: *.443 and/or specifying explicitly server
>>> names with ServerName does not help me to get rid of the overlap on 443.
>>> At most, I am receiving the missing SSL support errors for the backend
>>> servers (and I cannot add SSL support for them, they have to remain plain
>>> HTTP)..
>>>
>>> If you have any further ideas on what to try, please let me know.
>>>
>>> Thanks again and best regards - Andy.
>>>
>>>
>>>
>>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <ic...@gmail.com> wrote:
>>>>
>>>>
>>>> On 08/03/2015 10:01 AM, "A M" <am...@gmail.com> wrote:
>>>> >
>>>> >
>>>> > Hello experts,
>>>> >
>>>> > I am trying to set up a classical frontend HTTPS Apache Reverse
>>>> > Proxy for a couple of plain backend HTTP servers sitting on a backend
>>>> > private network. The platform is Centos 6, the Apache rpm is
>>>> > httpd-2.2.15-39.el6.centos.
>>>> >
>>>> > I first created three DNS entries, all pointing to the same public
>>>> > IP:
>>>> >
>>>> >          apachefrontend.example.com
>>>> >          appserver1.example.com
>>>> >          appserver2.example.com
>>>> >
>>>> > I then generated the SSL cert and key for the frontend host and
>>>> > verified that SSL config was correct (all settings and key/cert were
>>>> > defined inside the file /etc/httpd/conf.d/ssl.conf). The URL
>>>> > "https://apachefrontend.example.com" replied OK.
>>>> >
>>>> > I have then set up a forced redirection to port 443 on the mother
>>>> > server and defined two virtual hosts, in this manner:
>>>> >
>>>> > ..
>>>> > NameVirtualHost *:80
>>>> >
>>>>
>>>> First change this:
>>>>
>>>> > <VirtualHost *:80>
>>>> >      ServerName apachefrontend.example.com
>>>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>>>> > </VirtualHost>
>>>> >
>>>>
>>>> to:
>>>>
>>>> <VirtualHost *:80>
>>>>      ServerName apachefrontend.example.com
>>>>        ServerAlias appserver1.example.com appserver2.example.com
>>>>
>>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
>>>> </VirtualHost>
>>>>
>>>> Then get rid of these two:
>>>>
>>>> > <VirtualHost *:80>
>>>> >      ServerName appserver1.example.com
>>>> >      ProxyRequests Off
>>>> >      ProxyPass / http://appserver1.backend/
>>>> >      ProxyPassReverse / http://appserver1.backend/
>>>> > </VirtualHost>
>>>> >
>>>> > <VirtualHost *:80>
>>>> >      ServerName appserver2.example.com
>>>> >      ProxyRequests Off
>>>> >      ProxyPass / http://appserver2.backend/
>>>> >      ProxyPassReverse / http://appserver2.backend/
>>>> > </VirtualHost>
>>>> > ..
>>>>
>>>> More specifically, convert them to SSL vhosts:
>>>>
>>>> <VirtualHost *:443>
>>>>      ServerName appserver1.example.com
>>>>      ProxyRequests Off
>>>>      ProxyPass / http://appserver1.backend/
>>>>      ProxyPassReverse / http://appserver1.backend/
>>>> </VirtualHost>
>>>>
>>>> <VirtualHost *:443>
>>>>      ServerName appserver2.example.com
>>>>      ProxyRequests Off
>>>>      ProxyPass / http://appserver2.backend/
>>>>      ProxyPassReverse / http://appserver2.backend/
>>>> </VirtualHost>
>>>>
>>>> which will effectively do what you want, which is to terminate SSL on
>>>> the frontend.
>>>>
>>>> > Now,
>>>> >
>>>> > - If I go to "http://apachefrontend.example.com", I am
>>>> > correctly ending up at "https://apachefrontend.example.com";
>>>> >
>>>> > - If I go to "http://appserver1[2].example.com", I arrive at
>>>> > the backend servers all right, but only via port 80.
>>>> >
>>>> > This behaviour is apparently correct, but so far I have not found
>>>> > the right configuration options needed  to enforce the secure
>>>> > connection to the backend servers via the reverse proxy (I may
>>>> > not enable SSL on the backend servers as they are running some
>>>> > privately managed applications and cannot be tweaked).
>>>> >
>>>> > Could someone kindly post an example of working configuration
>>>> > of the same type?
>>>> >
>>>> > Thanks ahead for any advice!
>>>> >
>>>> > Andy.
>>>> >
>>>> >
>>>> >
>>>
>>>
>>
>
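
The wildcard-certificate and SNI advice above, worked through as an added example (this is not code from the thread or from httpd). It assumes the three port-443 vhosts all present one wildcard certificate for *.example.com and are listed in the order shown; the ServerAlias app2.example.com is constructed for the example. The name-matching rule is the one clients apply (RFC 6125 section 6.4.3, with the CA/Browser Forum restriction that a wildcard is the whole leftmost label and stands for exactly one label), and vhost selection models httpd handing a connection whose SNI name matches no ServerName or ServerAlias, or that carries no SNI at all, to the first vhost on that address:port.

```python
"""Which hostnames does one certificate cover, and which vhost does a given
SNI name select on the frontend? Added example, not from the thread."""


def cert_name_matches(cert_name, hostname):
    """True if a certificate SAN/CN entry covers hostname (case-insensitive,
    trailing dots ignored). A '*' is honoured only as the entire leftmost
    label and matches exactly one label; anywhere else it is a literal."""
    pattern = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host            # e.g. "app*.example.com" never wildcards
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3:                 # "*.com" is not an acceptable wildcard
        return False
    return (len(h_labels) == len(p_labels)      # exactly one label for the "*"
            and h_labels[0] != ""               # and it must be non-empty
            and h_labels[1:] == p_labels[1:])   # fixed labels compare literally


def covered_hosts(cert_names, hostnames):
    """Hostnames covered by at least one name in the certificate."""
    return [h for h in hostnames if any(cert_name_matches(n, h) for n in cert_names)]


# Constructed model of the thread's three name-based vhosts on *:443, in file
# order: the frontend is listed first on purpose, because httpd uses the FIRST
# vhost on an address:port when no name matches (or when there is no SNI).
VHOSTS_443 = [
    {"ServerName": "apachefrontend.example.com", "ServerAlias": [],
     "cert_names": ["*.example.com"]},     # one wildcard cert, as suggested above
    {"ServerName": "appserver1.example.com", "ServerAlias": [],
     "cert_names": ["*.example.com"]},
    {"ServerName": "appserver2.example.com",
     "ServerAlias": ["app2.example.com"],  # alias constructed for this example
     "cert_names": ["*.example.com"]},
]


def select_vhost(vhosts, sni_name):
    """Return (ServerName chosen, cert_ok) for a TLS ClientHello carrying
    sni_name (None when the client sent no SNI). cert_ok says whether the
    chosen vhost's certificate covers the requested name; it is None when
    there was no name to check against (the client will then compare the
    certificate with the URL host itself, which the server never sees)."""
    if sni_name is None:
        return vhosts[0]["ServerName"], None
    want = sni_name.lower().rstrip(".")
    chosen = vhosts[0]
    for v in vhosts:
        if any(want == n.lower() for n in [v["ServerName"], *v["ServerAlias"]]):
            chosen = v
            break
    return chosen["ServerName"], any(cert_name_matches(n, want) for n in chosen["cert_names"])


if __name__ == "__main__":
    hosts = ["apachefrontend.example.com", "appserver1.example.com",
             "example.com", "deep.appserver1.example.com"]
    print("covered by *.example.com:", covered_hosts(["*.example.com"], hosts))
    for sni in ("appserver2.example.com", "app2.example.com", "www.example.org", None):
        print(f"SNI {sni!r:28} -> {select_vhost(VHOSTS_443, sni)}")
```

Running it shows that *.example.com covers the three frontend names but neither the bare example.com nor a deeper name such as deep.appserver1.example.com, and that an unknown or absent SNI name lands on whichever port-443 vhost is listed first. Two practical consequences: keep the frontend vhost first so clients without SNI get the intended certificate, and remember that the wildcard's private key covers every name under the domain, so it belongs on the TLS-terminating host only.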

Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by A M <am...@gmail.com>.
Hello Jeff,

this is what happens:

[root@www httpd]# service httpd start
Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module is already loaded, skipping
[Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already loaded, skipping
[Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded, skipping
[Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
                                                           [FAILED]

And then there is only one line in the error log:

[Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] ((null):0)

"apachectl configtest" gives me the same information as "apachectl -S".

Following the last advice of Igor, I assume that I'll have to generate two
other certificates, one for appserver1.example.com, and another for
appserver2.example.com, and then add a reference to them in the
VirtualHost *:443 definition for these two aliased servers.
Will try it later in the day..

Greetings - Andy.






On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <je...@gmail.com>
wrote:

> Andy,
>
> What do you see in error logs and proxy logs when you try to bring up the
> web server?
>
>
>
> On Sun, Mar 8, 2015 at 5:11 PM, A M <am...@gmail.com> wrote:
>
>>
>> Hello Igor, and many thanks for your comment!
>>
>> I have followed your advice, but now the server refuses to start at all.
>>
>> So now I have in httpd.conf:
>>
>> ------------------------------------------------
>> NameVirtualHost *:80
>>
>> <VirtualHost *:80>
>>      ServerName apachefrontend.example.com
>>      ServerAlias appserver1.example.com appserver2.example.com
>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>      ServerName appserver1.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver1.backend
>>      ProxyPassReverse / http://appserver1.backend
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>      ServerName appserver2.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver2.backend
>>      ProxyPassReverse / http://appserver2.backend
>> </VirtualHost>
>>
>> ------------------------------------------------------------------------
>>
>> And these uncommented lines in ssl.conf:
>>
>> -----------------------------------------------------------------------
>>
>> LoadModule ssl_module modules/mod_ssl.so
>> Listen 443
>> SSLPassPhraseDialog  builtin
>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>> SSLSessionCacheTimeout  300
>> SSLMutex default
>> SSLRandomSeed startup file:/dev/urandom  256
>> SSLRandomSeed connect builtin
>> SSLCryptoDevice builtin
>>
>> <VirtualHost _default_:443>
>> ServerName apachefrontend.example.com:443
>>
>> ErrorLog logs/ssl_error_log
>> TransferLog logs/ssl_access_log
>> LogLevel warn
>>
>> SSLEngine on
>> SSLProtocol all -SSLv2 -SSLv3
>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>>
>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>>     SSLOptions +StdEnvVars
>> </Files>
>>
>> <Directory "/var/www/cgi-bin">
>>     SSLOptions +StdEnvVars
>> </Directory>
>>
>> SetEnvIf User-Agent ".*MSIE.*" \
>>          nokeepalive ssl-unclean-shutdown \
>>          downgrade-1.0 force-response-1.0
>>
>> CustomLog logs/ssl_request_log \
>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>
>> </VirtualHost>
>>
>>
>> -----------------------------------------------------------------------------------
>>
>> [root@www conf]# apachectl -S
>>
>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already
>> loaded, skipping
>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already
>> loaded, skipping
>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded,
>> skipping
>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
>> 443, the first has precedence
>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
>> 443, the first has precedence
>> VirtualHost configuration:
>> wildcard NameVirtualHosts and _default_ servers:
>> _default_:8443         apachefrontend.example.com
>> (/etc/httpd/conf.d/nss.conf:84)
>> _default_:443          apachefrontend.example.com
>> (/etc/httpd/conf.d/ssl.conf:74)
>> *:443                  appserver1.backend
>> (/etc/httpd/conf/httpd.conf:1034)
>> *:443                  appserver2.backend
>> (/etc/httpd/conf/httpd.conf:1041)
>> *:80                   is a NameVirtualHost
>>          default server apachefrontend.example.com
>> (/etc/httpd/conf/httpd.conf:1028)
>>          port 80 namevhost apachefrontend.example.com
>> (/etc/httpd/conf/httpd.conf:1028)
>>                  alias appserver1.example.com
>>                  alias appserver2.example.com
>> Syntax OK
>>
>> .. and the server refuses to start at all..
>>
>> Playing with NameVirtualHost: *.443 and/or specifying explicitly server
>> names with ServerName does not help me to get rid of the overlap on 443.
>> At most, I am receiving the missing SSL support errors for the backend
>> servers (and I cannot add SSL support for them, they have to remain plain
>> HTTP)..
>>
>> If you have any further ideas on what to try, please let me know.
>>
>> Thanks again and best regards - Andy.
>>
>>
>>
>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <ic...@gmail.com> wrote:
>>
>>>
>>> On 08/03/2015 10:01 AM, "A M" <am...@gmail.com> wrote:
>>> >
>>> >
>>> > Hello experts,
>>> >
>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>>> > for a couple of plain backend HTTP servers sitting on a backend
>>> > private network. The platform is Centos 6, the Apache rpm is
>>> > httpd-2.2.15-39.el6.centos.
>>> >
>>> > I first created three DNS entries, all pointing to the same public IP:
>>> >
>>> >          apachefrontend.example.com
>>> >          appserver1.example.com
>>> >          appserver2.example.com
>>> >
>>> > I then generated the SSL cert and key for the frontend host and
>>> > verified that SSL config was correct (all settings and key/cert were
>>> > defined inside the file /etc/httpd/conf.d/ssl.conf). The URL
>>> > "https://apachefrontend.example.com" replied OK.
>>> >
>>> > I have then set up a forced redirection to port 443 on the mother
>>> > server and defined two virtual hosts, in this manner:
>>> >
>>> > ..
>>> > NameVirtualHost *:80
>>> >
>>>
>>> First change this:
>>>
>>> > <VirtualHost *:80>
>>> >      ServerName apachefrontend.example.com
>>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>>> > </VirtualHost>
>>> >
>>>
>>> to:
>>>
>>> <VirtualHost *:80>
>>>      ServerName apachefrontend.example.com
>>>        ServerAlias appserver1.example.com appserver2.example.com
>>>
>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
>>> </VirtualHost>
>>>
>>> Then get rid of these two:
>>>
>>> > <VirtualHost *:80>
>>> >      ServerName appserver1.example.com
>>> >      ProxyRequests Off
>>> >      ProxyPass / http://appserver1.backend/
>>> >      ProxyPassReverse / http://appserver1.backend/
>>> > </VirtualHost>
>>> >
>>> > <VirtualHost *:80>
>>> >      ServerName appserver2.example.com
>>> >      ProxyRequests Off
>>> >      ProxyPass / http://appserver2.backend/
>>> >      ProxyPassReverse / http://appserver2.backend/
>>> > </VirtualHost>
>>> > ..
>>>
>>> More specifically, convert them to SSL vhosts:
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver1.example.com
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver1.backend/
>>>      ProxyPassReverse / http://appserver1.backend/
>>> </VirtualHost>
>>>
>>> <VirtualHost *:443>
>>>      ServerName appserver2.example.com
>>>      ProxyRequests Off
>>>      ProxyPass / http://appserver2.backend/
>>>      ProxyPassReverse / http://appserver2.backend/
>>> </VirtualHost>
>>>
>>> which will effectively do what you want, which is to terminate SSL on
>>> the frontend.
>>>
>>> > Now,
>>> >
>>> > - If I go to "http://apachefrontend.example.com", I am
>>> > correctly ending up at "https://apachefrontend.example.com";
>>> >
>>> > - If I go to "http://appserver1[2].example.com", I arrive at
>>> > the backend servers all right, but only via port 80.
>>> >
>>> > This behaviour is apparently correct, but so far I have not found
>>> > the right configuration options needed  to enforce the secure
>>> > connection to the backend servers via the reverse proxy (I may
>>> > not enable SSL on the backend servers as they are running some
>>> > privately managed applications and cannot be tweaked).
>>> >
>>> > Could someone kindly post an example of working configuration
>>> > of the same type?
>>> >
>>> > Thanks ahead for any advice!
>>> >
>>> > Andy.
>>> >
>>> >
>>> >
>>>
>>
>>
>
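
A check for the two failures reported in this post, written as an added example (this is not code from the thread or from httpd). It parses the vhost blocks and reports every vhost on the SSL port that lacks its own SSLEngine, SSLCertificateFile and SSLCertificateKeyFile: mod_ssl does not take those from the sibling _default_:443 vhost, which is what produces "Server should be SSL-aware but has no certificate configured". It also reports a port carrying several wildcard/_default_ vhosts with no NameVirtualHost for it (the "overlap" warning, which on httpd 2.2 is what stops name-based selection on 443), and flags RC4 and LOW-grade entries in SSLCipherSuite. POSTED is assembled from the httpd.conf and ssl.conf fragments quoted above; FIXED is the corrected layout, with placeholder paths standing in for a wildcard certificate and key.

```python
"""Lint an httpd 2.2-style config for the start-up problems reported above.
Added example: POSTED is assembled from the posted fragments, FIXED gives
every port-443 vhost its own SSLEngine/certificate/key, declares
NameVirtualHost *:443 and drops RC4/LOW ciphers. Cert paths are placeholders."""
import re
from collections import Counter, defaultdict

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
WEAK_CIPHER_TOKENS = ("RC4", "LOW", "EXPORT", "NULL", "ADH")  # flagged unless negated with "!"

POSTED = r"""
<VirtualHost *:443>
     ServerName appserver1.example.com
     ProxyRequests Off
     ProxyPass / http://appserver1.backend
     ProxyPassReverse / http://appserver1.backend
</VirtualHost>
<VirtualHost *:443>
     ServerName appserver2.example.com
     ProxyRequests Off
     ProxyPass / http://appserver2.backend
     ProxyPassReverse / http://appserver2.backend
</VirtualHost>
<VirtualHost _default_:443>
ServerName apachefrontend.example.com:443
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

def ssl_vhost(name, extra=""):
    """One name-based SSL vhost for FIXED; the wildcard cert/key paths are placeholders."""
    return (f"<VirtualHost *:443>\n     ServerName {name}\n     SSLEngine on\n"
            "     SSLCertificateFile /etc/pki/tls/certs/wildcard.example.com.crt\n"
            "     SSLCertificateKeyFile /etc/pki/tls/private/wildcard.example.com.key\n"
            f"{extra}</VirtualHost>\n")

PROXY = "     ProxyRequests Off\n     ProxyPass / http://{b}/\n     ProxyPassReverse / http://{b}/\n"
FIXED = ("NameVirtualHost *:443\n"            # 2.2 needs this for several vhosts on *:443
         "SSLProtocol all -SSLv2 -SSLv3\n"    # global, so every SSL vhost inherits it
         "SSLCipherSuite HIGH:!aNULL:!MD5:!RC4\n"
         + ssl_vhost("apachefrontend.example.com")
         + ssl_vhost("appserver1.example.com", PROXY.format(b="appserver1.backend"))
         + ssl_vhost("appserver2.example.com", PROXY.format(b="appserver2.backend")))

def _directives(block):
    """Lowercased directive name -> list of values; comments, blank lines and
    section tags are skipped and backslash line continuations joined."""
    out = defaultdict(list)
    for line in re.sub(r"\\\n\s*", " ", block).splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            out[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else "")
    return out

def parse_vhosts(text):
    """Return (global directives, [(address, directives), ...])."""
    vhosts = [(a.strip(), _directives(body)) for a, body in VHOST_RE.findall(text)]
    return _directives(VHOST_RE.sub("", text)), vhosts

def port_of(addr):
    return addr.rsplit(":", 1)[-1]

def check_config(text):
    """Return (code, scope, detail) findings; an empty list means the config passes."""
    glob, vhosts = parse_vhosts(text)
    findings = []
    # A port is an SSL port once any vhost on it says "SSLEngine on".
    ssl_ports = {port_of(a) for a, d in vhosts if d.get("sslengine", [""])[0].lower() == "on"}
    for addr, d in vhosts:
        scope = f"{addr} {d.get('servername', ['<no ServerName>'])[0]}"
        # mod_ssl does not copy these from a sibling vhost such as _default_:443;
        # a vhost on the SSL port without them fails with "Server should be
        # SSL-aware but has no certificate configured".
        for want in ("SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile"):
            if port_of(addr) in ssl_ports and want.lower() not in d:
                findings.append(("missing-directive", scope, want))
    for scope, d in [("global", glob)] + vhosts:
        for suite in d.get("sslciphersuite", []):
            weak = [t for t in suite.split(":") if not t.startswith("!")
                    and any(w in t.upper() for w in WEAK_CIPHER_TOKENS)]
            if weak:
                findings.append(("weak-cipher", scope, ":".join(weak)))
    # Several wildcard/_default_ vhosts on one port without NameVirtualHost for
    # it give "_default_ VirtualHost overlap ... the first has precedence".
    per_port = Counter(port_of(a) for a, _ in vhosts if a.split(":")[0] in ("*", "_default_"))
    declared = {v.lower() for v in glob.get("namevirtualhost", [])}
    for port, n in per_port.items():
        if n > 1 and f"*:{port}" not in declared:
            findings.append(("no-namevirtualhost", f"port {port}", f"NameVirtualHost *:{port}"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED), ("fixed", FIXED)):
        print(f"{label}: {len(check_config(cfg))} finding(s)")
        for code, scope, detail in check_config(cfg):
            print(f"  {code:<20} {scope:<34} {detail}")
    print(FIXED)
```

Against POSTED the checker reports six missing directives (three per proxied vhost), the missing NameVirtualHost *:443 and the RC4+RSA/+LOW cipher entries; against FIXED it reports nothing. The certificate referenced in FIXED has to cover each ServerName, either a wildcard for *.example.com as suggested above or one certificate per vhost, and name-based selection on 443 only works for clients that send SNI; after editing, "apachectl -S" should list the three *:443 vhosts under a single NameVirtualHost entry with no overlap warning.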

Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by "jeffmonte101 ." <je...@gmail.com>.
Andy,

What do you see in error logs and proxy logs when you try to bring up the
web server?



On Sun, Mar 8, 2015 at 5:11 PM, A M <am...@gmail.com> wrote:

>
> Hello Igor, and many thanks for your comment!
>
> I have followed your advice, but now the server refuses to start at all.
>
> So now I have in httpd.conf:
>
> ------------------------------------------------
> NameVirtualHost *:80
>
> <VirtualHost *:80>
>      ServerName apachefrontend.example.com
>      ServerAlias appserver1.example.com appserver2.example.com
>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> </VirtualHost>
>
> <VirtualHost *:443>
>      ServerName appserver1.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver1.backend
>      ProxyPassReverse / http://appserver1.backend
> </VirtualHost>
>
> <VirtualHost *:443>
>      ServerName appserver2.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver2.backend
>      ProxyPassReverse / http://appserver2.backend
> </VirtualHost>
>
> ------------------------------------------------------------------------
>
> And these uncommented lines in ssl.conf:
>
> -----------------------------------------------------------------------
>
> LoadModule ssl_module modules/mod_ssl.so
> Listen 443
> SSLPassPhraseDialog  builtin
> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> <VirtualHost _default_:443>
> ServerName apachefrontend.example.com:443
>
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> LogLevel warn
>
> SSLEngine on
> SSLProtocol all -SSLv2 -SSLv3
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
>
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
>
> <Directory "/var/www/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
>
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
>
> -----------------------------------------------------------------------------------
>
> [root@www conf]# apachectl -S
>
> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded,
> skipping
> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already
> loaded, skipping
> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded,
> skipping
> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> VirtualHost configuration:
> wildcard NameVirtualHosts and _default_ servers:
> _default_:8443         apachefrontend.example.com
> (/etc/httpd/conf.d/nss.conf:84)
> _default_:443          apachefrontend.example.com
> (/etc/httpd/conf.d/ssl.conf:74)
> *:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
> *:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
> *:80                   is a NameVirtualHost
>          default server apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
>          port 80 namevhost apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
>                  alias appserver1.example.com
>                  alias appserver2.example.com
> Syntax OK
>
> .. and the server refuses to start at all..
>
> Playing with NameVirtualHost: *.443 and/or specifying explicitly server
> names with ServerName does not help me to get rid of the overlap on 443.
> At most, I am receiving the missing SSL support errors for the backend
> servers (and I cannot add SSL support for them, they have to remain plain
> HTTP)..
>
> If you have any further ideas on what to try, please let me know.
>
> Thanks again and best regards - Andy.
>
>
>
> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <ic...@gmail.com> wrote:
>
>>
>> On 08/03/2015 10:01 AM, "A M" <am...@gmail.com> wrote:
>> >
>> >
>> > Hello experts,
>> >
>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
>> > for a couple of plain backend HTTP servers sitting on a backend private
>> > network. The platform is Centos 6, the Apache rpm is
>> > httpd-2.2.15-39.el6.centos.
>> >
>> > I first created three DNS entries, all pointing to the same public IP:
>> >
>> >          apachefrontend.example.com
>> >          appserver1.example.com
>> >          appserver2.example.com
>> >
>> > I then generated the SSL cert and key for the frontend host and
>> > verified that SSL config was correct (all settings and key/cert were
>> > defined inside the file /etc/httpd/conf.d/ssl.conf). The URL
>> > "https://apachefrontend.example.com" replied OK.
>> >
>> > I have then set up a forced redirection to port 443 on the mother
>> > server and defined two virtual hosts, in this manner:
>> >
>> > ..
>> > NameVirtualHost *:80
>> >
>>
>> First change this:
>>
>> > <VirtualHost *:80>
>> >      ServerName apachefrontend.example.com
>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
>> > </VirtualHost>
>> >
>>
>> to:
>>
>> <VirtualHost *:80>
>>      ServerName apachefrontend.example.com
>>        ServerAlias appserver1.example.com appserver2.example.com
>>
>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
>> </VirtualHost>
>>
>> Then get rid of these two:
>>
>> > <VirtualHost *:80>
>> >      ServerName appserver1.example.com
>> >      ProxyRequests Off
>> >      ProxyPass / http://appserver1.backend/
>> >      ProxyPassReverse / http://appserver1.backend/
>> > </VirtualHost>
>> >
>> > <VirtualHost *:80>
>> >      ServerName appserver2.example.com
>> >      ProxyRequests Off
>> >      ProxyPass / http://appserver2.backend/
>> >      ProxyPassReverse / http://appserver2.backend/
>> > </VirtualHost>
>> > ..
>>
>> More specifically, convert them to SSL vhosts:
>>
>> <VirtualHost *:443>
>>      ServerName appserver1.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver1.backend/
>>      ProxyPassReverse / http://appserver1.backend/
>> </VirtualHost>
>>
>> <VirtualHost *:443>
>>      ServerName appserver2.example.com
>>      ProxyRequests Off
>>      ProxyPass / http://appserver2.backend/
>>      ProxyPassReverse / http://appserver2.backend/
>> </VirtualHost>
>>
>> which will effectively do what you want, which is to terminate SSL on
>> the frontend.
>>
>> > Now,
>> >
>> > - If I go to "http://apachefrontend.example.com", I am
>> > correctly ending up at "https://apachefrontend.example.com";
>> >
>> > - If I go to "http://appserver1[2].example.com", I arrive at
>> > the backend servers all right, but only via port 80.
>> >
>> > This behaviour is apparently correct, but so far I have not found
>> > the right configuration options needed  to enforce the secure
>> > connection to the backend servers via the reverse proxy (I may
>> > not enable SSL on the backend servers as they are running some
>> > privately managed applications and cannot be tweaked).
>> >
>> > Could someone kindly post an example of working configuration
>> > of the same type?
>> >
>> > Thanks ahead for any advice!
>> >
>> > Andy.
>> >
>> >
>> >
>>
>
>

Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by A M <am...@gmail.com>.
Hello Igor, and many thanks for your comment!

I have followed your advice, but now the server refuses to start at all.

So now I have in httpd.conf:

------------------------------------------------
NameVirtualHost *:80

<VirtualHost *:80>
     ServerName apachefrontend.example.com
     ServerAlias appserver1.example.com appserver2.example.com
     RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
</VirtualHost>

<VirtualHost *:443>
     ServerName appserver1.example.com
     ProxyRequests Off
     ProxyPass / http://appserver1.backend
     ProxyPassReverse / http://appserver1.backend
</VirtualHost>

<VirtualHost *:443>
     ServerName appserver2.example.com
     ProxyRequests Off
     ProxyPass / http://appserver2.backend
     ProxyPassReverse / http://appserver2.backend
</VirtualHost>

------------------------------------------------------------------------

And these uncommented lines in ssl.conf:

-----------------------------------------------------------------------

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
ServerName apachefrontend.example.com:443

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

-----------------------------------------------------------------------------------

[root@www conf]# apachectl -S

[Sun Mar 08 12:28:37 2015] [warn] module headers_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded, skipping
[Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
[Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:8443         apachefrontend.example.com (/etc/httpd/conf.d/nss.conf:84)
_default_:443          apachefrontend.example.com (/etc/httpd/conf.d/ssl.conf:74)
*:443                  appserver1.backend (/etc/httpd/conf/httpd.conf:1034)
*:443                  appserver2.backend (/etc/httpd/conf/httpd.conf:1041)
*:80                   is a NameVirtualHost
         default server apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
         port 80 namevhost apachefrontend.example.com (/etc/httpd/conf/httpd.conf:1028)
                 alias appserver1.example.com
                 alias appserver2.example.com
Syntax OK

.. and the server refuses to start at all..

Playing with NameVirtualHost: *.443 and/or specifying explicitly server
names with ServerName does not help me to get rid of the overlap on 443.
At most, I am receiving the missing SSL support errors for the backend
servers (and I cannot add SSL support for them, they have to remain plain
HTTP)..

If you have any further ideas on what to try, please let me know.

Thanks again and best regards - Andy.



On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <ic...@gmail.com> wrote:

>
> On 08/03/2015 10:01 AM, "A M" <am...@gmail.com> wrote:
> >
> >
> > Hello experts,
> >
> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
> > for a couple of plain backend HTTP servers sitting on a backend private
> > network. The platform is Centos 6, the Apache rpm is
> > httpd-2.2.15-39.el6.centos.
> >
> > I first created three DNS entries, all pointing to the same public IP:
> >
> >          apachefrontend.example.com
> >          appserver1.example.com
> >          appserver2.example.com
> >
> > I then generated the SSL cert and key for the frontend host and
> > verified that SSL config was correct (all settings and key/cert were
> > defined inside the file /etc/httpd/conf.d/ssl.conf). The URL
> > "https://apachefrontend.example.com" replied OK.
> >
> > I have then set up a forced redirection to port 443 on the mother
> > server and defined two virtual hosts, in this manner:
> >
> > ..
> > NameVirtualHost *:80
> >
>
> First change this:
>
> > <VirtualHost *:80>
> >      ServerName apachefrontend.example.com
> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
> > </VirtualHost>
> >
>
> to:
>
> <VirtualHost *:80>
>      ServerName apachefrontend.example.com
>        ServerAlias appserver1.example.com appserver2.example.com
>
>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
> </VirtualHost>
>
> Then get rid of these two:
>
> > <VirtualHost *:80>
> >      ServerName appserver1.example.com
> >      ProxyRequests Off
> >      ProxyPass / http://appserver1.backend/
> >      ProxyPassReverse / http://appserver1.backend/
> > </VirtualHost>
> >
> > <VirtualHost *:80>
> >      ServerName appserver2.example.com
> >      ProxyRequests Off
> >      ProxyPass / http://appserver2.backend/
> >      ProxyPassReverse / http://appserver2.backend/
> > </VirtualHost>
> > ..
>
> More specifically, convert them to SSL vhosts:
>
> <VirtualHost *:443>
>      ServerName appserver1.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver1.backend/
>      ProxyPassReverse / http://appserver1.backend/
> </VirtualHost>
>
> <VirtualHost *:443>
>      ServerName appserver2.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver2.backend/
>      ProxyPassReverse / http://appserver2.backend/
> </VirtualHost>
>
> which will effectively do what you want, which is to terminate SSL on
> the frontend.
>
> > Now,
> >
> > - If I go to "http://apachefrontend.example.com", I am
> > correctly ending up at "https://apachefrontend.example.com";
> >
> > - If I go to "http://appserver1[2].example.com", I arrive at
> > the backend servers all right, but only via port 80.
> >
> > This behaviour is apparently correct, but so far I have not found
> > the right configuration options needed  to enforce the secure
> > connection to the backend servers via the reverse proxy (I may
> > not enable SSL on the backend servers as they are running some
> > privately managed applications and cannot be tweaked).
> >
> > Could someone kindly post an example of working configuration
> > of the same type?
> >
> > Thanks ahead for any advice!
> >
> > Andy.
> >
> >
> >
>

Re: [users@httpd] Example Apache reverse proxy configuration for HTTPS frontend and several HTTP backends

Posted by Igor Cicimov <ic...@gmail.com>.
On 08/03/2015 10:01 AM, "A M" <am...@gmail.com> wrote:
>
>
> Hello experts,
>
> I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
> for a couple of plain backend HTTP servers sitting on a backend private
> network. The platform is Centos 6, the Apache rpm is
> httpd-2.2.15-39.el6.centos.
>
> I first created three DNS entries, all pointing to the same public IP:
>
>          apachefrontend.example.com
>          appserver1.example.com
>          appserver2.example.com
>
> I then generated the SSL cert and key for the frontend host and verified
> that SSL config was correct (all settings and key/cert were defined inside
> the file /etc/httpd/conf.d/ssl.conf). The URL
> "https://apachefrontend.example.com" replied OK.
>
> I have then set up a forced redirection to port 443 on the mother
> server and defined two virtual hosts, in this manner:
>
> ..
> NameVirtualHost *:80
>

First change this:

> <VirtualHost *:80>
>      ServerName apachefrontend.example.com
>      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
> </VirtualHost>
>

to:

<VirtualHost *:80>
     ServerName apachefrontend.example.com
       ServerAlias appserver1.example.com appserver2.example.com

     RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
</VirtualHost>

Then get rid of these two:

> <VirtualHost *:80>
>      ServerName appserver1.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver1.backend/
>      ProxyPassReverse / http://appserver1.backend/
> </VirtualHost>
>
> <VirtualHost *:80>
>      ServerName appserver2.example.com
>      ProxyRequests Off
>      ProxyPass / http://appserver2.backend/
>      ProxyPassReverse / http://appserver2.backend/
> </VirtualHost>
> ..

More specifically, convert them to SSL vhosts:

<VirtualHost *:443>
     ServerName appserver1.example.com
     ProxyRequests Off
     ProxyPass / http://appserver1.backend/
     ProxyPassReverse / http://appserver1.backend/
</VirtualHost>

<VirtualHost *:443>
     ServerName appserver2.example.com
     ProxyRequests Off
     ProxyPass / http://appserver2.backend/
     ProxyPassReverse / http://appserver2.backend/
</VirtualHost>

which will effectively do what you want, which is to terminate SSL on the
frontend.

> Now,
>
> - If I go to "http://apachefrontend.example.com", I am
> correctly ending up at "https://apachefrontend.example.com";
>
> - If I go to "http://appserver1[2].example.com", I arrive at
> the backend servers all right, but only via port 80.
>
> This behaviour is apparently correct, but so far I have not found
> the right configuration options needed  to enforce the secure
> connection to the backend servers via the reverse proxy (I may
> not enable SSL on the backend servers as they are running some
> privately managed applications and cannot be tweaked).
>
> Could someone kindly post an example of working configuration
> of the same type?
>
> Thanks ahead for any advice!
>
> Andy.
>
>
>