× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Took a little "hack a here, hack a there" but I NOW have two sites that are secured by a front-end reverse proxy by different LetsEncrypt certificates, one that is a wildcard.  SNI was the key.   My original attempt was close...ONE directive was wrong....

So, the original scenario was you had a single IHS on IBM i server instance that handles all your web traffic on a single internal IP.  Getting that to work really comes down to virtual host entries using named virtual hosts.  Further, in my particular case, my virtual hosts point "back"  to other instances running on different internal IP's and ports which allows me to bounce the instances rather than my reverse proxy if I need to do some maintenance.  Grabbing the examples from the Redbook and making a few modifications to help with understanding, here is the narrative:

For those who flag this as TL;DR,  the short version is:  Use the SSLServerCert directive in your reverse proxy vhost sections to point each virtual host to the correct certificate.  You'll find the Certificate labels in DCM (View Certificate).  If you have a space in the label name, use the label name with quotes around it.

For THIS example:  The reverse proxy listens for requests coming in on a particular IP and port.  It listens on both port 80 and 443 on the reverse proxy instance.  The vhost instance for the example1.com domain listens on IP 10.0.10.207 at port 4080 and the vhost instance for the example2.com domain listens on IP 10.0.10.205 at port 5080.  While there are two vhost *entries* in the reverse proxy for each domain, port 80 and port 443, you only need ONE vhost *instance* running at whatever IP/port combination you need.  BOTH the port 80 and the port 443 vhost entries point to the same vhost *instance*.  So here is the "essentials" of the configuration:

### Reverse Proxy  ####
LoadModule directives here......

Listen MYInternalIP:80
Listen MYInternalIP:443

# Entries Virtual host 1

<VirtualHost *:80>
ServerName www.example1.com
ProxyPreserveHost On
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:443>
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_APACHE1
ServerName www.example1.com
SSLServerCert "Example 1 cert"
ProxyPreserveHost On
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>


# Virtual host 2

<VirtualHost *:80>
ServerName www.example2.com
ProxyPreserveHost On
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/
</VirtualHost>

<VirtualHost *:443>
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_APACHE2
ServerName www.example2.com
SSLServerCert "Example 2 cert"
ProxyPreserveHost On
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/
</VirtualHost>


### Separate *instances* for virtual hosts  ####
## EXAMPLE1 domain instance

Again, LoadModule, SetEnvIf, LogFormat, etc directives......

Listen 10.0.10.207:4080
DocumentRoot /www/example1/htdocs/blog

RewriteEngine on

ErrorLog logs/example1.log

<Directory />
   Require all denied
</Directory>

<Directory /www/example1/htdocs/blog >
     Order Allow,Deny
     Allow From all
</Directory>

<Directory /www/example1/htdocs>
   Require all granted
</Directory>


## EXAMPLE2 domain instance

Again, LoadModule, SetEnvIf, LogFormat, etc directives......

Listen 10.0.10.205:5080
DocumentRoot /www/example2/htdocs/blog

RewriteEngine on

ErrorLog logs/example2.log

<Directory />
   Require all denied
</Directory>

<Directory /www/example2/htdocs/blog >
     Order Allow,Deny
     Allow From all
</Directory>

<Directory /www/example2/htdocs>
   Require all granted
</Directory>

Again, I thought that since the certificate was assigned to the application, I just needed the SSLAppName directive.  NOPE!  YOU also need that SSLServerCert directive as well and it has to point to whatever label is on your certificate in DCM.

Whew....that was a couple of days of trial and error.  The complexity is that the two websites I have been playing with use Wordpress which itself gets wacky when behind a proxy using SSL. That is my next challenge....


Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 8/31/2018 10:26 AM, Bradley Stone wrote:
Kevin,

Yes, SNI works great. Pete and I though use a single proxy as a server to
distribute requests to different domains/subdomains. Each of these would
be a separate instance instead of having one big instance running all
domains/subdomains.

Reverse proxy works great with non SSL, but we want to also make it work
with SSL. I only mentioned SNI as it may be part of the clues on how to do
it.

I remember searching to see how others on other systems did it, but those
discussions get muddy pretty quick on Stackoverflow... :)


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #8 <https://www.bvstools.com/mailtool.html>: Email Logging
- Each email that is sent out is logged with a delivery status. MAILTOOL
also tracks each of the recipients for each email as well as the
attachment(s) sent along with each email.

On Fri, Aug 31, 2018 at 10:21 AM Kevin Bucknum <Kevin@xxxxxxxxxxxxxxxxxxx>
wrote:

I don't know about with reverse proxy, or the version on the IBM i, but
with my linux hosts SNI just works. I set up multiple virtual hosts and
inside each of them point to the respective certificate, and each site
serves the correct cert.


Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Pete
Helgren
Sent: Friday, August 31, 2018 10:11 AM
To: web400@xxxxxxxxxxxx
Subject: Re: [WEB400] SSL and reverse proxy and multiple
certificates/domains

Yeah...I saw SNI referred to in many "generic" Apache posts but I
couldn't
find documentation about it for IHS for IBM i. *Just* found the 7.2 HTTP
Server for IBM i Redbook so I'll peruse that and it does specifically
state:
Server Name Indication(SNI) is an extension to the SSL and TLS protocols
that
indicates what hostname the client is attempting to connect to at the
start of
the handshaking process. This allows a server to present multiple
certificates
on the same IP address and port number and hence allows multiple secure
(HTTPS) websites to be served off the same IP address without requiring
all
those sites to use the same certificate. It is the conceptual equivalent
to
HTTP/1.1 virtual hosting for HTTPS.

I hope there is a *good* example of a working configuration......

Once done, if done, I'll post up the working config so you won't have to
experiment as much as I have....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 8/31/2018 9:59 AM, Bradley Stone wrote:
I've tried this in the past without luck. But that was before the
apache server was able to use SNI. I haven't tried since as I want my
sites to be up. Maybe one weekend I'll give it another shot.:)

SNI -https://www.fieldexit.com/forum/display?threadid=439


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #5<https://www.bvstools.com/mailtool.html>: Easy
setup!
No confusing or obscure setup instructions, directory entries, SMTP
users, aliases or host tables. All you need is TCPIP, a connection to
the internet and you're done!
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/web400.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.




As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.