[Cialug] Apache - SSL Proxy - Name Based VirtualHost Problem
Dave J. Hala Jr.
dave at 58ghz.net
Fri Oct 19 16:29:05 CDT 2007
I've been running 2.x here for two years without incident.
On Fri, 2007-10-19 at 16:17 -0500, David Champion wrote:
> Other than not being a default, do you have any reasons for not going to
> Apache 2.x? It's been "stable" for years. Most of the arguments against
> have been pretty well debunked. In my experience, 2.x works just fine,
> runs faster than 1.3.x, and it has some nice features like the one you
> mention below that aren't in the 1.3.x tree.
>
> -dc
>
> Claus wrote:
> > Great suggestion Chris. It sounds like you identified the problem. The
> > ProxyPass directive takes the new specified server domain name and uses
> > it in the host header. Unfortunately I'm using Apache 1.3.29 and the
> > ProxyPreserveHost directive isn't part of Apache until 2.0.31. It's the
> > default with the OpenBSD default install and so far I have tried to stay
> > with that. :(
> >
> > Rethinking the whole issue, I'll probably just use the RewriteRule on port
> > 80 and let the clients connect directly to port 8030 of the final Apache
> > server.
> >
> > Advantages:
> > - each domain can have their individual certificate
> >
> > Disadvantages:
> > - need to update firewall rules
> > - client can't easily use https:// address.
> >
> > I really thought the proxy would be a neat solution. Does anybody use
> > proxy in such a way? Should I continue considering it, and if so, are
> > there other options (aside from Apache 2.0) that I should consider?
> >
> > Claus
> >
> > On 10/19/2007 3:27 PM, chris wrote:
> > On quick glance I'd say you're losing your host header. Try adding in
> > a "ProxyPreserveHost On" in the Main Proxy and in the Second Proxy as
> > well.
> >
> > The default vhost is always the first defined vhost, so in name based
> > hosting if nothing matches, you get the first one apache found when
> > parsing the config.
> >
> > BTW, what you are doing we call real privilege separation. Rici Lake
> > recently wrote a nice howto on it here:
> > http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy
> >
> > You might find some useful stuff in it.
> >
> > cheers!
> >
> > chris at ia.gov
> >
> >
> > Claus wrote:
> >>>> I'm virtualizing the Apache servers, so each server is chrooted to its own
> >>>> directory and PHP scripts from one server can't access the other
> >>>> servers. So, on the server I'm running one main Apache instance that
> >>>> listens to the publicly accessible port 80. The other Apache instances
> >>>> listen on localhost only on their respective port (eg. 8010, 8020). To
> >>>> do this, and it does work, I use the following directives for the main
> >>>> (proxy) Apache instance:
> >>>>
> >>>> <Directory proxy:http://localhost:8010/>
> >>>> Order deny,allow
> >>>> Allow from all
> >>>> </Directory>
> >>>> <VirtualHost *:80>
> >>>> ServerName host1.example.com
> >>>> ProxyPass / http://localhost:8010/
> >>>> ProxyPassReverse / http://localhost:8010/
> >>>> </VirtualHost>
> >>>>
> >>>> <Directory proxy:http://localhost:8020/>
> >>>> Order deny,allow
> >>>> Allow from all
> >>>> </Directory>
> >>>> <VirtualHost *:80>
> >>>> ServerName host2.example.com
> >>>> ProxyPass / http://localhost:8020/
> >>>> ProxyPassReverse / http://localhost:8020/
> >>>> </VirtualHost>
> >>>>
> >>>>
> >>>> The next step was to add an SSL host, which successfully worked by
> >>>> adding these directives:
> >>>>
> >>>> <Directory proxy:http://localhost:8030/>
> >>>> SSLRequireSSL
> >>>> Order deny,allow
> >>>> Allow from all
> >>>> </Directory>
> >>>> <VirtualHost *:80>
> >>>> ServerName sslhost3.example.com
> >>>> RewriteEngine on
> >>>> RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
> >>>> </VirtualHost>
> >>>> <VirtualHost *:443>
> >>>> SSLEngine on
> >>>> ServerName sslhost3.example.com
> >>>> ProxyPass / http://localhost:8030/
> >>>> ProxyPassReverse / http://localhost:8030/
> >>>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >>>> SSLCertificateFile /etc/ssl/example.com.crt
> >>>> SSLCertificateKeyFile /etc/ssl/private/example.com.key
> >>>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> >>>> </VirtualHost>
> >>>>
> >>>>
> >>>> Now I want to add another SSL host. I know that each SSL host needs to
> >>>> have its own unique IP and port pair. This is due to the fact that SSL
> >>>> encryption needs to happen before the hostname is disclosed to the
> >>>> server. That's why name based virtual hosting doesn't work.
> >>>> However, with the proxy I thought I could do the following:
> >>>>
> >>>> 1. Main Proxy Server
> >>>> Accepts connections on ports 80 and 443. Proxies port 80 as
> >>>> usual but forwards port 443 to the second proxy server in clear text.
> >>>>
> >>>> 2. Second Proxy Server
> >>>> Now that the incoming traffic is not encrypted the name based
> >>>> VirtualHost directive should work.
> >>>>
> >>>> So I envisioned the directives to be:
> >>>>
> >>>> <VirtualHost *:80>
> >>>> ServerName sslhost3.example.com
> >>>> RewriteEngine on
> >>>> RewriteRule ^/(.*) https://sslhost3.example.com/$1 [L,R]
> >>>> </VirtualHost>
> >>>> <VirtualHost *:80>
> >>>> ServerName sslhost4.example.com
> >>>> RewriteEngine on
> >>>> RewriteRule ^/(.*) https://sslhost4.example.com/$1 [L,R]
> >>>> </VirtualHost>
> >>>>
> >>>> # Main Proxy Server
> >>>> <Directory proxy:http://localhost:44344/>
> >>>> SSLRequireSSL
> >>>> Order deny,allow
> >>>> Allow from all
> >>>> </Directory>
> >>>> <VirtualHost *:443>
> >>>> SSLEngine on
> >>>> ServerName sslhost3.example.com
> >>>> ServerAlias sslhost4.example.com
> >>>> ProxyPass / http://localhost:44344/
> >>>> ProxyPassReverse / http://localhost:44344/
> >>>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >>>> SSLCertificateFile /etc/ssl/example.com.crt
> >>>> SSLCertificateKeyFile /etc/ssl/private/example.com.key
> >>>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> >>>> </VirtualHost>
> >>>>
> >>>> # Second Proxy Server
> >>>> <Directory proxy:http://localhost:8030/>
> >>>> Order deny,allow
> >>>> Allow from all
> >>>> </Directory>
> >>>> <VirtualHost *:44344>
> >>>> SSLEngine on
> >>>> ServerName sslhost3.example.com
> >>>> ProxyPass / http://localhost:8030/
> >>>> ProxyPassReverse / http://localhost:8030/
> >>>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >>>> SSLCertificateFile /etc/ssl/example.com.crt
> >>>> SSLCertificateKeyFile /etc/ssl/private/example.com.key
> >>>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> >>>> </VirtualHost>
> >>>>
> >>>> <Directory proxy:http://localhost:8040/>
> >>>> Order deny,allow
> >>>> Allow from all
> >>>> </Directory>
> >>>> <VirtualHost *:44344>
> >>>> SSLEngine on
> >>>> ServerName sslhost4.example.com
> >>>> ProxyPass / http://localhost:8040/
> >>>> ProxyPassReverse / http://localhost:8040/
> >>>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >>>> SSLCertificateFile /etc/ssl/example.com.crt
> >>>> SSLCertificateKeyFile /etc/ssl/private/example.com.key
> >>>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> >>>> </VirtualHost>
> >>>>
> >>>> So far I haven't gotten this to work. Whatever I do it seems to pick
> >>>> the first VirtualHost listed, seemingly ignoring the ServerName. At the
> >>>> point of processing the port 44344 request no encryption should hinder
> >>>> the name based VirtualHost resolution, right? Is there anything I'm
> >>>> overlooking?
> >>>>
> >>>> Claus
> >>>>
> >>>> PS: I'm aware of the mismatch between the SSL certificate and the domain
> >>>> names. At this point I'm not concerned about it.
> >>>> _______________________________________________
> >>>> Cialug mailing list
> >>>> Cialug at cialug.org
> >>>> http://cialug.org/mailman/listinfo/cialug
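The Host-header behaviour that chris diagnoses above, as an added example that is not part of any message in this thread and is not Apache code: a small Python model of name-based VirtualHost selection (the first vhost defined for a port is the default when nothing matches) and of what ProxyPass does to the Host header with and without ProxyPreserveHost. The vhost names and the port 44344 come from Claus's configuration; the two behaviours are modelled from Apache's documented semantics, everything else is my own simplification. The point for anyone running this kind of privilege-separated setup is that the fallback is silent: a request whose Host header no longer matches is served by the first tenant's backend rather than rejected, so the first thing to verify is which Host value the backend actually receives (for example by logging %{Host}i on the backend instance).

```python
"""Model of name-based VirtualHost selection behind a ProxyPass.

Added example for the Cialug thread; not code from the thread or from Apache
httpd.  It models two behaviours the thread relies on:

  * mod_proxy sends the hostname from the ProxyPass URL as the Host header
    unless ProxyPreserveHost is On (a directive added in Apache 2.0.31).
  * Name-based vhost lookup falls back to the first VirtualHost defined for
    that address:port when no ServerName or ServerAlias matches.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class VirtualHost:
    port: int
    server_name: str
    aliases: tuple = ()

    def matches(self, host_header: str) -> bool:
        # Apache compares the Host header against ServerName/ServerAlias
        # case-insensitively and ignores a trailing :port.
        name = host_header.split(":", 1)[0].lower()
        if name == self.server_name.lower():
            return True
        return any(name == alias.lower() for alias in self.aliases)


def select_vhost(vhosts, port, host_header):
    """Return the vhost Apache would serve for a request arriving on `port`
    with the given Host header; the first vhost on that port is the default."""
    candidates = [v for v in vhosts if v.port == port]
    if not candidates:
        raise LookupError(f"no VirtualHost listens on port {port}")
    for vhost in candidates:
        if vhost.matches(host_header):
            return vhost
    return candidates[0]  # silent fallback: first vhost found in the config


def proxied_host_header(client_host, proxypass_target, preserve_host):
    """Host header the backend receives after ProxyPass.  Without
    ProxyPreserveHost, mod_proxy substitutes the ProxyPass URL's host:port."""
    if preserve_host:
        return client_host
    return urlparse(proxypass_target).netloc


# Constructed from the "Second Proxy Server" block in Claus's mail:
SECOND_PROXY = (
    VirtualHost(44344, "sslhost3.example.com"),
    VirtualHost(44344, "sslhost4.example.com"),
)

# Constructed from the "Main Proxy Server" block (ServerAlias for sslhost4):
MAIN_PROXY = (
    VirtualHost(443, "sslhost3.example.com", ("sslhost4.example.com",)),
)


def backend_vhost_for(client_host, preserve_host):
    """Name of the second-proxy vhost that ends up serving a request the
    client sent for `client_host` via the main proxy's ProxyPass."""
    front = select_vhost(MAIN_PROXY, 443, client_host)   # always the *:443 vhost
    assert front.server_name == "sslhost3.example.com"
    host = proxied_host_header(client_host, "http://localhost:44344/", preserve_host)
    return select_vhost(SECOND_PROXY, 44344, host).server_name


if __name__ == "__main__":
    for preserve in (False, True):
        for client_host in ("sslhost3.example.com", "sslhost4.example.com"):
            served = backend_vhost_for(client_host, preserve)
            print(f"ProxyPreserveHost {'On ' if preserve else 'Off'}: "
                  f"client asked for {client_host:22} -> backend serves {served}")
```

Run stand-alone it prints four lines: with ProxyPreserveHost Off both names reach the backend as `localhost:44344`, match nothing, and are served by sslhost3 (the first vhost), which is exactly the symptom Claus reports; with it On, sslhost4 is selected by name. On Apache 1.3 the directive is unavailable, so the same check applies in reverse: the backend's access log will show the Host header the proxy rewrote, not the one the client sent.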