Reverse Proxy with Apache over https
I have an apache server running on ec2 that I want to proxy to mysite.com. I figured out how to compile apache and get it running. I also added "ProxyPass / http://mysite.com" which correctly redirects requests to my ec2 server to mysite.com. However, it does not pass on https connections. Any idea how I can do this?
I don't think I should need any certs on the apache server as it'll just be passing the request onward.
My httpd.conf looks like this:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so
ProxyPass / http://mysite.com/
Currently http://my-ec2-instance.amazonaws.com does redirect to http://mysite.com, but the https url doesn't redirect. I get an error that says:
Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.
I'd be happy if all http redirected to https or if https just worked on redirecting to https.
Anyone know how to make this work?
If you just want to redirect clients, it sounds to me as though you need to use mod_alias and the Redirect directive. This should be a lot simpler than a proxy. If you actually want to proxy the connection (i.e. the inital server my-ec2-instance.amazonaws.com to make the connection to mysite.com on behalf of the client) then in my experience you WILL need an SSL cert on on the proxy, otherwise you won't be able to encrypt between the client and proxy.
You could try something like:
The problem is that I really need to proxy instead of just redirect.
I have an app on https://mysite.appspot.com (hosted by Google) and I want to make it look like https://mysite.com. Google doesn't offer this in their app engine service so I'm trying to work around it so I can keep my traffic https.
Any idea how this can be done? I would have thought the proxy would just pass the encrypted traffic through, but perhaps I need to decrypt at the ec2 instance serving https://www.mysite.com and encrypt it separately for https://mysite.appspot.com?
I have done this before, although quite a long time ago now!
A proxy won't pass encrypted traffic through, or any traffic for that matter. This isn't the way a proxy works. A proxy accepts an incoming connection from a client and then makes a second connection to the destination on behalf of the client. This is why you will need an SSL cert on the proxy - to allow the HTTPS session to be set up between the client and the proxy server itself.
The only way I have ever got this to work was to configure squid to act as a reverse proxy listening on port 80 for HTTP connections and port 443 for HTTPS connections. There is a rough document on how to do this on the squid wiki here although you don't really need a wildcard certificate unless you're running this for multiple hostnames (which you're not in your example). Hopefully this will give you a fair idea how to do it with squid.
If you do go down this route, make sure you're not running an open proxy!
Thanks Steve! One final question - have I closed up the proxy ports (and any other security issues) correctly here? Below is a short write-up on how this worked.
One trick is that you need to compile squid yourself with the --enable-ssl option for the ssl to work. Hopefully this write-up can help the next person! :)
apt-get install devscripts build-essential
apt-get source squid3
apt-get build-dep squid3
nano debian/rules # or whatever editor you use
add the --enable-ssl line among the other --enable-blah- lines in the configure file
debuild -us -uc
dpkg -i your_built_package.deb
sudo squid3 restart
Configure squid.conf file:
Find it under /etc/squid3/squid.conf and add the following to the top of that file:
https_port 443 accel cert=/usr/newrprgate/CertAuth/testcert.cert key=/usr/newrprgate/CertAuth/testkey.pem defaultsite=mybackendsite.com
cache_peer https://mybackendsite.com parent 80 0 no-query originserver login=PASS name=pcs
acl pc_secure_site dstdomain mybackendsite.com
cache_peer_access pcs allow pc_secure_site
http_access allow pc_secure_site
# Basic parameters
# This line indicates the server we will be proxying for
http_port 80 accel defaultsite=mybackendsite.com
# And the IP Address for it - adjust the IP and port if necessary
cache_peer http://mybackendsite.com parent 80 0 no-query originserver login=PASS name=pc
acl all src 0.0.0.0/0.0.0.0
acl our_sites dstdomain mybackendsite.com
http_access allow our_sites
cache_peer_access pc allow our_sites
cache_peer_access pc deny all
From a quick look it appears that it should be secure - the acl should only allow access to the site you have specified so all should be good. You could probably verify this yourself by configuring an external machine to use your squid installation as it's proxy and see if you can get to any site other than that on your acl.
|All times are GMT -5. The time now is 12:27 PM.|