[Cialug] Apache - SSL Proxy - Name Based VirtualHost Problem

Claus cniesen at gmx.net
Fri Oct 19 17:02:16 CDT 2007


Correct, Barry.

Why Apache 1.3.x:
=================
Because I'm weird.  Hey, I use OpenBSD; that should already have given it 
away.  OpenBSD isn't switching to Apache 2.x because of licensing issues, 
so instead they keep their branch of httpd up to date in regard to 
security issues.  In general I have found that using the tools that come 
with OpenBSD or are available as packages is better than forcing 
something on top of it.  With that in mind I'll probably start looking 
at squid.  I heard a lot of people mentioning and using it on the 
OpenBSD mailing list, but so far I haven't realized that I'd have a use 
for it as well.

Squid:
======
As said, not having touched squid at all, I would appreciate slight 
insight if possible.  The main one being: is squid capable of handling 
the SSL tunnel, meaning the outside world connects to it via SSL and 
squid forwards the request to multiple hosts without SSL encryption? 
That's exactly what I wanted to do in the first place with Apache.
Which are the key squid directives that I should look at?  Oh yeah, if 
you are really ambitious, some samples that do something like what I want 
to do are always appreciated.
... and yes, Squid, with version 2.6, is pretty much up to date on OpenBSD. ;)

Hosts cheat:
============
When I got Chris' explanation I thought as well that I could create an 
entry in the /etc/hosts file.  I even started working on that but 
noticed quickly that it won't work because of the SSL.  The "Main Proxy 
Server" already screws it up, and its ProxyPass goes to one IP/address.

Correction to my example:
========================
Nobody noticed, but the "Second Proxy Server" should not have any SSL 
directives.  It's a copy-paste error that I made.  In my tests I did not 
have these.

   Claus

On 10/19/2007 4:55 PM, Barry Von Ahsen wrote:
> apache2 isn't available in the openbsd ports (afaik).  Theo was even 
> madder than debian about the whole patent protection clause
> 
> I'm sure you can compile from an apache tarball, but you'd probably lose 
> many of the things that you're using openbsd for
> 
> -barry
> 
> 
> 
> 
> David Champion wrote:
>> Other than not being a default, do you have any reasons for not going to
>> Apache 2.x? It's been "stable" for years. Most of the arguments against
>> have been pretty well debunked. In my experience, 2.x works just fine,
>> runs faster than 1.3.x, and it has some nice features like the one you
>> mention below that aren't in the 1.3.x tree.
>>
>> -dc
>>
>> Claus wrote:
>>> Great suggestion Chris.  It sounds like you identified the problem.  The
>>> ProxyPass directive takes the new specified server domain name and uses
>>> it in the host header.  Unfortunately I'm using Apache 1.3.29 and the
>>> ProxyPreserveHost directive isn't part of Apache until 2.0.31. It's the
>>> default with the OpenBSD default install and so far I have tried to stay
>>> with that. :(
>>>
>>> Rethinking the whole issue I probably just use the RewriteRule of port
>>> 80 and let the clients connect directly to port 8030 of the final Apache
>>> server.
>>>
>>> Advantages:
>>>  - each domain can have their individual certificate
>>>
>>> Disadvantages:
>>>  - need to update firewall rules
>>>  - client can't easily use https:// address.
>>>
>>> I really thought the proxy would be a neat solution.  Does anybody use
>>> proxy in such a way?  Should I continue considering it and if so are
>>> there other (asides Apache 2.0) that I should consider?
>>>
>>>   Claus
>>>
>>> On 10/19/2007 3:27 PM, chris wrote:
>>> On quick glance I'd say you're losing your host header.  Try adding in
>>> a "ProxyPreserveHost On" in the Main Proxy and in the Second Proxy as
>>> well.
>>>
>>> The default vhost is always the first defined vhost, so in name-based
>>> hosting if nothing matches, you get the first one apache found when
>>> parsing the config.
>>>
>>> BTW, what you are doing we call real privilege separation.  Rici Lake
>>> recently wrote a nice howto on it here:
>>> http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy
>>>
>>> You might find some useful stuff in it.
>>>
>>> cheers!
>>>
>>> chris at ia.gov
>>>
>>>
>>> Claus wrote:
>>>>>> I'm virtualizing the Apache servers, so each server is chrooted to its
>>>>>> directory and PHP scripts from one server can't access the other
>>>>>> servers.  So, on the server I'm running one main Apache instance that
>>>>>> listens to the publicly accessible port 80.  The other Apache instances
>>>>>> listen on localhost only on their respective port (e.g. 8010, 8020).  To
>>>>>> do this, and it does work, I use the following directives for the main
>>>>>> (proxy) Apache instance:
>>>>>>
>>>>>> <Directory proxy:http://localhost:8010/>
>>>>>>   Order deny,allow
>>>>>>   Allow from all
>>>>>> </Directory>
>>>>>> <VirtualHost *:80>
>>>>>>   ServerName host1.example.com
>>>>>>   ProxyPass / http://localhost:8010/
>>>>>>   ProxyPassReverse / http://localhost:8010/
>>>>>> </VirtualHost>
>>>>>>
>>>>>> <Directory proxy:http://localhost:8020/>
>>>>>>   Order deny,allow
>>>>>>   Allow from all
>>>>>> </Directory>
>>>>>> <VirtualHost *:80>
>>>>>>   ServerName host2.example.com
>>>>>>   ProxyPass / http://localhost:8020/
>>>>>>   ProxyPassReverse / http://localhost:8020/
>>>>>> </VirtualHost>
>>>>>>
>>>>>>
>>>>>> The next step was to add an SSL host, which successfully worked by
>>>>>> adding these directives:
>>>>>>
>>>>>> <Directory proxy:http://localhost:8030/>
>>>>>>   SSLRequireSSL
>>>>>>   Order deny,allow
>>>>>>   Allow from all
>>>>>> </Directory>
>>>>>> <VirtualHost *:80>
>>>>>>   ServerName sslhost3.example.com
>>>>>>   RewriteEngine on
>>>>>>   RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
>>>>>> </VirtualHost>
>>>>>> <VirtualHost *:443>
>>>>>>   SSLEngine on
>>>>>>   ServerName sslhost3.example.com
>>>>>>   ProxyPass / http://localhost:8030/
>>>>>>   ProxyPassReverse / http://localhost:8030/
>>>>>>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:
>>>>>>     +MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>>>>>   SSLCertificateFile /etc/ssl/example.com.crt
>>>>>>   SSLCertificateKeyFile /etc/ssl/private/example.com.key
>>>>>>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive
>>>>>>      ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>>>>>> </VirtualHost>
>>>>>>
>>>>>>
>>>>>> Now I want to add another SSL host.  I know that each SSL host needs to
>>>>>> have their unique IP and port pair.  This is due to the fact that SSL
>>>>>> encryption needs to happen before the hostname is disclosed to the
>>>>>> server.  That's why name based virtual hosting doesn't work.
>>>>>> However, with proxy I thought I could do the following:
>>>>>>
>>>>>> 1. Main Proxy Server
>>>>>>   Accepts connection on port 80 and 443.  Forwards proxies port 80 as
>>>>>> usual but forwards port 443 to second proxy server in clear text.
>>>>>>
>>>>>> 2. Second Proxy Server
>>>>>>   Now that the incoming traffic is not encrypted the name based
>>>>>> VirtualHost directive should work.
>>>>>>
>>>>>> So I envisioned the directives to be:
>>>>>>
>>>>>> <VirtualHost *:80>
>>>>>>   ServerName sslhost3.example.com
>>>>>>   RewriteEngine on
>>>>>>   RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
>>>>>> </VirtualHost>
>>>>>> <VirtualHost *:80>
>>>>>>   ServerName sslhost4.example.com
>>>>>>   RewriteEngine on
>>>>>>   RewriteRule ^/(.*) https://sslhost4.example.com/$1 [L,R]
>>>>>> </VirtualHost>
>>>>>>
>>>>>> # Main Proxy Server
>>>>>> <Directory proxy:http://localhost:44344/>
>>>>>>   SSLRequireSSL
>>>>>>   Order deny,allow
>>>>>>   Allow from all
>>>>>> </Directory>
>>>>>> <VirtualHost *:443>
>>>>>>   SSLEngine on
>>>>>>   ServerName sslhost3.example.com
>>>>>>   ServerAlias sslhost4.example.com
>>>>>>   ProxyPass / http://localhost:44344/
>>>>>>   ProxyPassReverse / http://localhost:44344/
>>>>>>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:
>>>>>>     +MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>>>>>   SSLCertificateFile /etc/ssl/example.com.crt
>>>>>>   SSLCertificateKeyFile /etc/ssl/private/example.com.key
>>>>>>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive
>>>>>>      ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>>>>>> </VirtualHost>
>>>>>>
>>>>>> # Second Proxy Server
>>>>>> <Directory proxy:http://localhost:8030/>
>>>>>>   Order deny,allow
>>>>>>   Allow from all
>>>>>> </Directory>
>>>>>> <VirtualHost *:44344>
>>>>>>   SSLEngine on
>>>>>>   ServerName sslhost3.example.com
>>>>>>   ProxyPass / http://localhost:8030/
>>>>>>   ProxyPassReverse / http://localhost:8030/
>>>>>>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:
>>>>>>     +MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>>>>>   SSLCertificateFile /etc/ssl/example.com.crt
>>>>>>   SSLCertificateKeyFile /etc/ssl/private/example.com.key
>>>>>>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive
>>>>>>      ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>>>>>> </VirtualHost>
>>>>>>
>>>>>> <Directory proxy:http://localhost:8040/>
>>>>>>   Order deny,allow
>>>>>>   Allow from all
>>>>>> </Directory>
>>>>>> <VirtualHost *:44344>
>>>>>>   SSLEngine on
>>>>>>   ServerName sslhost4.example.com
>>>>>>   ProxyPass / http://localhost:8040/
>>>>>>   ProxyPassReverse / http://localhost:8040/
>>>>>>   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:
>>>>>>     +MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>>>>>   SSLCertificateFile /etc/ssl/example.com.crt
>>>>>>   SSLCertificateKeyFile /etc/ssl/private/example.com.key
>>>>>>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive
>>>>>>      ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>>>>>> </VirtualHost>
>>>>>>
>>>>>> So far I haven't gotten this to work.  Whatever I do it seems to pick
>>>>>> the first VirtualHost listed, seemingly ignoring the ServerName.  At the
>>>>>> point of processing the port 44344 request no encryption should hinder
>>>>>> the name based VirtualHost resolution, right?  Is there anything I'm
>>>>>> overlooking?
>>>>>>
>>>>>>   Claus
>>>>>>
>>>>>> PS:  I'm aware of the mismatch between the SSL certificate and the domain
>>>>>> names.  At this point I'm not concerned about it.
>>>>>> _______________________________________________
>>>>>> Cialug mailing list
>>>>>> Cialug at cialug.org
>>>>>> http://cialug.org/mailman/listinfo/cialug
> 
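Added illustration, not part of the thread and not Claus's, chris's or the Apache project's code: a small Python model of why the second proxy "always picks the first VirtualHost".  The vhost tables are transcribed from the posted config; the model assumes what chris describes, namely that a ProxyPass hop without ProxyPreserveHost replaces the Host header with the target's own host:port, and that Apache falls back to the first vhost defined for a port when no ServerName/ServerAlias matches.  The "_default_" catch-all variant and the function names are assumptions added for the example.

```python
# Added example (not from the Cialug thread): model of Apache name-based
# VirtualHost selection behind a ProxyPass hop that rewrites the Host header
# (Apache 1.3 mod_proxy, which has no ProxyPreserveHost).  Vhost tables are
# transcribed from the posted config; the catch-all variant is an added
# mitigation and an assumption, not something from the thread.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VirtualHost:
    port: int
    server_name: str                 # ServerName
    aliases: Tuple[str, ...] = ()    # ServerAlias entries
    backend: str = ""                # ProxyPass target host:port ("" = none)


def select_vhost(vhosts: List[VirtualHost], port: int,
                 host_header: str) -> Optional[VirtualHost]:
    """Name-based selection as Apache does it: among the vhosts bound to
    this port, the first whose ServerName or ServerAlias matches the Host
    header; if none matches, the first vhost defined for the port."""
    candidates = [v for v in vhosts if v.port == port]
    if not candidates:
        return None
    name = host_header.rsplit(":", 1)[0].lower()   # "host:port" -> "host"
    for v in candidates:
        if name == v.server_name.lower() or name in (a.lower() for a in v.aliases):
            return v
    return candidates[0]   # the fallback chris describes


def proxy_hop(client_host: str, target: str, preserve_host: bool) -> str:
    """Host header the upstream sees after a ProxyPass hop.  Without
    ProxyPreserveHost the proxy substitutes the target's own host:port."""
    return client_host if preserve_host else target


# Main proxy (port 443): one SSL vhost for both names, forwarding to :44344
MAIN = [
    VirtualHost(443, "sslhost3.example.com", ("sslhost4.example.com",),
                "localhost:44344"),
]

# Second proxy (port 44344) as posted: sslhost3 defined first, then sslhost4
SECOND_AS_POSTED = [
    VirtualHost(44344, "sslhost3.example.com", (), "localhost:8030"),
    VirtualHost(44344, "sslhost4.example.com", (), "localhost:8040"),
]

# Added mitigation (assumed, not from the thread): an explicit catch-all
# defined FIRST, so a request whose Host matches no tenant is refused
# instead of being handed to whichever tenant happened to be listed first.
SECOND_WITH_CATCHALL = [VirtualHost(44344, "_default_", (), "")] + SECOND_AS_POSTED


def trace(client_host: str, preserve_host: bool,
          second: List[VirtualHost] = SECOND_AS_POSTED) -> Tuple[str, str]:
    """Follow one request through both proxies; return (vhost chosen on
    the second proxy, backend it would forward to)."""
    first = select_vhost(MAIN, 443, client_host)
    if first is None:
        raise ValueError("no vhost on the main proxy for port 443")
    upstream_host = proxy_hop(client_host, first.backend, preserve_host)
    chosen = select_vhost(second, 44344, upstream_host)
    if chosen is None:
        raise ValueError("no vhost on the second proxy for port 44344")
    return chosen.server_name, chosen.backend


if __name__ == "__main__":
    for name in ("sslhost3.example.com", "sslhost4.example.com"):
        for preserve in (False, True):
            print(name, "ProxyPreserveHost", "On " if preserve else "Off",
                  "->", trace(name, preserve))
    print("catch-all first, Host lost ->",
          trace("sslhost4.example.com", False, SECOND_WITH_CATCHALL))
```

Run it and the sslhost4 request without a preserved Host header lands on the sslhost3 backend (localhost:8030), which is the symptom in the original post; with the Host header preserved it reaches localhost:8040.  The defender's point of the catch-all variant is that the first-vhost fallback otherwise routes any unmatched Host header, including ones nobody intended, to the first tenant's backend; defining a refusing default first turns that silent misrouting into a visible error.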


