httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel <dferra...@gmail.com>
Subject Re: [users@httpd] Selecting SSLProxyMachineCertificateFile based on destination address
Date Mon, 23 Mar 2015 20:07:38 GMT
2015-03-23 20:01 GMT+01:00 Abdelouahed Haitoute <ahaitoute@rinis.nl>:

> Hello,
>
> I’m trying to setup a proxy server which selects the correct certificate
> based on destination IP-address. I’m using apache 2.4 on CentOS 6.6.
>
> I’m using the following configuration:
>
> <VirtualHost *:3128>
>   SSLProxyEngine On
>   SSLProxyVerify require
>   SSLProxyVerifyDepth 10
>   <If "%{REMOTE_ADDR} -ipmatch '192.168.0.0/24'">
>     SSLProxyMachineCertificateFile /etc/pki/tls/certs/example.com.cer
>     SSLProxyCACertificateFile   /etc/pki/tls/certs/ca.cer
>   </If>
>   <Else>
>     SSLProxyMachineCertificateFile /etc/pki/tls/certs/example.org.cer
>     SSLProxyCACertificateFile   /etc/pki/tls/certs/ca.cer
>   </Else>
>
>   RewriteEngine On
>   RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]
>
>   ProxyPreserveHost On
>   ProxyPass            /  https://$1/
>   ProxyPassReverse     /  https://$1/
> </VirtualHost>
>
> But I’m getting the following error when I start the httpd service:
> Starting httpd: AH00526: Syntax error on line 8 of
> /opt/rh/httpd24/root/etc/httpd/conf.d/forward_ssl_proxy.conf:
> SSLProxyMachineCertificateFile not allowed here
>                                                            [FAILED]
>
> Can someone help me how to achieve my goal by using the correct
> certificate based on destination address?
>
> With kind regards,
>
> Abdelouahed
>


Hello,

Your configuration is confusing.

Are you really trying to reverse proxy, or forward proxying your local
network with destination outside to any url in Internet?



REMODE_ADDRESS
This variables checks SOURCE IP of the client connecting to your server, it
is not a destination IP as you mention.

If you really want to check source IP for some particular reason, you can't
use SSLProxyMachineCertificateFile in that context because that directive
can only be used in server config, and it should have all certificates in
one single file, so you really don't need to define it twice, or define it
conditionally as you are trying to do:
http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile



Now onto the proxy directives....

You also have two lines to do the same thing, but incorrectly:
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [NC,P]
ProxyPass            /  https://$1/ <-- this does the same as above but it
is incorrect as ProxyPass has no value for $1 AFAIK and first rewriterule
is essentially doing the same, so use one of the other.

HTTP_HOST implies the client can request any url and you will try to proxy
to it, so for all purposes you seem to want <Proxy *> instead of
ProxyPass/RewriteRule. In this were the case you certainly don't need to
check certificate according to destination.




So... if you want to do reverse proxy because there are only limited
destinations, by all means, specify them manually instead of using
HTTP_HOST and use ProxyPass as you are trying.

like:
in serverconfig
SSLProxyMachineCertificateFile /path/to/catchallfile.pem

then
<VirtualHost *:3128>
ServerName example.com
(SSLProxy directives here...)
ProxyRequests off
ProxyPass / https://example.com/
<VirtualHost>
<VirtualHost *:3128>
ServerName example.org
(SSLProxy directives here...)
ProxyRequests off
ProxyPass / https://example.org/
<VirtualHost>

And if you want to FORWARD Proxy then:

<VirtualHost *:3128>
ProxyRequests on
<Proxy *>
Require ip range <--- in case you want to allow proxy only from specific ips
</Proxy>
AllowCONNECT 443


Hope this helps.

Regards,


-- 
*Daniel Ferradal*
IT Specialist

email         dferradal@gmail.com
linkedin     es.linkedin.com/in/danielferradal

Mime
View raw message