Apache, reverse proxy, and SSL
 

Hey all,

I'm having some trouble getting Apache up and running as a reverse proxy for a site using SSL. Ideally, this Apache system will function as a web application firewall running mod_security, but first I need to get Apache running right. The system is running CentOS 5.5 and Apache 2.2.

Trouble is, the web server on the back end, which is running Windows Web Server 2008 (IIS 7) requires SSL. I have been able to get Apache set up and running so that it works fine on port 80, but any secure traffic on port 443 just won't work.

So first, here's the relevant portion of the Apache config:
The server.pem was created following some steps I found online and was set up using the same certificate that's on the web server. It is formatted as so:

So, after all is said and done, Apache starts up just fine. Any unsecured requests on port 80 work just fine. Trying to use https results in an ssl_error_rx_record_too_long error in Firefox. The Apache logs show a 404 error, with the request being for /x16/x03/x01. I believe that means it's requesting SSL access on a non-ssl port, which doesn't make any sense to me, considering that I obviously do have something up on to listen on that port.

Any suggestions on what else I can possibly try?

1. Why proxy a windows box? That's what firewalls are for. Don't forget tcp/ip filtering in windows. This works well.

2. SSL, by design, should fail in your scenario. It's called a "man in the middle attack."

3. Why not use Pound with an SSL frontend to a non-encrypted backend? It's not ideal, but you'll have something like what you posted.

Thanks for the suggestions.. I'll try to address your points.

1. We have firewall(s) in place. The point of this box would be to scan the actual content, which is where mod_security would come into play.

2. This is what I'm looking to fix. Our production WAF is working in this scenario right now (SSL to the WAF, still encrypted on the back end). This Apache system was being tested in case we ever needed a temporary backup.

3. Unfortunately, the back end needs to be encrypted as well. Compliance and all that.

As an update, I did get it working for the most part yesterday using SSL to the Apache system, as well as on the back end. Unfortunately, as soon as mod_security is enabled, it starts mangling almost every page. Random content is missing, etc. After moving around for a little bit, it just starts giving 403 errors for everything until I put mod_security back into pass mode. Of course, nothing is actually logged.

Hello,

Have a look at Squid or Nginx for reverse proxy. They pretty complete. If you want to go with Squid then remember you'll have to compile from source in order to be able to serve SSL sites. If installed using package then you don't have SSL (https) support. I have Squid set up here as reverse proxy serving multiple domains over https and it works like a charm.

Kind regards,

Eric

Are you examining the decrypted packets before re-encrypting to the final destination?

Maybe I'm not clear on how the ssl proxy works. Can you provide a link for more information?