Configure https reverse proxy with multiple certificates using Apache

I have the following setup:

  • one public IP
  • 2 different domain names pointing to the same IP address: domain1.com and domain2.com
  • 2 different ssl certificates: one for domain1.com and one for domain2.com
  • 2 physical machines on the same local network (192.168.1.10 and 192.168.1.20) working with Apache2 and debian 8.5

I tested both servers, independently transmitting port 443 traffic to any of the machines. They work well.

Now I forward all requests to port 443 coming to the public IP address to the first server at 192.168.1.10, and I would like this server to act as the https server for https://domain1.com and redirect https://domain2.com to the address 192.168.1.20.

I tried setting up the reverse proxy on the first machine. It redirects requests for domain2 to the machine at 192.168.1.20, but it serves the certificate for domain1. How do I configure the reverse proxy to present the correct certificate for each of my servers?

Thank you in advance. Julia


The simplest "solution" (well, a workaround) is to use a single certificate containing both host names. If you cannot do this, you need to configure Apache SNI, for example: SSL with virtual hosts using SNI


As I said, I tried using the Apache2 reverse proxy. This works somehow, but you must install all the certificates on the Apache2 machine. Thus, traffic on the LAN is no longer https, which does not satisfy my requirement.

The solution is to use haproxy. This package can be configured as a pass-through for https. There are many examples of such applications on the Internet. It does exactly what I ask for: I can host many https servers on the LAN behind the NAT router with one public IP address. Traffic is sent by haproxy as https to the specified server on the local network. If someone is interested, I will be happy to share my configuration file, which solves exactly the problem that I asked about in my question.


Robert M: here is my configuration, to be appended to the end of the default haproxy.cfg file:

    frontend ft_https
        mode tcp
        option tcplog
        bind *:443
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        acl domain1_com req.ssl_sni -m end domain1.com     # all names ending with domain1.com
        acl domain2_com req.ssl_sni -i www.domain2.com     # exactly www.domain2.com
        use_backend b_domain1_com if domain1_com
        use_backend b_domain2_com if domain2_com
        default_backend b_default

    backend b_default
        mode tcp
        option tcplog
        server srv_default 127.0.0.1:1443

    backend b_domain1_com
        mode tcp
        option tcplog
        server srv_domain1 192.168.1.10:1443

    backend b_domain2_com
        mode tcp
        option tcplog
        server srv_domain2 192.168.1.20:443

I had to change the https port for Apache on the first server to 1443, because haproxy and Apache cannot both bind to port 443 when they run on the same machine, but this is transparent to the user.

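As an added example (not code from the question or from any of the answers above), the following Python script shows what haproxy's `req.ssl_sni` fetch actually looks at when it routes in `mode tcp`: the `server_name` extension of the plaintext TLS ClientHello. Nothing is decrypted, which is why the stream can be forwarded untouched and each backend keeps presenting its own certificate. The ClientHello bytes are constructed inline so the script runs offline; the backend names and addresses mirror the posted haproxy.cfg, and the matching rules mirror its two ACLs (suffix match for domain1.com, case-insensitive exact match for www.domain2.com). The function names are this example's own.

```python
import struct


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input (not a capture): a minimal TLS 1.2 ClientHello
    record carrying a single SNI host_name entry."""
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x11" * 32          # random (fixed so the sample is reproducible)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
        + b"\x01\x00"           # one compression method (null)
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # hello_type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the lower-cased SNI host_name from a TLS record holding a ClientHello,
    or None when the record is not a complete ClientHello or carries no SNI.
    This is the plaintext field haproxy's req.ssl_sni reads before any crypto."""
    try:
        if len(data) < 5 or data[0] != 0x16:          # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) < 4 or rec[0] != 0x01:            # req.ssl_hello_type 1 = ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hello = rec[4:4 + hs_len]
        if len(hello) < hs_len:
            return None  # truncated; haproxy keeps buffering up to inspect-delay
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + hello[pos]                         # session_id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2 + cs_len                             # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
        if pos + 2 > len(hello):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            p = 2                                     # skip server_name_list length
            while p + 3 <= len(edata):
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return edata[p:p + nlen].decode("ascii", "replace").lower()
                p += nlen
        return None
    except (IndexError, struct.error):
        return None                                   # malformed ClientHello


# Backends exactly as named and addressed in the posted haproxy.cfg.
BACKENDS = {
    "b_domain1_com": "192.168.1.10:1443",
    "b_domain2_com": "192.168.1.20:443",
    "b_default": "127.0.0.1:1443",
}


def choose_backend(sni):
    """Mirror the two ACLs: '-m end domain1.com' is a plain suffix match,
    '-i www.domain2.com' is a case-insensitive exact match; anything else
    (including a client that sends no SNI) goes to default_backend."""
    if sni is not None and sni.endswith("domain1.com"):
        return "b_domain1_com"
    if sni == "www.domain2.com":
        return "b_domain2_com"
    return "b_default"


def route(client_hello: bytes):
    """Return (backend name, backend address) for one ClientHello record."""
    name = choose_backend(extract_sni(client_hello))
    return name, BACKENDS[name]


if __name__ == "__main__":
    for host in ("www.domain1.com", "www.domain2.com", "domain2.com"):
        print(host, "->", route(build_client_hello(host)))
```

Two things the script makes visible that are worth checking against the posted config. First, `-m end domain1.com` is a bare suffix match, so a ClientHello for `notdomain1.com` also lands on b_domain1_com; matching on `.domain1.com` (with the leading dot) or on exact names closes that. Second, the second ACL is exact, so the apex name `domain2.com` is not routed to 192.168.1.20 but to b_default; add it to the ACL if that host is meant to be reachable. To verify the live setup from outside, `openssl s_client -connect <public-ip>:443 -servername www.domain2.com` should show the domain2 certificate, and the same command with `-servername www.domain1.com` the domain1 one.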
