Reverse proxying of SSL traffic

on 24.06.2002 13:53:33 by michael_pacey

Hi list,

I have a requirement to set up a reverse proxy (web accelerator) which will
accept incoming HTTP and HTTPS connections (using our Verisign credentials
on the proxy) and proxy those requests to other web servers.

The catch is I need the connection between the proxy and the web server to
be HTTPS if and only if the incoming connection to the proxy is HTTPS. I
will be using self-signed certificates on the web servers.

Apache+mod_ssl looks like it can do this with ProxyPass/ProxyPassReverse
but where do I reference the self signed certificate of the web server in
httpd.conf?

At the moment I get the following error in my browser when I try to use the
reverse proxy:

Proxy Error
The proxy server received an invalid response from an upstream server.

The proxy server could not handle the request GET /.

Reason: SSL proxy connect failed (slrsdct1.internal.standardlife.com:443):
peer 172.31.100.31:443: decryption failed or bad record mac


Thanks in advance.

Michael Pacey



For more information on Standard Life, visit our website
http://www.standardlife.com/

The Standard Life Assurance Company, Standard Life House, 30 Lothian Road,
Edinburgh EH1 2DH, is registered in Scotland (No. SZ4) and regulated by the
Financial Services Authority. Tel: 0131 225 2552 - calls may be recorded or
monitored. This confidential e-mail is for the addressee only. If received
in error, do not retain/copy/disclose it without our consent and please
return it to us. We virus scan and monitor all e-mails but are not
responsible for any damage caused by a virus or alteration by a third party
after it is sent.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Reverse proxying of SSL traffic

on 24.06.2002 16:56:06 by Philip Ravenscroft

Set up two virtual servers for the same IP, one on port 80 (with just simple
proxy rules). Confirm this works.

Then, set up a virtual server on port 443 with the same proxy stuff. You
reference the certificate file there.

Phil


RE: Reverse proxying of SSL traffic

on 24.06.2002 17:44:28 by michael_pacey

Yep, I did that and port 80 works like a dream.

When you say:

>Then, set up a virtual server on port 443 with the same proxy stuff.
>You reference the certificate file there.

this is the bit that bothers me.

Here's my virtual host:


ServerName slrsdct1.internal.standardlife.com
ErrorLog /oem/apache-mod_ssl/logs/error_log
ProxyPass / https://webserver/
ProxyPassReverse / https://webserver/
SSLEngine On
SSLCipherSuite ALL
SSLCertificateFile /oem/apache-mod_ssl/conf/ssl/revproxy.crt
SSLVerifyDepth 3
SSLCertificateKeyFile /oem/apache-mod_ssl/conf/ssl/revproxy.key


I can make an SSL connection to this virtual host; the browser indicates
that encryption is in use.
The certificate/key that the reverse proxy is using is specified by the
SSLCertificateFile and SSLCertificateKeyFile directives.

The reverse proxy should now make an SSL connection to webserver (this is
running IBM HTTPServer, IBM's packaged Apache). webserver has its own
self-signed certificate. I can make SSL connections to webserver with a
browser satisfactorily, but the browser alerts me that it doesn't trust the
certificate (because it's self-signed) and I have to click through.

I imagine that revproxy doesn't trust the certificate either, which is
causing the problem. Perhaps it's something else, but I am pretty sure I
need to tell revproxy about webserver's certificate within httpd.conf. I
can't find a suitable directive in the docs.

BTW this is Apache/1.3.24 with mod_ssl-2.8.8-1.3.24 on AIX 4.3.3

I have also been trying to do this with another proprietary product that
I'm not going to mention; it doesn't work (the supplier is working on a
fix) and I really don't like the software. I would love to prove that
Apache and mod_ssl are up to the job.

Many thanks in advance!

Michael





RE: Reverse proxying of SSL traffic

on 24.06.2002 18:36:19 by Philip Ravenscroft

> The reverse proxy should now make an SSL connection to
> webserver (this is
> running IBM HTTPServer, IBM's packaged Apache). webserver has its own
> self-signed certificate.

Out of the box, mod_proxy cannot negotiate secure connections, so it can't
connect to your backend server using https. (I don't know if anyone has
gotten this to work, though). This means that you should have the backend
proxy connect in the clear to your IBM server.

Usually this is done with the proxy in the DMZ and the other server behind
another firewall, so it is secure.

Phil
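For reference, this is how the setup Michael describes (plain backend connection for plain clients, TLS backend connection for TLS clients, backend trusted by its own self-signed certificate rather than by turning verification off) is written for a current Apache httpd 2.4 with mod_ssl, mod_proxy and mod_proxy_http, which support outbound TLS through the SSLProxy* directives. This is an added example, not configuration from the thread or from the 2002 mod_ssl release under discussion; the server names, file paths and the backend name "webserver" are assumed placeholders.

```apache
# Added example (not from the thread). Assumes mod_ssl, mod_proxy and
# mod_proxy_http are loaded and that the backend's certificate has
# "webserver" as its CN or subjectAltName. All paths/names are placeholders.

# Port 80: plain-HTTP clients get a plain-HTTP connection to the backend.
<VirtualHost *:80>
    ServerName proxy.example.internal
    ProxyPass        / http://webserver/
    ProxyPassReverse / http://webserver/
</VirtualHost>

# Port 443: TLS towards the client and TLS towards the backend.
<VirtualHost *:443>
    ServerName proxy.example.internal

    # Front-end credentials (the CA-issued certificate the proxy presents).
    SSLEngine On
    SSLCertificateFile    /etc/httpd/ssl/revproxy.crt
    SSLCertificateKeyFile /etc/httpd/ssl/revproxy.key

    # Turn on TLS for connections the proxy makes to https:// backends.
    SSLProxyEngine On

    # Trust the backend's self-signed certificate explicitly. A self-signed
    # certificate is its own issuer, so listing it as a "CA" certificate
    # makes verification succeed without disabling it (SSLProxyVerify none
    # would silently accept any certificate, including an interposer's).
    SSLProxyCACertificateFile /etc/httpd/ssl/backend-webserver.crt
    SSLProxyVerify      require
    # Depth 0 would already admit a self-signed peer; 1 leaves room for
    # moving the backend to a private CA later.
    SSLProxyVerifyDepth 1

    # Also require the certificate to match the hostname used in ProxyPass
    # and to be within its validity period.
    SSLProxyCheckPeerName   on
    SSLProxyCheckPeerExpire on

    ProxyPass        / https://webserver/
    ProxyPassReverse / https://webserver/
</VirtualHost>
```

The backend certificate file should contain only the backend's own certificate in PEM form; if the backend is re-keyed, replace that file and reload the proxy, otherwise the handshake fails closed rather than open.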




RE: Reverse proxying of SSL traffic

on 24.06.2002 19:09:23 by Merton Campbell Crockett

On Mon, 24 Jun 2002, Philip Ravenscroft wrote:

> > The reverse proxy should now make an SSL connection to
> > webserver (this is
> > running IBM HTTPServer, IBM's packaged Apache). webserver has its own
> > self-signed certificate.
>
> Out of the box, mod_proxy cannot negotiate secure connections, so it can't
> connect to your backend server using https. (I don't know if anyone has
> gotten this to work, though). This means that you should have the backend
> proxy connect in the clear to your IBM server.

Normally, one uses mod_rewrite on the exposed server to communicate with an
internal reverse proxy or the actual content server. The content returned
by the internal server can be returned using mod_proxy.

Ralf Engelschall wrote a paper on mod_rewrite in the late Nineties that
has a lot of detail on the function and use of this module. Reading the
paper is time well spent.

Nothing up this sleeve. ... Ooh! I don't know my own strength!
Bullwinkle J Moose

Merton Campbell Crockett

