With regard to:
reverse proxy --> HTTP --> back-end server
and in respect to the sensitivity of your requests and responses, you
might want to consider any security implications or if this violates any
compliance requirements depending on the proximity of your proxy to your
back-end server. It's likely the proxy -> back-end server stays within a
very tight environment. However, that request and response is traveling
some segment of network whether physical or virtual and likely only
yours, unencrypted or perhaps protected at most by VPN encryption.
On 1/13/2022 5:05 PM, Jeroen Verhoeckx wrote:
Hello Dino / HTH,
Thank you for your very elaborate answer!!
Your 'diagram' made it very clear!
Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS
requests made by your clients) --> Your internal backend(s) (answer to
HTTPS requests coming from your proxy).
It's also good to know that I set-up my reverse proxy in the correct
way (only installing the SSL certificates on the reverse proxy).
My set-up is: Clients --> HTTPS --> reverse proxy --> HTTP -->
back-end server
There is no need in my set-up to use HTTPS between the reverse proxy
and the back-end server.
Thanks for clarification!
Jeroen
--------------------------------------------------------
Support the independent web, use Firefox
<https://www.mozilla.org/en-US/firefox/new/>
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 13th, 2022 at 7:15 PM, Dino Ciuffetti
<d...@tuxweb.it> wrote:
Apache httpd works at layer 7 (HTTP/HTTPS).
You CANNOT have a reverse proxy at layer 4 with apache httpd where
the X509 certificates are only needed on your backends (like HAProxy
does).
Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS
requests made by your clients) --> Your internal backend(s) (answer
to HTTPS requests coming from your proxy).
The traffic between your internet clients and apache httpd is
protected via TLS protocol (HTTPS) so you need an X509 certificate and
its private key on your httpd public facing reverse proxy virtual
host to terminate TLS internet traffic to your reverse proxy.
If you also want your reverse proxy to talk to your internal
backend(s) via HTTPS you also need an X509 certificate and private key
on your HTTPS backend servers.
RECAP: You will need a certificate released by a public (known to all
major browsers) Certification Authority for your reverse proxy and a
certificate released by a private Certification Authority (only known
by your proxy and your backends) on your backends. You could even use
self-signed certificates on your private side, or maintain a private
CA by yourself via openssl.
HTH
13 January 2022 12:58, "Jeroen Verhoeckx"
<j.verhoe...@protonmail.com.invalid> wrote:
Thanks, great to know that it is possible!
You write that you need to install the SSL certificates on both
the reverse proxy and in the virtual machine (or another local
server)?
Is that really necessary? I try to avoid duplication whenever
that is possible.
Do you have an example set-up somewhere?
Thanks!!
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, January 12th, 2022 at 5:23 PM, Dino Ciuffetti
<d...@tuxweb.it> wrote:
My question:
/Would it have been possible to install the SSL certificates
in the virtual machines?/
YES. It's possible to send Internet HTTPS traffic to an
internal HTTPS service behind apache httpd as a reverse proxy.
You eventually need to install the same SSL certificates (but you
don't have to necessarily) on both the reverse proxy and the
internal service, enable SSLProxyProtocol on your VHs and send the
traffic to HTTPS via your ProxyPass.
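
The two proxy -> back-end variants discussed in this thread, as an added example that is not part of any of the messages above. Host names, ports and file paths are placeholders (assumptions); the back end is assumed to present a certificate issued by a private CA whose certificate is installed on the proxy.

```apache
# Added example, not from the thread. Host names, ports and file paths are
# placeholders (assumptions). Requires mod_ssl, mod_proxy and mod_proxy_http.

<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing side: certificate from a public CA; TLS from the
    # Internet terminates here.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # --- Variant A: plain HTTP on the proxy -> back-end hop ---
    # Requests and responses cross the internal segment unencrypted.
    # ProxyPass        / http://backend.internal.example:8080/
    # ProxyPassReverse / http://backend.internal.example:8080/

    # --- Variant B: HTTPS on the proxy -> back-end hop ---
    # Turn on TLS for outgoing proxy connections.
    SSLProxyEngine on
    # Trust only the private CA that issued the back-end certificate.
    SSLProxyCACertificateFile /etc/httpd/tls/private-ca.crt
    # Fail the request if the back end's certificate does not verify.
    SSLProxyVerify require
    # Reject a certificate whose name does not match the ProxyPass host,
    # or that has expired.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # Restrict the protocol versions offered to the back end.
    SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

    ProxyPass        / https://backend.internal.example:8443/
    ProxyPassReverse / https://backend.internal.example:8443/
</VirtualHost>
```

With Variant B the back-end server needs its own certificate and private key, and the name in that certificate must match the host name used in ProxyPass.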