2015-03-23 20:01 GMT+01:00 Abdelouahed Haitoute <ahaito...@rinis.nl>:
> Hello,
>
> I’m trying to set up a proxy server which selects the correct certificate
> based on destination IP address. I’m using Apache 2.4 on CentOS 6.6.
>
> I’m using the following configuration:
>
> <VirtualHost *:3128>
>     SSLProxyEngine On
>     SSLProxyVerify require
>     SSLProxyVerifyDepth 10
>     <If "%{REMOTE_ADDR} -ipmatch '192.168.0.0/24'">
>         SSLProxyMachineCertificateFile /etc/pki/tls/certs/example.com.cer
>         SSLProxyCACertificateFile /etc/pki/tls/certs/ca.cer
>     </If>
>     <Else>
>         SSLProxyMachineCertificateFile /etc/pki/tls/certs/example.org.cer
>         SSLProxyCACertificateFile /etc/pki/tls/certs/ca.cer
>     </Else>
>
>     RewriteEngine On
>     RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]
>
>     ProxyPreserveHost On
>     ProxyPass / https://$1/
>     ProxyPassReverse / https://$1/
> </VirtualHost>
>
> But I’m getting the following error when I start the httpd service:
> Starting httpd: AH00526: Syntax error on line 8 of
> /opt/rh/httpd24/root/etc/httpd/conf.d/forward_ssl_proxy.conf:
> SSLProxyMachineCertificateFile not allowed here
> [FAILED]
>
> Can someone help me achieve my goal of using the correct
> certificate based on destination address?
>
> With kind regards,
>
> Abdelouahed
>

Hello,

Your configuration is confusing. Are you really trying to reverse proxy, or forward proxy your local network with destinations outside to any URL on the Internet?

REMOTE_ADDR: this variable checks the SOURCE IP of the client connecting to your server; it is not a destination IP as you mention.

If you really want to check the source IP for some particular reason, you can't use SSLProxyMachineCertificateFile in that context because that directive can only be used in server config, and it should have all certificates in one single file, so you really don't need to define it twice, or define it conditionally as you are trying to do:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile

Now onto the proxy directives....

You also have two lines to do the same thing, but incorrectly:

RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]
ProxyPass / https://$1/   <-- this does the same as above but it is incorrect, as ProxyPass has no value for $1 AFAIK, and the first RewriteRule is essentially doing the same, so use one or the other.

HTTP_HOST implies the client can request any URL and you will try to proxy to it, so for all purposes you seem to want <Proxy *> instead of ProxyPass/RewriteRule. If this were the case you certainly don't need to check the certificate according to destination.

So... if you want to do reverse proxy because there are only limited destinations, by all means specify them manually instead of using HTTP_HOST, and use ProxyPass as you are trying, like:

in server config:
SSLProxyMachineCertificateFile /path/to/catchallfile.pem

then:

<VirtualHost *:3128>
    ServerName example.com
    (SSLProxy directives here...)
    ProxyRequests off
    ProxyPass / https://example.com/
</VirtualHost>

<VirtualHost *:3128>
    ServerName example.org
    (SSLProxy directives here...)
    ProxyRequests off
    ProxyPass / https://example.org/
</VirtualHost>

And if you want to FORWARD proxy then:

<VirtualHost *:3128>
    ProxyRequests on
    <Proxy *>
        Require ip range   <--- in case you want to allow proxy only from specific IPs
    </Proxy>
    AllowCONNECT 443
</VirtualHost>

Hope this helps.

Regards,

--
*Daniel Ferradal*
IT Specialist
email dferra...@gmail.com
linkedin es.linkedin.com/in/danielferradal
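The two layouts Daniel sketches, written out as a complete httpd 2.4 configuration. This is an added example, not Daniel's or the httpd project's own configuration: the certificate paths, the single combined client-certificate file, the `Listen` line and the 192.168.0.0/24 range are taken from the thread or assumed, and the two options are alternatives for the same port, so only one of them goes into a running server.

```apache
# Added example (not from the thread): one of the two options below, not both.
# All paths and hostnames are placeholders taken from the thread.

# Server config, outside any <VirtualHost>: every client certificate the proxy
# may present to a backend lives in this one PEM file. There is no per-vhost or
# per-destination variant of this directive, which is what the original <If>
# block tripped over.
SSLProxyMachineCertificateFile /etc/pki/tls/certs/proxy-client-certs.pem

Listen 3128

# ---------------------------------------------------------------------------
# Option A: reverse proxy to a fixed set of backends. The backend URL is
# hard-coded per virtual host instead of being built from HTTP_HOST, so a
# client cannot steer the proxy at an arbitrary destination.
# ---------------------------------------------------------------------------
<VirtualHost *:3128>
    ServerName example.com

    SSLProxyEngine On
    # Verify the backend's certificate chain against the trusted CA bundle ...
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    SSLProxyCACertificateFile /etc/pki/tls/certs/ca.cer
    # ... and insist that the certificate's name matches the host being dialled
    # and that it has not expired (both are separate checks in mod_ssl).
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    ProxyPass        / https://example.com/
    ProxyPassReverse / https://example.com/
</VirtualHost>

<VirtualHost *:3128>
    ServerName example.org

    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    SSLProxyCACertificateFile /etc/pki/tls/certs/ca.cer
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyRequests Off
    ProxyPass        / https://example.org/
    ProxyPassReverse / https://example.org/
</VirtualHost>

# ---------------------------------------------------------------------------
# Option B: forward proxy for the LAN only (use instead of Option A). HTTPS
# clients send CONNECT, so the proxy just tunnels bytes: it never terminates
# TLS and no client-certificate selection happens here at all.
# ---------------------------------------------------------------------------
# <VirtualHost *:3128>
#     ProxyRequests On
#     <Proxy *>
#         # Without this, anyone who can reach port 3128 gets an open relay.
#         Require ip 192.168.0.0/24
#     </Proxy>
#     # Only permit CONNECT tunnels to the HTTPS port.
#     AllowCONNECT 443
# </VirtualHost>
```

After dropping the file into conf.d, `apachectl configtest` (or `httpd -t` for the SCL build in the thread) reports directive-placement errors like the AH00526 one before the service is restarted. In Option A the proxy presents a client certificate from the combined file only when a backend requests one, and the backend's certificate is rejected unless it chains to ca.cer and names the host in the ProxyPass URL; in Option B the `Require ip` line is the whole access-control story, since `ProxyRequests On` without it answers every client.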