how to: get apache proxypass working with ssl

31 Aug

their seems to be alot of documentation on apaches proxy module. Yet i was unable to find anything that worked to get a ssl to ssl proxy running.

you can also use this information for a basic proxypass, just ignore anything ssl related

most of the documentation left out one item : SSLProxyEngine on

You need to enable this option on the ssl virtual host in order to proxy content from your https url to another https url

you’ll also need at least the following, feel free to correct me if a module is a requirement.

mod_proxy.so
mod_proxy_http.so
mod_ssl.so

also you might want to check out : mod_proxy_html

here’s an example apache 2.2.4 vhost config that works for me.

DocumentRoot path/to/files
ServerAdmin admin@inhouse.sid
ErrorLog path/to/log
TransferLog path/to/log

ProxyPass https://otherserver.sid/path
ProxyPassReverse https://otherserver.sid/path

SSLProxyEngine on
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile path/to/server.crt
SSLCertificateKeyFile path/to/server.key

SSLOptions +StdEnvVars

BrowserMatch “.*MSIE.*”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0

CustomLog path/to/log
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x ”%r” %b”

I should also mention two other options :
ProxyPassReverseCookieDomain
ProxyPassReverseCookiePath

You can find out more about them here :
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

If your using windows you can download apache modules here

5 Responses to “how to: get apache proxypass working with ssl”

  1. Arun 18. Mar, 2008 at 3:22 am #

    Thanks, I helped me !

  2. Scouse_down_under 26. May, 2008 at 9:07 pm #

    Thanks for this, I had everything but the five lines starting SSL… but kept getting a
    proxy: No protocol handler was valid for the URL /mirror/blah. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule. error.

    This is now fixed!

  3. theist 21. Aug, 2008 at 1:52 am #

    Tanks!, just the directive I missed :P

    But I’m triying someting more complex now. I want to reverse proxy a SSL conection using the client certificate on a server configured with SSL Login + FakeBasicAuth. This is because we are moving mixed login services between servers and we want to keep a stable url space while doing so. Proxying makes basic http login working, but breaks certificate login.

  4. Nag 13. Nov, 2008 at 11:51 pm #

    Thanks a ton!
    SSLProxyEngine on was all I required.

  5. Dave.whitla@wotifgro 25. Feb, 2009 at 3:59 am #

    The problem with this is that it terminates the first request then initiates a new one to the backend server – not what you really want.

    You generally want to pass the SSL request/response through without decrypting it and therefore without having to have your private key on each proxy.

    By the way, outside a Location ProxyPass otherserver/path should actually be ProxyPass localpath remotehost/remotepath.