1.  Home
  2. WEB400
  3. August 2018

SSL and reverse proxy and multiple certificates/domains

Actually the subject is really reverse proxy with *multiple* SSL virtual hosts.  I can get a *single* SSL virtual host working fine but, based on what I have read about Apache and SSL AND a reverse proxy with multiple virtual hosts, the SSL cert on the first selected domain is the one that is used to decrypt the traffic and this end up up conflicting with other virtual host entries (as far as I understand it).

Scenario:  Reverse proxy as a front end to multiple web server instances.  Single listening IP that ALL domains resolve to. The configs below won't be complete put will hopefully give you a flavor of the details.  Also, running V7R2 with all the latest PTF's/Groups/TR's

##### This will work but ONLY for the first site  #####

Listen 10.0.10.210:80
Listen 10.0.10.210:443
......
<VirtualHost *:80>
ServerName mysite1.com
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:443>
ServerName mysite1.com
SetEnv HTTPS_PORT 443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSITE1
SSLProtocolDisable SSLv2 SSLv3
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:80>
ServerName mysite2.com
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/

</VirtualHost>

<VirtualHost *:443>
ServerName mysite2.com
SetEnv HTTPS_PORT 443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSITE2
SSLProtocolDisable SSLv2 SSLv3
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/
</VirtualHost>

With this config https://mysite1.com works fine but I get a warning on https://mysite2.com that the site isn't secure because it is using the certificate for mysite1.com.  OK.  With a bit of reading about Apache configs, I get that you can't have two SSL certificates at the "front end" of a reverse proxy (AFAICS) . So let's go to PLAN B:

This time I have the reverse proxy listening on port 443 but it then passes traffic to the virtual host listening on a "secure" port that unique to each vhost:

Listen 10.0.10.210:80
Listen 10.0.10.210:443

......

<VirtualHost *:80>
ServerName mysite1.com
ProxyPass / http://10.0.10.207:4080/
ProxyPassReverse / http://10.0.10.207:4080/
</VirtualHost>

<VirtualHost *:443>
ServerName mysite1.com
ProxyPass / https://10.0.10.207:40443/
ProxyPassReverse / https://10.0.10.207:40443/
</VirtualHost>

<VirtualHost *:80>
ServerName mysite2.com
ProxyPass / http://10.0.10.205:5080/
ProxyPassReverse / http://10.0.10.205:5080/

</VirtualHost>

<VirtualHost *:443>
ServerName mysite2.com
ProxyPass / https://10.0.10.205:50443/
ProxyPassReverse / https://10.0.10.205:50443/
</VirtualHost>

And then at each server instance I have them listening on the designated "secure" ports:

For mysite1.com

listen 10.0.10.207:80

listen 10.0.10.207:40443

.........

<VirtualHost *.40443>

ServerName mysite1.com
SetEnv HTTPS_PORT 40443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSITE1
SSLProtocolDisable SSLv2 SSLv3

</VirtualHost>

For mysite2.com

listen 10.0.10.205:80
listen 10.0.10.205:50443
.........

<VirtualHost *.50443>
ServerName mysite1.com
SetEnv HTTPS_PORT 50443
SSLEngine On
SSLAppName QIBM_HTTP_SERVER_MYSITE2
SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>

I have not included many of the directives that actually serve the resources just to simplify the post..most of this is cut and paste with my own hacks to clean it up for a post here.

With "Plan B"  I get two different responses:  In Firefox I see "SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG"  In Chrome I see "This site can’t provide a secure connection"  and yet in the "security" tab in developer tools I see:

This page is not secure.
Certificate - valid and trusted
The connection to this site is using a valid, trusted server certificate issued by unknown name.
Resources - all served securely
All resources on this page are served securely.

So, I don't know what Chrome is actually complaining about.

So, have any of you skinned this cat?  I think Brad Stone commented once that he couldn't get SSL with reverse proxy to work.  I can, but only for ONE domain...the others get FUBAR'ed


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.