I tried to set up the following chain of redirects via reverse proxies using Apache2:
#          ┌────────────────────────────────────────────┐
#          │                  Internet                  │
#          │          ┌───────────────────────┐         │
#          │          │                       │         │
#          │          │        client         │         │
#          │          └───────────┬───────────┘         │
#          │                      │                     │
#          │                      │                     │
#          │                      │ c.example.com       │
#          │                      │                     │
#          │                      │                     │
# ┌────────┼──────────────────────┼─────────────────────┼────────┐
# │        │                      │                     │        │
# │        │      ┌───────────────▼───────────────┐     │        │
# │        │      │          Public Host          │     │        │
# │        │      │    pub.ip 123.123.123.123     │     │        │
# │        │      │  ┌─────────────────────────┐  │     │        │
# │        │      │  │   Public-facing Proxy   │  │     │        │
# │        │      │  └┬───────────────────────┬┘  │     │        │
# │        │      │   │    int.ip 10.0.0.2    │   │     │        │
# │        │      └───┼───────────────────────┼───┘     │        │
# │        │          │                       │         │        │
# │        │          │                       │         │        │
# │        └──────────┼───────────────────────┼─────────┘        │
# │                   │                       │                  │
# │                   │ a.example.com         │ b.example.com    │
# │                   │ c.example.com         │ d.example.com    │
# │                   │                       │                  │
# │                   │                       │                  │
# │                   │                       │                  │
# │                   │                       │                  │
# │       ┌───────────┼───────────────────────┼───────────┐      │
# │       │           │                       │           │      │
# │       │           │                       │           │      │
# │       │   ┌───────▼───────┐       ┌───────▼───────┐   │      │
# │       │   │ Private-Host-1│       │ Private-Host-2│   │      │
# │       │   │ ┌───────────┐ │       │ ┌───────────┐ │   │      │
# │       │   │ │Inner Proxy│ │       │ │Inner Proxy│ │   │      │
# │       │   │ └─┬───────┬─┘ │       │ └─┬───────┬─┘ │   │      │
# │       │   │   │       │   │       │   │       │   │   │      │
# │       │   ├───┼───────┼───┤       ├───┼───────┼───┤   │      │
# │       │   │   │c.     │a. │       │   │b.     │d. │   │      │
# │       │   │   │       │   │       │   │       │   │   │      │
# │       │   │   │       │   │       │   │       │   │   │      │
# │       │   │ ┌─▼──┐ ┌──▼─┐ │       │ ┌─▼──┐ ┌──▼─┐ │   │      │
# │       │   │ │    │ │    │ │       │ │    │ │    │ │   │      │
# │       │   │ │    │ │    │ │       │ │    │ │    │ │   │      │
# │       │   │ │srv1│ │srv2│ │       │ │srv3│ │srv4│ │   │      │
# │       │   │ │10.1│ │10.1│ │       │ │10.1│ │10.1│ │   │      │
# │       │   │ │.0.2│ │.0.3│ │       │ │.0.4│ │.0.5│ │   │      │
# │       │   │ └────┘ └────┘ │       │ └────┘ └────┘ │   │      │
# │       │   │  containers   │       │  containers   │   │      │
# │       │   └───────────────┘       └───────────────┘   │      │
# │       │       10.0.0.3                10.0.0.4        │      │
# │       │                                               │      │
# │       └───────────────────────────────────────────────┘      │
# │                     Intranet 10.0.0.0/24                     │
# └──────────────────────────────────────────────────────────────┘
My configuration file is as follows (the same on the public and private hosts; change the IP as needed):
# c-example-com.conf on public host
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName c.example.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/c.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/c.example.com/privkey.pem
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine on
    # on the private host, this would be 10.1.0.2 for all the rest of the passes
    ProxyPass / https://10.0.0.3/
    ProxyPassReverse / https://10.0.0.3/
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerName c.example.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://10.0.0.3/
    ProxyPassReverse / http://10.0.0.3/
    RewriteEngine on
</VirtualHost>
</IfModule>
<VirtualHost *:80>
    ServerName c.example.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://10.0.0.3/
    ProxyPassReverse / http://10.0.0.3/
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =c.example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Without Public Host, i.e. if private host 1 is exposed to the internet and its public IP is mapped to the domain name and redirects to container srv1 via one reverse proxy, then it works just fine. However, when the public-facing proxy is chained on top of inner proxy 1, then the following happens:
1). http://c.example.com shows the default index.html of Apache2 from Public Host
2). https://c.example.com refuses to connect.
Each layer (public host, private host, and server) has its own SSL cert, but that's secondary. At the moment even http isn't working. Any ideas?
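Added example, not part of the original post: a small static check for a vhost file laid out like the one above. It reports `<VirtualHost>` blocks that repeat an earlier block's bind address and ServerName (Apache keeps selecting the first one it read) and blocks wrapped in `<IfModule>` (skipped without an error when that module is not loaded). `SAMPLE` is a constructed, trimmed copy of the posted layout, and the function names are this example's own.

```python
import re

# Constructed sample: a trimmed copy of the vhost layout shown in the post.
SAMPLE = """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName c.example.com
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerName c.example.com
</VirtualHost>
</IfModule>
<VirtualHost *:80>
ServerName c.example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""

def parse_vhosts(text):
    """Return one record per <VirtualHost>: bind address, ServerName, enclosing <IfModule>s."""
    vhosts, guards, cur = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := re.match(r"<IfModule\s+([^>]+)>", line, re.I):
            guards.append(m.group(1).strip())
        elif re.match(r"</IfModule>", line, re.I) and guards:
            guards.pop()
        elif m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            cur = {"bind": m.group(1).strip(), "name": None, "guards": list(guards), "line": no}
        elif re.match(r"</VirtualHost>", line, re.I) and cur:
            vhosts.append(cur)
            cur = None
        elif cur and (m := re.match(r"ServerName\s+(\S+)", line, re.I)):
            cur["name"] = m.group(1).lower()
    return vhosts

def lint(text):
    """Flag vhosts that an earlier one shadows, and vhosts that load only if a module does."""
    findings, first_seen = [], {}
    for vh in parse_vhosts(text):
        key = (vh["bind"], vh["name"])
        if key in first_seen:  # same address:port and name: Apache keeps using the first
            findings.append(("shadowed", vh["line"], first_seen[key]))
        first_seen.setdefault(key, vh["line"])
        for mod in vh["guards"]:  # vhost is dropped without error if mod is not loaded
            findings.append(("conditional", vh["line"], mod))
    return findings
```

On a live host, `apachectl -S` prints the vhost table Apache actually built, which is the authoritative version of what this check approximates from the file alone.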