[Cialug] Apache - SSL Proxy - Name Based VirtualHost Problem
Claus
cniesen at gmx.net
Fri Oct 19 14:36:43 CDT 2007
I'm virtualizing the Apache servers, so each server is chrooted to its own
directory and PHP scripts from one server can't access the other
servers. So, on the server I'm running one main Apache instance that
listens on the publicly accessible port 80. The other Apache instances
listen on localhost only, each on its respective port (e.g. 8010, 8020). To
do this, and it does work, I use the following directives for the main
(proxy) Apache instance:
<Directory proxy:http://localhost:8010/>
  Order deny,allow
  Allow from all
</Directory>

<VirtualHost *:80>
  ServerName host1.example.com
  ProxyPass / http://localhost:8010/
  ProxyPassReverse / http://localhost:8010/
</VirtualHost>

<Directory proxy:http://localhost:8020/>
  Order deny,allow
  Allow from all
</Directory>

<VirtualHost *:80>
  ServerName host2.example.com
  ProxyPass / http://localhost:8020/
  ProxyPassReverse / http://localhost:8020/
</VirtualHost>
The next step was to add an SSL host, which successfully worked by
adding these directives:
<Directory proxy:http://localhost:8030/>
  SSLRequireSSL
  Order deny,allow
  Allow from all
</Directory>

<VirtualHost *:80>
  ServerName sslhost3.example.com
  RewriteEngine on
  RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  ServerName sslhost3.example.com
  ProxyPass / http://localhost:8030/
  ProxyPassReverse / http://localhost:8030/
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/ssl/example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/example.com.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
Now I want to add another SSL host. I know that each SSL host needs to
have its own unique IP and port pair. This is due to the fact that SSL
encryption needs to happen before the hostname is disclosed to the
server. That's why name based virtual hosting doesn't work.

However, with a proxy I thought I could do the following:

1. Main Proxy Server
   Accepts connections on ports 80 and 443. Proxies port 80 as
   usual but forwards port 443 to the second proxy server in clear text.
2. Second Proxy Server
   Now that the incoming traffic is not encrypted, the name based
   VirtualHost directive should work.

So I envisioned the directives to be:
<VirtualHost *:80>
  ServerName sslhost3.example.com
  RewriteEngine on
  RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
</VirtualHost>

<VirtualHost *:80>
  ServerName sslhost4.example.com
  RewriteEngine on
  RewriteRule ^/(.*) https://sslhost4.example.com/$1 [L,R]
</VirtualHost>

# Main Proxy Server
<Directory proxy:http://localhost:44344/>
  SSLRequireSSL
  Order deny,allow
  Allow from all
</Directory>

<VirtualHost *:443>
  SSLEngine on
  ServerName sslhost3.example.com
  ServerAlias sslhost4.example.com
  ProxyPass / http://localhost:44344/
  ProxyPassReverse / http://localhost:44344/
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/ssl/example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/example.com.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

# Second Proxy Server
<Directory proxy:http://localhost:8030/>
  Order deny,allow
  Allow from all
</Directory>

<VirtualHost *:44344>
  SSLEngine on
  ServerName sslhost3.example.com
  ProxyPass / http://localhost:8030/
  ProxyPassReverse / http://localhost:8030/
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/ssl/example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/example.com.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>

<Directory proxy:http://localhost:8040/>
  Order deny,allow
  Allow from all
</Directory>

<VirtualHost *:44344>
  SSLEngine on
  ServerName sslhost4.example.com
  ProxyPass / http://localhost:8040/
  ProxyPassReverse / http://localhost:8040/
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /etc/ssl/example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/example.com.key
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
</VirtualHost>
So far I haven't gotten this to work. Whatever I do, it seems to pick
the first VirtualHost listed, seemingly ignoring the ServerName. At the
point of processing the port 44344 request no encryption should hinder
the name based VirtualHost resolution, right? Is there anything I'm
overlooking?
Claus
PS: I'm aware of the mismatch between the SSL certificate and the domain
names. At this point I'm not concerned about it.
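The following is an added example, not the configuration from the post, of how the same two-tier layout can be written so that the clear-text second tier selects its VirtualHost by name. It assumes Apache 2.2 with mod_proxy, mod_headers, mod_rewrite and mod_ssl loaded, the same hostnames, ports and certificate paths as the post, and uses the 2.x <Proxy> container for what the post writes as <Directory proxy:...>. Two behaviours of mod_proxy decide whether name-based selection can work behind a proxy: by default ProxyPass rewrites the Host header to the hostname of the backend it connects to (here localhost), so the second tier never sees sslhost3 or sslhost4 unless ProxyPreserveHost is on; and in 2.2 a port is only matched by name after a NameVirtualHost declaration for it. The second tier also carries no SSLEngine, because what arrives on 44344 is plain HTTP. The cipher string is replaced with one that excludes the null, export, LOW and SSLv2 grades that the string in the post enables.

```apache
# ---- Tier 1: public proxy, terminates TLS (added example, not the post's config) ----
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
  ServerName sslhost3.example.com
  RewriteEngine on
  RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R=301]
</VirtualHost>

<VirtualHost *:80>
  ServerName sslhost4.example.com
  RewriteEngine on
  RewriteRule ^/(.*) https://sslhost4.example.com/$1 [L,R=301]
</VirtualHost>

<Proxy http://localhost:44344/>
  SSLRequireSSL
  Order deny,allow
  Allow from all
</Proxy>

<VirtualHost *:443>
  SSLEngine on
  ServerName sslhost3.example.com
  ServerAlias sslhost4.example.com
  SSLCertificateFile /etc/ssl/example.com.crt
  SSLCertificateKeyFile /etc/ssl/private/example.com.key
  # Exclude the grades the post's suite string turns on (eNULL, EXP, LOW, SSLv2)
  SSLProtocol all -SSLv2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!MD5
  # Pass the client's Host header through unchanged; without this the
  # second tier receives "Host: localhost" and falls back to its first VirtualHost
  ProxyPreserveHost On
  # Let the clear-text tiers know the original request was HTTPS
  RequestHeader set X-Forwarded-Proto "https"
  ProxyPass / http://localhost:44344/
  ProxyPassReverse / http://localhost:44344/
</VirtualHost>

# ---- Tier 2: clear-text name-based dispatcher, loopback only ----
Listen 127.0.0.1:44344
NameVirtualHost *:44344

<Proxy http://localhost:8030/>
  Order deny,allow
  Allow from all
</Proxy>

<VirtualHost *:44344>
  # No SSLEngine: tier 1 already decrypted, this port speaks plain HTTP
  ServerName sslhost3.example.com
  ProxyPreserveHost On
  ProxyPass / http://localhost:8030/
  ProxyPassReverse / http://localhost:8030/
</VirtualHost>

<Proxy http://localhost:8040/>
  Order deny,allow
  Allow from all
</Proxy>

<VirtualHost *:44344>
  ServerName sslhost4.example.com
  ProxyPreserveHost On
  ProxyPass / http://localhost:8040/
  ProxyPassReverse / http://localhost:8040/
</VirtualHost>
```

`httpd -S` (or `apachectl -S`) prints the parsed VirtualHost table per address:port and shows whether 44344 is being treated as name-based or as a single default host, which is the quickest check for the "always the first VirtualHost" symptom. The port-80 redirects keep literal hostnames rather than %{HTTP_HOST} so a request with an arbitrary Host header that lands in the default VirtualHost cannot be bounced to a host of the client's choosing. Tier 2 and the chrooted instances are bound to 127.0.0.1 so the decrypted hop never leaves the machine; if the backends on 8030/8040 build absolute URLs or set cookies, have them honour X-Forwarded-Proto so they do not emit http:// links or non-secure cookies for what was an HTTPS request.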