So, the only place the SSL information is placed is in the proxy instance?
The other instances are just simple without needed anything else? That's a
bonus if that's correct.

BTW, I was working with LetsEncrypt for a customer who needed a short time
SSL cert until they get to V7R3... well, I did the CSR and it didn't give
me a certificate with the subject alternative names as domain.com and
www.domain.com, which of course caused issues. (I used one of the web
interfaces they have).

The issues seemed to be that they were using the CSR I generated and
leaving off the www SAN. I could do it without a CSR, but then I couldn't
import it into DCM.

Decided to spend $9 at Namecheap.com and just do it that way. Same CSR and
it generated to two proper SANs.

Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #7 <https://www.bvstools.com/mailtool.html>: The ability
to completely bypass the IBM SMTP system all together using MAILTOOL Plus
or other Addons.

On Fri, Aug 31, 2018 at 3:22 PM Pete Helgren <pete@xxxxxxxxxx> wrote:

Took a little "hack a here, hack a there" but I NOW have two sites that
are secured by a front-end reverse proxy by different LetsEncrypt
certificates, one that is a wildcard. SNI was the key. My original
attempt was close...ONE directive was wrong....

So, the original scenario was you had a single IHS on IBM i server
instance that handles all your web traffic on a single internal IP.
Getting that to work really comes down to virtual host entries using
named virtual hosts. Further, in my particular case, my virtual hosts
point "back" to other instances running on different internal IP's and
ports which allows me to bounce the instances rather than my reverse
proxy if I need to do some maintenance. Grabbing the examples from the
Redbook and making a few modifications to help with understanding, here
is the narrative:

For those who flag this as TL;DR, the short version is: Use the
SSLServerCert directive in your reverse proxy vhost sections to point
each virtual host to the correct certificate. You'll find the
Certificate labels in DCM (View Certificate). If you have a space in
the label name, use the label name with quotes around it.

For THIS example: The reverse proxy listens for requests coming in on a
particular IP and port. It listens on both port 80 and 443 on the
reverse proxy instance. The vhost instance for the example1.com domain
listens on IP 10.0.10.207 at port 4080 and the vhost instance for the
example2.com domain listens on IP 10.0.10.205 at port 5080. While there
are two vhost *entries* in the reverse proxy for each domain, port 80
and port 443, you only need ONE vhost *instance* running at whatever
IP/port combination you need. BOTH the port 80 and the port 443 vhost
entries point to the same vhost *instance*. So here is the "essentials"
of the configuration:

### Reverse Proxy ####
LoadModule directives here......

Listen MYInternalIP:80
Listen MYInternalIP:443

# Entries Virtual host 1

<VirtualHost *:80>
ServerName www.example1.com
ProxyPreserveHost On
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:443>
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_APACHE1
ServerName www.example1.com
SSLServerCert "Example 1 cert"
ProxyPreserveHost On
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>


# Virtual host 2

<VirtualHost *:80>
ServerName www.example2.com
ProxyPreserveHost On
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/
</VirtualHost>

<VirtualHost *:443>
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_APACHE2
ServerName www.example2.com
SSLServerCert "Example 2 cert"
ProxyPreserveHost On
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/
</VirtualHost>


### Separate *instances* for virtual hosts ####
## EXAMPLE1 domain instance

Again, LoadModule, SetEnvIf, LogFormat, etc directives......

Listen 10.0.10.207:4080
DocumentRoot /www/example1/htdocs/blog

RewriteEngine on

ErrorLog logs/example1.log

<Directory />
Require all denied
</Directory>

<Directory /www/example1/htdocs/blog >
Order Allow,Deny
Allow From all
</Directory>

<Directory /www/example1/htdocs>
Require all granted
</Directory>


## EXAMPLE2 domain instance

Again, LoadModule, SetEnvIf, LogFormat, etc directives......

Listen 10.0.10.205:5080
DocumentRoot /www/example2/htdocs/blog

RewriteEngine on

ErrorLog logs/example2.log

<Directory />
Require all denied
</Directory>

<Directory /www/example2/htdocs/blog >
Order Allow,Deny
Allow From all
</Directory>

<Directory /www/example2/htdocs>
Require all granted
</Directory>

Again, I thought that since the certificate was assigned to the
application, I just needed the SSLAppName directive. NOPE! YOU also
need that SSLServerCert directive as well and it has to point to
whatever label is on your certificate in DCM.

Whew....that was a couple of days of trial and error. The complexity is
that the two websites I have been playing with use Wordpress which
itself gets wacky when behind a proxy using SSL. That is my next
challenge....


Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 8/31/2018 10:26 AM, Bradley Stone wrote:
Kevin,

Yes, SNI works great. Pete and I though use a single proxy as a server
to
distribute requests to different domains/subdomains. Each of these
would
be a separate instance instead of having one big instance running all
domains/subdomains.

Reverse proxy works great with non SSL, but we want to also make it work
with SSL. I only mentioned SNI as it may be part of the clues on how to
do
it.

I remember searching to see how others on other systems did it, but those
discussions get muddy pretty quick on Stackoverflow... :)


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #8 <https://www.bvstools.com/mailtool.html>: Email
Logging
- Each email that is sent out is logged with a delivery status. MAILTOOL
also tracks each of the recipients for each email as well as the
attachment(s) sent along with each email.

On Fri, Aug 31, 2018 at 10:21 AM Kevin Bucknum <
Kevin@xxxxxxxxxxxxxxxxxxx>
wrote:

I don't know about with reverse proxy, or the version on the IBM i, but
with my linux hosts SNI just works. I set up multiple virtual hosts and
inside each of them point to the respective certificate, and each site
serves the correct cert.


Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Pete
Helgren
Sent: Friday, August 31, 2018 10:11 AM
To: web400@xxxxxxxxxxxx
Subject: Re: [WEB400] SSL and reverse proxy and multiple
certificates/domains

Yeah...I saw SNI referred to in many "generic" Apache posts but I
couldn't
find documentation about it for IHS for IBM i. *Just* found the 7.2
HTTP
Server for IBM i Redbook so I'll peruse that and it does specifically
state:
Server Name Indication(SNI) is an extension to the SSL and TLS
protocols
that
indicates what hostname the client is attempting to connect to at the
start of
the handshaking process. This allows a server to present multiple
certificates
on the same IP address and port number and hence allows multiple secure
(HTTPS) websites to be served off the same IP address without requiring
all
those sites to use the same certificate. It is the conceptual
equivalent
to
HTTP/1.1 virtual hosting for HTTPS.

I hope there is a *good* example of a working configuration......

Once done, if done, I'll post up the working config so you won't have
to
experiment as much as I have....

Pete Helgren
www.petesworkshop.com
GIAC Secure Software Programmer-Java
Twitter - Sys_i_Geek IBM_i_Geek

On 8/31/2018 9:59 AM, Bradley Stone wrote:
I've tried this in the past without luck. But that was before the
apache server was able to use SNI. I haven't tried since as I want my
sites to be up. Maybe one weekend I'll give it another shot.:)

SNI -https://www.fieldexit.com/forum/display?threadid=439


Bradley V. Stone
www.bvstools.com
MAILTOOL Benefit #5<https://www.bvstools.com/mailtool.html>: Easy
setup!
No confusing or obscure setup instructions, directory entries, SMTP
users, aliases or host tables. All you need is TCPIP, a connection to
the internet and you're done!
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400)
mailing
list
To post a message email: WEB400@xxxxxxxxxxxx To subscribe,
unsubscribe,
or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/web400.
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.



--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/web400.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.