Ssl – Securing communication between an IIS reverse Proxy and Backend service with SSL/TLS on both servers

httpsiisPROXYssl

I am currently in the process of setting up an internet facing IIS reverse proxy that will forward HTTP requests to an internal API server. I was able to get the server to work with the connection between the world and the reverse proxy over SSL, and the connection between the reverse proxy and API server running over plain HTTP. I attempted to set the API server to run on HTTPS with a self signed certificate, however I get a 502 Bad Gateway Error when attempted to access it through the proxy as before. I have a guess that the issue is with the self signed certificate because:
The reverse proxy server is accessing the API via its Internal IP Address and not the name on the self signed certificate?

Also –
Would I want SSL Offloading enabled or disabled? If it is disabled, would the proxy try to pass the certificate of the API to the client, or its own certificate? Would there be two separate SSL connections or one all the way through?

Any and all help is appreciated!

Thanks!

Best Answer

When a reverse proxy has to use HTTPS to forward a request to a backend server, it isn't that much different than it itself being a client to the backend. If you open a browser on your reverse proxy server and send a web request to the backend in the same manner the reverse proxy is doing it, you will see a certificate warning from the browser as well. Once the certificate warning is corrected (make sure the host matches the certificate's CN or one of its Subject Altername Name, the valid from and to are correct and the certificate is trusted), you will most likely stop seeing those 502 errors, provided they are being caused by the SSL handshake.

The proxy server cannot forward the API server's certificate as it doesn't have its private key to successfully perform an SSL handshake.

Related Solutions

Ssl – Squid reverse proxy with optional SSL

UPDATE (actually tried this from my squid...):

acl is_ssl port 443
https_port 443 cert=<yourcert> key=<yourkey> accel name=site_ssl defaultsite=<y\
our_external_site>
cache_peer <your_internal_ssl> parent 443 0 no-query originserver ssl sslflags=\
DONT_VERIFY_PEER name=site_ssl
cache_peer_access site_ssl allow is_ssl
cache_peer_access site_ssl deny !is_ssl

acl nonssl port 80
http_port 80 accel defaultsite=<your_external_site>  name=site_nonssl
cache_peer <your_internal_nonssl> parent 80 0 no-query name=site_nonssl origins\
erver
cache_peer_access site_nonssl allow nonssl
cache_peer_access site_nonssl deny !is_nonssl

ORIGINAL ANSWER BELOW HERE:

you want something like

cache_peer 10.0.0.11 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=site_ssl
acl sites_server_3 dstdomain site_ssl
cache_peer_access site_ssl allow ssl_servers
http_access allow ssl_servers

Nginx as reverse proxy with upstream SSL

For anybody stumbling across this question that wants to use nginx you can set this up like any normal proxy, and to accept a self-signed certificate from the backend you need to provide the exported pem certificate (and perhaps a key) and set ssl verification off. For example:

...

server {
    listen       10.1.2.3:80;
    server_name  10.1.2.3 myproxy.mycompany.com;

    location / {
         proxy_pass                    https://backend.server.ip/;
         proxy_ssl_trusted_certificate /etc/nginx/sslcerts/backend.server.pem;
         proxy_ssl_verify              off;

         ... other proxy settings
    }

If your secure back end is using Server Name Identification SNI with multiple hosts being served per IP/Port pair you may also need to include proxy_ssl_server_name on; in the configuration. This works on nginx 1.7.0 and later.

Best Answer

Related Solutions

Ssl – Squid reverse proxy with optional SSL

Nginx as reverse proxy with upstream SSL

Related Topic