SSL proxy - modssl



Thread: SSL proxy

  1. SSL proxy

    I have several web servers currently that all have the same IP, but
    different host names, and I have an apache that uses mod_proxy to direct
    requests to the correct internal server to process the request.

    I would like to use my apache proxy server to provide SSL encryption and
    decryption, and not have to have each individual server do that.

    Is that possible?

    I have worked with virtual host configuration, and I have tried to set up
    the ssl stuff so that this will work, but so far I have not been successful.

    I have tried to search for this, but the closest I have come is proxy to an
    ssl server. I want to have the proxy server do the ssl stuff for me.

    Can anyone provide instructions or links?

    Thanks.


    __________________________________________________ ____________________
    Apache Interface to OpenSSL (mod_ssl) www.modssl.org
    User Support Mailing List modssl-users@modssl.org
    Automated List Manager majordomo@modssl.org


  2. Re: SSL proxy

    How is it possible? By definition SSL does not allow different host names on
    the same IP:PORT.
    Or is there something I'm missing?




    > ---------- Forwarded message ----------
    > From: Gilles Cuesta (Gmail)
    > Date: Thu, Jul 10, 2008 at 10:38 PM
    > Subject: Re: SSL proxy
    > To: modssl-users@modssl.org
    >
    >
    > nrssl@thepinc.com wrote:
    >
    >> I have several web servers currently that all have the same IP, but
    >> different host names, and I have an apache that uses mod_proxy to direct
    >> requests to the correct internal server to process the request.
    >>
    >> I would like to use my apache proxy server to provide SSL encryption and
    >> decryption, and not have to have each individual server do that.
    >>
    >> Is that possible?
    >>
    >>

    > Apparently, understanding what you want to do, it's possible.
    >
    > It might depend on Apache / mod_ssl versions.
    >
    > One of the best ways is doing encrypted HTTPS between client and proxy and
    > clear HTTP between proxy and real server.
    > You can also do encrypted HTTPS between proxy and real server, just by adding
    > some Apache configuration.
    >



  3. Re: SSL proxy

    nrssl@thepinc.com wrote:
    > I have several web servers currently that all have the same IP, but
    > different host names, and I have an apache that uses mod_proxy to direct
    > requests to the correct internal server to process the request.
    >
    > I would like to use my apache proxy server to provide SSL encryption and
    > decryption, and not have to have each individual server do that.
    >
    > Is that possible?
    >
    > I have worked with virtual host configuration, and I have tried to set up
    > the ssl stuff so that this will work, but so far I have not been successful.
    >
    > I have tried to search for this, but the closest I have come is proxy to an
    > ssl server. I want to have the proxy server do the ssl stuff for me.


    Hi,

    you cannot use SSL with virtual hosting, see
    http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

    You'll have to get a dedicated IP for every single SSL host. You could
    play around with one SSL proxy on your single IP with a common name
    and do some rewriting according to a URL prefix matching the secure
    parts of your backend virtual hosts; decide yourself if this config
    work is worth it.

    Regards

    Eckard


  4. Re: SSL proxy

    Eckard Wille wrote:
    > nrssl@thepinc.com wrote:
    >> I have several web servers currently that all have the same IP, but
    >> different host names, and I have an apache that uses mod_proxy to direct
    >> requests to the correct internal server to process the request.
    >>
    >> I would like to use my apache proxy server to provide SSL encryption and
    >> decryption, and not have to have each individual server do that.
    >>
    >> Is that possible?
    >>
    >> I have worked with virtual host configuration, and I have tried to set up
    >> the ssl stuff so that this will work, but so far I have not been successful.
    >>
    >> I have tried to search for this, but the closest I have come is proxy to an
    >> ssl server. I want to have the proxy server do the ssl stuff for me.

    >
    > Hi,
    >
    > you cannot use SSL with virtual hosting, see
    > http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
    >
    > You'll have to get a dedicated IP for every single SSL host. You could
    > play around with one SSL proxy on your single IP with a common name
    > and do some rewriting according to a URL prefix matching the secure
    > parts of your backend virtual hosts; decide yourself if this config
    > work is worth it.

    I thought that using wildcard or multi-CN certificates would work?
    In this case, only one certificate is needed for a range of vhosts.

    --
    Gilles CUESTA - Logiciels Libres
    69139920



  5. Re: SSL proxy

    Cuesta Gilles wrote:
    > I thought that using wildcard or multi-CN certificates would work?


    No.

    > In this case, only one certificate is needed for a range of vhosts.


    If you only have one IP this won't make things better because virtual
    hosting is still not possible. Wildcard certs do not enable vHosting
    because the SSL handshake still takes place before the HTTP Host
    header can be evaluated. They were offered by CAs to make it easier
    for admins so they wouldn't have to fiddle around with dozens of certs
    and their validity management in a masshosting environment or for
    subdomains.

    Eckard


  6. Re: SSL proxy

    Eckard Wille wrote:
    > Cuesta Gilles wrote:
    >> I thought that using wildcard or multi-CN certificates would work?

    >
    > No.
    >
    >> In this case, only one certificate is needed for a range of vhosts.

    >
    > If you only have one IP this won't make things better because virtual
    > hosting is still not possible. Wildcard certs do not enable vHosting
    > because the SSL handshake still takes place before the HTTP Host
    > header can be evaluated. They were offered by CAs to make it easier
    > for admins so they wouldn't have to fiddle around with dozens of certs
    > and their validity management in a masshosting environment or for
    > subdomains.
    >


    So what about this?
    "*MULTIPLE CN (SAN) SERVER CERTIFICATES*

    This type of certificate (also called /Subject Alternative Name/ (SAN))
    enables you to secure not only one website but a large number of sites (a
    list of sites) hosted on a shared infrastructure (server with multiple
    names, reverse proxy). Ideal to secure multiple brands of a corporation.
    One certificate per hardware is required."

    http://www.tbs-certificats.com/index.html.en

    --
    Gilles CUESTA - Logiciels Libres
    69139920



  7. Re: SSL proxy

    Cuesta Gilles wrote:
    > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
    >
    > This type of certificate (also called /Subject Alternative Name/ (SAN))
    > enables you to secure not only one website but a large number of sites (a
    > list of sites) hosted on a shared infrastructure (server with multiple
    > names, reverse proxy). Ideal to secure multiple brands of a corporation.
    > One certificate per hardware is required."


    This only means that one host can have several names by configuring
    ServerName and ServerAlias, but does not enable virtual hosting.

    Eckard


  8. Re: SSL proxy

    Eckard Wille wrote:
    > Cuesta Gilles wrote:
    >> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
    >>
    >> This type of certificate (also called /Subject Alternative Name/ (SAN))
    >> enables you to secure not only one website but a large number of sites
    >> (a list of sites) hosted on a shared infrastructure (server with
    >> multiple names, reverse proxy). Ideal to secure multiple brands of a
    >> corporation. One certificate per hardware is required."

    >
    > This only means that one host can have several names by configuring
    > ServerName and ServerAlias, but does not enable virtual hosting.


    Hi Cuesta,

    with some tricks you could achieve your goal by using the preconditions
    of mod_rewrite rules. If your SSL proxy has one single host entry with
    such a multi-named cert, it may be possible to rewrite via proxy after
    a look at the Host header:

    RewriteEngine on
    # The [P] flag hands the request to mod_proxy, which needs an absolute
    # URL including the scheme; the Host match is anchored so that
    # "www.vhost1.com.evil.example" does not also match.
    RewriteCond %{HTTP_HOST} ^www\.vhost1\.com$
    RewriteRule ^/(.*) http://www.internal.http.vhost1.com/$1 [P]

    RewriteCond %{HTTP_HOST} ^www\.vhost2\.com$
    RewriteRule ^/(.*) http://www.internal.http.vhost2.com/$1 [P]

    Whether this works for you also depends on the backend webapps, for
    example whether they are capable of running behind a reverse proxy with
    a different HTTP scheme (HTTP<->HTTPS, servername references in HTML,
    internal redirects...).

    Good luck

    Eckard
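Added example, not configuration from the thread or from the mod_ssl project: one httpd front end that does what reply 2 describes (HTTPS from client to proxy, plain HTTP from proxy to the real servers) and what reply 8 sketches (one certificate on one IP:443, routing by Host header). The host names, certificate paths and internal backend addresses are placeholders, and it assumes Apache httpd 2.2 or later with mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite and mod_headers loaded. It also handles the backend caveats reply 8 raises: ProxyPreserveHost keeps the backends' own name-based virtual hosts matching, and X-Forwarded-Proto lets them build https:// links and redirects. One fact newer than this 2008 thread: TLS Server Name Indication (RFC 6066) lets a client name the host before the certificate is chosen, and httpd 2.2.12 and later (built against an OpenSSL with TLS extension support) can serve a different certificate per name on one IP; the single-SAN-certificate constraint below is what remains for clients or servers without SNI.

```apache
# Added example, not code from the thread or from the mod_ssl project.
# Assumes Apache httpd 2.2+ with mod_ssl, mod_proxy, mod_proxy_http,
# mod_rewrite and mod_headers loaded. Host names, certificate paths and
# backend addresses are placeholders.
Listen 443

<VirtualHost *:443>
    # Every public name served through this one IP:443 is listed here and
    # in the certificate's Subject Alternative Name extension.
    ServerName  www.vhost1.com
    ServerAlias www.vhost2.com

    SSLEngine on
    # The TLS handshake, and so the certificate choice, completes before
    # the Host header can be read; without SNI one cert covering all the
    # names is the only option on a single address.
    SSLCertificateFile      /etc/ssl/certs/multi-san.crt
    SSLCertificateKeyFile   /etc/ssl/private/multi-san.key
    SSLCertificateChainFile /etc/ssl/certs/ca-chain.crt
    SSLProtocol all -SSLv2 -SSLv3

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Pass the client's Host header through so the backend's own
    # name-based virtual hosts still match.
    ProxyPreserveHost On
    # Tell the backend the original scheme so it can emit https:// links
    # and redirects instead of http:// ones.
    RequestHeader set X-Forwarded-Proto "https"

    # Route by Host header to the matching plain-HTTP internal server.
    # [P] needs an absolute URL with scheme; the match is anchored and
    # tolerates an explicit ":443" in the header.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.vhost1\.com(:443)?$ [NC]
    RewriteRule ^/(.*)$ http://www.internal.http.vhost1.com/$1 [P,L]

    RewriteCond %{HTTP_HOST} ^www\.vhost2\.com(:443)?$ [NC]
    RewriteRule ^/(.*)$ http://www.internal.http.vhost2.com/$1 [P,L]

    # Unknown Host header (or a bare IP): refuse rather than proxy to a
    # default backend.
    RewriteRule ^ - [F]

    # Rewrite Location headers in backend redirects back to the public
    # https:// name.
    ProxyPassReverse / http://www.internal.http.vhost1.com/
    ProxyPassReverse / http://www.internal.http.vhost2.com/

    # To encrypt the proxy-to-backend leg as well, as reply 2 mentions,
    # add "SSLProxyEngine On" and use https:// targets in the rules above.
</VirtualHost>
```

Before relying on this, confirm the certificate really lists every public name (`openssl x509 -in /etc/ssl/certs/multi-san.crt -noout -text`, then read the "X509v3 Subject Alternative Name" section) and run `apachectl configtest`, which reports any of the assumed modules that are not loaded.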


  9. Re: SSL proxy

    It seems like you might be confusing "shared infrastructure" with
    "single ip". As others have said, you need a distinct address for each
    SSL-enabled httpd or proxy, although they can reside on the same hardware.

    A good example of this is the typical configuration for larger server
    farms. You find multiple High Availability load balancers in the DMZ for
    both http and https using something like ha/keepalived for linux. These
    proxy the incoming request back into private address space. The SSL
    proxies terminate the SSL connection and broker the request on behalf of
    the user and everything goes to the private address space in plain http.
    This allows each of the _real_ webservers to achieve better
    performance since the SSL overhead is not present.

    While you can use Apache as an SSL-terminating proxy, I find I get
    better performance, lower memory utilization and easier configuration
    using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
    multiple public IP addresses floating between several hosts and pound
    binds https to those addresses.

    Hope that adds a bit of additional clarity,
    Dave

    Cuesta Gilles sent forth:
    > So what about this ?
    > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
    >
    > This type of certificate (also called /Subject Alternative Name/ (SAN))
    > enables you to secure not only one website but a large number of sites (a
    > list of sites) hosted on a shared infrastructure (server with multiple
    > names, reverse proxy). Ideal to secure multiple brands of a corporation.
    > One certificate per hardware is required."
    >
    > http://www.tbs-certificats.com/index.html.en
    >



  10. wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

    stop stop sending me
    this bs , i have no idea who are you !!!!
    stop !!!!!!!!!!!!!!!



  11. Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

    you know what, You are a f***en idiot.
    if you do not want to receive these emails, just get your name taken off
    from the list instead of b-****ting.

    send an email to majordomo@modssl.org address (you can also find it at the
    bottom of this message) with subject as 'Remove me'.

    ok?

    On Mon, Jul 14, 2008 at 7:10 PM, wrote:

    > stop stop sending me
    > this bs , i have no idea who are you !!!!
    > stop !!!!!!!!!!!!!!!


  12. Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

    Thanks.


  13. Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

    One small comment. I have tried for years to get off this mailing list.
    I have sent my request and it has always been effective, for say a month
    or so, then I get put back on the mailing list. And it keeps coming. My
    solution was to add it to my spam filter. It doesn't bother me that way
    and occasionally I drop in to see what the latest complaint is.

    In this case I couldn't agree with the message more. Perhaps the tone
    is not quite right. Somebody ought to fix mailing-list software so that
    once you are off you are really gone. It is true that
    erika20@bellsouth.net ought to ask to be taken off the list; but it
    won't help much I'm afraid.

    BUZ

    erika20@bellsouth.net wrote:
    > stop stop sending me
    > this bs , i have no idea who are you !!!!
    > stop !!!!!!!!!!!!!!!



