trying to proxy SSL requests to another port to hide port # in URL

mtlhd · 07-01-2010, 12:46 PM

Hey all,
Got a toughie.
At least it is for me.
server:
LAMP - debian, apache2, mysql, php5

a bit info on my network:
There is a another service here that already uses port 443 already. It made my website time out, hence the move to another port. PLus, i dont want the 2 services sharing the port.

What I am trying to do is forward 443 requests to another port where the SSL service is running so I can hide my port number in the URL.

Is there a way to make this happen?

Here is my sites available conf file:

Code:

NameVirtualHost *:80
NameVirtualHost *:443
NameVirtualHost *:####
DirectoryIndex index.htm index.html index.php

<VirtualHost *:80>
	ServerName www.mysite.com
	ServerAlias mysite.com
	ServerAdmin webmaster@mysite.com
	DocumentRoot /home/me/www/mysite
	<Directory />
		Options FollowSymLinks -Indexes
		AllowOverride None
		Order deny,allow
		allow from all
	</Directory>
	ErrorLog /var/log/apache2/error.log
	CustomLog /home/me/www/mysite/logs/access.log combined
	RewriteEngine On
	RewriteCond %{HTTP_HOST} ^(mysite.com|misite.com|www.misite.com) [NC]
	RewriteRule ^(.*)$ http://www.mysite.com$1 [R=301,L]
</VirtualHost>

<VirtualHost _default_:443>
	ServerName www.mysite.com
	ServerAlias mysite.com
	ServerAdmin webmaster@mysite.com
	SSLProxyEngine on
        RewriteEngine on
	ProxyPass / https://www.mysite.com:####/
	ProxyPassReverse / https://www.mysite.com:####/
</VirtualHost>

<VirtualHost _default_:####>
	ServerName www.mysite.com:####
        ServerAlias mysite.com
	ServerAdmin webmaster@mysite.com
	DocumentRoot /home/me/www/mysite
	<Directory />
		Options FollowSymLinks -Indexes
		AllowOverride None
		Order Allow,Deny
		Allow from all
	</Directory>
	ErrorLog /var/log/apache2/ssl-error.log
	CustomLog /home/me/www/mysite/logs/access.log combined
	SSLEngine on
	SSLCertificateFile /etc/apache2/ssl.crt/mysite.com.crt
	SSLCertificateKeyFile /etc/apache2/ssl.key/mysite.com.key
</VirtualHost>

zirias · 07-02-2010, 12:30 AM

No. Just used mod_gnutls instead of mod_ssl for https, it supports Server Name Indication in SSL handshake, most browsers support it too, so you will get name-based virtual hosts with SSL

mtlhd · 07-02-2010, 08:12 AM

Quote:

Originally Posted by zirias

No. Just used mod_gnutls instead of mod_ssl for https, it supports Server Name Indication in SSL handshake, most browsers support it too, so you will get name-based virtual hosts with SSL

Thank you for the idea, looking into it now!

mtlhd · 07-06-2010, 10:30 AM

GnuTLS: Failed to Import Private Key - ASN1 parser: Error in DER parsing.

here is my conf file:

Code:

#Mod_GNUTLS currently enabled
	GnuTLSEnable on
	GnuTLSCertificateFile /etc/apache2/ssl.crt/mysite.crt
	GnuTLSKeyFile /etc/apache2/ssl.key/mysite.key
	GnuTLSPriorities NORMAL

I'm not understanding the issue. This is a cert that was bought from a service.

Thanks in advance.

zirias · 07-06-2010, 10:38 AM

Hmm, I only use files in PEM format and have no such issues -- maybe you could try converting your key from DER to PEM format using the openssl commandline utility?

mtlhd · 07-06-2010, 01:33 PM

Code:

OpenSSL> x509 -in mysite.crt -inform DER -out mysite_p.crt -outform PEM
unable to load certificate
482:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
482:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
error in x509

That was the result, but when I just checked the crt, it reported back fine.

zirias · 07-06-2010, 01:39 PM

Hmm, but when OpenSSL /as well as/ GnuTLS have problems reading the file, there must be something broken in the file. So the same file actually DID work with mod_ssl? This is kind of surprising because mod_ssl uses OpenSSL, so OpenSSL should be capable of reading it....

mtlhd · 07-06-2010, 02:11 PM

Quote:

Originally Posted by zirias

Hmm, but when OpenSSL /as well as/ GnuTLS have problems reading the file, there must be something broken in the file. So the same file actually DID work with mod_ssl? This is kind of surprising because mod_ssl uses OpenSSL, so OpenSSL should be capable of reading it....

Thank you for all your help thus far.

Yea, I was thinking the same thing. mod_ssl worked fine, even on another port, I just simply can not show the port on the URL and can't use 443 because something already sits on it.

I am not lucky

mtlhd · 07-06-2010, 03:24 PM

Quote:

Originally Posted by zirias

Hmm, but when OpenSSL /as well as/ GnuTLS have problems reading the file, there must be something broken in the file. So the same file actually DID work with mod_ssl? This is kind of surprising because mod_ssl uses OpenSSL, so OpenSSL should be capable of reading it....

Is it possible the cert i bought is the problem???, I figured they were standard for either mod.

zirias · 07-06-2010, 10:13 PM

Wait, now I remember I once had problems with a bought cert with a GnuTLS build of exim (mailserver) while the OpenSSL build worked perfectly. In the end, I found out the cert was encoded in some PKCS format (PKCS12? I'm not sure any more) and while OpenSSL auto-detected that, GnuTLS assumed plain DER and failed. Could be the same thing for your cert. If this is the case, just "unpack" the PKCS with the OpenSSL commandline to get a plain PEM format cert and key.

mtlhd · 07-07-2010, 02:05 PM

Quote:

Originally Posted by zirias

Wait, now I remember I once had problems with a bought cert with a GnuTLS build of exim (mailserver) while the OpenSSL build worked perfectly. In the end, I found out the cert was encoded in some PKCS format (PKCS12? I'm not sure any more) and while OpenSSL auto-detected that, GnuTLS assumed plain DER and failed. Could be the same thing for your cert. If this is the case, just "unpack" the PKCS with the OpenSSL commandline to get a plain PEM format cert and key.

Well, I was able to use OpenSSL to convert the crt file to a pem file, but I still got the same error that GnuTLS could not import the key file followed by '(-69) ASN1 parser: Error in DER parsing.'

Don't know what else to do.

uhurusurfa · 10-19-2010, 01:17 PM

I have received the same error in the past when a certificate file already exists that it is trying to create. Deleting the old one got rid of the error.