Apache proxy / redirect https to https with one ip
I have one WAN-IP with an apache webserver which hosts A.domain.com, and I want to reverse proxy B.domain.com to another server in the same local network.

Without SSL I solved it this way in the vhosts:

    # Plain-HTTP reverse proxy to a backend on the LAN
    <VirtualHost *:80>
        ServerName Z.domain.com
        ProxyRequests Off
        ProxyPass / http://1.1.1.7/
        ProxyPassReverse / http://1.1.1.7/
    </VirtualHost>

But with SSL enabled it doesn't work this way...

For better understanding I tried to draw it:

                                          -- A.domain.com (local IP: 1.1.1.1)
                                         |
    WAN --¦Firewall (NAT to 1.1.1.1) ¦-- LAN
                                         |
                                          -- B.domain.com (local IP: 1.1.1.2)

Server 1.1.1.1 should redirect to 1.1.1.2.

My config /etc/apache2/sites-available/B.domain.com.conf:

    <VirtualHost *:443>
        ServerName B.domain.com
        # TLS towards the client
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem
        ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        # HTTPS backend on the LAN
        ProxyPass / https://1.1.1.2/
        ProxyPassReverse / https://1.1.1.2/
    </VirtualHost>

I have activated it with a2ensite B.domain.com and restarted apache.

The result is an internal server error if I call the site.
Without the I have the same fault.

If I call apache2ctl -S it looks all good.

apache-2.4 ubuntu-16.04
edited Jan 20 '17 at 18:06
asked Jan 18 '17 at 20:27 by rovivo

Comment: What do you mean by "it doesn't work that way" exactly? An SSL virtualhost will be exactly the same thing but enabling SSL and loading certificates, and just setting the proxy directives the same way wherever you want to point them, and if you wanted to proxy to an SSL backend the main difference is you need to add "SSLProxyEngine on". What is it you tried? What problems do you get? The picture may look pretty clear in your head but from here it looks rather confusing.
– ezra-s, Jan 19 '17 at 8:55

2 Answers

Try a simpler method and change ProxyPass https to http.

    ProxyPass / http://1.1.1.2/
    ProxyPassReverse / http://1.1.1.2/

It's quite usual for a frontend (aka a reverse proxy) to talk to the backend with plain http if you reasonably secure the 1.1.1.0 net.

Chances are you haven't implemented an https server on 1.1.1.2 at all... this would give you the internal error 50x symptoms you describe.

answered Jan 20 '17 at 18:25 by kubanczyk

I tried the info from ezra-s "SSLProxyEngine on" but I still get the error:

    The proxy server could not handle the request GET /
    Reason: Error during SSL Handshake with remote server

After some searching I found a working solution.

My config /etc/apache2/sites-available/B.domain.com.conf now:

    <VirtualHost *:443>
        ServerName B.domain.com
        # TLS towards the backend, with certificate verification
        # and the name/expiry checks switched off
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off
        SSLCertificateFile /etc/letsencrypt/live/B.domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem
        ProxyPass / https://1.1.1.2/
        ProxyPassReverse / https://1.1.1.2/
    </VirtualHost>

But is the connection from outside still secure now?

answered Jan 20 '17 at 22:38 by rovivo

Comment: You need to understand that, if you reverse proxy to a server and use the IP, that "name" must match the CN in the backend certificate, otherwise you will need additional SSLProxy directives to make apache ignore the CN in the backend certificate. That is, you will probably need to add these directives too, or at least one of them: SSLProxyCheckPeerCN off and/or SSLProxyCheckPeerName off.
– ezra-s, Jan 23 '17 at 9:28
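
Added example, not part of the thread and not the posters' own configuration: the backend leg of the configuration in the answer above, set beside a variant that keeps backend certificate verification switched on. The name backend.internal, the /etc/hosts entry and the CA bundle path are assumptions for illustration; the certificate paths and 1.1.1.2 come from the question.

```apache
# --- As posted in the answer: backend leg encrypted but not authenticated ---
#   SSLProxyVerify none          -> the backend certificate chain is not validated
#   SSLProxyCheckPeerCN off      -> any certificate name is accepted
#   SSLProxyCheckPeerName off
#   SSLProxyCheckPeerExpire off  -> expired certificates are accepted
# Whatever host answers for 1.1.1.2 on the LAN is trusted as the backend.
# The browser-to-proxy leg is not changed by these directives: it is still
# served with the B.domain.com certificate given in SSLCertificateFile.

# --- Variant with backend verification kept on ------------------------------
# Assumption: /etc/hosts on the proxy maps a backend name to the LAN address:
#   1.1.1.2   backend.internal
# Assumption: the backend presents a certificate whose subjectAltName contains
# backend.internal, issued by the CA stored in the bundle referenced below.
<VirtualHost *:443>
    ServerName B.domain.com

    # Browser <-> proxy
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/B.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/B.domain.com/privkey.pem

    # Proxy <-> backend: validate chain, name and expiry.
    SSLProxyEngine on
    SSLProxyVerify require
    # Hypothetical path to the CA bundle that issued the backend certificate
    SSLProxyCACertificateFile /etc/apache2/ssl/internal-ca.pem
    # From 2.4.5 on, SSLProxyCheckPeerName supersedes SSLProxyCheckPeerCN
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    # Proxy by name, not by IP, so the name check has something to match.
    # ProxyPreserveHost is left off so the name being checked is the one in
    # this URL rather than the Host header sent by the client.
    ProxyPass        / https://backend.internal/
    ProxyPassReverse / https://backend.internal/
</VirtualHost>
```

Running apache2ctl configtest before reloading catches a missing CA file or a typo in the directives.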