
Guess this is the only post ever where I start with: "My SSL connection works but I don't know why". I have a setup where the domain name and wildcard certificate lie on server A, and I want to use a subdomain of that domain to proxy requests to server B on another machine somewhere on the internet. Server B is currently only reachable via an IP, so I actually did not expect this to work, because SSL certificates are based on domain names.

My setup is as follows (example):

  • Server A domain: www.production.io
  • Server A Subdomain: cus1.production.io
  • Server B IP: 65.23.523.12

Apache config for http of cus1.production.io:

# Tell the backend the original request was https
RequestHeader set X-Forwarded-Proto "https"
# Pass the client's Host header through to the backend
ProxyPreserveHost On
# Send all plain-http requests to the https vhost
Redirect / https://cus1.production.io/

Apache config for https of cus1.production.io:

# Forward to Server B over plain http (no TLS on this hop)
ProxyPass / http://65.23.523.12/
# Rewrite Location/Content-Location headers coming back from Server B
ProxyPassReverse / http://65.23.523.12/

Calling cus1.production.io shows the application on 65.23.523.12 with a secured connection (green lock) in the browser, even though the webserver on Server B neither offers https connections nor provides an SSL certificate.

Although the connection between a client and the "proxying" Server A is secure, the data transferred to the actual application is not. So this is actually a fraud.

Question: How do I make sure a secure connection will be applied between Server A and Server B?

Kekzpanda

2 Answers


It's not really "fraud", it's just that the SSL/TLS connection is ensured between the browser and Server A. The browser has nothing to do with Server B: Server A is the client to Server B.

If you can, set up SSL/TLS on Server B. Even if it's only accessible with an IP address, you could create your internal CA or a self-signed certificate. (That certificate should have this IP address in a SAN entry of IP address type.)

Then, you can use mod_ssl's SSLProxy* options to configure how Apache Httpd (on Server A) behaves as a client to server B (i.e. when it's a reverse proxy).

Typically, you'll need to set SSLProxyCACertificateFile (to point to your internal CA cert or that self-signed cert) and use SSLProxyCheckPeerName.

Bruno
  • Yeah I just found this nice post https://stackoverflow.com/questions/42982154/configure-secure-ssl-apache-proxy that explains it as well. I will try that shortly. – Kekzpanda Mar 27 '18 at 14:59
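The following is an added example, not code from the question or either answer, showing the two steps Bruno's answer describes: issue Server B a self-signed certificate carrying its IP address as an IP-type SAN, and configure Server A's https vhost with the SSLProxy* directives so it re-encrypts to B and verifies B's certificate. Assumptions: 192.0.2.10 stands in for Server B's real IP (the post's 65.23.523.12 is not a valid IPv4 address, so openssl would reject it in a SAN), openssl 1.1.1 or newer is installed, and the certificate paths inside the vhost are placeholders. Note that SSLProxyCheckPeerName alone does not enforce the chain check; SSLProxyVerify require is what makes Apache refuse a backend certificate that does not chain to SSLProxyCACertificateFile. Whether your httpd version matches an IP-type SAN entry against the IP in the ProxyPass URL is something to confirm on your own build; giving Server B an internal DNS name sidesteps that question.

```shell
#!/bin/sh
# Added example (not from the original post). Creates a self-signed cert for
# Server B with an IP-type SAN and writes the https vhost for Server A that
# proxies to B over TLS and verifies B's certificate against that cert.
# Assumptions: 192.0.2.10 is a placeholder for Server B's IP, openssl >= 1.1.1,
# and the wildcard cert paths below are placeholders.
set -eu

# Generate a self-signed certificate whose SAN carries Server B's IP.
# $1 = IP address, $2 = output key path, $3 = output cert path
make_ip_cert() {
    ip=$1; key=$2; cert=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -subj "/CN=server-b" \
        -addext "subjectAltName=IP:$ip" \
        -keyout "$key" -out "$cert" >/dev/null 2>&1
}

# Return 0 if the certificate lists the IP as a subjectAltName entry.
# $1 = cert path, $2 = IP address
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# The same check Apache performs with SSLProxyVerify require:
# does the backend cert chain to the configured CA file?
# $1 = cert path, $2 = CA file path
cert_verifies_against() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Write the https vhost for cus1.production.io on Server A.
# $1 = Server B IP, $2 = path (on Server A) of B's cert / internal CA cert,
# $3 = output file
write_proxy_vhost() {
    ip=$1; cafile=$2; out=$3
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName cus1.production.io
    SSLEngine on
    # Server A's own wildcard certificate (placeholder paths)
    SSLCertificateFile    /etc/ssl/certs/wildcard.production.io.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.production.io.key

    # Act as a TLS client towards Server B and insist on a valid certificate
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 1
    SSLProxyCACertificateFile $cafile
    # Backend cert must match the host in the ProxyPass URL and not be expired
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    # Note the scheme change: this hop is now https
    ProxyPass        / https://$ip/
    ProxyPassReverse / https://$ip/
</VirtualHost>
EOF
}

# Stand-alone demo: everything lands in a scratch directory.
WORK=$(mktemp -d)
SERVER_B_IP=192.0.2.10
make_ip_cert "$SERVER_B_IP" "$WORK/server-b.key" "$WORK/server-b.crt"
cert_has_ip_san "$WORK/server-b.crt" "$SERVER_B_IP" && echo "SAN contains $SERVER_B_IP"
cert_verifies_against "$WORK/server-b.crt" "$WORK/server-b.crt" \
    && echo "cert chains to CA file" || echo "cert does NOT chain to CA file"
write_proxy_vhost "$SERVER_B_IP" /etc/ssl/certs/server-b.crt "$WORK/cus1-ssl.conf"
echo "vhost written to $WORK/cus1-ssl.conf"
```

Copy server-b.crt (not the key) to Server A as the SSLProxyCACertificateFile, install key and cert on Server B's https vhost, and only then switch ProxyPass to https. If you later move to an internal CA instead of a per-host self-signed cert, point SSLProxyCACertificateFile at the CA certificate and raise SSLProxyVerifyDepth accordingly.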

In short, it's up to you to make sure.

What you've just described is a common way of configuring SSL setups, where you have one set of servers that handle the secure connection to the browser, then they proxy the requests to another server, often just with http. This is known as SSL termination.

Usually this connection is done within a secure network, the servers hosting the certificates can be accessed from the internet, but the servers they forward to are not, so they don't proxy back across the internet. However, there is nothing in theory to prevent this if your servers aren't configured properly.

arco444