LinuxQuestions.org
Old 05-26-2010, 10:18 AM   #1
Phaethar
Apache, reverse proxy, and SSL


Hey all,

I'm having some trouble getting Apache up and running as a reverse proxy for a site using SSL. Ideally, this Apache system will function as a web application firewall running mod_security, but first I need to get Apache running right. The system is running CentOS 5.5 and Apache 2.2.

Trouble is, the web server on the back end, which is running Windows Web Server 2008 (IIS 7) requires SSL. I have been able to get Apache set up and running so that it works fine on port 80, but any secure traffic on port 443 just won't work.

So first, here's the relevant portion of the Apache config:
Code:
<VirtualHost 192.168.108.212:80>
 ServerName www.server.com

 ErrorLog logs/test_error_log
 CustomLog logs/test_access_log common

 ProxyPass / http://192.168.108.152/
 ProxyPassReverse / http://192.168.108.152/

</VirtualHost>

<VirtualHost 192.168.108.212:443>
 ServerName www.server.com

 ErrorLog logs/test_error_log
 CustomLog logs/test_access_log common

 SSLProxyEngine On
 SSLProxyMachineCertificateFile /etc/httpd/conf/server.pem

 ProxyPass / https://192.168.108.152/
 ProxyPassReverse / https://192.168.108.152/

</VirtualHost>
The server.pem was created following some steps I found online and was set up using the same certificate that's on the web server. It is formatted as so:

Code:
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
*****
-----END RSA PRIVATE KEY-----
So, after all is said and done, Apache starts up just fine. Any unsecured requests on port 80 work just fine. Trying to use https results in an ssl_error_rx_record_too_long error in Firefox. The Apache logs show a 404 error, with the request being for /x16/x03/x01. I believe that means it's requesting SSL access on a non-SSL port, which doesn't make any sense to me, considering that I obviously do have something up to listen on that port.

Any suggestions on what else I can possibly try?

Last edited by Phaethar; 05-26-2010 at 10:56 AM.
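An added example, not the original poster's config: the :443 VirtualHost above never turns on SSLEngine, so Apache serves plaintext HTTP on 443. A TLS ClientHello begins with the bytes 0x16 0x03 0x01, which is exactly the /x16/x03/x01 request in the 404 log line, and the cleartext 404 response is what Firefox reports as ssl_error_rx_record_too_long. The vhost below terminates TLS with its own server certificate and re-encrypts to IIS with backend certificate verification; the certificate, key and CA paths and the hosts entry are assumptions.

```apache
# Assumes the stock CentOS /etc/httpd/conf.d/ssl.conf already provides
# "Listen 443" and loads mod_ssl.
<VirtualHost 192.168.108.212:443>
    ServerName www.server.com

    ErrorLog logs/test_error_log
    CustomLog logs/test_access_log common

    # Client-facing side. Without SSLEngine this vhost speaks plain HTTP on
    # 443, so a TLS ClientHello (first bytes 0x16 0x03 0x01) is parsed as a
    # request for /x16/x03/x01 and answered with a cleartext 404, which the
    # browser reports as ssl_error_rx_record_too_long.
    SSLEngine on
    # Server certificate and key for www.server.com (assumed paths).
    SSLCertificateFile /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Backend side: re-encrypt to IIS and verify its certificate, so the proxy
    # does not trust whatever happens to answer on the backend's port 443.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # CA chain that issued the IIS certificate (assumed path).
    SSLProxyCACertificateFile /etc/httpd/conf/backend-ca.crt
    # SSLProxyMachineCertificateFile is only for client-certificate
    # authentication towards the backend; it does not supply the server
    # certificate for this vhost, so it is not needed here.

    # The IIS certificate was issued for www.server.com, so proxy to that name
    # rather than the IP so the peer-name check can pass; on the proxy host
    # /etc/hosts maps www.server.com to 192.168.108.152 (assumption).
    ProxyRequests Off
    ProxyPass / https://www.server.com/
    ProxyPassReverse / https://www.server.com/
</VirtualHost>
```

Keep the existing :80 vhost as it is; only the client-facing TLS side of the :443 vhost was missing.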
Old 05-26-2010, 04:21 PM   #2
mpapet
1. Why proxy a windows box? That's what firewalls are for. Don't forget tcp/ip filtering in windows. This works well.

2. SSL, by design, should fail in your scenario. It's called a "man in the middle attack."

3. Why not use Pound with an SSL frontend to a non-encrypted backend? It's not ideal, but you'll have something like what you posted.

Last edited by mpapet; 05-26-2010 at 04:24 PM.
Old 05-27-2010, 07:14 AM   #3
Phaethar
Thanks for the suggestions. I'll try to address your points.

1. We have firewall(s) in place. The point of this box would be to scan the actual content, which is where mod_security would come into play.

2. This is what I'm looking to fix. Our production WAF is working in this scenario right now (SSL to the WAF, still encrypted on the back end). This Apache system was being tested in case we ever needed a temporary backup.

3. Unfortunately, the back end needs to be encrypted as well. Compliance and all that.

As an update, I did get it working for the most part yesterday using SSL to the Apache system, as well as on the back end. Unfortunately, as soon as mod_security is enabled, it starts mangling almost every page. Random content is missing, etc. After moving around for a little bit, it just starts giving 403 errors for everything until I put mod_security back into pass mode. Of course, nothing is actually logged.
Old 05-27-2010, 07:33 AM   #4
EricTRA
Hello,

Have a look at Squid or Nginx for reverse proxy. They're pretty complete. If you want to go with Squid, remember you'll have to compile from source in order to be able to serve SSL sites. If installed from a package, you don't have SSL (https) support. I have Squid set up here as a reverse proxy serving multiple domains over https and it works like a charm.

Kind regards,

Eric
Old 05-27-2010, 12:09 PM   #5
mpapet
Quote: Originally Posted by Phaethar
Unfortunately, as soon as mod_security is enabled, it starts mangling almost every page. Random content is missing, etc. After moving around for a little bit, it just starts giving 403 errors for everything until I put mod_security back into pass mode. Of course, nothing is actually logged.
Are you examining the decrypted packets before re-encrypting to the final destination?

Maybe I'm not clear on how the ssl proxy works. Can you provide a link for more information?