Re: SSL and reverse proxy and multiple certificates/domains -- WEB400

I've tried this in the past without luck. But that was before the apache
server was able to use SNI. I haven't tried since as I want my sites to be
up. Maybe one weekend I'll give it another shot. :)

SNI - https://www.fieldexit.com/forum/display?threadid=439

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #5 <https://www.bvstools.com/mailtool.html>: Easy setup!
No confusing or obscure setup instructions, directory entries, SMTP users,
aliases or host tables. All you need is TCPIP, a connection to the internet
and you're done!

On Fri, Aug 31, 2018 at 9:11 AM Pete Helgren <pete@xxxxxxxxxx> wrote:

Actually the subject is really reverse proxy with *multiple* SSL virtual
hosts. I can get a *single* SSL virtual host working fine but, based on
what I have read about Apache and SSL AND a reverse proxy with multiple
virtual hosts, the SSL cert on the first selected domain is the one that
is used to decrypt the traffic and this end up up conflicting with other
virtual host entries (as far as I understand it).

Scenario: Reverse proxy as a front end to multiple web server
instances. Single listening IP that ALL domains resolve to. The configs
below won't be complete put will hopefully give you a flavor of the
details. Also, running V7R2 with all the latest PTF's/Groups/TR's

##### This will work but ONLY for the first site #####

Listen 10.0.10.210:80
Listen 10.0.10.210:443
......
<VirtualHost *:80>
ServerName mysite1.com
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:443>
ServerName mysite1.com
SetEnv HTTPS_PORT 443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSITE1
SSLProtocolDisable SSLv2 SSLv3
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:80>
ServerName mysite2.com
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/

</VirtualHost>

<VirtualHost *:443>
ServerName mysite2.com
SetEnv HTTPS_PORT 443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSITE2
SSLProtocolDisable SSLv2 SSLv3
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/
</VirtualHost>

With this config https://mysite1.com works fine but I get a warning on
https://mysite2.com that the site isn't secure because it is using the
certificate for mysite1.com. OK. With a bit of reading about Apache
configs, I get that you can't have two SSL certificates at the "front
end" of a reverse proxy (AFAICS) . So let's go to PLAN B:

This time I have the reverse proxy listening on port 443 but it then
passes traffic to the virtual host listening on a "secure" port that
unique to each vhost:

Listen 10.0.10.210:80
Listen 10.0.10.210:443

......

<VirtualHost *:80>
ServerName mysite1.com
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:443>
ServerName mysite1.com
ProxyPass / https://10.0.10.207:40443/
ProxyPassReverse / https://10.0.10.207:40443/
</VirtualHost>

<VirtualHost *:80>
ServerName mysite2.com
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/

</VirtualHost>

<VirtualHost *:443>
ServerName mysite2.com
ProxyPass / https://10.0.10.205:50443/
ProxyPassReverse / https://10.0.10.205:50443/
</VirtualHost>

And then at each server instance I have them listening on the designated
"secure" ports:

For mysite1.com

listen 10.0.10.207:80

listen 10.0.10.207:40443

.........

<VirtualHost *.40443>

ServerName mysite1.com
SetEnv HTTPS_PORT 40443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSITE1
SSLProtocolDisable SSLv2 SSLv3

</VirtualHost>

For mysite2.com

listen 10.0.10.205:80
listen 10.0.10.205:50443
.........

<VirtualHost *.50443>
ServerName mysite1.com
SetEnv HTTPS_PORT 50443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSITE2
SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>

I have not included many of the directives that actually serve the
resources just to simplify the post..most of this is cut and paste with
my own hacks to clean it up for a post here.

With "Plan B" I get two different responses: In Firefox I see "SSL
received a record that exceeded the maximum permissible length. Error
code: SSL_ERROR_RX_RECORD_TOO_LONG" In Chrome I see "This site can’t
provide a secure connection" and yet in the "security" tab in developer
tools I see:

This page is not secure.
Certificate - valid and trusted
The connection to this site is using a valid, trusted server certificate
issued by unknown name.
Resources - all served securely
All resources on this page are served securely.

So, I don't know what Chrome is actually complaining about.

So, have any of you skinned this cat? I think Brad Stone commented once
that he couldn't get SSL with reverse proxy to work. I can, but only
for ONE domain...the others get FUBAR'ed

--
Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.