Forum

Reverse proxy SSL woes

Luis Mendes
4 June 2018, 21:18
HI,

I've setup correctly SSL on the ending instance that is going to serve one wordpress site.
I've done the same to a hiwatha that should be used only for reverse proxying.
So, SSL configuration per se is not a problem.

What I'd like is to have the reverse proxy decode SSL and then send the plain connections to the receiving ends, as I'd like to have several applications for http. But spent many hours on this and the best I get is a sign that the connection is not secure.

The configuration of the reverse proxy:
set LOCALHOST = 127.0.0.0/8                                                                                                                                                                                                                                                     
set MyIPv4 = 127.0.0.1
ServerId = www
ConnectionsTotal = 1000
ConnectionsPerIP = 25
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
Binding {
Port = 80
}
Binding {
Port = 443
TLScertFile = tls/hino.pt-1.pem
#Interface = 127.0.0.1
MaxRequestSize = 2048
TimeForRequest = 30
}
Hostname = 127.0.0.1
WebsiteRoot = /usr/local/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
VirtualHost {
Hostname = hino.pt, *.hino.pt
TLScertFile = tls/hino.pt-1.pem
WebsiteRoot = /usr/local/www/hiawatha/hino.pt/public
AccessLogfile = /usr/local/www/hiawatha/hino.pt/log/access.log
ErrorLogfile = /usr/local/www/hiawatha/hino.pt/log/error.log
TimeForCGI = 5
StartFile = index.html
ReverseProxy .* http://127.0.0.80:8080/
RequireTLS = no
}


The config of the ending webserver:
set LOCALHOST = 127.0.0.0/8
set MyIPv4 = 127.0.0.80
ServerId = www
ConnectionsTotal = 4000
ConnectionsPerIP = 32
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ThreadKillRate = 10
CacheSize = 8
CacheMaxFilesize = 512
MaxUrlLength = 1000
SocketSendTimeout = 30
LogfileMask = deny LOCALHOST, deny MyIPv4
RequestLimitMask = deny LOCALHOST, deny MyIPv4
Binding {
Port = 8080
MaxKeepAlive = 100
TimeForRequest = 5,15
MaxRequestSize = 16000
MaxUploadSize = 2
}
Binding {
Port = 443
TLScertFile = tls/hino.pt-1.pem
#Interface = 127.0.0.80
MaxRequestSize = 2048
TimeForRequest = 30
}
FastCGIserver {
FastCGIid = PHP7_hino
ConnectTo = /var/run/php-fpm/sockets/php-fpm_hino.sock
Extension = php
}
Hostname = 127.0.0.80
WebsiteRoot = /usr/local/www/hiawatha
StartFile = index.html
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
VirtualHost {
Hostname = hino.pt, *.hino.pt
TLScertFile = tls/hino.pt-1.pem
WebsiteRoot = /usr/local/www/hiawatha/hino.pt/public
AccessLogfile = /usr/local/www/hiawatha/hino.pt/log/access.log
ErrorLogfile = /usr/local/www/hiawatha/hino.pt/log/error.log
StartFile = index.php
TimeForCGI = 30
UseFastCGI = PHP7_hino
}


Tried to point (ReverseProxy .* http://127.0.0.80:8080/) to 8080, to 443, to 8443 (not shown)...
I'd appreciate the have the solution for this!
Luis Mendes
4 June 2018, 23:29
Ok, already solved this.

ReverseProxy .* https://127.0.0.80:8443/

Added the 's', so as to be 'https' and changed also to the ssl binding in the receiving webserver.
Don't know if the receiving webserver is using any certificate or not, would like to be clarified in order to try to understand this.
Hugo Leisink
9 June 2018, 20:38
The receiving webserver must be using SSL if the https reverse proxy works. It will of course be using a certificate. By default, Hiawatha doesn't the the validity of that certificate. Use the CAcertificates setting for that.
Allowed BBcodes:
[quote]
[code]
[config]
[url]
[color]
[size]
[img]
[b]
[i]
[u]
[s]
[list]
[ul]
[ol]
[*]