For background information: (Question at bottom)
I'm trying to connect to a client, who has 8 servers, all of which have unique IP addresses. The client uses the same SSL certificate on all the servers (for this example, cert name == www.all_servers.com). The client only allows incoming requests over https.
I'm trying to create an apache proxy using mod_proxy that maps different URI mappings to different servers. For example:
https://PROXY_SERVER/SERVER1/{REQUEST}
This would send {REQUEST} to server1
https://PROXY_SERVER/SERVER2/{REQUEST}
would send {REQUEST} to server2. So far, pretty simple.
In Apache 2.2, this could be achieved by using the IP addresses like so:
SSLProxyEngine On
ProxyPass /server1 https://1.1.1.1/
ProxyPassReverse /server1 https://1.1.1.1/
ProxyPass /server2 https://1.1.1.2/
ProxyPassReverse /server2 https://1.1.1.2/
This was due to Apache 2.2 not checking if the certificate matched (1.1.1.1 != www.all_servers.com)
However, in Apache 2.4, I'm now getting certificate issues (rightly so). (This exact config works on an Apache 2.2 box.)
[Thu Oct 10 12:01:48.571246 2013] [proxy:error] [pid 13282:tid 140475667224320] (502)Unknown error 502: [client 192.168.1.1:48967] AH01084: pass request body failed to 1.1.1.1:443 (1.1.1.1)
[Thu Oct 10 12:01:48.571341 2013] [proxy:error] [pid 13282:tid 140475667224320] [client 192.168.1.1:48967] AH00898: Error during SSL Handshake with remote server returned by /server1/asd
[Thu Oct 10 12:01:48.571354 2013] [proxy_http:error] [pid 13282:tid 140475667224320] [client 192.168.1.1:48967] AH01097: pass request body failed to 1.1.1.1:443 (1.1.1.1) from 192.168.1.1 ()
I can't use /etc/hosts, as one server would work, using:
1.1.1.1 www.all_servers.com
SSLProxyEngine On
ProxyPass /server1 https://www.all_servers.com/
ProxyPassReverse /server1 https://www.all_servers.com/
But many servers wouldn't.
So, to the actual question:
Is there a way to force mod_proxy to ignore mismatching certificates? Or is there a better way to do this?
Thanks for any help with this!
The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server's perspective, Apache is the client. The only way I can see to do that is to use a layer 4 network load balancer that does not do SSL offloading, i.e. not Apache.
Note: this is a possible major security risk when you put this in production, because you'll basically disable all certificate checks, which makes you vulnerable to a man-in-the-middle attack. In this example we demonstrate how to ignore SSL/TLS certificate errors in Apache HttpClient 4.5.
Transforming the comment into an answer since it solved the OP's question. The user talks to Apache, then Apache talks to the balanced machines. That's the point of a proxy: it ensures clients do not talk to servers directly. So from the balanced server's perspective, Apache is the client.
We need to set up a secure certificate on an Apache reverse proxy. We've been advised that we need to use a virtual host directive. I've looked these up in the O'Reilly book but can't find any examples that pick up https specifically.
You can set the SSLProxy* options on your Apache server (which is a client as far as the reverse proxy connections are concerned).

This was done with SSLProxyCheckPeerCN (off by default in 2.2, but on by default in 2.4), but I'm not sure how this is going to work with IP addresses (since having IP addresses in the CN is not standard). There's a new option in Apache Httpd 2.4 for checking SANs (SSLProxyCheckPeerName), but I'm not sure how it behaves for IP addresses either.

Having IP addresses in DNS SAN extensions or in the CN is not standards-compliant for HTTPS:
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
[...]
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
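Worked configuration for the setup in the question, added here as an example; it is not part of the original question or of the answer above. It shows the SSLProxy* directives the answer refers to in two forms: the "switch everything off" variant that merely silences the AH00898 handshake error, and a narrower one that keeps chain verification pinned to the CA that issued the backends' shared www.all_servers.com certificate (or to that self-signed certificate itself) and relaxes only the identity check, which a certificate without iPAddress SANs cannot pass when the backend is dialled by IP. The proxy hostname, all file paths and the TLS version list are assumptions; the IPs and path prefixes are the ones from the question.

```apache
# Added example, not the original poster's or answerer's config.
# Apache 2.4 vhost: one reverse proxy, eight backends reached by IP, all of
# them presenting the same certificate for www.all_servers.com.
# Assumed values: proxy.example.internal, every path under /etc/ssl/proxy/.

<VirtualHost *:443>
    ServerName proxy.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy/proxy.crt
    SSLCertificateKeyFile /etc/ssl/proxy/proxy.key

    # Reverse proxy only; never expose an open forward proxy.
    ProxyRequests Off
    SSLProxyEngine On

    # What NOT to do. This makes the AH00898 error go away by disabling every
    # check on the backend certificate, so any host that can get between the
    # proxy and 1.1.1.1 can present an arbitrary certificate and read or
    # alter the traffic. Kept commented out for comparison.
    #
    # SSLProxyVerify          none
    # SSLProxyCheckPeerCN     off
    # SSLProxyCheckPeerName   off
    # SSLProxyCheckPeerExpire off

    # Narrower relaxation. The chain is still verified, but only against the
    # CA in backend-ca.pem (the issuer of the backends' certificate, or the
    # self-signed certificate itself), and expiry is still enforced. Only the
    # hostname/IP identity check is switched off, because the shared
    # www.all_servers.com certificate has no iPAddress SAN for 1.1.1.1.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/proxy/backend-ca.pem
    SSLProxyCheckPeerExpire   on
    # SSLProxyCheckPeerName exists from 2.4.5 and supersedes CheckPeerCN;
    # setting both keeps the intent explicit on older 2.4 builds.
    SSLProxyCheckPeerCN       off
    SSLProxyCheckPeerName     off
    SSLProxyProtocol          all -SSLv3 -TLSv1 -TLSv1.1

    # Path-prefix to backend mapping from the question (first two of eight).
    ProxyPass        /server1/ https://1.1.1.1/
    ProxyPassReverse /server1/ https://1.1.1.1/
    ProxyPass        /server2/ https://1.1.1.2/
    ProxyPassReverse /server2/ https://1.1.1.2/
</VirtualHost>
```

Two caveats. First, these SSLProxy* directives apply to every backend in the vhost, so the relaxed identity check covers all eight servers at once; with the shared certificate that changes little, since any one backend could already present the same certificate as any other. Second, pinning to a private CA limits an attacker to someone holding a certificate from that CA, which is a much smaller set than "any certificate at all", but it is still weaker than a proper identity check. The fix that needs no relaxation at all is the one the quoted RFC text points at: reissue the backend certificate with an iPAddress SAN for each of the eight addresses. To see what the backends currently present, `openssl s_client -connect 1.1.1.1:443 -servername www.all_servers.com </dev/null | openssl x509 -noout -text` and read the Subject Alternative Name section; run `apachectl configtest` after editing the vhost.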