Hello Dino / HTH,

Thank you for your very elaborate answer!!

Your 'diagram' made it very clear!
Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS requests 
made by your clients) --> Your internal backend(s) (answer to HTTPS requests 
coming from your proxy).

It's also good to know that I set up my reverse proxy in the correct way (only 
installing the SSL certificates on the reverse proxy).
My set-up is: Clients --> HTTPS --> reverse proxy --> HTTP --> back-end server

There is no need in my set-up to use HTTPS between the reverse proxy and the 
back-end server.

Thanks for clarification!

Jeroen

--------------------------------------------------------
Support the independent web, use 
[Firefox](https://www.mozilla.org/en-US/firefox/new/)

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 13th, 2022 at 7:15 PM, Dino Ciuffetti <d...@tuxweb.it> 
wrote:

> Apache httpd works at layer 7 (HTTP/HTTPS).
> You CANNOT have a reverse proxy at layer 4 with apache httpd where the X509 
> certificates are only needed on your backends (like HAProxy does).
>
> Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS requests 
> made by your clients) --> Your internal backend(s) (answer to HTTPS requests 
> coming from your proxy).
>
> The traffic between your internet clients and apache httpd is protected via 
> TLS protocol (HTTPS) so you need a X509 certificate and its private key on 
> your httpd public facing reverse proxy virtual host to terminate TLS internet 
> traffic to your reverse proxy.
>
> If you also want your reverse proxy to talk to your internal backend(s) via 
> HTTPS you also need a X509 certificate and private key on your HTTPS backend 
> servers.
>
> RECAP: You will need a certificate released by a public (known to all major 
> browsers) Certification Authority for your reverse proxy and a certificate 
> released by a private Certification Authority (only known by your proxy and 
> your backends) on your backends. You could even use self signed certificates 
> on your private side, or maintain a private CA by yourself via openssl.
>
> HTH
>
> January 13, 2022 12:58, "Jeroen Verhoeckx" 
> <j.verhoe...@protonmail.com.invalid> wrote:
>
>> Thanks, great to know that it is possible!
>>
>> You write that you need to install the SSL certificates on both the reverse 
>> proxy and in the virtual machine (or another local server)?
>> Is that really necessary? I try to avoid duplication whenever that is 
>> possible.
>>
>> Do you have an example set-up somewhere?
>>
>> Thanks!!
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Wednesday, January 12th, 2022 at 5:23 PM, Dino Ciuffetti <d...@tuxweb.it> 
>> wrote:
>>
>>>> My question:
>>>> Would it have been possible to install the SSL certificates in the virtual 
>>>> machines?
>>>
>>> YES. It's possible to send Internet HTTPS traffic to an internal HTTPS 
>>> service behind apache httpd as a reverse proxy.
>>> You eventually need to install same SSL certificates (but you don't have to 
>>> necessarily) on both the reverse proxy and the internal service, enable 
>>> SSLProxyProtocol on your VHs and send the traffic to HTTPS via your ProxyPass.
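
The two set-ups discussed in this thread, side by side as an httpd configuration sketch. This is an added example, not configuration posted by anyone in the thread. All hostnames, addresses and file paths are placeholder assumptions, and mod_ssl, mod_proxy, mod_proxy_http and mod_headers are assumed to be loaded.

```apache
# Added example: hostnames, IP addresses and file paths are placeholders.

# Set-up A: TLS ends at the proxy, plain HTTP to the back-end
# (Clients --> HTTPS --> reverse proxy --> HTTP --> back-end server).
<VirtualHost *:443>
    ServerName www.example.com

    # Certificate from a public CA; only the proxy holds it and its key.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/public/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Let the back-end know the client side of the connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # This hop is unencrypted: anything on the path between proxy and
    # back-end can read and modify the traffic.
    ProxyPass        / http://10.0.0.10:8080/
    ProxyPassReverse / http://10.0.0.10:8080/
</VirtualHost>

# Set-up B: same public side, but the proxy talks HTTPS to the back-end,
# whose certificate is issued by a private CA known only to the proxy.
<VirtualHost *:443>
    ServerName app.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/public/app.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Turn on TLS for outgoing (proxied) connections.
    SSLProxyEngine on
    # Trust only the private CA for back-end certificates ...
    SSLProxyCACertificateFile /etc/ssl/internal/private-ca.crt
    # ... and refuse back-ends that fail chain, name or expiry checks.
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # The back-end certificate must be valid for this hostname.
    ProxyPass        / https://backend.internal.example:8443/
    ProxyPassReverse / https://backend.internal.example:8443/
</VirtualHost>
```

With a self-signed back-end certificate instead of a private CA, the certificate itself is what `SSLProxyCACertificateFile` points to; switching the verification directives off instead removes the authentication of the back-end and leaves only encryption.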
