Hello,

thanks to the comments of Igor, I was able to overcome the HTTPS redirection
to the initial page of the right backend server, with one modification:

Igor's recipe included advice on how to set up the correct VirtualHost blocks
using the wildcard *.example.com key/cert pair. This worked. He also suggested
using the following redirection method:

<VirtualHost *:80>
     ServerName apachefrontend.example.com
     ServerAlias appserver1.example.com appserver2.example.com
     RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
</VirtualHost>

This did not work: when trying to reach the server, the request is
redirected to https://%25{http_host}/..

Instead, I have achieved the goal with the help of RewriteEngine:

<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>


This change, together with the correct VirtualHost blocks, has finally brought
me to the front page of the backend servers via HTTPS. However, when
trying to navigate inside them, I am being forwarded to:

         http://appserverX.backend/Something

instead of

         https://apachefrontend.example.com/Something

and the site becomes unusable. I assume that to conclude the rev. proxy
configuration task I have to add further rewrite rules. Could someone
comment on this? The current (working) httpd.conf is quoted below.

Thanks ahead!

Andy.

....
# Proxy-related load pack
LoadModule headers_module    modules/mod_headers.so
LoadFile   /usr/lib64/libxml2.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so

# General SSL options transferred from ssl.conf for better viewing
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost *:80
NameVirtualHost *:443

# Decide which virtual host to address and enforce usage of port 443 on the right proxy host
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>


# Our "Mother host", apachefrontend.example.com, is still available for hosting of some web site
<VirtualHost *:443>
ServerName apachefrontend.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


# Appserver 1
<VirtualHost *:443>
ServerName appserver1.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

ProxyRequests Off
ProxyPass / http://appserver1.backend/
ProxyPassReverse / http://appserver1.backend/

</VirtualHost>


# Appserver 2
<VirtualHost *:443>
ServerName appserver2.example.com
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

ProxyRequests Off
ProxyPass / http://appserver2.backend/
ProxyPassReverse / http://appserver2.backend/

</VirtualHost>
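As an added illustration (not code from this thread or from httpd itself), the following Python models the prefix rewrite that ProxyPassReverse applies to a backend's Location header, using the two mappings from the httpd.conf above, and adds a check that flags a redirect still pointing at an internal backend name, which is the symptom described in the message. The https scheme and ServerName in each mapping are assumptions taken from the *:443 vhosts; the sample Location values are constructed.

```python
from typing import Iterable, NamedTuple, Tuple
from urllib.parse import urlsplit


class ReverseMapping(NamedTuple):
    # Scheme and host are those of the *:443 vhost holding the ProxyPassReverse
    # line (https + ServerName); the path is the directive's first argument.
    frontend_prefix: str
    backend_prefix: str


# Derived from the working httpd.conf quoted above (assumption: the vhost
# scheme is https because SSLEngine is on in those VirtualHost blocks).
MAPPINGS = (
    ReverseMapping("https://appserver1.example.com/", "http://appserver1.backend/"),
    ReverseMapping("https://appserver2.example.com/", "http://appserver2.backend/"),
)
BACKEND_HOSTS = ("appserver1.backend", "appserver2.backend")


def rewrite_location(location: str, mappings: Iterable[ReverseMapping] = MAPPINGS) -> str:
    """Return the Location value the client should receive.

    Only a case-insensitive literal prefix match is rewritten. Anything else
    (an explicit :80 port, a different hostname, or an absolute link inside an
    HTML body, which ProxyPassReverse never touches) passes through unchanged.
    """
    for m in mappings:
        if location.lower().startswith(m.backend_prefix.lower()):
            return m.frontend_prefix + location[len(m.backend_prefix):]
    return location


def leaks_backend(location: str, backend_hosts: Tuple[str, ...] = BACKEND_HOSTS) -> bool:
    """True if a redirect target still names an internal backend host."""
    host = urlsplit(location).hostname or ""
    return host.lower() in backend_hosts


# Constructed sample Location values, as a backend might emit them.
SAMPLES = (
    "http://appserver1.backend/Something",     # rewritten by the mapping
    "http://appserver1.backend:80/Something",  # explicit port: no prefix match, leaks
    "https://appserver2.example.com/login",    # already frontend-facing, untouched
)

if __name__ == "__main__":
    for loc in SAMPLES:
        out = rewrite_location(loc)
        print(f"{loc} -> {out}  leaks_backend={leaks_backend(out)}")
```

Running leaks_backend over the Location headers your frontend actually returns (for example from the output of curl -I against each vhost) is a quick way to see whether a given redirect was rewritten or passed through.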

On Mon, Mar 9, 2015 at 10:55 AM, Igor Cicimov <icici...@gmail.com> wrote:

>
> On 09/03/2015 8:01 PM, "A M" <amm.pr...@gmail.com> wrote:
> >
> >
> > Hello Jeff,
> >
> > this is what happens:
> >
> > [root@www httpd]# service httpd start
> > Starting httpd: [Mon Mar 09 09:51:53 2015] [warn] module headers_module
> is already loaded, skipping
> > [Mon Mar 09 09:51:53 2015] [warn] module proxy_html_module is already
> loaded, skipping
> > [Mon Mar 09 09:51:53 2015] [warn] module ssl_module is already loaded,
> skipping
> > [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> > [Mon Mar 09 09:51:53 2015] [warn] _default_ VirtualHost overlap on port
> 443, the first has precedence
> >                                                            [FAILED]
> >
>
> First, it looks like you have the same configuration included twice somewhere.
>
> > And then there is only one line in the error log:
> >
> > [Mon Mar 09 09:51:53 2015] [error] Server should be SSL-aware but has no
> certificate configured [Hint: SSLCertificateFile] ((null):0)
> >
> > "apachectl configtest" gives me the same infos as "apachectl -S".
> >
> > Following the last advice of Igor, I assume that I'll have to generate
> two other certificates,
> > one for appserver1.example.com, and another - for appserver2.example.com,
> and then
>
> Or use the same certificate if you were clever enough to generate a wildcard
> one, i.e. *.example.com, since you need to front multiple subdomains of
> the same domain ;-)
>
> > add a reference to them in the VirtualHost *443 definition for these two
> aliased servers.
>
> Correct, also please refer to the SSL vhost section on the Apache web site
> so you fully understand the subject. It's also recommended you make
> yourself familiar with SNI.
>
> > Will try it later in the day..
> >
> > Greetings - Andy.
> >
> >
> >
> >
> >
> >
> > On Mon, Mar 9, 2015 at 5:22 AM, jeffmonte101 . <jeffmonte...@gmail.com>
> wrote:
> >>
> >> Andy,
> >>
> >> What do you see in error logs and proxy logs when you try to bring up
> the web server?
> >>
> >>
> >>
> >> On Sun, Mar 8, 2015 at 5:11 PM, A M <amm.pr...@gmail.com> wrote:
> >>>
> >>>
> >>> Hello Igor, and many thanks for your comment!
> >>>
> >>> I have followed your advice, but now the server refuses to start at
> all.
> >>>
> >>> So now I have in httpd.conf:
> >>>
> >>> ------------------------------------------------
> >>> NameVirtualHost *:80
> >>>
> >>> <VirtualHost *:80>
> >>>      ServerName apachefrontend.example.com
> >>>      ServerAlias appserver1.example.com appserver2.example.com
> >>>      RedirectMatch ^/(.*) https://%{HTTP_HOST}/$1
> >>> </VirtualHost>
> >>>
> >>> <VirtualHost *:443>
> >>>      ServerName appserver1.example.com
> >>>      ProxyRequests Off
> >>>      ProxyPass / http://appserver1.backend
> >>>      ProxyPassReverse / http://appserver1.backend
> >>> </VirtualHost>
> >>>
> >>> <VirtualHost *:443>
> >>>      ServerName appserver2.example.com
> >>>      ProxyRequests Off
> >>>      ProxyPass / http://appserver2.backend
> >>>      ProxyPassReverse / http://appserver2.backend
> >>> </VirtualHost>
> >>>
> >>>
> ------------------------------------------------------------------------
> >>>
> >>> And these uncommented lines in ssl.conf:
> >>>
> >>> -----------------------------------------------------------------------
> >>>
> >>> LoadModule ssl_module modules/mod_ssl.so
> >>> Listen 443
> >>> SSLPassPhraseDialog  builtin
> >>> SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> >>> SSLSessionCacheTimeout  300
> >>> SSLMutex default
> >>> SSLRandomSeed startup file:/dev/urandom  256
> >>> SSLRandomSeed connect builtin
> >>> SSLCryptoDevice builtin
> >>>
> >>> <VirtualHost _default_:443>
> >>> ServerName apachefrontend.example.com:443
> >>>
> >>> ErrorLog logs/ssl_error_log
> >>> TransferLog logs/ssl_access_log
> >>> LogLevel warn
> >>>
> >>> SSLEngine on
> >>> SSLProtocol all -SSLv2 -SSLv3
> >>> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> >>> SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> >>> SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> >>>
> >>> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >>>     SSLOptions +StdEnvVars
> >>> </Files>
> >>>
> >>> <Directory "/var/www/cgi-bin">
> >>>     SSLOptions +StdEnvVars
> >>> </Directory>
> >>>
> >>> SetEnvIf User-Agent ".*MSIE.*" \
> >>>          nokeepalive ssl-unclean-shutdown \
> >>>          downgrade-1.0 force-response-1.0
> >>>
> >>> CustomLog logs/ssl_request_log \
> >>>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >>>
> >>> </VirtualHost>
> >>>
> >>>
> -----------------------------------------------------------------------------------
> >>>
> >>> [root@www conf]# apachectl -S
> >>>
> >>> [Sun Mar 08 12:28:37 2015] [warn] module headers_module is already
> loaded, skipping
> >>> [Sun Mar 08 12:28:37 2015] [warn] module proxy_html_module is already
> loaded, skipping
> >>> [Sun Mar 08 12:28:37 2015] [warn] module ssl_module is already loaded,
> skipping
> >>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on
> port 443, the first has precedence
> >>> [Sun Mar 08 12:28:37 2015] [warn] _default_ VirtualHost overlap on
> port 443, the first has precedence
> >>> VirtualHost configuration:
> >>> wildcard NameVirtualHosts and _default_ servers:
> >>> _default_:8443         apachefrontend.example.com
> (/etc/httpd/conf.d/nss.conf:84)
> >>> _default_:443          apachefrontend.example.com
> (/etc/httpd/conf.d/ssl.conf:74)
> >>> *:443                  appserver1.backend
> (/etc/httpd/conf/httpd.conf:1034)
> >>> *:443                  appserver2.backend
> (/etc/httpd/conf/httpd.conf:1041)
> >>> *:80                   is a NameVirtualHost
> >>>          default server apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
> >>>          port 80 namevhost apachefrontend.example.com
> (/etc/httpd/conf/httpd.conf:1028)
> >>>                  alias appserver1.example.com
> >>>                  alias appserver2.example.com
> >>> Syntax OK
> >>>
> >>> .. and the server refuses to start at all..
> >>>
> >>> Playing with NameVirtualHost *:443 and/or specifying server names explicitly
> >>> with ServerName does not help me to get rid of the overlap on 443. At
> >>> most, I am receiving the missing SSL support errors for the backend servers
> >>> (and I cannot add SSL support for them, they have to remain plain HTTP)..
> >>>
> >>> If you have any further ideas on what to try, please let me know.
> >>>
> >>> Thanks again and best regards - Andy.
> >>>
> >>>
> >>>
> >>> On Sun, Mar 8, 2015 at 2:05 AM, Igor Cicimov <icici...@gmail.com>
> wrote:
> >>>>
> >>>>
> >>>> On 08/03/2015 10:01 AM, "A M" <amm.pr...@gmail.com> wrote:
> >>>> >
> >>>> >
> >>>> > Hello experts,
> >>>> >
> >>>> > I am trying to set up a classical frontend HTTPS Apache Reverse Proxy
> >>>> > for a couple of plain backend HTTP servers sitting on a backend private
> >>>> > network. The platform is CentOS 6, the Apache rpm is httpd-2.2.15-39.el6.centos.
> >>>> >
> >>>> > I first created three DNS entries, all pointing to the same public
> IP:
> >>>> >
> >>>> >          apachefrontend.example.com
> >>>> >          appserver1.example.com
> >>>> >          appserver2.example.com
> >>>> >
> >>>> > I then generated the SSL cert and key for the frontend host and
> verified that
> >>>> > SSL config was correct (all settings and key/cert were defined
> inside the file
> >>>> > /etc/httpd/conf.d/ssl.conf). The URL "https://apachefrontend.example.com"
> >>>> > replied OK.
> >>>> >
> >>>> > I have then set up a forced redirection to port 443 on the mother
> >>>> > server and defined two virtual hosts, in this manner:
> >>>> >
> >>>> > ..
> >>>> > NameVirtualHost *:80
> >>>> >
> >>>>
> >>>> First change this:
> >>>>
> >>>> > <VirtualHost *:80>
> >>>> >      ServerName apachefrontend.example.com
> >>>> >      RedirectMatch ^/(.*)    https://apachefrontend.example.com/$1
> >>>> > </VirtualHost>
> >>>> >
> >>>>
> >>>> to:
> >>>>
> >>>> <VirtualHost *:80>
> >>>>      ServerName apachefrontend.example.com
> >>>>        ServerAlias appserver1.example.com appserver2.example.com
> >>>>
> >>>>      RedirectMatch ^/(.*)    https://%{HTTP_HOST}/$1
> >>>> </VirtualHost>
> >>>>
> >>>> Then get rid of these two:
> >>>>
> >>>> > <VirtualHost *:80>
> >>>> >      ServerName appserver1.example.com
> >>>> >      ProxyRequests Off
> >>>> >      ProxyPass / http://appserver1.backend/
> >>>> >      ProxyPassReverse / http://appserver1.backend/
> >>>> > </VirtualHost>
> >>>> >
> >>>> > <VirtualHost *:80>
> >>>> >      ServerName appserver2.example.com
> >>>> >      ProxyRequests Off
> >>>> >      ProxyPass / http://appserver2.backend/
> >>>> >      ProxyPassReverse / http://appserver2.backend/
> >>>> > </VirtualHost>
> >>>> > ..
> >>>>
> >>>> More specifically, convert them to SSL vhosts:
> >>>>
> >>>> <VirtualHost *:443>
> >>>>      ServerName appserver1.example.com
> >>>>      ProxyRequests Off
> >>>>      ProxyPass / http://appserver1.backend/
> >>>>      ProxyPassReverse / http://appserver1.backend/
> >>>> </VirtualHost>
> >>>>
> >>>> <VirtualHost *:443>
> >>>>      ServerName appserver2.example.com
> >>>>      ProxyRequests Off
> >>>>      ProxyPass / http://appserver2.backend/
> >>>>      ProxyPassReverse / http://appserver2.backend/
> >>>> </VirtualHost>
> >>>>
> >>>> which will effectively do what you want, which is to terminate SSL on the
> >>>> frontend.
> >>>>
> >>>> > Now,
> >>>> >
> >>>> > - If I go to "http://apachefrontend.example.com", I am
> >>>> > correctly ending up at "https://apachefrontend.example.com";
> >>>> >
> >>>> > - If I go to "http://appserver1[2].example.com", I arrive at
> >>>> > the backend servers all right, but only via port 80.
> >>>> >
> >>>> > This behaviour is apparently correct, but so far I have not found
> >>>> > the right configuration options needed  to enforce the secure
> >>>> > connection to the backend servers via the reverse proxy (I may
> >>>> > not enable SSL on the backend servers as they are running some
> >>>> > privately managed applications and cannot be tweaked).
> >>>> >
> >>>> > Could someone kindly post an example of working configuration
> >>>> > of the same type?
> >>>> >
> >>>> > Thanks ahead for any advice!
> >>>> >
> >>>> > Andy.
> >>>> >
> >>>> >
> >>>> >
> >>>
> >>>
> >>
> >
>
