[Cialug] Apache - SSL Proxy - Name Based VirtualHost Problem

Matthew Nuzum newz at bearfruit.org
Fri Oct 19 16:14:43 CDT 2007


Claus:

Something you can do (sometimes) with these cases is to ensure your
proxy server can resolve the hostnames the way you want them to. Then,
instead of proxying to localhost:port, proxy to correct.host.name:port.

So since you're dealing with localhost, you could set up the /etc/hosts file to contain
127.0.0.1 localhost correct.host.name

Also, you can create dummy network interfaces and bind your Apache
processes to these interfaces instead of alternate ports. I've done
this and it works fine.

Just a note, we're not 100% satisfied with Apache's proxying
capability and are switching to Squid. It's just not keeping up with
our traffic load.

Also, can I suggest looking into FastCGI-type solutions? It may be a
simpler configuration for what you're trying to do.

On 10/19/07, Claus <cniesen at gmx.net> wrote:
> I'm virtualizing the Apache servers, so each server is chrooted to its
> directory and PHP scripts from one server can't access the other
> servers.  So, on the server I'm running one main Apache instance that
> listens on the publicly accessible port 80.  The other Apache instances
> listen on localhost only, on their respective ports (e.g. 8010, 8020).  To
> do this, and it does work, I use the following directives for the main
> (proxy) Apache instance:
>
> <Directory proxy:http://localhost:8010/>
>    Order deny,allow
>    Allow from all
> </Directory>
> <VirtualHost *:80>
>    ServerName host1.example.com
>    ProxyPass / http://localhost:8010/
>    ProxyPassReverse / http://localhost:8010/
> </VirtualHost>
>
> <Directory proxy:http://localhost:8020/>
>    Order deny,allow
>    Allow from all
> </Directory>
> <VirtualHost *:80>
>    ServerName host2.example.com
>    ProxyPass / http://localhost:8020/
>    ProxyPassReverse / http://localhost:8020/
> </VirtualHost>
>
>
> The next step was to add an SSL host, which successfully worked by
> adding these directives:
>
> <Directory proxy:http://localhost:8030/>
>    SSLRequireSSL
>    Order deny,allow
>    Allow from all
> </Directory>
> <VirtualHost *:80>
>    ServerName sslhost3.example.com
>    RewriteEngine on
>    RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
> </VirtualHost>
> <VirtualHost *:443>
>    SSLEngine on
>    ServerName sslhost3.example.com
>    ProxyPass / http://localhost:8030/
>    ProxyPassReverse / http://localhost:8030/
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>    SSLCertificateFile /etc/ssl/example.com.crt
>    SSLCertificateKeyFile /etc/ssl/private/example.com.key
>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> </VirtualHost>
>
>
> Now I want to add another SSL host.  I know that each SSL host needs to
> have its own unique IP and port pair.  This is due to the fact that SSL
> encryption needs to happen before the hostname is disclosed to the
> server.  That's why name-based virtual hosting doesn't work.
> However, with a proxy I thought I could do the following:
>
> 1. Main Proxy Server
>    Accepts connections on ports 80 and 443.  Proxies port 80 as
> usual but forwards port 443 to the second proxy server in clear text.
>
> 2. Second Proxy Server
>    Now that the incoming traffic is not encrypted, the name-based
> VirtualHost directive should work.
>
> So I envisioned the directives to be:
>
> <VirtualHost *:80>
>    ServerName sslhost3.example.com
>    RewriteEngine on
>    RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
> </VirtualHost>
> <VirtualHost *:80>
>    ServerName sslhost4.example.com
>    RewriteEngine on
>    RewriteRule ^/(.*) https://sslhost4.example.com/$1 [L,R]
> </VirtualHost>
>
> # Main Proxy Server
> <Directory proxy:http://localhost:44344/>
>    SSLRequireSSL
>    Order deny,allow
>    Allow from all
> </Directory>
> <VirtualHost *:443>
>    SSLEngine on
>    ServerName sslhost3.example.com
>    ServerAlias sslhost4.example.com
>    ProxyPass / http://localhost:44344/
>    ProxyPassReverse / http://localhost:44344/
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>    SSLCertificateFile /etc/ssl/example.com.crt
>    SSLCertificateKeyFile /etc/ssl/private/example.com.key
>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> </VirtualHost>
>
> # Second Proxy Server
> <Directory proxy:http://localhost:8030/>
>    Order deny,allow
>    Allow from all
> </Directory>
> <VirtualHost *:44344>
>    SSLEngine on
>    ServerName sslhost3.example.com
>    ProxyPass / http://localhost:8030/
>    ProxyPassReverse / http://localhost:8030/
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>    SSLCertificateFile /etc/ssl/example.com.crt
>    SSLCertificateKeyFile /etc/ssl/private/example.com.key
>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> </VirtualHost>
>
> <Directory proxy:http://localhost:8040/>
>    Order deny,allow
>    Allow from all
> </Directory>
> <VirtualHost *:44344>
>    SSLEngine on
>    ServerName sslhost4.example.com
>    ProxyPass / http://localhost:8040/
>    ProxyPassReverse / http://localhost:8040/
>    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>    SSLCertificateFile /etc/ssl/example.com.crt
>    SSLCertificateKeyFile /etc/ssl/private/example.com.key
>    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> </VirtualHost>
>
> So far I haven't gotten this to work.  Whatever I do it seems to pick
> the first VirtualHost listed, seemingly ignoring the ServerName.  At the
> point of processing the port 44344 request no encryption should hinder
> the name-based VirtualHost resolution, right?  Is there anything I'm
> overlooking?
>
>    Claus
>
> PS:  I'm aware of the mismatch between the SSL certificate and the domain
> names.  At this point I'm not concerned about it.
>


-- 
Matthew Nuzum
newz2000 on freenode
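An added example, not code from either poster: a small Python audit over a constructed sample modelled on the quoted second-proxy configuration (with the front proxy's :443 vhost included, so the hand-off is visible), flagging the three things a reviewer would check in it: several VirtualHost blocks on one address with no matching NameVirtualHost (Apache 2.2 then serves the first block listed, which is the symptom described), SSLEngine on in a vhost that an upstream ProxyPass reaches over plain http://, and an SSLCipherSuite string that enables eNULL, EXP, LOW or SSLv2. It assumes both instances' configs are concatenated into one text and that a line-oriented parser is enough for this excerpt.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the post's second-proxy layout, with the front proxy's :443 vhost prepended.
SAMPLE = """
<VirtualHost *:443>
   SSLEngine on
   ProxyPass / http://localhost:44344/
</VirtualHost>
<VirtualHost *:44344>
   SSLEngine on
   ServerName sslhost3.example.com
   ProxyPass / http://localhost:8030/
   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
<VirtualHost *:44344>
   SSLEngine on
   ServerName sslhost4.example.com
   ProxyPass / http://localhost:8040/
</VirtualHost>
"""
WEAK = ("eNULL", "aNULL", "EXP", "LOW", "SSLv2", "ADH")  # cipher tokens that must never be enabled
def parse(text):  # returns (NameVirtualHost addrs, [(addr, {directive: [values]})])
    named, vhosts, cur = set(), [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            cur = (m.group(1).strip(), defaultdict(list))
        elif line.lower() == "</virtualhost>":
            vhosts.append(cur); cur = None
        elif line.lower().startswith("namevirtualhost "):
            named.add(line.split(None, 1)[1].strip())
        elif cur and line and not line.startswith("#"):
            key, _, val = line.partition(" "); cur[1][key].append(val.strip())
    return named, vhosts

def audit(text):
    named, vhosts = parse(text)
    per_addr, plain_ports, out = defaultdict(list), set(), []
    for addr, d in vhosts:  # a plain http:// ProxyPass target means the next hop receives clear text on that port
        per_addr[addr].append(d)
        plain_ports |= {m.group(1) for v in d["ProxyPass"] if (m := re.search(r"\shttp://[^/:\s]+:(\d+)", " " + v))}
    for addr, ds in per_addr.items():
        port = addr.rsplit(":", 1)[-1]
        if len(ds) > 1 and addr not in named:
            out.append(f"{addr}: {len(ds)} vhosts but no 'NameVirtualHost {addr}'; Apache 2.2 serves the first")
        for d in ds:
            if "on" in [x.lower() for x in d["SSLEngine"]] and port in plain_ports:
                out.append(f"{addr}: SSLEngine on, but a ProxyPass sends plain http:// to port {port}")
            for cs in d["SSLCipherSuite"]:
                if bad := [t for t in WEAK if re.search(rf"(^|[:+])\+?{t}\b", cs)]: out.append(f"{addr}: SSLCipherSuite enables {','.join(bad)}")
    return out
```

Running `audit(SAMPLE)` reports four findings for the sample; adding `NameVirtualHost *:44344`, dropping `SSLEngine on` from the two :44344 vhosts and trimming the cipher string brings it to zero.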