Score:0

Configure SSL for Apache Reverse Proxy


I want to redirect HTTPS connections to my domain towards a unique subdomain using the Apache2 reverse proxy. I want all the connections that come to a.example.com to be redirected towards $random$.b.example.com. To generate the random value I have a script running on port 3000: all requests for a.example.com are proxied to my script, which sends back a reply to the client with the 302 redirect code and the new domain $random$.b.example.com, and then all connections towards $random$.b.example.com are supposed to be served normally.

I have a key and certificates for a.example.com and $random$.b.example.com (wildcard certificate *.b.example.com). However, when my client receives the redirect it throws "invalid peer certificate: CertNotValidForName" and does not move on to query $random$.b.example.com. What am I doing wrong?

My virtual hosts look like this:

```apache
<IfModule mod_ssl.c>
    # a.example.com: everything is proxied to the redirect script on port 3000
    <VirtualHost *:443>
        ServerName a.example.com

        SSLProxyEngine on
        ProxyPass / http://localhost:3000/
        ProxyPassReverse / http://localhost:3000/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined
        SSLEngine on
        SSLCertificateFile      /etc/apache2/ssl/wildcard_domain.pem
        SSLCertificateKeyFile   /etc/apache2/ssl/wildcard_domain.key
    </VirtualHost>

    # b.example.com and *.b.example.com: served from the local document root
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        ServerName b.example.com
        ServerAlias *.b.example.com
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined
        SSLEngine on

        SSLCertificateFile      /etc/apache2/ssl/wildcard_domain.pem
        SSLCertificateKeyFile   /etc/apache2/ssl/wildcard_domain.key

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        Alias /data /path/to/data
        <Directory /path/to/data>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

    </VirtualHost>
</IfModule>
```

Score:2


The error you get means that the subject alternative names in the certificate do not match the hostname from the URL you visit.

According to your config you seem to use the same certificate both for a.example.com and *.b.example.com. You get this error then because the certificate is not valid for both domains, i.e. you either get the certificate error before the redirect (when visiting a.example.com) or after (when visiting whatever.b.example.com).

The fix is to either use a certificate which covers both names or use two different certificates in your configuration, one for a.example.com and another which covers b.example.com and *.b.example.com. Note that a certificate for *.example.com will cover only a.example.com and b.example.com but not *.b.example.com.

Mnemosyne:
I have two different certificates: one for a.example.com and another one for *.b.example.com, but how do I combine the two given the configuration above?

Steffen Ullrich:
@Mnemosyne: if you have two different certificates then set SSLCertificateFile and SSLCertificateKeyFile to the certificate matching the specific VirtualHost instead of using the same certificate for both VirtualHosts.

Mnemosyne:
Hello, I changed the certificates in the first VH to match the original domain and I don't get this error anymore. Thank you! My new issue is that the path to get the data is now the new $random$.b.example.com/data instead of a.example.com/data (same IP as a.example.com), but the data is no longer accessible under the new domain. Do you have any idea how to fix this in the Directory directive? Thank you again for any suggestions.

Steffen Ullrich:
@Mnemosyne: *"My new issue ..."* - please open a new question for this with all necessary details. From this short comment alone I'm not able to understand the problem.
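To make the SAN-matching rule from the answer and the per-VirtualHost certificate advice from the comments concrete, here is an added Python check that is not part of this thread and not Apache's own tooling. It parses a minimal VirtualHost configuration and reports every ServerName or ServerAlias that the SANs of the referenced certificate would not cover, using the RFC 6125 wildcard rule (a `*` matches exactly one label, leftmost only), which is why *.example.com covers a.example.com but not x.b.example.com. The config text, the SAN table and the path /etc/apache2/ssl/a_domain.pem are constructed for the example; a real audit would read the SANs out of the certificate files instead of a table.

```python
"""Audit TLS VirtualHosts: is every ServerName/ServerAlias covered by the
SANs of the certificate that vhost points at?

Constructed example: the SAN table and both config fragments below are made
up to mirror the question; nothing is read from disk.
"""

# Assumed SAN contents of the certificate files. wildcard_domain.pem is the
# file from the question; a_domain.pem is a hypothetical path for the
# separate a.example.com certificate the asker says they have.
CERT_SANS = {
    "/etc/apache2/ssl/wildcard_domain.pem": ["b.example.com", "*.b.example.com"],
    "/etc/apache2/ssl/a_domain.pem": ["a.example.com"],
}


def vhost(names, cert):
    """Render a minimal <VirtualHost *:443> block (constructed config)."""
    server_name, *aliases = names
    lines = [f"    ServerName {server_name}"]
    lines += [f"    ServerAlias {alias}" for alias in aliases]
    lines += ["    SSLEngine on", f"    SSLCertificateFile {cert}"]
    return "<VirtualHost *:443>\n" + "\n".join(lines) + "\n</VirtualHost>\n"


# Before the fix: both vhosts use the *.b.example.com certificate.
BROKEN_CONFIG = (
    vhost(["a.example.com"], "/etc/apache2/ssl/wildcard_domain.pem")
    + vhost(["b.example.com", "*.b.example.com"], "/etc/apache2/ssl/wildcard_domain.pem")
)

# After the fix from the answer: each vhost references the cert for its own names.
FIXED_CONFIG = (
    vhost(["a.example.com"], "/etc/apache2/ssl/a_domain.pem")
    + vhost(["b.example.com", "*.b.example.com"], "/etc/apache2/ssl/wildcard_domain.pem")
)


def hostname_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style dNSName comparison.

    A '*' is accepted only as the entire leftmost label and matches exactly
    one label, so *.example.com covers a.example.com but neither example.com
    nor x.b.example.com, and *.b.example.com does not cover b.example.com.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if "*" in pattern[1:] or (pattern[0] != "*" and "*" in pattern[0]):
        return False  # wildcard outside the leftmost label, or a partial one
    if pattern[0] != "*" and pattern[0] != host[0]:
        return False
    return host[1:] == pattern[1:]


def name_covered(vhost_name: str, sans) -> bool:
    """True if some SAN covers the vhost name.

    A ServerAlias such as *.b.example.com is itself a pattern, so it is probed
    with a representative label: only a SAN that matches an arbitrary host
    under b.example.com counts as covering it.
    """
    probe = vhost_name.replace("*", "probe-host")
    return any(hostname_matches(probe, san) for san in sans)


def parse_vhosts(config_text: str):
    """Collect (names, cert) per <VirtualHost> from a simple Apache config."""
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            current = {"names": [], "cert": None}
        elif line.lower() == "</virtualhost>":
            vhosts.append(current)
            current = None
        elif current is not None:
            key, *args = line.split()
            if key.lower() in ("servername", "serveralias"):
                current["names"].extend(args)
            elif key.lower() == "sslcertificatefile" and args:
                current["cert"] = args[0]
    return vhosts


def audit(config_text: str, cert_sans):
    """Return (name, cert_path) pairs where the cert's SANs do not cover the name."""
    problems = []
    for vh in parse_vhosts(config_text):
        sans = cert_sans.get(vh["cert"], [])
        for name in vh["names"]:
            if not name_covered(name, sans):
                problems.append((name, vh["cert"]))
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg, CERT_SANS) or "all names covered")
```

Apache selects the VirtualHost, and with it the certificate, from the hostname the client sends in SNI, so once each vhost references the certificate for its own names the client sees the a.example.com certificate before the 302 and the *.b.example.com certificate after it. Running the audit on the "broken" config flags a.example.com against wildcard_domain.pem, which is exactly the CertNotValidForName the asker saw.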