Apache – Issues with self-signed certificate behind an Apache reverse-proxy

Tags: apache, proxy, ssl

I understand this topic was discussed in a couple of older posts, especially
Will a self-signed certificate work behind an Apache reverse-proxy? posted by @Ryan

I am facing the same issue but unable to get around it. I have Apache 2.4.12 set up as a reverse proxy in front of an Oracle HTTP server. I have valid certs on the proxy server but self-signed certs on the Oracle HTTP server. The goal is to do https all the way through, but whenever the browser gets to myhost.domain, it throws a cert warning (because of the self-signed certs). Having authentic certs on the Oracle HTTP server is not an option, and the users' browsers are restricted and hence cannot ignore the self-signed cert warning.

Here's my virtual host

<VirtualHost *:443>
    # VirtualHost open/close tags restored (stripped during extraction); *:443 is assumed
    LogLevel ERROR
    ServerName  myhost.domain
    ServerAlias  xxx.xxx.xxx.xx
    DocumentRoot D:/xyz/pubdocs
    SSLEngine      On
    SSLProxyEngine On
    SSLCertificateFile      certs/myserver.crt
    SSLCertificateKeyFile   certs/myserver.key
    SSLCertificateChainFile certs/myserver_chain.crt
    SSLProxyCACertificateFile certs/my_self_signed.pem
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLProtocol    -all +TLSv1
    SSLProxyProtocol +SSLv3 +TLSv1 +TLSv1.1
    #SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!NULL:RC4+RSA:+HIGH:+MEDIUM
    ErrorLog "logs/abc-error.log"
    CustomLog "logs/abc-access.log" cert

    ProxyRequests Off
    # IE compatibility
    Header set X-UA-Compatible "IE=EmulateIE8"
    # Prevent page from being loaded within an IFrame (Cross-Frame Scripting protection)
    Header always append X-Frame-Options SAMEORIGIN
    # Prevent mime sniffing exploit ; disabled because it breaks PEM Popup image rendering
    # Header set X-Content-Type-Options: nosniff
    # Disable caching
    Header set Cache-Control "no-cache, must-revalidate, private"
    # Enable X-XSS-Protection
    Header set X-XSS-Protection: "1; mode=block"
    ProxyPass / https://myhost.domain/
    ProxyPassReverse / https://myhost.domain/
</VirtualHost>

It seems like using the following directives worked for many people, but it doesn't seem to work for me:

    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off

Is there anything else I am missing?

Any help is appreciated.

Thanks,
Raj

Best Answer

It seems that the error is not entirely connected to proxying. The configuration is not entirely clear. I will assume that there are the following three machines:

  1. 'laptop' - you
  2. 'proxy' - where the Apache with your conf is running
  3. 'oracle' - with some arbitrary webserver

I also assume that all DNS domains aim at the 'proxy' and the rest of the machines are accessed by IP addresses.

The certification path you see from the browser is only between 'laptop' and 'proxy'. If you are seeing an invalid cert from the browser, it means the 'proxy' failed to authenticate to 'laptop'. If 'oracle' could not identify itself towards 'proxy', the connection would fail outright, throwing a 502 error.

So now, what to do next:

  • Check the certificate from the browser. See whose cert it is.
  • If it comes from 'oracle', it means you are not proxying the request at all. Make sure your DNS records aim at the 'proxy' machine.
  • If it comes from 'proxy', but the browser throws a fit about a wrong CN, you need to create a certificate that also includes the 'oracle' domain and put it on the 'proxy' machine.

In case none of it works, try to investigate at which point the following scenario fails:

  1. Laptop asks DNS for 'oracle.domain.com'
  2. DNS returns IP address for 'proxy' machine and sends request.
  3. 'proxy' authenticates to you as provider of the 'oracle.domain.com' service
  4. At this moment you get a green lock icon in browser.
  5. 'proxy' machine resolves the IP address of the 'oracle' and sends request.
  6. 'oracle' authenticates towards 'proxy' with the self-signed cert
  7. content is returned from 'oracle' through 'proxy' to you.

Also, you should include the 'SSLProxyVerify require' to make your config at least a bit secure.
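The checks the answer describes (whose certificate the browser is actually shown, whether the same leaf is served by the proxy and the backend, and what 'SSLProxyVerify require' would enforce on the backend), as an added shell example that is not part of the question or the answer; myhost.domain and certs/my_self_signed.pem come from the posted config, while the backend address oracle-backend.internal:4443 is a placeholder assumption:

```shell
#!/bin/sh
# Added example, not from the question or answer: tell whose certificate a
# TLS endpoint presents and whether the backend would pass SSLProxyVerify.
# Assumptions: proxy listens on myhost.domain:443; the Oracle HTTP server is
# oracle-backend.internal:4443 (placeholder); its self-signed cert is the
# file named in SSLProxyCACertificateFile, certs/my_self_signed.pem.

# Leaf certificate served by $1:$2 when SNI $3 is sent (as a browser would),
# printed as subject / issuer / SHA-256 fingerprint lines.
probe_leaf() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# Given probe_leaf output, print "self-signed" if subject and issuer match,
# "ca-issued" otherwise, and "unparsable" if either line is missing.
classify_cert() {
  subj=$(printf '%s\n' "$1" | sed -n 's/^subject= *//p')
  iss=$(printf '%s\n' "$1" | sed -n 's/^issuer= *//p')
  if [ -z "$subj" ] || [ -z "$iss" ]; then echo unparsable; return 1; fi
  if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-issued; fi
}

# Fingerprint from probe_leaf output (OpenSSL 1.1 prints "SHA256", 3.x "sha256").
fingerprint_of() {
  printf '%s\n' "$1" | sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p'
}

# Roughly what SSLProxyVerify require does: the backend leaf must verify
# against the file named in SSLProxyCACertificateFile.
verify_backend() {
  tmp=$(mktemp) || return 1
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 >"$tmp" && openssl verify -CAfile certs/my_self_signed.pem "$tmp"
  rc=$?; rm -f "$tmp"; return $rc
}

# Live checks run only with --probe, so the functions can also be sourced.
if [ "${1:-}" = "--probe" ]; then
  front=$(probe_leaf myhost.domain 443 myhost.domain)
  back=$(probe_leaf oracle-backend.internal 4443 myhost.domain)
  echo "browser-facing cert is: $(classify_cert "$front")"
  if [ "$(fingerprint_of "$front")" = "$(fingerprint_of "$back")" ]; then
    echo "same leaf cert on proxy and backend: the request is not being proxied"
  fi
  verify_backend oracle-backend.internal 4443 myhost.domain
fi
```

A "self-signed" verdict on the browser-facing probe means the backend certificate is what reaches the browser, which matches the answer's first bullet; a failing verify_backend is what 'SSLProxyVerify require' would turn into a 502.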