reverse-proxy – Can a Reverse Proxy Use SNI with SSL Pass Through?

httpsreverse-proxysni

I need to serve several applications over https using one external ip address.

The ssl certificates should not be managed on the reverse proxy. They are installed on the application servers.

Can a reverse proxy be configured to use SNI and pass ssl through for termination at the endpoint?

Is this possible using something like Nginx or Apache? What does the configuration look like?

Best Answer

This IS possible with Haproxy. You can setup a TCP proxy and extract the SNI and do routing based on the SNI. Here's an example:

backend be.app1
    mode tcp
    no option checkcache
    no option httpclose
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content reject
    use-server server1 if { req.ssl_sni -m beg app1. }
    server server1 server1:8443 check id 1 weight 0

It is essential to delay the request until you get the SSL hello, otherwise haproxy will try to make a connection before receiving the SNI header.

I am using servers with weight 0 because, in my current configuration, I only have one server running for each SNI and I don't want them to receive random requests. You can probably find better ways to play with this.

I hope this helps.

Related Solutions

Nginx Reverse Proxy – How to Set Up Nginx as Reverse Proxy with Upstream SSL

For anybody stumbling across this question that wants to use nginx you can set this up like any normal proxy, and to accept a self-signed certificate from the backend you need to provide the exported pem certificate (and perhaps a key) and set ssl verification off. For example:

...

server {
    listen       10.1.2.3:80;
    server_name  10.1.2.3 myproxy.mycompany.com;

    location / {
         proxy_pass                    https://backend.server.ip/;
         proxy_ssl_trusted_certificate /etc/nginx/sslcerts/backend.server.pem;
         proxy_ssl_verify              off;

         ... other proxy settings
    }

If your secure back end is using Server Name Identification SNI with multiple hosts being served per IP/Port pair you may also need to include proxy_ssl_server_name on; in the configuration. This works on nginx 1.7.0 and later.

Jenkins reports reverse proxy setup incorrect with Apache using virtual hosts with SNI

The one issue that I see with your config is that:

ProxyPassReverse  /  https://jenkins.example.com

Should be:

ProxyPassReverse  /  https://jenkins.example.com/

Seems like the service is sending http:// instead of https:// location headers (probably because your connection to its listener from Apache is unencrypted on the localhost listener), in which case you'll need to add:

ProxyPassReverse  /  http://jenkins.example.com/

So, what's probably occurring currently is the API call is failing because it gets an http:// address in the Location: header of the redirect (which is missed for un-translation in the ProxyPassReverse because it's not http).

It sends the request to that location and gets another redirect response, from your <VirtualHost *:80>. Their validity checker knows that ain't right and errors, while curl follows one more redirect and gets a valid response.

Add the ProxyPassReverse for http:// above and this should correct the issue, if I'm right.

Best Answer

Related Solutions

Nginx Reverse Proxy – How to Set Up Nginx as Reverse Proxy with Upstream SSL

Jenkins reports reverse proxy setup incorrect with Apache using virtual hosts with SNI

Related Topic