I'm configuring a DMZ which has the following scheme:
Internet - Server A - Security Appliance - Server B - Intranet
In this DMZ I need a proxy server for http(s) connections from the intranet to the Internet.
The problem is that all traffic should be scanned by the security appliance. For this I have to terminate the SSL connection at Server B, proxy it as plain HTTP to Server A through the security appliance, and then further as HTTPS into the Internet. Encryption is then in place between the client and Server B, and between the target server and Server A. The communication between Server A and Server B is unencrypted.
I know about the security risks, and that the client will see a warning about the unknown CA of Server B's certificate.
As software I want to use Apache web servers on Server A and Server B.
As a first step I tried to configure Server B so that it serves as the endpoint for the SSL encryption. So it has to establish the encryption with the client (answering HTTP CONNECT).
# Requires mod_proxy, mod_proxy_connect and mod_ssl to be loaded.
Listen 8443
<VirtualHost *:8443>
    # Forward-proxy mode: clients send absolute URIs or CONNECT requests here.
    ProxyRequests On
    # Only affects reverse-proxied (ProxyPass) requests; no effect on forward proxying.
    ProxyPreserveHost On
    # Let clients open CONNECT tunnels to port 443 only.
    AllowCONNECT 443
    # SSL
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel debug
    # These govern TLS that Apache itself originates towards a backend. A CONNECT
    # tunnel is relayed byte-for-byte, so they never apply to the tunnelled traffic.
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/pki/tls/certs/localhost_private_public.crt
    # Restrict who may use the proxy (Apache 2.2 syntax; on 2.4 use
    # "Require ip 192.168.0.0/22" instead).
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.0.0/22
    </Proxy>
</VirtualHost>
With this proxy only the CONNECT request is passed through, and an encrypted connection between the client and the target is established. Unfortunately there is no way to configure mod_proxy_connect to decrypt the SSL connection. Is there any way to accomplish that kind of proxying with Apache?
Best Answer
What you're trying to implement is an official SSL MITM proxy ("official" as opposed to an attacker's). I don't think Apache Httpd has the ability to do this (and to re-generate a certificate with the right identity on the fly).
There are products that implement this. A quick search leads to these links: