https://bugs.contribs.org/show_bug.cgi?id=10541

Jean-Philippe Pialasse <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Jean-Philippe Pialasse <[email protected]> ---
(In reply to Colin Hogben from comment #0)
> I have a backend server which I want to serve requests for
> https://mysvc.mydomain.tld via the ProxyPass mechanism, but I want the SME
> Server to handle the letsencrypt certificates for this in addition to the
> primary domain (after all, external https connections are made to the SME
> server, so the certificate needs to be available to the initial SSL
> negotiation).
> 
> (I also want the reverse proxy connection from SME to backend server to be
> http only, but that's a separate issue.)

This is the usual way ProxyPass is done: http only between the servers.

Because if you want SSL between the proxy and the final server, you will need
the same certificate installed on the two servers to avoid errors.

> 
> As things stand, a request for
> http://mysvc.mydomain.tld/.well-known/acme-challenge/$whatever gets
> forwarded to the backend server, which does not have the challenge machinery.
> 
> I believe I have fixed this locally by creating a custom template fragment
> /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
> ProxyPassVirtualHosts/40ACME
> containing the lines:
> 
>     # letsencrypt challenge runs on front end server
>     ProxyPass /.well-known/acme-challenge/ !
> 
> Can this (without -custom of course) be added to the contrib?  I can't think
> of a use case where you would want to forward the challenge.

Maybe if you want end-to-end SSL. But as you will need to propagate the cert
from one server to another, your template could still be useful. I see a
better use in having the front server still handle the cert and propagate it
than the opposite.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
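
Added example, not part of the bug report or the contrib's code: a small check over generated httpd.conf text that reports, per virtual host, whether an ACME challenge request is answered locally, excluded from proxying, or forwarded to the backend. It relies on Apache evaluating ProxyPass rules in configuration order (first match wins), so the `!` exclusion only works when it precedes the catch-all rule. The sample config, `backend.example` and `late.mydomain.tld` are constructed, and only plain ProxyPass lines directly inside a VirtualHost are handled (no ProxyPassMatch or Location blocks).

```python
import re

ACME_URL = "/.well-known/acme-challenge/token"  # constructed request path

# Constructed sample; hostnames other than mysvc.mydomain.tld are made up.
SAMPLE_CONF = """
<VirtualHost 0.0.0.0:80>
    ServerName mysvc.mydomain.tld
    # letsencrypt challenge runs on front end server
    ProxyPass /.well-known/acme-challenge/ !
    ProxyPass / http://backend.example/
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    ServerName late.mydomain.tld
    ProxyPass / http://backend.example/
    ProxyPass /.well-known/acme-challenge/ !
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    ServerName www.mydomain.tld
    DocumentRoot /var/www/html
</VirtualHost>
"""

def covers(prefix, url):
    """Approximate Apache's prefix match: whole path segments only."""
    if not url.startswith(prefix):
        return False
    return prefix.endswith("/") or url[len(prefix):][:1] in ("", "/")

def audit_acme_routing(conf_text):
    """Map each vhost's ServerName to 'local', 'excluded' or 'forwarded'."""
    results, name, rules, in_vhost = {}, None, [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            in_vhost, name, rules = True, "(unnamed)", []
        elif re.match(r"</VirtualHost>", line, re.I) and in_vhost:
            # First matching ProxyPass wins, so order decides the outcome.
            hit = next((t for p, t in rules if covers(p, ACME_URL)), None)
            results[name] = "local" if hit is None else ("excluded" if hit == "!" else "forwarded")
            in_vhost = False
        elif in_vhost:
            parts = line.split()
            if parts[0].lower() == "servername" and len(parts) > 1:
                name = parts[1]
            elif parts[0].lower() == "proxypass" and len(parts) > 2:
                rules.append((parts[1], parts[2]))
    return results
```

A vhost reported as `forwarded` is one where certificate issuance or renewal for that name would depend on the backend answering the challenge.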