Issues with self-signed certificate behind an Apache reverse-proxy?

Tags: proxy, ssl, apache

I understand this topic was discussed in a couple of older posts, especially "Will a self-signed certificate work behind an Apache reverse-proxy?" posted by @Ryan.

I am facing the same issue but unable to get around it. I have Apache 2.4.12 set up as a reverse proxy in front of an Oracle HTTP Server. I have valid certs on the proxy server but self-signed certs on the Oracle HTTP Server. The goal is to do HTTPS all the way through, but whenever the browser gets to myhost.domain, it throws a cert warning (because of the self-signed certs). Having authentic certs on the Oracle HTTP Server is not an option, and the users' browsers are restricted and hence cannot ignore the self-signed cert warning.

Here's my virtual host:


LogLevel ERROR
ServerName  myhost.domain
ServerAlias  xxx.xxx.xxx.xx
DocumentRoot D:/xyz/pubdocs
SSLEngine      On
SSLProxyEngine On
SSLCertificateFile      certs/myserver.crt
SSLCertificateKeyFile   certs/myserver.key
SSLCertificateChainFile certs/myserver_chain.crt
SSLProxyCACertificateFile certs/my_self_signed.pem
SSLProxyVerify none
SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProtocol    -all +TLSv1
SSLProxyProtocol +SSLv3 +TLSv1 +TLSv1.1
#SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:RC4+RSA:+HIGH:+MEDIUM
ErrorLog "logs/abc-error.log"
CustomLog "logs/abc-access.log" cert

ProxyRequests Off  
# IE compatibility
Header set X-UA-Compatible "IE=EmulateIE8"
# Prevent page from being loaded within an IFrame (Cross-Frame Scripting protection)
Header always append X-Frame-Options SAMEORIGIN
# Prevent MIME sniffing exploit; disabled because it breaks PEM Popup image rendering
# Header set X-Content-Type-Options: nosniff
# Disable caching
Header set Cache-Control "no-cache, must-revalidate, private"
# Enable X-XSS-Protection
Header set X-XSS-Protection: "1; mode=block"
ProxyPass / https://myhost.domain/
ProxyPassReverse / https://myhost.domain/

It seems like using the following directives worked for many people, but they don't seem to work for me:

SSLProxyVerify none

SSLProxyCheckPeerName off

SSLProxyCheckPeerCN off

SSLProxyCheckPeerExpire off

Is there anything else I am missing?

Any help is appreciated.

Thanks, Raj

Raj M asked Mar 02 '26 18:03


1 Answer

It has been a while, but we hit the same problem in the year 2022. Here is the setup and the problem:

Reverse proxy Apache 2.4 (Public facing) <---> Keycloak 17 (Internal, works only with https)

All of these are created as Docker containers, and since Keycloak is designed to be only internally visible (behind the reverse proxy), we decided to go with a self-signed certificate. Keep in mind that the self-signed certificate is freshly created every time the container is built.

Side note: Yes you can create self-signed certificates without a certificate authority (CA) file.

And of course we have all the SSL* settings mentioned above in the Apache config:

SSLProxyVerify none
SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

It turns out that having the reverse proxy rule as:

ProxyPass "/auth/" "https://keycloak:8443"
ProxyPassReverse "/auth/" "http://keycloak:8443"
RewriteRule "^/auth$" "/auth/" [R,L]

does not work. The result is a 502 Bad Gateway error. This is because Apache has a problem with the self-signed certificate of our Keycloak. Apparently this is a bug within the proxy_http module.

OUR SOLUTION:

Using the proxy_http2 module works like a charm:

ProxyPass "/auth/" "h2://keycloak:8443"
ProxyPassReverse "/auth/" "h2://keycloak:8443"
RewriteRule "^/auth$" "/auth/" [R,L]

Note the difference: https:// vs h2://

Of course, for this to work you need to load the proxy_http2 module as well:

  • the http(s)://something entries work with the proxy_http module
  • the h2://something entries work with the proxy_http2 module
Jonas answered Mar 04 '26 15:03
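A hardened version of the proxy stanza, added here as an example and not taken from either post or from the Apache project. It keeps the goal shared by the question and the answer (Apache fronting an HTTPS backend that presents a self-signed certificate) but, instead of switching verification off with SSLProxyVerify none and the SSLProxyCheckPeer* off directives, pins the backend's own self-signed certificate as the trust anchor so the proxy-to-backend leg stays authenticated; it also loads the modules the answer's bullet list names and shows the h2:// variant beside the https:// one. The hostnames (proxy.example.com, backend.internal), the port 8443, the certs/ paths and the /auth/ prefix are assumptions.

```apache
# Added example, not the poster's or the answerer's config.
# Hostnames, ports and file paths are assumptions.

LoadModule ssl_module         modules/mod_ssl.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so     # needed for http(s):// backends
LoadModule proxy_http2_module modules/mod_proxy_http2.so    # needed for h2:// backends
LoadModule headers_module     modules/mod_headers.so
LoadModule rewrite_module     modules/mod_rewrite.so

<VirtualHost *:443>
    ServerName proxy.example.com

    # Backend-leg TLS problems are logged by mod_ssl; raise its level while
    # debugging instead of loosening the verification directives below.
    LogLevel warn ssl:info proxy:info

    # Browser-facing leg: the CA-issued certificate. This is the only
    # certificate the browser ever evaluates.
    SSLEngine on
    SSLCertificateFile      certs/proxy.crt          # from 2.4.8 the chain may be appended here
    SSLCertificateKeyFile   certs/proxy.key
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

    # Backend leg: verify the self-signed certificate by pinning it.
    # A self-signed certificate is its own issuer, so the PEM the backend
    # serves is the complete "CA" list the proxy needs.
    SSLProxyEngine on
    SSLProxyProtocol          all -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyCACertificateFile certs/backend_selfsigned.pem
    SSLProxyVerify            require   # reject anything not chaining to the pinned PEM
    SSLProxyVerifyDepth       0         # depth 0: only a self-signed peer cert is accepted
    SSLProxyCheckPeerName     on        # cert SAN/CN must match the backend host below
    SSLProxyCheckPeerExpire   on        # SSLProxyCheckPeerCN is superseded by CheckPeerName in 2.4.5+

    ProxyRequests Off

    RewriteEngine On
    RewriteRule "^/auth$" "/auth/" [R,L]

    # The host part of the URL is what CheckPeerName compares against the
    # certificate, so it must be the name the backend certificate was issued for.
    ProxyPass        "/auth/" "https://backend.internal:8443/auth/"
    ProxyPassReverse "/auth/" "https://backend.internal:8443/auth/"

    # Alternative from the answer above: speak HTTP/2 to the backend through
    # mod_proxy_http2. The backend must offer h2 over TLS for this to work,
    # and the SSLProxy* verification settings apply to it in the same way.
    # ProxyPass        "/auth/" "h2://backend.internal:8443/auth/"
    # ProxyPassReverse "/auth/" "h2://backend.internal:8443/auth/"
</VirtualHost>
```

With SSLProxyVerify require, Apache refuses the backend whenever the PEM in SSLProxyCACertificateFile does not match the certificate actually served, so a setup that regenerates the self-signed certificate on every container build (as in the answer) has to copy the new PEM to the proxy each time, or generate the key pair once and mount it into both containers. None of the SSLProxy* directives change what the browser sees: the browser always evaluates the certificate in SSLCertificateFile, so a browser-side warning means the browser reached an endpoint other than this VirtualHost (for example through a redirect pointing at the backend directly), which ProxyPassReverse addresses for Location and similar headers but not for absolute URLs embedded in response bodies.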
