Yep, I did that and port 80 works like a dream.

When you say:

>Then, set up a virtual server on port 443 with the same proxy stuff.
>You reference the certificate file there.

this is the bit that bothers me.

Here's my virtual host:

<VirtualHost revproxy:443>
        ServerName slrsdct1.internal.standardlife.com
        ErrorLog /oem/apache-mod_ssl/logs/error_log
        ProxyPass / https://webserver/
        ProxyPassReverse / https://webserver/
        SSLEngine On
        SSLCipherSuite ALL
        SSLCertificateFile /oem/apache-mod_ssl/conf/ssl/revproxy.crt
        SSLVerifyDepth 3
        SSLCertificateKeyFile /oem/apache-mod_ssl/conf/ssl/revproxy.key
</VirtualHost>

I can make an SSL connection to this virtual host; the browser indicates
that encryption is in use.
The certificate/key that the reverse proxy is using is specified by the
SSLCertificateFile and SSLCertificateKeyFile directives.

The reverse proxy should now make an SSL connection to webserver (this is
running IBM HTTPServer, IBM's packaged Apache). webserver has its own
self-signed certificate. I can make SSL connections to webserver with a
browser satisfactorily, but the browser alerts me that it doesn't trust the
certificate (because it's self-signed) and I have to click through.

I imagine that revproxy doesn't trust the certificate either, which is
causing the problem. Perhaps it's something else, but I am pretty sure I
need to tell revproxy about webserver's certificate within httpd.conf. I
can't find a suitable directive in the docs.

BTW this is Apache/1.3.24 with mod_ssl-2.8.8-1.3.24 on AIX 4.3.3

I have also been trying to do this with another proprietary product that
I'm not going to mention; it doesn't work (the supplier is working on a
fix) and I really don't like the software. I would love to prove that
Apache and mod_ssl are up to the job.

Many thanks in advance!

Michael
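
An added example, not part of the original thread: in Apache 2.4's mod_ssl, trust for the back-end certificate is set with the SSLProxy* directives, separately from the SSLCertificateFile/SSLCertificateKeyFile pair that serves the browser. The directive names are those of Apache 2.4 and are an assumption for the Apache 1.3.24/mod_ssl 2.8.8 build discussed here; webserver.crt is a hypothetical file holding a PEM copy of webserver's self-signed certificate.

```apache
<VirtualHost revproxy:443>
    ServerName slrsdct1.internal.standardlife.com
    ErrorLog /oem/apache-mod_ssl/logs/error_log

    # Front side: certificate and key presented to browsers
    SSLEngine On
    SSLCertificateFile    /oem/apache-mod_ssl/conf/ssl/revproxy.crt
    SSLCertificateKeyFile /oem/apache-mod_ssl/conf/ssl/revproxy.key

    # Back side: enable TLS for outgoing proxy connections
    SSLProxyEngine On
    # Trust anchor (hypothetical path): PEM copy of webserver's self-signed cert
    SSLProxyCACertificateFile /oem/apache-mod_ssl/conf/ssl/webserver.crt
    # Reject the back end unless its certificate chains to that anchor
    SSLProxyVerify require
    # Require the certificate to name the host used in ProxyPass ("webserver")
    SSLProxyCheckPeerName On

    ProxyPass        / https://webserver/
    ProxyPassReverse / https://webserver/
</VirtualHost>
```

With SSLProxyVerify left at its default of none, the proxy still encrypts the back-end connection but accepts whatever certificate it is shown.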



                                                                                       
                          
From:    <philip@givingcapital.com>
Sent by: <owner-modssl-users@modssl.org>
To:      <[EMAIL PROTECTED]>
cc:
Subject: RE: Reverse proxying of SSL traffic
24/06/2002 15:56
Please respond to modssl-users



Set up two virtual servers for the same IP, one on port 80 (with just
simple proxy rules).  Confirm this works.

Then, set up a virtual server on port 443 with the same proxy stuff.  You
reference the certificate file there.

Phil

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, June 24, 2002 7:54 AM
> To: [EMAIL PROTECTED]
> Subject: Reverse proxying of SSL traffic
>
>
> Hi list,
>
> I have a requirement to set up a reverse proxy (web accelerator) which
> will accept incoming HTTP and HTTPS connections (using our Verisign
> credentials on the proxy) and proxy those requests to other web servers.
>
> The catch is I need the connection between the proxy and the web server
> to be HTTPS if and only if the incoming connection to the proxy is HTTPS.
> I will be using self-signed certificates on the web servers.
>
> Apache+mod_ssl looks like it can do this with ProxyPass/ProxyPassReverse
> but where do I reference the self signed certificate of the web server in
> httpd.conf?
>
> At the moment I get the following error in my browser when I try to use
> the reverse proxy:
>
> Proxy Error
> The proxy server received an invalid response from an upstream server.
>
>
> The proxy server could not handle the request GET /.
>
>
> Reason: SSL proxy connect failed
> (slrsdct1.internal.standardlife.com:443):
> peer 172.31.100.31:443: decryption failed or bad record mac
>
>
> Thanks in advance.
>
> Michael Pacey
>
>
>
> For more information on Standard Life, visit our website
> http://www.standardlife.com/
>
> The Standard Life Assurance Company, Standard Life House, 30 Lothian Road,
> Edinburgh EH1 2DH, is registered in Scotland (No. SZ4) and regulated by the
> Financial Services Authority. Tel: 0131 225 2552 - calls may be recorded or
> monitored. This confidential e-mail is for the addressee only. If received
> in error, do not retain/copy/disclose it without our consent and please
> return it to us. We virus scan and monitor all e-mails but are not
> responsible for any damage caused by a virus or alteration by a third party
> after it is sent.
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      [EMAIL PROTECTED]
> Automated List Manager                            [EMAIL PROTECTED]
>

