You almost certainly want to do SSL termination at the Apache level if
you are running a Racket server behind Apache. This means that Apache
will serve as a reverse proxy to your Racket web server, and all
communications between Apache and the Racket process will be ordinary
HTTP. When an HTTPS request reaches Apache, it will use the certificate
that it knows about to perform SSL negotiation, then it will forward the
decrypted HTTP request to your Racket server over ordinary HTTP. It will
subsequently encrypt the response it receives, then send it back to the
client. This means your Racket server doesn’t need to worry about SSL
(probably a good thing, since Apache/nginx are better at that).

To do this, you can set up an Apache VirtualHost on port 443 with
SSLEngine On and references to the locations of the relevant certificate
files. Configure both hosts (either the main host and the virtual host,
or just use two virtual hosts) to serve as a reverse proxy to the same
Racket process over HTTP using mod_proxy.

Alternatively, you can run your server behind some sort of cloud
provider’s load balancer, which will implement SSL termination for you,
and you won’t have to worry about any of this. Of course, then you have
to deal with your cloud provider of choice. YMMV.

> On Sep 26, 2017, at 3:24 PM, Matthew Butterick <> wrote:
> The docs for "How do I use Apache with the Racket Web Server?"
> demonstrate how to set up proxying between Apache and the Racket web
> server within an .htaccess file. [1]
> That technique works. But only with ordinary HTTP. AFAICT it does not
> work for HTTPS.
> What's the best way to make this work over HTTPS?
> Here's the wrinkle I can't figure out: I have Let's Encrypt certs
> applied to the main server. I can feed these to the Racket web server,
> which will start up, but then the certs won't work on 'localhost'
> references.
> You could say: well why not put the Racket web server at the top
> level. OK, but then it's no longer behind Apache.
> I suppose I could put up a whole separate server, call it
> "", and run the Racket web server at the top level. Then
> get new Let's Encrypt certs for that server. Then proxy between the
> original and this one. Maybe that would work, though it seems like
> overkill.
> [1] 

You received this message because you are subscribed to the Google Groups 
"Racket Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
For more options, visit

Reply via email to