A question about a self-signed certificate

I want to launch a reverse proxy server and I have a question about the HTTPS certificate. My plan is as below:

The Internet --> Reverse Proxy Server (Public IP) --> Web Server (Private IP)

The HTTPS certificate for my Reverse Proxy Server is from Let’s Encrypt and I want to have a self-signed certificate for my Web Server with a private IP address. My question is: must the self-signed certificate settings be addressed in the Virtual Host file on the Reverse Proxy Server or in the Virtual Host file on the Web Server?

Thank you.

On the web server. The responsibility for the SSL certificate is always the responsibility of the server, never of the client.
Now since you’re using a self-signed certificate you could optionally duplicate the certificate on the client (here: the reverse proxy) too, so that it can verify that the certificate used by the server is the correct one (and as a result know that we’re talking to the right server), but in general this isn’t being done, as it’s quite a bit of hassle to set up and keep up to date.


Thus, in the Virtual Host file on the Reverse Proxy Server, I just need the Let’s Encrypt options?

If by “options” you mean “SSL Certificate configuration options” then yes, that’s correct.


How about the configuration below on the Reverse Proxy Server:

<VirtualHost *:80>
        ProxyPreserveHost On
        ProxyPass /
        ProxyPassReverse /
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin root@localhost
        ServerName Example.example
        ServerAlias www.Example.example
        ErrorLog /var/log/httpd/error.log
        CustomLog /var/log/httpd/access.log common
        SSLEngine On
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/Example.example/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/Example.example/privkey.pem
</VirtualHost>
</IfModule>

Is it OK?

Well, the ProxyPass and ProxyPassReverse should be on the VirtualHost listening on port 443 and the VirtualHost on port 80 should redirect to HTTPS.

Also, once you know that HTTPS works you should remove the <IfModule mod_ssl.c> and </IfModule> lines. No need asking the server over and over if it can do something you’ve seen it can do.


Can you edit my configuration here and add your changes?

Nope. You should be able to figure it out from what you had combined with what I said.


Thank you.
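
The layout described in the replies above (port 80 only redirecting, the proxy directives on the 443 virtual host, and optionally a copy of the web server's self-signed certificate on the proxy so the backend can be verified), written out as an added example that is not from any participant in this thread. The backend address 10.0.0.10 and the path /etc/httpd/ssl/backend-selfsigned.crt are constructed placeholders, and the self-signed certificate is assumed to list Example.example and www.Example.example as DNS subjectAltNames.

```apache
# Added example, not the poster's final configuration.
# Assumed values: 10.0.0.10 (web server's private IP) and the
# path of the copied backend certificate.

# Port 80 does nothing but send clients to HTTPS.
<VirtualHost *:80>
    ServerName Example.example
    ServerAlias www.Example.example
    Redirect permanent / https://Example.example/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin root@localhost
    ServerName Example.example
    ServerAlias www.Example.example
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log common

    # Public side: Let's Encrypt certificate shown to Internet clients.
    SSLEngine On
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/Example.example/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/Example.example/privkey.pem

    # Backend side: here the proxy is the TLS client of the web server.
    SSLProxyEngine On
    # Copy of the self-signed certificate only (no private key);
    # it is the single trust anchor for backend connections.
    SSLProxyCACertificateFile /etc/httpd/ssl/backend-selfsigned.crt
    SSLProxyVerify require
    SSLProxyCheckPeerExpire on
    # With ProxyPreserveHost On, the name checked against the backend
    # certificate is the client's Host header, hence the assumption
    # that the certificate carries the public names.
    SSLProxyCheckPeerName on

    ProxyPreserveHost On
    ProxyPass / https://10.0.0.10/
    ProxyPassReverse / https://10.0.0.10/
</VirtualHost>
```

When the self-signed certificate is regenerated on the web server, the copy on the proxy has to be replaced as well, otherwise SSLProxyVerify require rejects the backend connection.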
