Proxying with SSL

ekkis · Jul 20, 2011 · Viewed 63.3k times

I have a Linux host running Apache and a Windows host running IIS. I have a domain that points to the Linux host and need to relay (proxy) requests for it to IIS; I thus have the following virtual host definition in Apache (which works just fine):

<VirtualHost 192.168.0.2:80>
    ServerName www.acme.com
    DocumentRoot /var/www/acme.com

    RewriteEngine On
    RewriteOptions Inherit
    RewriteRule ^/(.*) http://win.acme.com/$1 [P]
</VirtualHost>

now I want to add SSL support; the definition becomes:

<VirtualHost 192.168.0.2:443>
    ServerName www.acme.com
    DocumentRoot /var/www/acme.com
    GnuTLSEnable On
    GnuTLSPriorities NORMAL:%COMPAT
    GnuTLSCertificateFile /var/www/ssl/www.acme.com.crt
    GnuTLSKeyFile /var/www/ssl/www.acme.com.key

    RewriteEngine On
    RewriteOptions Inherit
    RewriteRule ^/(.*) https://win.acme.com/$1 [P]
</VirtualHost>

I have valid and trusted certificates on both web servers and if I visit https://win.acme.com all is well; however, when I visit https://www.acme.com I get a 500 Internal Server Error message. A peek at the error logs shows:

[Wed Jul 20 08:35:34 2011] [error] [client 76.168.166.70] SSL Proxy requested for www.wileybits.com:80 but not enabled [Hint: SSLProxyEngine]
[Wed Jul 20 08:35:34 2011] [error] proxy: HTTPS: failed to enable ssl support for 74.166.186.70:443 (win.acme.com)

do notice that the proxy request seems to be for the wrong domain (wileybits)... the domain it shows is also hosted by my Apache server but I don't get why it shows up in the logs of acme.com (a reverse DNS lookup perhaps?)

in any case, what am I missing?

thanks in advance - ekkis

p.s. host names and addresses have been altered to protect the innocent :)

* update *

with:

RewriteRule ^/(.*) https://win.acme.com/$1 [R,L]

it seems to work fine, but of course the Windows hostname becomes visible, which is not acceptable in my scenario

I also tried (instead of mod_rewrite):

ProxyRequests Off
ProxyPass / https://win.acme.com/

but same error

Answer

ekkis · Jul 20, 2011

figured it out... apparently I can do this:

SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ProxyPass / https://win.acme.com/
ProxyPassReverse / https://win.acme.com/
CacheDisable *

and it works just fine!

[the solution came from mikeg's posting on 3cx.org]
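
An added example, not part of ekkis's answer: the answer's directives placed in the question's :443 virtual host, with backend certificate verification turned on, since `SSLProxyEngine On` alone leaves `SSLProxyVerify` at its default of `none`. The CA bundle path is a placeholder, and mod_ssl, mod_proxy, mod_proxy_http and mod_headers are assumed to be loaded.

```apache
# Added example: the answer's proxy directives inside the question's
# :443 virtual host, plus checks on the backend (IIS) certificate.
# Assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.
<VirtualHost 192.168.0.2:443>
    ServerName www.acme.com
    DocumentRoot /var/www/acme.com

    # Front-end TLS, unchanged from the question (mod_gnutls).
    GnuTLSEnable On
    GnuTLSPriorities NORMAL:%COMPAT
    GnuTLSCertificateFile /var/www/ssl/www.acme.com.crt
    GnuTLSKeyFile /var/www/ssl/www.acme.com.key

    # Lets mod_proxy open https:// connections to the backend; this is
    # the directive named in the "[Hint: SSLProxyEngine]" log line.
    SSLProxyEngine On

    # SSLProxyVerify defaults to "none": the hop to IIS is encrypted,
    # but any certificate presented there is accepted. Require a
    # certificate that chains to a CA this proxy trusts.
    SSLProxyVerify require
    # Default depth is 1; 2 allows for one intermediate CA.
    SSLProxyVerifyDepth 2
    # Placeholder path: PEM bundle holding the CA chain that issued
    # the win.acme.com certificate.
    SSLProxyCACertificateFile /path/to/backend-ca-bundle.pem

    # Reject expired backend certificates and certificates whose name
    # does not match the host in ProxyPass (win.acme.com).
    # SSLProxyCheckPeerName needs Apache 2.4.5 or later;
    # SSLProxyCheckPeerCN is the older, CN-only check.
    SSLProxyCheckPeerExpire On
    SSLProxyCheckPeerName On

    # Reverse proxy only: forward-proxy mode stays off.
    ProxyRequests Off
    RequestHeader set Front-End-Https "On"
    ProxyPass / https://win.acme.com/
    ProxyPassReverse / https://win.acme.com/
    CacheDisable *
</VirtualHost>
```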