Apache proxy with one physical IP = 10.2.2.1 and a logical IP = 10.2.2.2

Configuration is similar to below

<VirtualHost *:80>
   ServerName example.com
   <Location />
           ProxyPass http://server:8080/
           ProxyPassReverse http://server:8080/
   </Location>
</VirtualHost>

<VirtualHost *:80>
   ServerName example2.com
   <Location />
           ProxyPass http://server:8081/
           ProxyPassReverse http://server:8081/
   </Location>
</VirtualHost>

<VirtualHost 10.2.2.2:443>
    ServerName example3.com
    SSLEngine on
    SSLCertificateFile /example3.com.cer
    SSLCertificateKeyFile /example3.com.key
    SSLCertificateChainFile /example3chain.com.cer
    Redirect / https://example3.com
    <Location />
        ProxyPass http://server:8082/
        ProxyPassReverse http://server:8082/
    </Location>
</VirtualHost>

<VirtualHost 10.2.2.1:443>
    ServerName example4.com
    SSLEngine on
    SSLCertificateFile /example4.com.cer
    SSLCertificateKeyFile /example4.com.key
    SSLCertificateChainFile /example4chain.com.cer
    Redirect / https://example4.com
    <Location />
        ProxyPass http://server:8083/
        ProxyPassReverse http://server:8083/
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName example4.com
    Redirect / https://example4.com
</VirtualHost>

What is happening is that the URL https://external4.com site is not hitting the correct virtual host; it is going to the non-SSL redirect and just staying there and serving an SSL error page. I have been assured the DNS and firewalls are correct.

Is there a restriction when using mixed IP and Name based vhosts that the SSL sites have to be on separate IPs from each other and the non-SSL sites? Need some help here.

Gareth
  • There can be a problem, depending on whether your users use SNI or not. Modern browsers support SNI, most older ones don't. See http://serverfault.com/questions/507599/two-domains-when-ssl-on-same-directory/507613#507613 for more info on that. – Jenny D Dec 06 '13 at 09:31
  • No SNI was used. Apache 2.0.x so SNI isn't available. – Gareth Dec 06 '13 at 10:55
  • Which apache version is used is very important information. Given this, your question is basically a duplicate of the one I linked to. – Jenny D Dec 06 '13 at 11:24
  • The one you linked was an issue with Name based domains without SNI. I am using a mix of IP based (for SSL) and Name based (for non-SSL) and without SNI for various reasons from the version of apache to users using antiquated browsers. Version is 2.0.63. – Gareth Dec 06 '13 at 13:23
  • It answers the last question in your post, about having to have the SSL sites on different IPs. As for the redirect problem, @HBruijn answered that. – Jenny D Dec 06 '13 at 13:46

1 Answer

The Redirect / https://example4.com in the SSL VirtualHost for example4.com seems like a loop to me...

HBruijn
  • https://example3.com works with the same Redirect in its VirtualHost. This is the baffling part: example3 and example4 are very similar except that one uses the physical box IP and the other uses a logical IP. – Gareth Dec 06 '13 at 10:54
  • And `openssl s_client -connect example4.com:443` returns the correct certificate and no obvious errors in the apache log files? – HBruijn Dec 06 '13 at 11:25
  • I'm not entirely sure if openssl is installed. I have very limited access. Would it be required for SSL in apache? The logs indicate that the VirtualHost non-SSL example4.com is being used even though I have specified https://example4.com. The certificate doesn't get returned because it doesn't get to the SSL virtual host (I can tell from the logs). – Gareth Dec 06 '13 at 13:27
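
The pattern the answer points at (a Redirect inside a vhost whose target is that same vhost's scheme, host and port) can be checked mechanically before a config is deployed. The following Python sketch is an added example, not part of the original thread; its parser is an assumption that handles only the directives shown in the question, and the sample config is constructed from the question's two example4.com blocks.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two example4.com vhosts from the question, trimmed.
SAMPLE_CONF = """
<VirtualHost 10.2.2.1:443>
ServerName example4.com
SSLEngine on
Redirect / https://example4.com
</VirtualHost>
<VirtualHost *:80>
    ServerName example4.com
    Redirect / https://example4.com
</VirtualHost>
"""
DEFAULT_PORT = {"http": 80, "https": 443}

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: addr, port, name, scheme, redirects."""
    vhosts = []
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        def directive(name):
            return [m.split() for m in re.findall(rf"^\s*{name}\s+(.+)$", body, re.M | re.I)]
        names = directive("ServerName")
        ssl = any(args[0].lower() == "on" for args in directive("SSLEngine"))
        port = addr.strip().rsplit(":", 1)[-1]
        vhosts.append({
            "addr": addr.strip(), "port": int(port) if port.isdigit() else None,
            "name": names[0][0].lower() if names else None,
            "scheme": "https" if ssl else "http",
            # Only the two-argument form used on the page: Redirect URL-path URL
            "redirects": [tuple(a) for a in directive("Redirect") if len(a) == 2],
        })
    return vhosts

def self_redirects(vhosts):
    """List (addr, name, rule) where a Redirect target falls back under the same vhost and path."""
    hits = []
    for vh in vhosts:
        for path, target in vh["redirects"]:
            t = urlsplit(target)
            same_origin = (t.scheme == vh["scheme"] and t.hostname == vh["name"]
                           and (t.port or DEFAULT_PORT.get(t.scheme)) == vh["port"])
            if same_origin and (t.path or "/").startswith(path):
                hits.append((vh["addr"], vh["name"], f"Redirect {path} {target}"))
    return hits

if __name__ == "__main__":
    print(self_redirects(parse_vhosts(SAMPLE_CONF)))
```

Only the SSL vhost is flagged; the port 80 vhost redirects to a different scheme, which is the intended HTTP-to-HTTPS upgrade.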