I'm trying to establish a reverse proxy setup with apache that securely supports SSL all the way through:
Client <--> Proxy @ somehostname.com <--> Server @ 123.45.67.89
Note that my proxy server has a hostname, but the remote server does not. The SSL setup between clients and the proxy works fine with a letsencrypt setup. However, I am struggling to secure the connection between the proxy and the remote server.
Because the remote server doesn't have a hostname, and letsencrypt doesn't issue certificates for IPs only, my idea was to generate a self-signed certificate and copy the certificate over to the proxy for it to only trust that one. Unfortunately I don't know how.
If I just disable these certificate checks, the connection works, as the proxy just trusts every certificate:
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
While encryption will work fine, to my understanding authenticity is compromised and I am subject to MitM attacks during the handshake. This is not ideal.
Instead, I've instructed Apache to trust my self-signed certificate with
SSLProxyCACertificateFile /path/to/cert.pem
and then tried to enforce a valid certificate with
SSLProxyVerify require
but despite me explicitly listing the certificate, and the documentation of SSLProxyCACertificateFile saying "These are used for Remote Server Authentication", it seems to not trust it.
Is there a way to make sure the connection between the proxy and the remote server is safe, for example by forcing Apache to always connect to the proxy using that specific certificate?
Turns out adding certificates via SSLProxyCACertificateFile does not skip name checks, which makes total sense. So in order for custom certificates to work, they still need to be issued to the correct name, or in my case, the IP. After I made a new certificate issued to that IP, my configuration works now. Here are the relevant parts:
<VirtualHost *:443>
ServerName somehostname.com
SSLProxyEngine On
SSLProxyVerify require
SSLProxyCACertificateFile /path/to/custom_cert.pem
# The next two can be omitted; their default is on.
# (mod_ssl does not allow a comment after a directive on the same line.)
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
ProxyPass / https://123.45.67.89/
ProxyPassReverse / https://123.45.67.89/
</VirtualHost>
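The answer's point is that mod_ssl applies two independent checks to the backend certificate: chain trust (SSLProxyVerify require against SSLProxyCACertificateFile) and name matching (SSLProxyCheckPeerName / SSLProxyCheckPeerCN), and adding a certificate to the trust file only satisfies the first. The following Python is an added example, not code from the question or from Apache, that models both checks on certificates in the dict layout returned by Python's ssl.SSLSocket.getpeercert(). The sample certificates are constructed; the matching rules follow OpenSSL's X509_check_ip / X509_check_host semantics (an IP target is compared only against iPAddress SAN entries, a DNS target against dNSName entries with CN fallback only when the certificate has no SAN), which is why a self-signed certificate for an IP-only backend should carry the IP as a subjectAltName entry.

```python
import ipaddress

# Constructed sample certificates (not real), in the dict layout that
# ssl.SSLSocket.getpeercert() returns, so the checker can also be fed a real one.
CERT_IP_SAN = {  # self-signed cert issued to the backend IP via a SAN entry
    "subject": ((("commonName", "backend"),),),
    "subjectAltName": (("IP Address", "123.45.67.89"),),
}
CERT_IP6_SAN = {
    "subject": ((("commonName", "backend6"),),),
    "subjectAltName": (("IP Address", "2001:db8::1"),),
}
CERT_CN_ONLY = {  # IP only in the CN, no SAN extension at all
    "subject": ((("commonName", "123.45.67.89"),),),
}
CERT_WRONG_NAME = {  # a cert for the proxy's own hostname, not the backend
    "subject": ((("commonName", "somehostname.com"),),),
    "subjectAltName": (("DNS", "somehostname.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def _dns_match(pattern, hostname):
    """RFC 6125-style match: a single '*' may replace the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_matches(cert, target):
    """Does `cert` name `target`, the host part of the ProxyPass URL?"""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets are compared only against iPAddress SAN entries
        # (X509_check_ip semantics); the CN is never consulted.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, target) for p in dns_names)
    # Legacy fallback: no SAN extension at all, so compare against the CN.
    cn = _common_name(cert)
    return cn is not None and _dns_match(cn, target)


def verify_backend(cert, target, chain_trusted):
    """Combine the two independent mod_ssl checks into one verdict string.

    chain_trusted models the outcome of SSLProxyVerify require against
    SSLProxyCACertificateFile; the name check models SSLProxyCheckPeerName.
    """
    if not chain_trusted:
        return "rejected: certificate not issued by a trusted CA"
    if not peer_name_matches(cert, target):
        return "rejected: certificate does not name %s" % target
    return "accepted"


if __name__ == "__main__":
    backend = "123.45.67.89"
    for label, cert in [("IP in SAN", CERT_IP_SAN), ("IP in CN only", CERT_CN_ONLY),
                        ("proxy hostname cert", CERT_WRONG_NAME)]:
        # chain_trusted=True models the cert being listed in SSLProxyCACertificateFile
        print("%-20s -> %s" % (label, verify_backend(cert, backend, True)))
```

Run it with a real certificate by replacing one of the constructed dicts with the output of getpeercert() from an ssl-wrapped socket to the backend; the "IP in CN only" case is the one that trust-file configuration alone cannot rescue.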