A question about Self-signed certificate

hack3rcon · April 23, 2021, 5:55pm

Hello,
I want to launch a reverse proxy server and I have a question about HTTPS certificate. My plan is like below:

The Internet --> Reverse Proxy Server (Public IP) --> Web Server (Private IP)

The HTTPS certificate for my Reverse Proxy Server is Let’s Encrypt and I want to have a Self-signed certificate for my Web Server with private IP address. My question is that the Self-signed certificate settings must be addressed in the Virtual Host file on the Reverse Proxy Server or in the Virtual Host file on the Web Server?

Thank you.

rpkamp · April 24, 2021, 8:40am

On the web server. The responsibility for the SSL certificate is always the responsibility of the server, never of the client.
Now since you’re using a self-signed certificate you could optionally duplicate the certificate on the client (here: the reverse proxy) too, so that it can verify that the certificate used by the server is the correct one (and as result know that we’re talking to the right server), but in general this isn’t being done it’s quite a bit of hassle to set up and keep up to date.

hack3rcon · April 24, 2021, 9:27am

Thus, In the Virtual Host file on the Reverse Proxy Server, I just need Let’s Encrypt options?

rpkamp · April 24, 2021, 12:31pm

If by “options” you mean “SSL Certificate configuration options” then yes, that’s correct.

hack3rcon · April 25, 2021, 11:20am

Thanks.
How about below configuration on the Reverse Proxy Server:

<VirtualHost *:80>
        ProxyPreserveHost On
        ProxyPass / http://192.168.56.9/
        ProxyPassReverse / http://192.168.56.9/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin root@localhost
ServerName Example.example
ServerAlias www.Example.example
ErrorLog /var/log/httpd/error.log
CustomLog /var/log/httpd/access.log common
SSLEngine On
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/Example.example/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/Example.example/privkey.pem
</VirtualHost>
</IfModule>

Is it OK?

rpkamp · April 25, 2021, 11:24am

Well, the ProxyPass and ProxyPassReverse should be on the VirtualHost listening on port 443 and the VirtualHost on port 80 should redirect to HTTPS.

Also, once you know that HTTPS works you should remove the <IfModule mod_ssl.c> and /IfModule> lines. No need asking the server over and over if it can do something you’ve seen it can do.

hack3rcon · April 25, 2021, 11:44am

Can you edit my configuration here and add your changes?

rpkamp · April 25, 2021, 6:13pm

Nope. You should be able to figure it out from what you had combined with what I said.

hack3rcon · April 26, 2021, 8:32am

Thank you.

system · July 26, 2021, 3:32pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.