Trying to figure out ssl over a reverse proxy with multiple backends/infrastructure

Question

I'm having a hard time wrapping my mind around ssl with multiple backends. I might just need advice on infrastructure in general.

Here is my scenario/question:

I have three servers:

1. main website
2. hosting control panel
3. development machine
4. Reverse Proxy

All the websites are located on foo.com and I want to pass the traffic from my firewall to each backend respectively.

I am using the reverse proxy with rules on the same network to redirect traffic to the backends except I cannot get SSL working to save my life. I have it mapped as follows:

dev.foo.com maps to server 3.

hosting.foo.com maps to 2.

Otherwise:

*.foo.com maps to 1.

I would like secure.*.foo.com to work the same way except it will rewrite the URL as https for SSL.

I am looking into various methods such as wildcard SSL, but there is not much good information out there.

Here is a little ASCII of my setup:

|--------|
|Internet|
|--------|
    |
|------|
|Router|----*-------*
|------|    |       |
   |        |       |
   |        |       |
|-------|   |   |-------|
|R-Proxy|   |   |Server1|
|-------|   |   |-------|
            |
            |   |-------|
            *---|Server2|
            |   |-------|
            |   
            |   |--------|
            *---|Server 3|
                |--------|

Any advice about the infrastructure would be nice.

Answer 1

What you should do is just terminate your SSL at the reverse-proxy. That way, you do not need to change your mapping rules at all. So:

 [internet]---https---[r-proxy]---http---+--[server 1]
                                         |
                                         +--[server 2]
                                         |
                                         +--[server 3]

That is probably the easiest way to do it. You can use a wildcard SSL cert on your reverse-proxy and also, do a redirect of all non-SSL traffic to secure.*.foo.com to the SSL version. This can be controlled within your webserver config.

Hope this helps.