TLS handling with reverse proxy


TLS handling with reverse proxy

Tom Browder
I have a successful non-Apache reverse proxy server working behind a non-TLS public-facing Apache server. What do I have to do to use TLS with Let's Encrypt managed certificates?

I have "normal" managed TLS servers working fine, but the reverse proxy TLS settings are a mystery to me.

Thanks.

Best regards,

-Tom


Re: TLS handling with reverse proxy

Tom Browder
On Sun, Aug 30, 2020 at 06:58 Tom Browder <[hidden email]> wrote:
I have a successful non-apache reverse proxy server working behind a non-tls public-facing apache server. What do I have to do to use TLS with Let's Encrypt certs managed certificates?

I'll be showing the virtual host macro I'm using to get this to work, but it will have to be a bit later today when I can get to my real computer.

-Tom



Re: TLS handling with reverse proxy

Yuma Technical Inc.
I may be using the setup you describe. I have Webmin to manage services (independent of Apache) and access it over https (using a (browser-trusted) certificate I made).
Webmin could be accessed with either the :<port> ending or a subdomain (via reverse-proxying). But now I can only access via :<port>, so something is not working properly.

Anyway my extra config file contained:

<IfModule mod_ssl.c>
    # OCSP stapling for the certificates this host serves
    SSLUseStapling On
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
    # _default_ is the fallback vhost for this port: it answers when no
    # name-based (SNI) vhost matches the name the client asked for
    <VirtualHost _default_:${APACHE_SSL_PORT}>
        SSLEngine on
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        # Re-encrypt the proxied connection to the HTTPS backend
        SSLProxyEngine On
        ProxyRequests Off       # reverse proxy only, never a forward proxy
        ProxyPreserveHost Off   # backend sees the ProxyPass host, not the client's Host header
        # Both Off: the backend certificate's CN/SAN are not checked against the host name
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
        <IfDefine APACHE_LOG_DIR>
            ServerAdmin ${APACHE_ADM_EMAIL}
            ServerName webmin.${APACHE_SVR_NAME}
            ErrorLog ${APACHE_LOG_DIR}/error.ssl.log
            CustomLog ${APACHE_LOG_DIR}/access.ssl.log combined
            SSLCertificateFile ${APACHE_SSL_CRT}
            SSLCertificateKeyFile ${APACHE_SSL_KEY}
            SSLCertificateChainFile ${APACHE_SSL_CHAIN}
            # Forward everything to Webmin's own HTTPS listener
            ProxyPass / https://${APACHE_SVR_NAME}:${WEBMIN_PORT}
            ProxyPassReverse / https://${APACHE_SVR_NAME}:${WEBMIN_PORT}
        </IfDefine>
    </VirtualHost>
</IfModule>


On Aug 30, 2020, at 8:58 AM, Tom Browder <[hidden email]> wrote:

On Sun, Aug 30, 2020 at 06:58 Tom Browder <[hidden email]> wrote:
I have a successful non-apache reverse proxy server working behind a non-tls public-facing apache server. What do I have to do to use TLS with Let's Encrypt certs managed certificates?

I'll be showing the virtual host macro I'm using to get this to work, but it will have to be a bit later today when I can get to my real computer.

-Tom




Re: TLS handling with reverse proxy

Tom Browder
On Sun, Aug 30, 2020 at 10:37 Yuma Technical Inc. <[hidden email]> wrote:
I may be using the setup you describe.  I have Webmin to manage services
...

Thanks, that helps. My data flow is a bit different, but every little piece of a working solution is a step in the right direction!

Best regards:

-Tom

Re: TLS handling with reverse proxy

Tom Browder
On Sun, Aug 30, 2020 at 11:12 Tom Browder <[hidden email]> wrote:
On Sun, Aug 30, 2020 at 10:37 Yuma Technical Inc. <[hidden email]> wrote:
I may be using the setup you describe.  I have Webmin to manage services
...

Can you tell me how the _default_ works with SNI virtual hosts?

-Tom

Re: TLS handling with reverse proxy

Tom Browder


On Mon, Aug 31, 2020 at 07:10 Tom Browder <[hidden email]> wrote:
On Sun, Aug 30, 2020 at 11:12 Tom Browder <[hidden email]> wrote:
On Sun, Aug 30, 2020 at 10:37 Yuma Technical Inc. <[hidden email]> wrote:
I may be using the setup you describe.  I have Webmin to manage services
...

Can you tell me how the _default_  works with SNI virtual hosts?

I should have been clearer. I'm using an Apache macro, so where you have "_default_...." I have ${DOMAIN} ${TLD} ${PORT}.

Then, for the proxy pass I use https://localdomain:${PORT}.

So I'm trying to see how it all maps to/from front to back.

All works great without TLS, but TLS so far is a show stopper.

-Tom



Re: TLS handling with reverse proxy

Yuma Technical Inc.
Hi

Don’t forget the “:” between host and port.  If you want, even *:* will allow any server on any port…
So I guess ${DOMAIN}.${TLD}:${PORT}


On Aug 31, 2020, at 8:19 AM, Tom Browder <[hidden email]> wrote:



On Mon, Aug 31, 2020 at 07:10 Tom Browder <[hidden email]> wrote:
On Sun, Aug 30, 2020 at 11:12 Tom Browder <[hidden email]> wrote:
On Sun, Aug 30, 2020 at 10:37 Yuma Technical Inc. <[hidden email]> wrote:
I may be using the setup you describe.  I have Webmin to manage services
...

Can you tell me how the _default_  works with SNI virtual hosts?

I should have been clearer. I'm using an Apache macro  so where you have "_default_...." I have ${DOMAIN} ${TLD} ${PORT}.

Then, for the proxy pass I use https://localdomain:${PORT}.

So I'm trying to see how it all maps to/from front to back.

All works great without TLS, but TLS so far is a show stopper.

-Tom




Re: TLS handling with reverse proxy

Tom Browder
On Mon, Aug 31, 2020 at 14:18 Yuma Technical Inc. <[hidden email]> wrote:
Don’t forget the “:” between host and port.  If you want, even *
So I guess ${DOMAIN}.${TLD}:${PORT}

That is part of the macro definition. The vhost details come after that and its format is correct as you showed it.

I think I'm getting to the proxy pass point okay. My logs don't show any errors but I can't see that my backend server is reading the frontend data properly.

Can you show any code from the backend server? How does it listen or respond to the proxypass data?

Thanks,

Best regards,

-Tom
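An added example, not the configuration of either poster, of how the macro Tom describes can be written so that each site gets its own SNI vhost on the public-facing Apache, terminates TLS with its Let's Encrypt certificate, re-encrypts to the local backend with the backend certificate actually verified (instead of the CheckPeerCN/CheckPeerName Off shown earlier in the thread), and passes the original Host and scheme through so the backend can tell what the frontend received. The macro name, its parameter names, the certbot paths under /etc/letsencrypt/live, the backend CA file and ${APACHE_LOG_DIR} are all assumptions for illustration; mod_macro, mod_ssl, mod_proxy, mod_proxy_http and mod_headers must be loaded.

```apache
# Added example with assumed names; not taken from the thread's configs.
<Macro TlsProxy $domain $tld $port>
    # A name-based vhost: the client's SNI name selects this block.
    # A <VirtualHost _default_:443> (or simply the first *:443 vhost) is
    # only the fallback Apache uses when no ServerName matches.
    <VirtualHost *:443>
        ServerName $domain.$tld

        SSLEngine on
        # Paths as certbot lays them out (assumed).
        SSLCertificateFile    /etc/letsencrypt/live/$domain.$tld/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/$domain.$tld/privkey.pem

        # Re-encrypt towards the backend and verify its certificate chain
        # against a CA we trust (assumed file), rather than switching
        # the peer checks off.
        SSLProxyEngine on
        SSLProxyVerify require
        SSLProxyVerifyDepth 2
        SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem
        SSLProxyCheckPeerName on

        ProxyRequests Off          # reverse proxy only, never a forward proxy
        # Backend receives "Host: $domain.$tld". Apache also uses that
        # name as SNI towards the backend, so the backend certificate
        # must be valid for $domain.$tld (a shared LE cert satisfies this).
        ProxyPreserveHost On
        # mod_proxy_http adds X-Forwarded-For/Host/Server by itself;
        # the scheme is not forwarded unless we set it.
        RequestHeader set X-Forwarded-Proto "https"

        ProxyPass        / https://localhost:$port/
        ProxyPassReverse / https://localhost:$port/

        ErrorLog  ${APACHE_LOG_DIR}/$domain.$tld-ssl-error.log
        CustomLog ${APACHE_LOG_DIR}/$domain.$tld-ssl-access.log combined
    </VirtualHost>
</Macro>

# One Use line per site; each expands to its own SNI vhost on port 443.
Use TlsProxy example com 8443
Use TlsProxy example org 9443
UndefMacro TlsProxy
```

To see which vhost a given SNI name actually selects on the frontend, run `openssl s_client -connect frontend:443 -servername example.com` and compare the certificate subject with the one for a name no vhost claims, which should fall back to the default vhost's certificate.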

Re: TLS handling with reverse proxy

Yuma Technical Inc.
Hi

In my case, I use Webmin. It is written in Perl and the HTTP server is Miniserv. One can set the listen port number, whether to use HTTPS, and many other parameters, in an INI file. So I don't have any code to show you for this. If you ask for a specific file, I can show that, otherwise I'm at a loss...

On Aug 31, 2020, at 7:50 PM, Tom Browder <[hidden email]> wrote:

On Mon, Aug 31, 2020 at 14:18 Yuma Technical Inc. <[hidden email]> wrote:
Don’t forget the “:” between host and port.  If you want, even *
So I guess ${DOMAIN}.${TLD}:${PORT}

That is part of the macro definition. The vhost details come after that and its format is correct as you showed it.

I think I'm getting to the proxy pass point okay. My logs don't show any errors but I can't see that my backend server is reading the frontend data properly.

Can you show any code from the backend server? How does it listen or respond to the proxypass data?

Thanks,

Best regards,

-Tom