httpd-users mailing list archives

From "Krist van Besien" <>
Subject Re: [users@httpd] Https proxy on http Virtual Host
Date Wed, 10 Oct 2007 11:00:07 GMT
On 10/10/07, Boyle Owen <> wrote:
> > -----Original Message-----
> > From: Bronzetti Marco []
> > Sent: Wednesday, October 10, 2007 9:46 AM
> > To:
> > Subject: [users@httpd] Https proxy on http Virtual Host
> >
> > Hi,
> > I need to do a Reverse proxy to a Https WebSite from an Http WebSite,
> > my httpd.conf should be like that:
> >
> > <VirtualHost>
> >  ServerName
> >  ErrorLog /appl1/logs/http_error.log
> >  CustomLog /appl1/logs/http_access.log common
> >  DocumentRoot /docroot
> >  DirectoryIndex index.html index.html.var
> >  <IfModule mod_proxy.c>
> >    ProxyPass /rep-rs/
> >    ProxyPass /ti-csr/
> >  </IfModule>
> > </VirtualHost>
> >
> > Is it possible to do that ?
> Yes, but not like that...
> If the back-end is an HTTPS server, then the front-end (ie your apache)
> has to talk SSL to it. To do this, it needs to use mod_ssl and special
> directives to contact a back-end HTTPS server (see
> and

It is also important that you have the following directives:
SSLProxyEngine on
SSLProxyCACertificateFile <file>
SSLProxyCACertificatePath <path>

You see, apache needs to act as an ssl _client_, which it doesn't do
out of the box. In order for apache to act as an ssl client it needs a
few extra directives, and you must make the CA certificate used to
sign the certificate of the server(s) you're communicating with
available to it using the SSLProxyCACertificateFile (or Path). See the

> By the way, I guess the back-end is a legacy server that you can't
> change? Otherwise, it is pretty silly to do this since the connection
> from the client to the front-end will be plain HTTP and it makes no
> sense to protect data for only part of its journey.

I've had to set up such a configuration, to allow a legacy service
that only was able to make http requests to communicate with a new
service that only accepted https requests. The http -> https proxy ran
on the same machine as the legacy service, so there were no big
security issues.


Bremgarten b. Bern, Switzerland
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
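
Added example, not part of the original message or of the Apache documentation: a sketch of the plain-HTTP virtual host from the question with the SSL client directives discussed above in place. The host names, the CA file path and the `*:80` address are placeholder assumptions, since the originals are not shown in the thread; `SSLProxyVerify`, `SSLProxyVerifyDepth`, `SSLProxyCheckPeerName` and `ProxyPassReverse` are standard httpd directives that the thread does not mention.

```apache
# Requires mod_proxy, mod_proxy_http and mod_ssl to be loaded.
# Host names and the CA file path are placeholders (assumptions).
<VirtualHost *:80>
    ServerName frontend.example.invalid
    ErrorLog /appl1/logs/http_error.log
    CustomLog /appl1/logs/http_access.log common
    DocumentRoot /docroot
    DirectoryIndex index.html index.html.var

    # Let httpd act as an SSL client towards the back-end servers.
    SSLProxyEngine on

    # CA certificate(s) used to sign the back-end server certificate(s).
    SSLProxyCACertificateFile /path/to/backend-ca.pem

    # SSLProxyVerify defaults to "none": with only the CA file set, the
    # back-end certificate is loaded against nothing and never rejected.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2

    # httpd 2.4.5 and later only: also compare the certificate's names
    # with the back-end host name. Remove this line on older versions.
    SSLProxyCheckPeerName on

    # Proxy the two paths from the question to the HTTPS back end.
    ProxyPass        /rep-rs/ https://backend.example.invalid/rep-rs/
    ProxyPassReverse /rep-rs/ https://backend.example.invalid/rep-rs/
    ProxyPass        /ti-csr/ https://backend.example.invalid/ti-csr/
    ProxyPassReverse /ti-csr/ https://backend.example.invalid/ti-csr/
</VirtualHost>
```

Running `apachectl configtest` after the change catches a missing module or an unreadable CA file before the server is restarted.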

The official User-To-User support forum of the Apache HTTP Server Project.