[prev in list] [next in list] [prev in thread] [next in thread] 

List:       apache-httpd-users
Subject:    RE: [users@httpd] SSL and reverse proxying
From:       "Anil Dighade" <danil () TechMahindra ! com>
Date:       2006-06-30 6:27:33
Message-ID: FD17D65012AEA049AF96FD6A415F470EF30980 () SINPUNEX001 ! TechMahindra ! com
[Download RAW message or body]


Hi Steve,
I tried the same few months back and had prepared one document for
support team and future developers, see if it is useful for you. Copy
pasting only how toinstall and configure apache with ssl part of this
document.

How to Compile and Install apache with mod_ssl:
Steps below would describe how to compile the apache source code on unix
environments. We need to enable the ssl and proxy module support in the
new installation.

Extract the httpd-2.0.55.tar.gz file as  below
gzip -d httpd-2_0_NN.tar.gz
tar xvf httpd-2_0_NN.tar

Configure how to compile and which modules to compile by executing
configure script as below
$cd  httpd-2.0.55
$./configure --prefix=/usr/local/apache/live \
> --enable-ssl=static \
> --enable-proxy=static \
> --enable-proxy-http=static

Run following commands to compile and install Apache.

$make
$make install

Here we have compiled the source with static linking so there wont be
separate ".so" files for each modules. Instead it will be built in as
default pack. By doing this we need not have use LoadModule directive to
load the module whilst starting the service.

Configure SSL:
1.	Create Certificates
Goto openssl/bin/ directory and execute below mentioned steps to
generate the key and self signed certificate files.

./openssl req -config openssl.cnf -new -out 172.24.6.57.csr
./openssl rsa -in privkey.pem -out 172.24.6.57.key
./openssl x509 -in 172.24.6.57.csr -out 172.24.6.57.cert -req -signkey
172.24.6.57.key -days 365

Copy 172.24.6.57.key and 172.24.6.57.cert files from openssl/bin/
directory to you apache conf directory.

2.	Configure httpd.conf for SSL
Add following lines at respective location in the httpd.conf file

Listen 443
ServerName 172.24.6.57:443
NameVirtualHost 172.24.6.57:443
SSLMutex default
SSLRandomSeed startup builtin
SSLSessionCache none

<VirtualHost 172.24.6.57:443>
SSLEngine On
SSLCertificateFile
"/data2/basapp/apache/apachessl/conf/ssl/172.24.6.57.cert"
SSLCertificateKeyFile
"/data2/basapp/apache/apachessl/conf/ssl/172.24.6.57.key"
# Proceed with  your proxy and server settings here.
</VirtualHost>


Now I had reverse proxy for redirecting the address to actual webserver,
to achive the I used below directive in my virtual host(Both ssl and
normal ports)

<IfModule mod_proxy.c>
ProxyRequests off
 <Proxy *>
 order deny,allow
 Allow from all
 </Proxy>
 ProxyBadHeader Ignore
 Alias /bas/ "/data2/basapp/apache/apache1/htdocs/"
 Alias /bas "/data2/basapp/apache/apache1/htdocs/"
 ProxyPass	/bas/ http://172.24.226.59:7001/bas/
 ProxyPassReverse	/bas/ http://172.24.226.59:7001/bas/
</IfModule>

Please let me know if you had achieved it in different way.


Regards,
D Anil




-----Original Message-----
From: sniedermeyer@cob.org [mailto:sniedermeyer@cob.org]
Sent: Friday, June 30, 2006 2:52 AM
To: users@httpd.apache.org
Subject: [users@httpd] SSL and reverse proxying


Hello Everyone,

Just joined the list today.  I've used Apache HTTP Server for simple
static
sites with the default configuration and am looking at using it for
reverse
proxying now.  I'm a newbie and am confused about how to proceed with
enabling HTTPS to the reverse proxy server and then from the reverse
proxy
server to a back end application server.  I have valid certificates for
both servers, but I'm getting lost in the documentation for allowing the
reverse proxy server to gracefully pass on HTTPS requests to the
application server so that a web browser doesn't complain about a
certificate that's not for the correct server.  Does anyone know of a
good
tutorial, book, or example config file I could reference?  I tried
looking
for a good Apache book that covered the basics as well as the SSL and
proxying I'm trying to accomplish for Apache 2.2 and haven't found one
yet.

Thanks for any help you can pass along.  I'll be sure to reciprocate as
I
learn more ;)
____________________________
Steven Niedermeyer
Information Technology Services
City of Bellingham
625 Halleck St
Bellingham, WA 98225
Phone: (360) 676-6671 x156
Fax: (360) 676-7693



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


============================================================================================================================


Tech Mahindra, formerly Mahindra-British Telecom.


Disclaimer:


The contents of this E-mail (including the contents of the enclosure(s) or \
attachment(s) if any) are privileged and confidential material of Tech Mahindra and \
should not be disclosed to, used by or copied in any manner by anyone other than the \
intended addressee(s). In case you are not the desired addressee, you should delete \
this message and/or re-direct it to the sender. The views expressed in this E-mail \
message (including the enclosure(s) or attachment(s) if any) are those of the \
individual sender, except where the sender expressly, and with authority, states them \
to be the views of Tech Mahindra.


This e-mail message including attachment/(s), if any, is believed to be free of any \
virus. However, it is the responsibility of the recipient to ensure that it is virus \
free and Tech Mahindra is not responsible for any loss or damage arising in any way \
from its use.

============================================================================================================================


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]