Enabling multiple https webservers through one firewall via apache reverse proxy

Cerephim · 09-11-2017, 08:08 PM

I've read so many differing configurations that my head is swimming!

Here's the situation:
I have a smoothwall firewall (3.0) and have a single machine set up in the DMZ (orange).
There are multiple other servers set up behind the firewall (green).

What I want to do is this:
Enable two completely different domains with completely different certificates (one self signed, one purchased and verified) running on that single box in the dmz to be accessed through the single public IP running on the firewall via apache reverse proxy. Oh, and I'd like the reverse proxy to be running on that single server in the DMZ too.

The questions I have are these:

Is this even possible?
Do I comment out the _default_:443 virtualhost stanza in /etc/httpd/conf.d/ssl.conf (running CentOS)
Do I create a virtualhost stanza for each of the two different domains?
Where to stick the statements that cause reverse proxying to happen.

Any requests for more info will be honored.

Any help is *sincerely* appreciated!

Timothy Miller · 09-11-2017, 08:12 PM

Quote:

Originally Posted by Cerephim

Is this even possible?

Yes, I've got one proxy that's got over 100 sites behind it, although only 2 or 3 domains.

Quote:

Originally Posted by Cerephim

Do I comment out the _default_:443 virtualhost stanza in /etc/httpd/conf.d/ssl.conf (running CentOS)

You can, or you can modify it to use...whatever works for you

Quote:

Originally Posted by Cerephim

Do I create a virtualhost stanza for each of the two different domains?

Most definitely, yes you will need different virtualhosts due to needing to supply different certificates.

Quote:

Originally Posted by Cerephim

Where to stick the statements that cause reverse proxying to happen.

Any help is *sincerely* appreciated!

I always throw them at the bottom of the particular stanza, right above the </VirtualHost>

Also, I *PREFER* (making sure to point out that this isn't the correct way, just how I like to do it) that I create a different *.conf file for EACH domain. I find it just makes it easier to find what I want to change when updating/changing (admittedly, this is because I have a RP that has 60+ proxies for each large domain and has 2 large domains)

Cerephim · 09-12-2017, 11:17 AM

Can ya help an https reverse proxy infant out by posting the relevant snippets of code from the config file?

Thanks!

Timothy Miller · 09-14-2017, 05:45 PM

Quote:

Originally Posted by Cerephim

Can ya help an https reverse proxy infant out by posting the relevant snippets of code from the config file?

Thanks!

Which snippets do you need? Like the actual ProxyPass lines?

Cerephim · 09-14-2017, 09:02 PM

The virtualhost stanzas, appropriately redacted, of course. One stanza each from two differing domains would be wonderful!

Timothy Miller · 09-14-2017, 09:39 PM

Oh, ok, should be able to do that if I don't forget again...

Cerephim · 09-15-2017, 08:23 AM

Thank you. I'll check every now and then, and if I don't see a reply, I'll give the thread a bump. Is that okay?

Timothy Miller · 09-15-2017, 10:13 AM

Here's an excerpt from my companies main reverse proxy:

Code:

<VirtualHost companies primary proxy:80>

ServerName urlofmycompaniesserver

############## ALASKA  ########################################

ProxyPass /akCurrent http://10.0.5.200:8080/akCurrent
ProxyPassReverse /akCurrent http://10.0.5.200:8080/akCurrent
ProxyPass /akProd http://10.0.5.200:8082/akProd
ProxyPassReverse /akProd http://10.0.5.200:8082/akProd
ProxyPass /akTest http://10.0.5.200:8084/akTest
ProxyPassReverse /akTest http://10.0.5.200:8084/akTest
ProxyPass /akPhchubCurrent http://10.0.5.200:8080/akPhchubCurrent
ProxyPassReverse /akPhchubCurrent http://10.0.5.200:8080/akPhchubCurrent
ProxyPass /akPhchubProd http://10.0.5.200:8082/akPhchubProd
ProxyPassReverse /akPhchubProd http://10.0.5.200:8082/akPhchubProd
ProxyPass /akPhchubTest http://10.0.5.200:8084/akPhchubTest
ProxyPassReverse /akPhchubTest http://10.0.5.200:8084/akPhchubTest

(billions of others)

</VirtaulHost>
<VirtualHost a different server:80>
ServerName a different url
ServerAlias another URL that is actually the same destination
Redirect Permanent / https://redirecting to https/
</VirtualHost>
<VirtualHost the previous server:443>
ProxyPreserveHost On
ServerName the same as last stanza
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.pem
SSLCACertificateFile /etc/pki/tls/certs/gdbundle.crt
ProxyPass / http://10.0.5.161:3001/
ProxyPassReverse / http://10.0.5.161:3001/
</VirtualHost>

Cerephim · 10-04-2017, 06:03 AM

Thank you!

Cerephim · 10-24-2017, 10:43 AM

I'm guessing that how I set up the structure in /var/www has a profound effect on the way I would configure the reverse proxy lines.

Am I correct in assuming that in the line: "ProxyPass /akPhchubTest http://10.0.5.200:8084/akPhchubTest"
the /akPhchubTest is a reference to /var/www/html/akPhchubTest ?

Timothy Miller · 10-24-2017, 12:27 PM

Not for us, we have no actual sites hosted on this box, it's ONLY used as a proxy. All the sites that it references are on different servers, so it's actually referencing the other servers.