Topic: SSL and Reverse Proxies

via
Joined: 10 May 2019 Posts: 2 Location: UK
Posted: Fri 10 May '19 16:01 Post subject: SSL and Reverse Proxies

Hi all,
I am using a reverse proxy to forward to a few development servers on local addresses. The majority of these sites use SSL with Let's Encrypt certificates.
Currently I have the certification set up on the reverse proxy server and the following virtualhost config...
Code:
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName test.domain.net
        ProxyPreserveHost On
        ProxyPass / http://10.0.6.80/
        ProxyPassReverse / http://10.0.6.80/
        SSLCertificateFile /etc/letsencrypt/live/test.domain.net/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/test.domain.net/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>

Which works fine and appears to the outside world as https, however I take it communication between reverse proxy and web server will be running as http so unencrypted within the local network?
What would be the best method in regards to certification at the web server? Would I need to use the original Let's Encrypt certificate or would it be fine to use a self-signed certificate for this and the outside world would still see the Let's Encrypt cert?

James Blond Moderator
Joined: 19 Jan 2006 Posts: 7294 Location: Germany, Next to Hamburg
Posted: Fri 10 May '19 23:18 Post subject: Re: SSL and Reverse Proxies

via wrote:
> web server will be running as http so unencrypted within the local network?

Since you use http://, yes, the traffic is not encrypted.
Do you need to?

via wrote:
> What would be the best method in regards to certification at the web server? Would I need to use the original Let's Encrypt certificate or would it be fine to use a self-signed certificate for this and the outside world would still see the Let's Encrypt cert?

Both solutions work fine. The advantage of the second solution is that you don't need to copy the certs from time to time to the backend server.

via
Joined: 10 May 2019 Posts: 2 Location: UK
Posted: Sun 12 May '19 14:59 Post subject:

Cheers, site holds sensitive information which I do not want passed unencrypted even over LAN.
Went for the self-signed route which works perfectly, was unsure how it would react and if reverse proxy wouldn't fetch it as untrusted.
Surprised there are very few tutorials around HTTPS and reverse proxies, plenty on how to set up for HTTP but no mention of certificating HTTPS.
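
The proxy-side vhost for the self-signed backend discussed in this thread, as an added example that is not from either poster. mod_ssl's `SSLProxyVerify` defaults to `none`, which is why a self-signed backend certificate is accepted without complaint: the hop is encrypted but the backend is not authenticated, so the block shows that default beside a form that pins the backend's certificate. The file path `/etc/apache2/ssl/backend-selfsigned.pem` is an assumed location, and the example assumes the self-signed certificate was issued with a name the proxy's peer-name check accepts.

```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName test.domain.net

    # Front side, unchanged: clients still see the Let's Encrypt certificate.
    SSLCertificateFile /etc/letsencrypt/live/test.domain.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/test.domain.net/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Back side: needed before mod_proxy will speak TLS to an https:// target.
    SSLProxyEngine On

    # Weak form (the default when nothing else is set): the backend's
    # certificate chain is not validated, so the link is encrypted but
    # whoever answers on 10.0.6.80 is not authenticated.
    # SSLProxyVerify none

    # Pinned form: trust only the backend's own self-signed certificate.
    # Assumed path; copy the backend's public certificate here, never its key.
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-selfsigned.pem
    SSLProxyVerify require

    # On by default in current 2.4 releases; written out so that nobody
    # turns them off later to silence a certificate error.
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On

    ProxyPreserveHost On
    ProxyPass / https://10.0.6.80/
    ProxyPassReverse / https://10.0.6.80/
</VirtualHost>
</IfModule>
```

With the pinned form, replacing the backend's self-signed certificate also means updating the copy on the proxy, otherwise requests fail at the proxy with a 502/503 and a verification error in its error log.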