Apache, reverse proxy, and SSL
Hey all,
I'm having some trouble getting Apache up and running as a reverse proxy for a site using SSL. Ideally, this Apache system will function as a web application firewall running mod_security, but first I need to get Apache running right. The system is running CentOS 5.5 and Apache 2.2. Trouble is, the web server on the back end, which is running Windows Web Server 2008 (IIS 7), requires SSL. I have been able to get Apache set up and running so that it works fine on port 80, but any secure traffic on port 443 just won't work. So first, here's the relevant portion of the Apache config:
Code:
<VirtualHost 192.168.108.212:80>
Code:
-----BEGIN CERTIFICATE-----
Any suggestions on what else I can possibly try?
1. Why proxy a windows box? That's what firewalls are for. Don't forget tcp/ip filtering in windows. This works well.
2. SSL, by design, should fail in your scenario. It's called a "man in the middle attack."
3. Why not use Pound with an SSL frontend to a non-encrypted backend? It's not ideal, but you'll have something like what you posted.
Thanks for the suggestions. I'll try to address your points.
1. We have firewall(s) in place. The point of this box would be to scan the actual content, which is where mod_security would come into play.
2. This is what I'm looking to fix. Our production WAF is working in this scenario right now (SSL to the WAF, still encrypted on the back end). This Apache system was being tested in case we ever needed a temporary backup.
3. Unfortunately, the back end needs to be encrypted as well. Compliance and all that.
As an update, I did get it working for the most part yesterday using SSL to the Apache system, as well as on the back end. Unfortunately, as soon as mod_security is enabled, it starts mangling almost every page. Random content is missing, etc. After moving around for a little bit, it just starts giving 403 errors for everything until I put mod_security back into pass mode. Of course, nothing is actually logged.
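An added example (not the original poster's configuration, which is not shown in the thread) of the setup described in this reply on Apache 2.2: SSL terminated on the Apache WAF, re-encrypted to the IIS back end, and mod_security run in detection-only mode with audit logging so that the 403s and mangled pages leave a trace that can be tuned against. The back-end address, certificate, key, CA, rule set and log paths are placeholders.

```apache
# Added example, not the poster's config. Placeholders: back-end address,
# certificate/key/CA paths, rule set path and log paths.
# Assumes mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_unique_id
# and mod_security2 are loaded.
Listen 192.168.108.212:443

<VirtualHost 192.168.108.212:443>
    ServerName www.example.com

    # Client-facing TLS: terminated on the Apache WAF (placeholder paths)
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/pki/tls/certs/waf.crt
    SSLCertificateKeyFile /etc/pki/tls/private/waf.key

    # Re-encrypt to the IIS back end (still HTTPS, per the compliance need)
    # and verify its certificate against the CA that issued it (placeholder)
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.crt

    # Reverse proxy only; never an open forward proxy
    ProxyRequests Off
    # Keep the original Host header so IIS site bindings still match
    ProxyPreserveHost On
    ProxyPass / https://BACKEND-IIS-IP/
    ProxyPassReverse / https://BACKEND-IIS-IP/
    RequestHeader set X-Forwarded-Proto "https"

    # mod_security: log matches instead of blocking while the rules are tuned,
    # so every would-be 403 is written to the audit log with its rule ID
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml
    # Pass oversized responses through instead of truncating them
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial
    SecDefaultAction "phase:2,log,auditlog,pass"
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/httpd/modsec_audit.log
    SecDebugLog /var/log/httpd/modsec_debug.log
    SecDebugLogLevel 3
    Include conf.d/modsecurity_crs/*.conf

    ErrorLog /var/log/httpd/waf_error.log
    CustomLog /var/log/httpd/waf_access.log combined
</VirtualHost>
```

With SecRuleEngine DetectionOnly the rule IDs behind the blocked pages can be read out of the audit log and tuned before switching back to SecRuleEngine On.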
Hello,
Have a look at Squid or Nginx for reverse proxy. They're pretty complete. If you want to go with Squid then remember you'll have to compile from source in order to be able to serve SSL sites. If installed using a package then you don't have SSL (https) support. I have Squid set up here as a reverse proxy serving multiple domains over https and it works like a charm.
Kind regards,
Eric
Maybe I'm not clear on how the SSL proxy works. Can you provide a link for more information?