Any cookbook recipes for: Apache+Letsencrypt+ReverseProxy

2020-10-23 Thread Tom Browder
I have a working Apache httpd server (2.4.43 with OpenSSL 1.1.1g) with
multiple virtual hosts using SNI on one IPv4, and I would like to have a
working reverse proxy behind one or more of those hosts.

I am happy to share the configuration for one of my hosts if I could get
help in adding HA Proxy into the https flow I currently have. I do have the
luxury of having available a separate physical server suitable for
experimentation with nothing being served from it at the moment, but it has
the same environment setup as the working one and any changes would not
interfere with my active sites.

I will post any successful configuration on my Github repository at <


Best regards,


Re: HAProxy and Apache reverse proxy with TLS passthrough

2020-09-03 Thread Tom Browder
On Thu, Sep 3, 2020 at 15:40 Илья Шипицин  wrote:

> seems, you are talking about SNI routing. i.e. L7 routing based on server
> name extension sent in SSL Client Helo.
> will the following work for you ?

It looks like it has a good chance.

Thank you very much

Best regards,


HAProxy and Apache reverse proxy with TLS passthrough

2020-09-02 Thread Tom Browder
I'm trying to cobble together the following https data flow:

<== public internet ==>

A. a single IPv4  Apache server with multiple virtual hosts
 identified by SNI

1. for each virtual host with its unique domain:

a.  use Apache's managed domain capability to get
 and keep current a Letsencrypt TLS cert
b.  have a reverse proxy to a backend TLS server (with
 passthrough TLS) identified by a unique port number
 on the local host

<== reverse proxy ==>

2. for each unique backend server

a.  respond to public domain https requests
b.  serve both static and dynamic content  back
to the public client


1. Each virtual host is defined in a single Apache macro.
2. I have Apache running apparently successfully up to the
ProxyPass and ProxyReverse point but cannot get a
valid connection.
3. I can get the scenario to work in a non-TLS environment.
4. The solutions I've seen with Nginx and Caddy require
 wildcard certs or unique IPs, neither of which will
 work for me in my current understanding of Apache.


1. Is this TLS scenario theoretically possible?
2. If so, can HAProxy help make it happen?
3. What are my options for the backend server?
 I have seen very little discussion of that
 except in vague terms of a "dynamic
 server" (for which I plan to use a Raku
 language server called Cro).

Thanks for any help.

Best regards,