1

I have a Windows Server accesible through an public IP with some Apache Virtual Hosts configured to proxy pass to various internal servers with web applications and services (Apache acting as a reverse proxy). On one of the internal servers I want to configure HTTPS using letsencrypt.

I managed to get an working certificate and server configuration on the internal server, but the problem is my Reverse Proxy (Apache) not wanting to tunnel this HTTPS traffic.

Edit: I know it would be easier to configure the Reverse Proxy with the certificates but Let's Encrypt has no good automated options for Windows yet and manually changing the certificates every 60 days or so would be really tedious.

The Virtual Host configuration in Apache 2.4 (Windows) looks like this:

<VirtualHost *:443>
    ServerName somesubdomain.mydomain.com
    DocumentRoot "E:/Apache2/htdocs"
    DirectoryIndex index.html

    ProxyRequests Off
    <Proxy *>
       Order deny,allow
       Allow from all
    </Proxy>

   ProxyPreserveHost On 

   ProxyPass /  https://10.3.1.83/
   ProxyPassReverse /   https://10.3.1.83/
</VirtualHost>

On the 10.3.1.83 (Ubuntu/Nginx) using the certbot from letsencrypt, I generated valid certificates and configured Nginx to serve HTTPS plus the certificates.

When I access the Ubuntu/Nginx Server from inside the LAN, everything works as excpect. Using Chrome DevTools I can verify it servers the right LetsEncrypt Certificate.

Accessing the corresponding subdomain from the outside (Internet) it returns an Internal Server Error Page and in the logs Apache tells me the following: 

AH00961: HTTPS: failed to enable ssl support for 10.3.1.83:443 (10.3.1.83)

Edit: Finally I found some answers: Seems like SNI proxing is not implemented in Apache, only "SNI virtual hosting". One could use HAProxy or other projects though.

Apache HTTPS reverse proxy with SNI without key on the proxy https://serverfault.com/questions/614806/apache-mod-proxy-with-https-without-key-material-using-sni https://serverfault.com/questions/625362/can-a-reverse-proxy-use-sni-with-ssl-pass-through/625364

NicoEpp
  • 11
  • 5

1 Answers1

0

I think that you must encrypt the traffic from the reverse proxy to the client by setting up the encryption on the Proxy.

If anything, your internal webserver and proxy can also share a SSL communication, by setting up SSL on the interna NO (but edited).l server.

But you cannot have one certificate for them all (or that would mean that you use the same private key/public certificates on multiple servers...).

Why is that so? Because if the traffic is encrypted between client and back-end server, then the proxy would not be able to read the "Host" header and other useful headers of HTTP requests, and so would be unable to relay or even understand the requests...

Hence, unless you duplicate certificates, my answer is... NO. :-)

It's not that bad that your certificates are concentrated on your proxy... From a security's perspective it's a bit more risky (concentration of risk) but from an administrative point of view it's easier (concentration of efforts).

EDIT: the answer is NO if you want to reach a large audience including obsolete browsers or development libraries which I assumed (It is a YES in other cases, see conversation below).

Fabien
  • 4,862
  • 2
  • 19
  • 33
  • <>. It was my understanding that newer Apache's had SNI implemented which allowed something like this. – NicoEpp Jun 23 '17 at 13:41
  • SNI features (https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI) are extensions of the SSL protocol, if you aim for large audience you cannot count on that feature because a lot of older applications are not compatible yet. The URL I gave shows the compatible browsers, obviously it's too recent. (Eg: "Internet Explorer 7.0 or later (on Vista, not XP)") – Fabien Jun 23 '17 at 13:44
  • My application is only for users in a certain area. Additionally all the newer browsers have SNI implemented for years. How could I activate SNI in Apache? – NicoEpp Jun 23 '17 at 13:52
  • The link I provided gives you most of the setup/tests to perform. Maybe it's default-enabled on your side. Here is a quote: "How can you tell if your Apache build supports SNI? If you configure multiple name-based virtual hosts for an address where SSL is configured, and SNI isn't built into your Apache, then upon Apache startup a message like "You should not use name-based virtual hosts in conjunction with SSL!!" in the error log. If SNI is built in, then the error log will show "[warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support." – Fabien Jun 23 '17 at 13:55
  • Finally, searching for "apache SNI proxy" I found some usefull links. Seems like SNI proxing is not implemented in Apache, only "SNI virtual hosting". One could use HAProxy or other projects though. https://serverfault.com/questions/614806/apache-mod-proxy-with-https-without-key-material-using-sni https://stackoverflow.com/questions/24125954/apache-https-reverse-proxy-with-sni-without-key-on-the-proxy https://serverfault.com/questions/625362/can-a-reverse-proxy-use-sni-with-ssl-pass-through/625364 – NicoEpp Jun 23 '17 at 14:06
  • Update your OP to add those links and search results, everyone can benefit then in the future :-) – Fabien Jun 23 '17 at 14:07
  • Ok, will do it! Thanks! – NicoEpp Jun 23 '17 at 14:08
  • You're welcome! I guess my original answer was not that much useful to you after all ^_^ but I am glad you found progress – Fabien Jun 23 '17 at 14:13