45

I have a Linux host running Apache and a Windows host running IIS. I have a domain that points to the Linux host and need to relay (proxy) requests for it to IIS; I thus have the following virtual host definition in Apache (which works just fine):

<VirtualHost 192.168.0.2:80>
    ServerName www.acme.com
    DocumentRoot /var/www/acme.com

    RewriteEngine On
    RewriteOptions Inherit
    RewriteRule ^/(.*) http://win.acme.com/$1 [P]
</VirtualHost>

Now I want to add SSL support; the definition becomes:

<VirtualHost 192.168.0.2:443>
    ServerName www.acme.com
    DocumentRoot /var/www/acme.com
    GnuTLSEnable On
    GnuTLSPriorities NORMAL:%COMPAT
    GnuTLSCertificateFile /var/www/ssl/www.acme.com.crt
    GnuTLSKeyFile /var/www/ssl/www.acme.com.key

    RewriteEngine On
    RewriteOptions Inherit
    RewriteRule ^/(.*) https://win.acme.com/$1 [P]
</VirtualHost>

I have valid and trusted certificates on both web servers and if I visit https://win.acme.com all is well, however, when I visit https://www.acme.com I get a 500 Internal Server Error message. A peek at the error logs shows:

[Wed Jul 20 08:35:34 2011] [error] [client 76.168.166.70] SSL Proxy requested for www.wileybits.com:80 but not enabled [Hint: SSLProxyEngine]
[Wed Jul 20 08:35:34 2011] [error] proxy: HTTPS: failed to enable ssl support for 74.166.186.70:443 (win.acme.com)

Do notice that the proxy request seems to be for the wrong domain (wileybits)... the domain it shows is also hosted by my Apache server, but I don't get why it shows up in the logs of acme.com (a reverse DNS lookup perhaps?)

In any case, what am I missing?

thanks in advance - ekkis

p.s. host names and addresses have been altered to protect the innocent :)

* update *

with:

RewriteRule ^/(.*) https://win.acme.com/$1 [R,L]

it seems to work fine, but of course, the Windows hostname becomes visible, which is not acceptable in my scenario

I also tried (instead of mod_rewrite):

ProxyRequests Off
ProxyPass / https://win.acme.com/

but same error

ekkis

2 Answers

86

figured it out... apparently I can do this:

SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ProxyPass / https://win.acme.com/
ProxyPassReverse / https://win.acme.com/
CacheDisable *

and it works just fine!

[the solution came from mikeg's posting on 3cx.org]

gene_wood
ekkis
  • 11
    For those who find this later: my issue was not including `SSLProxyEngine on`. Note that it cannot be in an `.htaccess` file. – robbrit Apr 04 '13 at 18:00
  • 2
    You also need to `sudo a2enmod headers proxy ssl cache` and add `SSLEngine on` (else I got an error `[error] Oops, no RSA or DSA server certificate found for 'www.somedomain.com:0'?!`) and SSLCertificateFile/SSLCertificateKeyFile with the same key & certificate – bumpmann Jun 01 '13 at 12:49
  • 8
    For others who look at this and may be confused: `Front-End-Https` is a [proprietary flag for Microsoft applications](http://en.wikipedia.org/wiki/List_of_HTTP_header_fields) and doesn't need to be set when proxying to other services. – Andrew Mao Nov 18 '13 at 21:04
  • I believe it is now CacheDisable / – Larry K May 20 '17 at 19:31
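
The accepted configuration with backend certificate verification turned on, as an added example that is not part of the original answer or its comments. It assumes Apache 2.4.5 or later with mod_ssl on the front end (as in bumpmann's comment, instead of mod_gnutls) plus mod_proxy, mod_proxy_http and mod_headers; the CA bundle path is a hypothetical placeholder.

```apache
# Added example: reverse proxy to the IIS host over HTTPS with the
# backend certificate actually verified. Not the poster's own config.
<VirtualHost 192.168.0.2:443>
    ServerName www.acme.com

    # Front end: terminate client TLS with mod_ssl.
    SSLEngine On
    SSLCertificateFile    /var/www/ssl/www.acme.com.crt
    SSLCertificateKeyFile /var/www/ssl/www.acme.com.key

    # Back end: required before mod_proxy may open https:// connections;
    # its absence produces the "SSL Proxy requested ... but not enabled" error.
    SSLProxyEngine On

    # SSLProxyVerify defaults to "none", which accepts any certificate the
    # backend (or anything sitting in its place) presents. Require a chain
    # that validates against a CA you trust for win.acme.com.
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    # Hypothetical path: the CA bundle that issued the IIS certificate.
    SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem

    # Both default to On in 2.4.5+; stated explicitly so that a later
    # "quick fix" turning them off shows up in a config review.
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off

    # Front-End-Https is only meaningful to Microsoft backends such as IIS.
    RequestHeader set Front-End-Https "On"

    ProxyPass        / https://win.acme.com/
    ProxyPassReverse / https://win.acme.com/
</VirtualHost>
```

Run `apachectl configtest` after editing; a backend certificate that fails verification surfaces as a 502 or 500 with a proxy handshake error in the error log rather than a silent pass-through.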
0

Not sure of the cause of this error, but you might want to try using Squid or Varnish to accomplish this. Previously, I've used Squid to proxy a secure Windows IIS instance without issue.

Community
Will Bonde