Re: SSL and reverse proxy and multiple certificates/domains - SUCCESS!

So, the only place the SSL information is placed is in the proxy instance?
The other instances are just simple without needed anything else? That's a
bonus if that's correct.

BTW, I was working with LetsEncrypt for a customer who needed a short time
SSL cert until they get to V7R3... well, I did the CSR and it didn't give
me a certificate with the subject alternative names as domain.com and
www.domain.com, which of course caused issues. (I used one of the web
interfaces they have).

The issues seemed to be that they were using the CSR I generated and
leaving off the www SAN. I could do it without a CSR, but then I couldn't
import it into DCM.

Decided to spend $9 at Namecheap.com and just do it that way. Same CSR and
it generated to two proper SANs.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #7 <https://www.bvstools.com/mailtool.html>: The ability
to completely bypass the IBM SMTP system all together using MAILTOOL Plus
or other Addons.

On Fri, Aug 31, 2018 at 3:22 PM Pete Helgren <pete@xxxxxxxxxx> wrote:

Took a little "hack a here, hack a there" but I NOW have two sites that
are secured by a front-end reverse proxy by different LetsEncrypt
certificates, one that is a wildcard. SNI was the key. My original
attempt was close...ONE directive was wrong....

So, the original scenario was you had a single IHS on IBM i server
instance that handles all your web traffic on a single internal IP.
Getting that to work really comes down to virtual host entries using
named virtual hosts. Further, in my particular case, my virtual hosts
point "back" to other instances running on different internal IP's and
ports which allows me to bounce the instances rather than my reverse
proxy if I need to do some maintenance. Grabbing the examples from the
Redbook and making a few modifications to help with understanding, here
is the narrative:

For those who flag this as TL;DR, the short version is: Use the
SSLServerCert directive in your reverse proxy vhost sections to point
each virtual host to the correct certificate. You'll find the
Certificate labels in DCM (View Certificate). If you have a space in
the label name, use the label name with quotes around it.

For THIS example: The reverse proxy listens for requests coming in on a
particular IP and port. It listens on both port 80 and 443 on the
reverse proxy instance. The vhost instance for the example1.com domain
listens on IP 10.0.10.207 at port 4080 and the vhost instance for the
example2.com domain listens on IP 10.0.10.205 at port 5080. While there
are two vhost *entries* in the reverse proxy for each domain, port 80
and port 443, you only need ONE vhost *instance* running at whatever
IP/port combination you need. BOTH the port 80 and the port 443 vhost
entries point to the same vhost *instance*. So here is the "essentials"
of the configuration:

### Reverse Proxy ####
LoadModule directives here......

Listen MYInternalIP:80
Listen MYInternalIP:443

# Entries Virtual host 1

<VirtualHost *:80>
ServerName www.example1.com
ProxyPreserveHost On
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:443>
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_APACHE1
ServerName www.example1.com
SSLServerCert "Example 1 cert"
ProxyPreserveHost On
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>


# Virtual host 2

<VirtualHost *:80>
ServerName www.example2.com
ProxyPreserveHost On
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/
</VirtualHost>

<VirtualHost *:443>
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_APACHE2
ServerName www.example2.com
SSLServerCert "Example 2 cert"
ProxyPreserveHost On
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/
</VirtualHost>


### Separate *instances* for virtual hosts ####
## EXAMPLE1 domain instance

Again, LoadModule, SetEnvIf, LogFormat, etc directives......

Listen 10.0.10.207:4080
DocumentRoot /www/example1/htdocs/blog

RewriteEngine on

ErrorLog logs/example1.log

<Directory />
Require all denied
</Directory>

<Directory /www/example1/htdocs/blog >
Order Allow,Deny
Allow From all
</Directory>

<Directory /www/example1/htdocs>
Require all granted
</Directory>


## EXAMPLE2 domain instance

Again, LoadModule, SetEnvIf, LogFormat, etc directives......

Listen 10.0.10.205:5080
DocumentRoot /www/example2/htdocs/blog

RewriteEngine on

ErrorLog logs/example2.log

<Directory />
Require all denied
</Directory>

<Directory /www/example2/htdocs/blog >
Order Allow,Deny
Allow From all
</Directory>

<Directory /www/example2/htdocs>
Require all granted
</Directory>

Again, I thought that since the certificate was assigned to the
application, I just needed the SSLAppName directive. NOPE! YOU also
need that SSLServerCert directive as well and it has to point to
whatever label is on your certificate in DCM.

Whew....that was a couple of days of trial and error. The complexity is
that the two websites I have been playing with use Wordpress which
itself gets wacky when behind a proxy using SSL. That is my next
challenge....


Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 8/31/2018 10:26 AM, Bradley Stone wrote:

Kevin,

Yes, SNI works great. Pete and I though use a single proxy as a server

to

distribute requests to different domains/subdomains. Each of these

would

be a separate instance instead of having one big instance running all
domains/subdomains.

Reverse proxy works great with non SSL, but we want to also make it work
with SSL. I only mentioned SNI as it may be part of the clues on how to

do

it.

I remember searching to see how others on other systems did it, but those
discussions get muddy pretty quick on Stackoverflow... :)


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #8 <https://www.bvstools.com/mailtool.html>: Email

Logging

- Each email that is sent out is logged with a delivery status. MAILTOOL
also tracks each of the recipients for each email as well as the
attachment(s) sent along with each email.

On Fri, Aug 31, 2018 at 10:21 AM Kevin Bucknum <

Kevin@xxxxxxxxxxxxxxxxxxx>

wrote:

I don't know about with reverse proxy, or the version on the IBM i, but
with my linux hosts SNI just works. I set up multiple virtual hosts and
inside each of them point to the respective certificate, and each site
serves the correct cert.


Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----

From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Pete
Helgren
Sent: Friday, August 31, 2018 10:11 AM
To: web400@xxxxxxxxxxxx
Subject: Re: [WEB400] SSL and reverse proxy and multiple
certificates/domains

Yeah...I saw SNI referred to in many "generic" Apache posts but I

couldn't

find documentation about it for IHS for IBM i. *Just* found the 7.2

HTTP

Server for IBM i Redbook so I'll peruse that and it does specifically

state:

Server Name Indication(SNI) is an extension to the SSL and TLS

protocols

that

indicates what hostname the client is attempting to connect to at the

start of

the handshaking process. This allows a server to present multiple

certificates

on the same IP address and port number and hence allows multiple secure
(HTTPS) websites to be served off the same IP address without requiring

all

those sites to use the same certificate. It is the conceptual

equivalent

to

HTTP/1.1 virtual hosting for HTTPS.

I hope there is a *good* example of a working configuration......

Once done, if done, I'll post up the working config so you won't have

to

experiment as much as I have....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 8/31/2018 9:59 AM, Bradley Stone wrote:

I've tried this in the past without luck. But that was before the
apache server was able to use SNI. I haven't tried since as I want my
sites to be up. Maybe one weekend I'll give it another shot.:)

SNI -https://www.fieldexit.com/forum/display?threadid=439


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #5<https://www.bvstools.com/mailtool.html>: Easy

setup!

No confusing or obscure setup instructions, directory entries, SMTP
users, aliases or host tables. All you need is TCPIP, a connection to
the internet and you're done!

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)

mailing

list

To post a message email: WEB400@xxxxxxxxxxxx To subscribe,

unsubscribe,

or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.

--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.