Apache: How to use reverse secure proxy to chain secure apache servers – updated

By | May 26, 2017

On the site where I host my services I have only one public IP from the ISP and therefore a single port 443 to serve https requests. Hosting several sites behind it is easy with Apache: define one virtual host per site. For https this relies on name-based virtual hosting with TLS Server Name Indication (SNI): the client sends the hostname it wants inside the TLS handshake, and Apache 2.4 with mod_ssl picks the matching virtual host and certificate. Every current browser supports SNI, so a single IP and port can serve as many https sites as you have certificates for.

Define a standard virtual host on the main site
For the blog the configuration looks like the following.

Define a redirect for http requests to blog.voina.org
Any plain-http request is answered with a redirect to the https URL, so the client is forced onto TLS before anything is served.

<VirtualHost 192.168.2.21:80>
    ServerName "blog.voina.org"
    # Permanent (301) redirect of every http URL to its https equivalent
    Redirect permanent / https://blog.voina.org/
</VirtualHost>

 

Define a secure virtual host for blog.voina.org
Notice the certificate directives and the explicit SSLCipherSuite list. The certificates are from a recognised certification authority, and the cipher list is a compatibility-oriented one rather than a strict one. Two caveats a practitioner should know: the list still admits 3DES (the *-DES-CBC3-SHA suites) and, at its tail, suites without ECDHE/DHE key exchange that offer no forward secrecy; and SSLProtocol all -SSLv2 -SSLv3 still allows TLS 1.0 and 1.1. If you have no legacy clients to support, drop the DES-CBC3 and static-RSA entries and add -TLSv1 -TLSv1.1. The Strict-Transport-Security header is sent on every response; includeSubDomains and preload commit every subdomain of voina.org to https for two years and, once the domain is submitted to the browser preload list, are very hard to undo, so only add those two tokens when you are sure every subdomain will always be served over https.

<VirtualHost 192.168.2.21:443>
    ServerName "blog.voina.org"

    # TLS for the client-facing side
    SSLEngine On
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile      /media/storage/www/certs/blog.voina.org.cert
    SSLCertificateKeyFile   /media/storage/www/certs/blog.voina.org.key
    SSLCertificateChainFile /media/storage/www/certs/1_root_bundle.crt

    # HSTS: two years, all subdomains, eligible for the browser preload list
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    DocumentRoot "/media/storage/www/html/owncloud/wordpress"

    CustomLog   "/media/storage/www/log/home-blog-access.log" combined
    ErrorLog    "/media/storage/www/log/home-blog-error.log"

    <Directory "/media/storage/www/html/owncloud/wordpress">
        # -Indexes: never list the contents of the WordPress tree
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        # Apache 2.4 access control; the 2.2-era "Satisfy Any" is not needed alongside it
        Require all granted
    </Directory>
</VirtualHost>

 

The same way we can set up several more sites. On the same server I also host an ownCloud instance under home.voina.org; I skip the home.voina.org virtual host here, since it follows exactly the same pattern.
The next step is to show how requests arriving at the main site can be chained on to a second server.

Define a reverse proxy virtual host on the main site
The next site, store.voina.org (an OpenCart instance), is reachable through the main site but hosted on a second machine (192.168.2.22). The main site acts as a reverse proxy: it terminates the client's TLS connection, forwards the request over a second TLS connection to the backend, and hides the machine on which store.voina.org actually runs.

Define a redirect for http requests to store.voina.org
As for the blog, any plain-http request is redirected to https.

<VirtualHost 192.168.2.21:80>
    ServerName "store.voina.org"
    # Permanent (301) redirect of every http URL to its https equivalent
    Redirect permanent / https://store.voina.org/
</VirtualHost>

 

Define a secure reverse proxy virtual host for store.voina.org
Notice the SSLProxy directives, which govern the second hop (proxy to backend):

SSLProxyEngine on
Enables the client side of mod_ssl so the proxy can open TLS connections to the backend. Without it a ProxyPass to an https:// URL fails.

SSLProxyCACertificateFile /media/storage/www/certs/store.voina.org.cert
The set of certificates the proxy trusts when it validates the backend's certificate. It is a trust-anchor file, not a keystore: nothing in it is presented to the backend. The usual choice is the CA bundle that issued the backend certificate (here 1_root_bundle.crt). Pointing it at the backend's own leaf certificate, as above, ties the proxy to that exact certificate and must be updated at every renewal; depending on the OpenSSL version a lone leaf certificate may not even be accepted as a trust anchor.

#SSLProxyVerify none
Commented out, but note that none is already the mod_ssl default: unless you set SSLProxyVerify require, the proxy does not validate the backend certificate at all and SSLProxyCACertificateFile is effectively unused. For a self-signed backend certificate, put that certificate into the CA file and still use require; none only makes sense for testing.

#SSLProxyCheckPeerCN off
Disables the comparison of the certificate's CN with the host in the ProxyPass URL. It is switched on in the configuration below because the backend is addressed by IP (192.168.2.22) while its certificate names store.voina.org. Since Apache 2.4.5 the hostname check is done by SSLProxyCheckPeerName, which also looks at subjectAltName and supersedes this directive when it is on.

#SSLProxyCheckPeerName off
Disables the hostname check against the certificate's subjectAltName and CN. Rather than disabling it, proxy to https://store.voina.org/ and make that name resolve to 192.168.2.22 on the proxy host (for example in /etc/hosts), so the check can stay on and a certificate for the wrong name is rejected.

#SSLProxyCheckPeerExpire off
Disables the expiry check of the backend certificate. Only ever a temporary workaround; an expired certificate should be replaced.

ProxyPass / https://192.168.2.22:443/
ProxyPassReverse / https://192.168.2.22:443/
ProxyPass forwards every request under / to the backend. ProxyPassReverse rewrites the Location, Content-Location and URI headers of the backend's responses so that redirects point back at the proxy instead of leaking the internal address. ProxyRequests Off is also essential: it keeps the server from acting as an open forward proxy, and ProxyPass works without it.

See below for the full definition of the reverse proxy virtual host.

<VirtualHost 192.168.2.21:443>
    ServerName "store.voina.org"

    # Hop 1: TLS towards the client, with the store.voina.org certificate
    SSLEngine On
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile      /media/storage/www/certs/store.voina.org.cert
    SSLCertificateKeyFile   /media/storage/www/certs/store.voina.org.key
    SSLCertificateChainFile /media/storage/www/certs/1_root_bundle.crt

    # Reverse proxy only: never act as an open forward proxy
    ProxyRequests Off
    <Proxy *>
        Require all granted
    </Proxy>

    # Hop 2: TLS from the proxy to the backend
    SSLProxyEngine on
    # Trust anchors for validating the backend certificate; only consulted when
    # SSLProxyVerify is set to require (the default, none, skips validation)
    SSLProxyCACertificateFile /media/storage/www/certs/store.voina.org.cert
    #SSLProxyVerify none
    # CN check off because the backend is addressed by IP below while its
    # certificate names store.voina.org
    SSLProxyCheckPeerCN off
    #SSLProxyCheckPeerName off
    #SSLProxyCheckPeerExpire off

    ProxyPass        / https://192.168.2.22:443/
    ProxyPassReverse / https://192.168.2.22:443/
    <Location />
        Require all granted
    </Location>

    CustomLog   "/media/storage/www/log/home-store-access.log" combined
    ErrorLog    "/media/storage/www/log/home-store-error.log"
</VirtualHost>
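As an added example that is not part of the original post, here is a small Python audit of a reverse-proxy virtual host for the pitfalls walked through above. It reads the directives the way Apache does (comment lines ignored, later occurrences override earlier ones, documented mod_ssl defaults applied where a directive is absent) and then flags a missing SSLProxyVerify require, peer checks switched off, a ProxyPass target given as an IP literal, and TLS 1.0 left enabled. The two configurations it inspects are constructed inline: the first is the store.voina.org proxy vhost from this page with the cipher list and logging omitted; the second is a hardened variant that assumes the name store.voina.org resolves to 192.168.2.22 on the proxy host (for example via /etc/hosts) and that 1_root_bundle.crt holds the CA chain that issued the backend certificate.

```python
"""Static audit of an Apache reverse-proxy vhost for the SSLProxy* pitfalls
discussed in the article. Added example, not part of the original post."""
import ipaddress
from urllib.parse import urlsplit

# Constructed from the page's store.voina.org proxy vhost (cipher list/logging omitted).
PAGE_PROXY_VHOST = """
<VirtualHost 192.168.2.21:443>
    ServerName "store.voina.org"
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    ProxyRequests Off
    SSLProxyEngine on
    SSLProxyCACertificateFile /media/storage/www/certs/store.voina.org.cert
    #SSLProxyVerify none
    SSLProxyCheckPeerCN off
    #SSLProxyCheckPeerName off
    #SSLProxyCheckPeerExpire off
    ProxyPass        / https://192.168.2.22:443/
    ProxyPassReverse / https://192.168.2.22:443/
</VirtualHost>
"""

# Hardened variant. Assumptions: store.voina.org resolves to 192.168.2.22 on the
# proxy host (e.g. /etc/hosts) and 1_root_bundle.crt holds the issuing CA chain.
HARDENED_PROXY_VHOST = """
<VirtualHost 192.168.2.21:443>
    ServerName "store.voina.org"
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    ProxyRequests Off
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCACertificateFile /media/storage/www/certs/1_root_bundle.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    ProxyPass        / https://store.voina.org/
    ProxyPassReverse / https://store.voina.org/
</VirtualHost>
"""


def parse_directives(vhost_text):
    """Return [(name_lower, args)] in file order. Comment lines are skipped because
    Apache skips them too: '#SSLProxyVerify none' leaves the mod_ssl default in force."""
    directives = []
    for raw in vhost_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def audit_proxy_vhost(vhost_text):
    """Return a list of findings; an empty list means none of the known pitfalls is present."""
    directives = parse_directives(vhost_text)
    last = dict(directives)  # later occurrences override earlier ones, as in Apache
    findings = []

    targets = [a.split()[1] for n, a in directives if n == "proxypass" and len(a.split()) > 1]
    https_targets = [t for t in targets if t.lower().startswith("https://")]
    for target in https_targets:
        host = urlsplit(target).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        findings.append(f"ProxyPass to IP literal {host}: the backend certificate name can "
                        "never match it; proxy by hostname and resolve it locally instead")

    if https_targets:
        if last.get("sslproxyengine", "off").lower() != "on":
            findings.append("SSLProxyEngine is not on, but ProxyPass targets an https URL")
        verify = last.get("sslproxyverify", "none").lower()  # mod_ssl default: none
        if verify != "require":
            findings.append(f"SSLProxyVerify is '{verify}': the backend certificate is not "
                            "validated, so anything answering on that address is accepted")
        elif not (last.get("sslproxycacertificatefile") or last.get("sslproxycacertificatepath")):
            findings.append("SSLProxyVerify require without a CA file/path: every request gets a 502")
        if last.get("sslproxycheckpeername", "on").lower() == "off":
            findings.append("SSLProxyCheckPeerName off: a valid certificate for any other name is accepted")
        if last.get("sslproxycheckpeercn", "on").lower() == "off":
            findings.append("SSLProxyCheckPeerCN off: usually means the certificate name does not match "
                            "the ProxyPass host (SSLProxyCheckPeerName supersedes it on 2.4.5+)")
        if last.get("sslproxycheckpeerexpire", "on").lower() == "off":
            findings.append("SSLProxyCheckPeerExpire off: an expired backend certificate is accepted")

    if last.get("proxyrequests", "off").lower() == "on":
        findings.append("ProxyRequests On turns this vhost into an open forward proxy")

    protocols = last.get("sslprotocol", "all").lower().split()
    if "all" in protocols and "-tlsv1" not in protocols:
        findings.append("SSLProtocol still allows TLSv1.0 on the client-facing hop")

    return findings


if __name__ == "__main__":
    for label, text in (("page config", PAGE_PROXY_VHOST), ("hardened", HARDENED_PROXY_VHOST)):
        print(f"{label}: {len(audit_proxy_vhost(text))} finding(s)")
        for finding in audit_proxy_vhost(text):
            print("  -", finding)
```

Run against the page's vhost it reports four findings (IP-literal target, SSLProxyVerify at its default of none, SSLProxyCheckPeerCN off, TLS 1.0 allowed) and none against the hardened variant. The audit deliberately treats a commented-out directive as absent, which is the point of the SSLProxyVerify discussion: commenting out "none" does not turn verification on.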

 

Define a standard virtual host on the second site
On the second machine the store.voina.org configuration is a plain TLS site; nothing in it reveals that it sits behind a reverse proxy. Two consequences are worth knowing. First, the backend sees the proxy (192.168.2.21) as the client, so to log the real client address use the X-Forwarded-For header that mod_proxy_http adds on the first hop (for example via mod_remoteip, or %{X-Forwarded-For}i in the LogFormat). Second, the backend is still reachable directly by anyone who can route to 192.168.2.22; if the store should only be reached through the proxy, restrict it with a firewall rule or with Require ip 192.168.2.21 in place of Require all granted.

<VirtualHost 192.168.2.22:443>
    ServerName "store.voina.org"

    # Activate SSL (the second hop terminates here)
    SSLEngine On
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile      /media/storage/www/certs/store.voina.org.cert
    SSLCertificateKeyFile   /media/storage/www/certs/store.voina.org.key
    SSLCertificateChainFile /media/storage/www/certs/1_root_bundle.crt

    # HSTS header; the proxy passes it through unchanged to the browser
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    DocumentRoot "/media/storage/www/html/opencart/upload"

    # Client addresses logged here are the proxy's (192.168.2.21); the real client
    # address is in the X-Forwarded-For header added by mod_proxy_http
    CustomLog   "/media/storage/www/log/opencart-access.log" combined
    ErrorLog    "/media/storage/www/log/opencart-error.log"

    <Directory "/media/storage/www/html/opencart/upload">
        # -Indexes: no directory listings of the OpenCart tree
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

 

Note that both servers carry an "Activate SSL" section. An Apache reverse proxy works at the HTTP layer, so it cannot pass the client's TLS session through untouched: it terminates the client's TLS connection with the store.voina.org certificate and key, reads the request, and opens a second, separate TLS connection to the backend. There are therefore two encrypted hops:
1. https between the client and the proxy: the proxy needs an SSL section with the store.voina.org certificate, which is what the client verifies.
2. https between the proxy and the store server: the store needs its own SSL section with a certificate (here the same store.voina.org certificate), and the proxy needs SSLProxyEngine on.

The client can thus verify that it is talking to store.voina.org, because the proxy holds that certificate. Whether the proxy verifies the store is a separate question: with the configuration above SSLProxyVerify is at its default of none, so the proxy accepts whatever certificate 192.168.2.22 presents; set SSLProxyVerify require (and keep the peer-name check on) for the second hop to be authenticated as well. The store, for its part, learns nothing about the proxy's certificate: a server certificate is never sent by the client side of a TLS connection. If the backend must authenticate the proxy, that requires a client certificate on the proxy (SSLProxyMachineCertificateFile) and SSLVerifyClient require on the store, which this setup does not configure.
