nrssl@thepinc.com | 10 Jul 2008 22:23

SSL proxy

I have several web servers currently that all have the same IP, but
different host names, and I have an apache that uses mod_proxy to direct
requests to the correct internal server to process the request.

I would like to use my apache proxy server to provide SSL encryption and
decryption, and not have to have each individual server do that.

Is that possible?

I have worked with virtual host configuration, and I have tried to set up
the ssl stuff so that this will work, but so far I have not been successful.

I have tried to search for this, but the closest I have come is proxy to an
ssl server.  I want to have the proxy server do the ssl stuff for me.

Can anyone provide instructions or links?

Thanks.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Gilles Cuesta (Gmail) | 10 Jul 2008 22:38

Re: SSL proxy

nrssl <at> thepinc.com wrote:
> I have several web servers currently that all have the same IP, but
> different host names, and I have an apache that uses mod_proxy to direct
> requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption and
> decryption, and not have to have each individual server do that.
>
> Is that possible?
>   
Apparently, understanding what you want to do, it's possible.

It might depend on Apache / mod_ssl versions.

One of the best ways is doing encrypted HTTPS between client and proxy
and clear HTTP between proxy and real server.
You can also do encrypted HTTPS between proxy and real server, just by
adding some Apache configuration.

nrssl@thepinc.com | 10 Jul 2008 22:53

(unknown)

Yes, that is exactly what I want to do.  Any pointers?

Thanks.

Gilles Cuesta wrote:

> One of the best ways is doing encrypted HTTPS between client and proxy
> and clear HTTP between proxy and real server.


mdn teo | 11 Jul 2008 09:30

Re: SSL proxy

How is it possible? By definition SSL does not allow different host names on the same IP:PORT.
Or is there something I'm missing?

---------- Forwarded message ----------
From: Gilles Cuesta (Gmail) <gilles.cuesta <at> gmail.com>
Date: Thu, Jul 10, 2008 at 10:38 PM
Subject: Re: SSL proxy
To: modssl-users <at> modssl.org


nrssl <at> thepinc.com wrote:

I have several web servers currently that all have the same IP, but
different host names, and I have an apache that uses mod_proxy to direct
requests to the correct internal server to process the request.

I would like to use my apache proxy server to provide SSL encryption and
decryption, and not have to have each individual server do that.

Is that possible?
 
Apparently, understanding what you want to do, it's possible.

It might depend on Apache / mod_ssl versions.

One of the best ways is doing encrypted HTTPS between client and proxy and clear HTTP between proxy and real server.
You can also do encrypted HTTPS between proxy and real server, just by adding some Apache configuration.

Eckard Wille | 11 Jul 2008 09:57

Re: SSL proxy

nrssl <at> thepinc.com wrote:
> I have several web servers currently that all have the same IP, but
> different host names, and I have an apache that uses mod_proxy to direct
> requests to the correct internal server to process the request.
> 
> I would like to use my apache proxy server to provide SSL encryption and
> decryption, and not have to have each individual server do that.
> 
> Is that possible?
> 
> I have worked with virtual host configuration, and I have tried to set up
> the ssl stuff so that this will work, but so far I have not been successful.
> 
> I have tried to search for this, but the closest I have come is proxy to an
> ssl server.  I want to have the proxy server do the ssl stuff for me.

Hi,

you can not use SSL with virtual hosting, see 
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

You'll have to get a dedicated IP for every single SSL host. You could 
play around with one SSL proxy on your single IP with a common name 
and do some rewriting according to a URL prefix matching the secure 
parts of your backend virtual hosts; decide yourself if this config 
work is worth it.

Regards

Eckard

Cuesta Gilles | 11 Jul 2008 10:02

Re: SSL proxy

Eckard Wille wrote:
> nrssl <at> thepinc.com wrote:
>> I have several web servers currently that all have the same IP, but
>> different host names, and I have an apache that uses mod_proxy to direct
>> requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption and
>> decryption, and not have to have each individual server do that.
>>
>> Is that possible?
>>
>> I have worked with virtual host configuration, and I have tried to set up
>> the ssl stuff so that this will work, but so far I have not been successful.
>>
>> I have tried to search for this, but the closest I have come is proxy to an
>> ssl server.  I want to have the proxy server do the ssl stuff for me.
>
> Hi,
>
> you can not use SSL with virtual hosting, see 
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
> You'll have to get a dedicated IP for every single SSL host. You could 
> play around with one SSL proxy on your single IP with a common name 
> and do some rewriting according to a URL prefix matching the secure 
> parts of your backend virtual hosts; decide yourself if this config 
> work is worth it.
I thought that using wildcard or multi-CN certificates will work?
In this case, only one certificate is needed for a range of vhosts.

-- 
Gilles CUESTA - Logiciels Libres
69139920

Eckard Wille | 11 Jul 2008 11:56

Re: SSL proxy

Cuesta Gilles wrote:
> I thought that using wildcard or multi-CN certificates will work?

No.

> In this case, only one certificate is needed for a range of vhosts.

If you only have one ip this won't make things better because virtual 
hosting is still not possible. Wildcard certs do not enable vHosting 
because the ssl handshake still takes place before the http host 
header can be evaluated. They were offered by CAs to make it easier 
for admins so they wouldn't have to fiddle around with dozens of certs 
and their validity management in a masshosting environment or for 
subdomains.

Eckard

Cuesta Gilles | 11 Jul 2008 12:44

Re: SSL proxy

Eckard Wille wrote:
> Cuesta Gilles wrote:
>> I thought that using wildcard or multi-CN certificates will work?
>
> No.
>
>> In this case, only one certificate is needed for a range of vhosts.
>
> If you only have one ip this won't make things better because virtual 
> hosting is still not possible. Wildcard certs do not enable vHosting 
> because the ssl handshake still takes place before the http host 
> header can be evaluated. They were offered by CAs to make it easier 
> for admins so they wouldn't have to fiddle around with dozens of certs 
> and their validity management in a masshosting environment or for 
> subdomains.
>

So what about this ?
"*MULTIPLE CN (SAN) SERVER CERTIFICATES*

This type of certificate (also called /Subject Alternative Name/ (SAN) ) 
enables to secure not only one website but a large number of sites (a 
list of sites) hosted on a shared infrastructure (server with multiple 
names, reverse proxy). Ideal to secure multiple brands of a corporation. 
One certificate per hardware is required."

http://www.tbs-certificats.com/index.html.en

-- 
Gilles CUESTA - Logiciels Libres
69139920

Eckard Wille | 11 Jul 2008 12:57

Re: SSL proxy

Cuesta Gilles wrote:
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> 
> This type of certificate (also called /Subject Alternative Name/ (SAN) ) 
> enables to secure not only one website but a large number of sites (a 
> list of sites) hosted on a shared infrastructure (server with multiple 
> names, reverse proxy). Ideal to secure multiple brands of a corporation. 
> One certificate per hardware is required."

This only means that one host can have several names by configuring 
ServerName and ServerAlias, but does not enable virtual hosting.

Eckard

Eckard Wille | 11 Jul 2008 13:34

Re: SSL proxy

Eckard Wille wrote:
> Cuesta Gilles wrote:
>> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>>
>> This type of certificate (also called /Subject Alternative Name/ (SAN) 
>> ) enables to secure not only one website but a large number of sites 
>> (a list of sites) hosted on a shared infrastructure (server with 
>> multiple names, reverse proxy). Ideal to secure multiple brands of a 
>> corporation. One certificate per hardware is required."
> 
> This only means that one host can have several names by configuring 
> ServerName and ServerAlias, but does not enable virtual hosting.

Hi Cuesta,

with some tricks you could achieve your goal by using the preconditions 
of mod_rewrite rules. If your ssl proxy has one single host entry with 
such a multi-named cert, it may be possible to rewrite via proxy after 
a look at the host header:

   RewriteEngine on
   # Match the Host header exactly (anchored, dots escaped, optional :port)
   # so only configured names are proxied; [P] needs a full URL with scheme.
   RewriteCond %{HTTP_HOST} ^www\.vhost1\.com(:[0-9]+)?$ [NC]
   RewriteRule ^/(.*) http://www.internal.http.vhost1.com/$1 [P]

   RewriteCond %{HTTP_HOST} ^www\.vhost2\.com(:[0-9]+)?$ [NC]
   RewriteRule ^/(.*) http://www.internal.http.vhost2.com/$1 [P]

If this works for you depends also on the backend webapps, for example 
if they are capable of running behind a reverse proxy with a different 
http schema (HTTP<->HTTPS, servername references in html, internal 
redirects...).

Good luck

Eckard
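Added example (not from this thread or from mod_ssl): it models the two points argued above, the wildcard-versus-SAN coverage question and the Host-header dispatch that the RewriteCond/RewriteRule pairs perform on the terminating proxy. Hostnames, backend URLs and the 421 response for unconfigured hosts are constructed assumptions.

```python
from typing import Iterable, List, Tuple

def hostname_matches(cert_name: str, host: str) -> bool:
    """Return True if a certificate DNS name (CN or SAN entry) covers host.
    A wildcard is honoured only as the whole left-most label and matches
    exactly one label (RFC 6125 style), so *.vhost1.com covers
    www.vhost1.com but neither www.vhost2.com nor a.b.vhost1.com."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    c_labels, h_labels = cert_name.split("."), host.split(".")
    if c_labels[0] != "*" or len(c_labels) < 3 or len(c_labels) != len(h_labels):
        return False
    return c_labels[1:] == h_labels[1:]

def covered_vhosts(cert_names: Iterable[str], vhosts: Iterable[str]) -> List[str]:
    """Which configured vhosts does the certificate's name list cover?
    Anything missing here will raise a certificate warning in clients."""
    names = list(cert_names)
    return [v for v in vhosts if any(hostname_matches(n, v) for n in names)]

# Constructed mapping: what the RewriteCond/RewriteRule pairs encode.
BACKENDS = {
    "www.vhost1.com": "http://www.internal.http.vhost1.com",
    "www.vhost2.com": "http://www.internal.http.vhost2.com",
}

def route_by_host(host_header: str, path: str) -> Tuple[int, str]:
    """Dispatch a decrypted request to its backend by Host header.
    Returns (status, target_url). Hosts not in BACKENDS get 421
    (Misdirected Request) rather than being proxied anywhere, which
    keeps the terminator from acting as an open relay."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")  # drop :port
    backend = BACKENDS.get(host)
    if backend is None or not path.startswith("/"):
        return 421, ""
    return 200, backend + path

if __name__ == "__main__":
    san_cert = ["proxy.example.com", "www.vhost1.com", "www.vhost2.com"]
    print(covered_vhosts(san_cert, BACKENDS))           # both vhosts
    print(covered_vhosts(["*.vhost1.com"], BACKENDS))   # only www.vhost1.com
    print(route_by_host("www.vhost2.com:443", "/app/index.html"))
    print(route_by_host("evil.example.net", "/"))       # (421, '')
```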