
We want to use Apache as our reverse proxy to a collection of app servers. We plan to use a CA-signed SSL certificate on the Apache instance but wanted to use self-signed certificates on the app server instances (so that the Apache to app server connection also was encrypted). We don't want to install a CA-signed SSL certificate on the app server instances if we don't have to.

Will Apache allow this configuration of having self-signed certificates on the app server instances?

BestPractices
  • Perhaps this'll help: [SSLProxyCheckPeerCN](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxycheckpeercn)? – noodl Sep 17 '12 at 15:21

1 Answer


If you have a large collection of app servers, it would probably make more sense to have your own internal CA, instead of having to manage each self-signed certificate one by one.

If you want the connections between an Apache Httpd reverse proxy and its worker nodes to use HTTPS, you can configure the certificates trusted by Apache Httpd using the SSLProxy* directives of mod_ssl (as documented in the introduction of the mod_proxy documentation), in particular SSLProxyCACertificateFile.

You'll need to use mod_proxy_http for this, since AJP connections are not made over SSL/TLS.

Bruno
  • This doesn't answer the question. Does Apache allow self-signed certs on proxied servers? Well, from a test setup I have it seems it just works. It would be nice if there was official confirmation of this though. In my test if I navigate my web browser around the proxy directly to the proxied server I'm prompted to accept the self-signed cert so I didn't expect this to work proxied via Apache, but it did. I was expecting I'd have to update the Apache keystore / truststore to include the self-signed cert, but I didn't even have to do that. – Ryan Jan 21 '14 at 20:21
  • 1
    @Ryan, why doesn't this answer the question? The `SSLProxy*` directives are those required, and it's documented. You're right I didn't mention `SSLProxyVerify` explicitly, which is unfortunately `none` by default (you'd want `require`), the default value of `SSLProxyCheckPeerCN` has also changed between Apache Httpd 2.2 and 2.4. – Bruno Jan 21 '14 at 20:30
  • The answer wasn't clear to me initially. After reading the mod_ssl and mod_proxy documentation your answer makes a lot more sense. The default values for SSLProxyVerify and CheckPeerCN also explain why it "just works" without me having to tell Apache to trust the self-signed cert. Looks like I'll need to figure out the SSLProxyCA* directives to get Apache to trust my self-signed cert. – Ryan Jan 23 '14 at 18:03
  • Short answer yes: if you use the http_proxy2 module instead of the http_proxy module. Details can be found in my answer to a similar question here: https://stackoverflow.com/questions/37426547/issues-with-self-signed-certificate-behind-an-apache-reverse-proxy – Jonas Feb 25 '22 at 10:50
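The following virtual host is an added example (not from the question, the answer or the Apache project docs) of the SSLProxy* directives discussed above, showing the permissive default that makes the self-signed backend "just work" next to the hardened form that actually authenticates the backend. The hostname, ports and certificate paths are assumed placeholders.

```apache
# Client-facing side: the CA-signed certificate on the proxy itself.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Proxy -> backend leg: enable TLS towards the app server.
    SSLProxyEngine on

    # WEAK (the default, as noted in the comments): the backend's
    # self-signed certificate is accepted without any verification,
    # so the hop is encrypted but the backend is not authenticated.
    #   SSLProxyVerify none

    # HARDENED: require a certificate chaining to the listed trust
    # anchors. The file holds the backend's self-signed certificate
    # itself (or the internal CA that issued the backend certs).
    SSLProxyVerify            require
    # Depth 1 accepts a self-signed cert or one issued directly by a
    # CA in the trust file; use 0 to accept only self-signed certs.
    SSLProxyVerifyDepth       1
    SSLProxyCACertificateFile /etc/ssl/proxy-trust/backend-selfsigned.pem

    # Set the name checks explicitly instead of relying on defaults,
    # which differ between 2.2 and 2.4. SSLProxyCheckPeerName needs
    # httpd 2.4.5 or later and matches the cert's CN/SAN against the
    # hostname in the ProxyPass URL below.
    SSLProxyCheckPeerCN       on
    SSLProxyCheckPeerName     on

    # Backend URL must use https:// so mod_proxy_http speaks TLS
    # (AJP cannot carry TLS, hence mod_proxy_http rather than mod_proxy_ajp).
    ProxyPass        / https://app1.internal.example:8443/
    ProxyPassReverse / https://app1.internal.example:8443/
</VirtualHost>
```

With `SSLProxyVerify require` in place, a backend presenting a certificate not in the trust file causes the proxy to return a 502 and log a verification error, which is the behaviour you want a tampered or misconfigured backend to produce.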