SSL proxy

I have several web servers currently that all have the same IP, but
different host names, and I have an apache that uses mod_proxy to direct
requests to the correct internal server to process the request.

I would like to use my apache proxy server to provide SSL encryption and
decryption, and not have to have each individual server do that.

Is that possible?

I have worked with virtual host configuration, and I have tried to set up
the ssl stuff so that this will work, but so far I have not been successful.

I have tried to search for this, but the closest I have come is proxy to an
ssl server. I want to have the proxy server do the ssl stuff for me.

Can anyone provide instructions or links?

Thanks.


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

nrssl@thepinc.com a =E9crit :
> I have several web servers currently that all have the same IP, but
> different host names, and I have an apache that uses mod_proxy to direc=
t
> requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption an=
d
> decryption, and not have to have each individual server do that.
>
> Is that possible?
> =20
Apparently, understanding what you want to do, it's possible.

It might depend on Apache / modssl versions

One of the best way is doing encrypted HTTPS between client and proxy=20
and clear HTTP between proxy and real server.
You can also do encrypted HTTPS between proxy and real server, just=20
adding some Apache configuration
..
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

------=_Part_1643_11818968.1215761439822
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

How is it possible? By definition SSL does not allow different host names o=
n
the same IP:PORT.
Or is there something I'm missing?




> ---------- Forwarded message ----------
> From: Gilles Cuesta (Gmail)
> Date: Thu, Jul 10, 2008 at 10:38 PM
> Subject: Re: SSL proxy
> To: modssl-users@modssl.org
>
>
> nrssl@thepinc.com a =E9crit :
>
>> I have several web servers currently that all have the same IP, but
>> different host names, and I have an apache that uses mod_proxy to direct
>> requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption and
>> decryption, and not have to have each individual server do that.
>>
>> Is that possible?
>>
>>
> Apparently, understanding what you want to do, it's possible.
>
> It might depend on Apache / modssl versions
>
> One of the best way is doing encrypted HTTPS between client and proxy and
> clear HTTP between proxy and real server.
> You can also do encrypted HTTPS between proxy and real server, just addin=
g
> some Apache configuration
>
> .
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
>

------=_Part_1643_11818968.1215761439822
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">

---------- Forwarded message ----------
From:=
Gilles Cuesta (Gmail) < lto:gilles.cuesta@gmail.com" target=3D"_blank">gilles.cuesta@gmail.com&=
gt;

Date: Thu, Jul 10, 2008 at 10:38 PM
Subject: Re: SSL proxy
To: f=3D"mailto:modssl-users@modssl.org" target=3D"_blank">modssl-users@modssl.=
org


n=
rssl@thepinc.com a =E9crit :=20

pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">I have several web s=
ervers currently that all have the same IP, but
different host names, an=
d I have an apache that uses mod_proxy to direct

requests to the correct internal server to process the request.

I wo=
uld like to use my apache proxy server to provide SSL encryption and
dec=
ryption, and not have to have each individual server do that.

Is tha=
t possible?

 

Apparently, understanding what you want to do,=
it's possible.

It might depend on Apache / modssl versions
<=
br>One of the best way is doing encrypted HTTPS between client and proxy an=
d clear HTTP between proxy and real server.

You can also do encrypted HTTPS between proxy and real server, just adding =
some Apache configuration=20

.
____________________________________________________________ _=
_________
Apache Interface to OpenSSL (mod_ssl)       &nb=
sp;           arget=3D"_blank">www.modssl.org
User Support Mailing List   &nb=
sp;                   =3D"mailto:modssl-users@modssl.org" target=3D"_blank">modssl-users@modssl.o=
rg

Automated List Manager               &nb=
sp;             dssl.org" target=3D"_blank">majordomo@modssl.org

<=
br>

Re: SSL proxy

nrssl@thepinc.com schrieb:
> I have several web servers currently that all have the same IP, but
> different host names, and I have an apache that uses mod_proxy to direct
> requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption and
> decryption, and not have to have each individual server do that.
>
> Is that possible?
>
> I have worked with virtual host configuration, and I have tried to set up
> the ssl stuff so that this will work, but so far I have not been successful.
>
> I have tried to search for this, but the closest I have come is proxy to an
> ssl server. I want to have the proxy server do the ssl stuff for me.

Hi,

you can not use SSL with virtual hosting, see
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

You'll have to get a dedicated ip for every single ssl host. You could
play around with one ssl proxy on your single ip with a common name
and do some rewriting according to an url praefix matching the secure
parts of your backend virtual hosts; decide yourself if this config
work is worth it.

Regards

Eckard
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig8322AB6A12A6E359CC37AD8F
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

Eckard Wille a =E9crit :
> nrssl@thepinc.com schrieb:
>> I have several web servers currently that all have the same IP, but
>> different host names, and I have an apache that uses mod_proxy to dire=
ct
>> requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption a=
nd
>> decryption, and not have to have each individual server do that.
>>
>> Is that possible?
>>
>> I have worked with virtual host configuration, and I have tried to=20
>> set up
>> the ssl stuff so that this will work, but so far I have not been=20
>> successful.
>>
>> I have tried to search for this, but the closest I have come is proxy =

>> to an
>> ssl server. I want to have the proxy server do the ssl stuff for me.
>
> Hi,
>
> you can not use SSL with virtual hosting, see=20
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
> You'll have to get a dedicated ip for every single ssl host. You could =

> play around with one ssl proxy on your single ip with a common name=20
> and do some rewriting according to an url praefix matching the secure=20
> parts of your backend virtual hosts; decide yourself if this config=20
> work is worth it.
I thought that using wildcard or multi-cn certificates will work ?
In this case, only one certificate is needeed for a range of Vhost

--=20
Gilles CUESTA - Logiciels Libres
69139920



--------------enig8322AB6A12A6E359CC37AD8F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIdxOR545quQSHen8RAs2UAKDTpfXdP7oojVv2cN2NJ8mOLhajTgCe J0ID
Z09jBS0mqyjDumkRoPmHoBc=
=TFva
-----END PGP SIGNATURE-----

--------------enig8322AB6A12A6E359CC37AD8F--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

Cuesta Gilles schrieb:
> I thought that using wildcard or multi-cn certificates will work ?

No.

> In this case, only one certificate is needeed for a range of Vhost

If you only have one ip this won't make things better because virtual
hosting is still not possible. Wildcard certs do not enable vHosting
because the ssl handshake still takes place before the http host
header can be evaluated. They were offered by CAs to make it easier
for admins so they wouldn't have to fiddle around with dozens of certs
and their validity management in a masshosting environment or for
subdomains.

Eckard
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig3FD21A20A2BD020081B2FC37
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable

Eckard Wille a =E9crit :
> Cuesta Gilles schrieb:
>> I thought that using wildcard or multi-cn certificates will work ?
>
> No.
>
>> In this case, only one certificate is needeed for a range of Vhost
>
> If you only have one ip this won't make things better because virtual=20
> hosting is still not possible. Wildcard certs do not enable vHosting=20
> because the ssl handshake still takes place before the http host=20
> header can be evaluated. They were offered by CAs to make it easier=20
> for admins so they wouldn't have to fiddle around with dozens of certs =

> and their validity management in a masshosting environment or for=20
> subdomains.
>

So what about this ?
"*MULTIPLE CN (SAN) SERVER CERTIFICATES*

This type of certificate (also called /Subject Alternative Name/ (SAN) ) =

enables to secure not only one website but a large number of sites (a=20
list of sites) hosted on a shared infrastructure (server with multiple=20
names, reverse proxy). Ideal to secure multiple brands of a corporation. =

One certificate per hardware is required."

http://www.tbs-certificats.com/index.html.en

--=20
Gilles CUESTA - Logiciels Libres
69139920



--------------enig3FD21A20A2BD020081B2FC37
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIdzmS545quQSHen8RAha4AKCVFSOS7NlxqUKMdHC9uI+Df3tlZACg kPyQ
W/Q8R0u54ICG9FsBnrO/JPY=
=/rrm
-----END PGP SIGNATURE-----

--------------enig3FD21A20A2BD020081B2FC37--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

Cuesta Gilles schrieb:
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>
> This type of certificate (also called /Subject Alternative Name/ (SAN) )
> enables to secure not only one website but a large number of sites (a
> list of sites) hosted on a shared infrastructure (server with multiple
> names, reverse proxy). Ideal to secure multiple brands of a corporation.
> One certificate per hardware is required."

This only means that one host can have several names by configuring
ServerName and ServerAlias, but does not enable virtual hosting.

Eckard
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

Eckard Wille schrieb:
> Cuesta Gilles schrieb:
>> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>>
>> This type of certificate (also called /Subject Alternative Name/ (SAN)
>> ) enables to secure not only one website but a large number of sites
>> (a list of sites) hosted on a shared infrastructure (server with
>> multiple names, reverse proxy). Ideal to secure multiple brands of a
>> corporation. One certificate per hardware is required."
>
> This only means that one host can have several names by configuring
> ServerName and ServerAlias, but does not enable virtual hosting.

Hi Cuesta,

with some tricks you could achive your goal by using the preconditions
of mod_rewrite rules. If your ssl proxy has one single host entry with
such a multi-named cert, it may be possible to rewrite via proxy after
a look at the host header:

RewriteEngine on
RewriteCond %{HTTP_HOST} www.vhost1.com
RewriteRule ^/(.*) www.internal.http.vhost1.com/$1 [P]

RewriteCond %{HTTP_HOST} www.vhost2.com
RewriteRule ^/(.*) www.internal.http.vhost2.com/$1 [P]

If this works for you depends also on the backend webapps, for example
if they are capable of running behind a reverse proxy with a different
http schema (HTTP<->HTTPS, servername references in html, internal
redirects...).

Good luck

Eckard
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL proxy

It seem like you might be confusing "shared infrastructure" with
"single ip". As others have said, you need a distinct address for each
SSL-enabled httpd or proxy, although they can reside on the same hardware.

A good example of this is the typical configuration for larger server
farms. You find multiple High Availability load balancers in the DMZ for
both http and https using something like ha/keepalived for linux. These
proxy the incoming request back into private address space. The SSL
proxies terminate the SSL connection and broker the request on behalf of
the user and everything goes to the private address space in plain http.
This allows each of the _real_ webservers to achieve better
performance since the SSL overhead is not present.

While you can use Apache as an SSL-terminating proxy, I find I get
better performance, lower memory utilization and easier configuration
using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
multiple public IP addresses floating between several hosts and pound
binds https to those addresses.

Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:
> So what about this ?
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>
> This type of certificate (also called /Subject Alternative Name/ (SAN) )
> enables to secure not only one website but a large number of sites (a
> list of sites) hosted on a shared infrastructure (server with multiple
> names, reverse proxy). Ideal to secure multiple brands of a corporation.
> One certificate per hardware is required."
>
> http://www.tbs-certificats.com/index.html.en
>
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

--NextPart_Webmail_9m3u9jl4l_22034_1216059012_0
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

stop stop sending me=20
this bs , i have no idea who are you !!!!
stop !!!!!!!!!!!!!!!
-------------- Original message from Dave Paris : ---=
-----------=20


> It seem like you might be confusing "shared infrastructure" with=20
> "single ip". As others have said, you need a distinct address for each=20
> SSL-enabled httpd or proxy, although they can reside on the same hardwa=
re.=20
>=20
> A good example of this is the typical configuration for larger server=20
> farms. You find multiple High Availability load balancers in the DMZ fo=
r=20
> both http and https using something like ha/keepalived for linux. These=
=20
> proxy the incoming request back into private address space. The SSL=20
> proxies terminate the SSL connection and broker the request on behalf o=
f=20
> the user and everything goes to the private address space in plain http=
..=20
> This allows each of the _real_ webservers to achieve better=20
> performance since the SSL overhead is not present.=20
>=20
> While you can use Apache as an SSL-terminating proxy, I find I get=20
> better performance, lower memory utilization and easier configuration=20
> using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have=20
> multiple public IP addresses floating between several hosts and pound=20
> binds https to those addresses.=20
>=20
> Hope that adds a bit of additional clarity,=20
> Dave=20
>=20
> Cuesta Gilles sent forth:=20
> > So what about this ?=20
> > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*=20
> >=20
> > This type of certificate (also called /Subject Alternative Name/ (SAN=
) )=20
> > enables to secure not only one website but a large number of sites (a=
=20
> > list of sites) hosted on a shared infrastructure (server with multipl=
e=20
> > names, reverse proxy). Ideal to secure multiple brands of a corporati=
on.=20
> > One certificate per hardware is required."=20
> >=20
> > http://www.tbs-certificats.com/index.html.en=20
> >=20
> ____________________________________________________________ __________=20
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org=20
> User Support Mailing List modssl-users@modssl.org=20
> Automated List Manager majordomo@modssl.org=20

--NextPart_Webmail_9m3u9jl4l_22034_1216059012_0
Content-Type: multipart/related; boundary="NextPart_Webmail_9m3u9jl4l_22034_1216059012_1"


--NextPart_Webmail_9m3u9jl4l_22034_1216059012_1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable