I have an Apache reverse proxy that correctly proxies an https internal server. It is configured to use a wildcard self-signed certificate and to be a name-based virtual host with the ServerName directive.

I am trying to add a second https internal server to proxy. I copied the configuration from the first server and changed ServerName, but it does not work: if I try to connect to the name of the second server, it always proxies me to the first.

Here is the configuration:

```apache
NameVirtualHost *:443

<VirtualHost *:443>
    ServerAdmin [email protected]
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/apache2/siteX-cert/wildcard.siteX.com.crt
    SSLCertificateKeyFile /etc/apache2/siteX-cert/wildcard.siteX.com.key
    SSLCACertificateFile /etc/apache2/siteX-cert/my-ca.crt
    ServerName "website.siteX.com"
    CustomLog "/var/log/apache2/website.siteX.com-ssl-access.log" combined
    ErrorLog "/var/log/apache2/website.siteX.com-ssl-error.log"

    # We're not an open proxy
    ProxyRequests off

    # Proxying is available for anyone
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # The site we're proxying through
    ProxyPass / https://10.3.0.16/
    ProxyPassReverse / https://10.3.0.16/

    # Allows the proxying of an SSL connection
    SSLProxyEngine On
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin [email protected]
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/apache2/siteX-cert/wildcard.siteX.com.crt
    SSLCertificateKeyFile /etc/apache2/siteX-cert/wildcard.siteX.com.key
    SSLCACertificateFile /etc/apache2/siteX-cert/my-ca.crt
    ServerName "website2.siteX.com"
    CustomLog "/var/log/apache2/website.siteX.com-ssl-access.log" combined
    ErrorLog "/var/log/apache2/website.siteX.com-ssl-error.log"

    # We're not an open proxy
    ProxyRequests off

    # Proxying is available for anyone
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # The site we're proxying through
    ProxyPass / https://10.3.0.26/
    ProxyPassReverse / https://10.3.0.26/

    # Allows the proxying of an SSL connection
    SSLProxyEngine On
</VirtualHost>
```
  • Does your server support SNI, i.e. at least 2.2.12? Does your browser and/or other client(s) send SNI? Commented May 26, 2016 at 5:12
  • I checked the Apache version and it is 2.2.22-1ubuntu1.10, so it should support SNI. Do I have to enable it somewhere? Commented May 26, 2016 at 8:24
  • You shouldn't need to enable it on the server, and I've never needed to enable it on a browser that supports it (although I don't rule out the possibility); other non-browser clients vary. If you can, install and run www.wireshark.org (on Windows or Mac server or machine close to the server) while making a request or run tcpdump or similar on the server to get a capture file and move it to wireshark for easier display; expand the ClientHello and look if it contains Extension: server_name containing the correct name or not. Commented May 27, 2016 at 8:12

1 Answer

I switched to Nginx and managed to get the two https sites working, with a quite simple configuration:

```nginx
ssl_certificate /etc/nginx/siteX-cert/wildcard.siteX.com.crt;
ssl_certificate_key /etc/nginx/siteX-cert/wildcard.siteX.com.key;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

server {
    listen 443 ssl;
    server_name website.siteX.com;
    ssl on;
    location / {
        proxy_pass https://10.3.0.16/;
    }
}

server {
    listen 443 ssl;
    server_name website2.siteX.com;
    ssl on;
    location / {
        proxy_pass https://10.3.0.26/;
    }
}
```