Problems with a self-signed certificate behind the Apache reverse proxy?

I understand that this topic has been discussed in several older posts, especially Will a self-signed certificate work for the reverse Apache proxy? posted by @Ryan

I ran into the same problem but could not get around it. I have Apache 2.4.12 installed as a reverse proxy in front of the Oracle HTTP server. I have valid certificates on the proxy server, but I myself signed the certificates on the Oracle HTTP server. The goal is to do https all the way, but whenever the browser enters myhost.domain, it will issue a certificate warning (due to self-signed certificates). The presence of authentic certificates on the Oracle HTTP server is not an option, and user browsers are limited and therefore cannot ignore the self-signed certificate warning.

Here is my virtual host


    LogLevel ERROR
    ServerName myhost.domain
    ServerAlias xxx.xxx.xxx.xx
    DocumentRoot D:/xyz/pubdocs
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile certs/myserver.crt
    SSLCertificateKeyFile certs/myserver.key
    SSLCertificateChainFile certs/myserver_chain.crt
    SSLProxyCACertificateFile certs/my_self_signed.pem
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLProtocol -all +TLSv1
    SSLProxyProtocol +SSLv3 +TLSv1 +TLSv1.1
    #SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:RC4+RSA:+HIGH:+MEDIUM
    ErrorLog "logs/abc-error.log"
    CustomLog "logs/abc-access.log" cert
    ProxyRequests Off
    # IE compatibility
    Header set X-UA-Compatible "IE=EmulateIE8"
    # Prevent page from being loaded within an IFrame (Cross-Frame Scripting protection)
    Header always append X-Frame-Options SAMEORIGIN
    # Prevent mime sniffing exploit; disabled because it breaks PEM Popup image rendering
    # Header set X-Content-Type-Options nosniff
    # Disable caching
    Header set Cache-Control "no-cache, must-revalidate, private"
    # Enable X-XSS-Protection (header name takes no trailing colon)
    Header set X-XSS-Protection "1; mode=block"
    ProxyPass / https://myhost.domain/
    ProxyPassReverse / https://myhost.domain/

It seems that using multiple directives works for many people, but it doesn't work for me:

    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

Is there anything else that I am missing?

Any help is appreciated.

Thanks, Raj

1 answer

It seems that the error is not completely related to the proxy. The configuration is not entirely clear. I assume that there are the following three machines:

  1. "laptop" - you
  2. "proxy" - where Apache runs with your conf
  3. "oracle" - with an arbitrary web server

I also assume that all DNS domains are "proxied" and that the rest of the machines are accessed by IP address.

The certification path that you see in the browser is only between the "laptop" and the "proxy". If you see the wrong certificate from the browser, this means that the "proxy" could not authenticate with the "laptop". If the "oracle" cannot identify itself with the "proxy server", the connection will be disconnected immediately, which will lead to error 502.

So what to do next:

  • Check the certificate from the browser. See whose certificate it is.
  • If this comes from the oracle, it means that you are not sending the request at all. Make sure your DNS records are targeted to the proxy machine.
  • If it comes from a proxy, but the browser is suitable for the wrong CN, you need to create a certificate that also includes the oracle domain and put it on the proxy machine.

If none of this works, try to figure out at what point the following script does not work:

  1. The laptop queries DNS for "oracle.domain.com".
  2. DNS returns the IP address of the computer with the proxy server, and the laptop sends the request.
  3. The proxy authenticates itself to you as the oracle.domain.com service provider.
  4. At this point, you get a green lock icon in your browser.
  5. The proxy resolves the IP address of the oracle and sends the request.
  6. The oracle authenticates to the proxy with its self-signed certificate.
  7. Content is returned from the oracle through the proxy to you.

In addition, you must enable 'SSLProxyVerify require' to make your configuration at least a bit secure.

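The "check the certificate from the browser" step above, as an added diagnostic script that is not part of the original thread: it fetches the leaf certificate served at an address for a given SNI name and classifies it the way the answer does (self-signed means the backend answered directly, a CA-signed cert with the wrong CN means the proxy answered with a certificate that lacks that name). It assumes `openssl` is on PATH and only compares the CN, not the SAN list.

```shell
#!/bin/sh
# Diagnostic helper (constructed example, not from the thread above).
# Tells you which of the answer's three cases you are in.

# Print "subject=..." and "issuer=..." of the leaf certificate that
# host:port serves when the client asks for $3 via SNI.
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

# Extract the CN value from a DN in either OpenSSL print format
# ("C = US, CN = x" or "/C=US/CN=x").
cn_of() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# classify_cert SUBJECT_LINE ISSUER_LINE EXPECTED_NAME
# Echoes one of: self-signed | wrong-name | ok
classify_cert() {
    subj_dn=${1#subject=}
    iss_dn=${2#issuer=}
    if [ "$subj_dn" = "$iss_dn" ]; then
        # Subject equals issuer: a self-signed cert, i.e. the backend
        # ("oracle") answered you directly; DNS likely bypasses the proxy.
        echo self-signed
    elif [ "$(cn_of "$subj_dn")" != "$3" ]; then
        # CA-signed but for another name: the proxy answered, but its
        # certificate does not carry the name the browser asked for.
        echo wrong-name
    else
        echo ok
    fi
}

# Usage: ./check_front.sh myhost.domain 443 myhost.domain
if [ $# -eq 3 ]; then
    leaf=$(fetch_leaf "$1" "$2" "$3")
    subject=$(printf '%s\n' "$leaf" | grep '^subject=')
    issuer=$(printf '%s\n' "$leaf" | grep '^issuer=')
    echo "resolved: $(getent hosts "$1" 2>/dev/null || echo unknown)"
    echo "$subject"
    echo "$issuer"
    echo "verdict: $(classify_cert "$subject" "$issuer" "$3")"
fi
```

Run it against the name the browser types first; if the verdict is "self-signed", fix DNS before touching any SSLProxy* directive.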
