1

My question is about "security". I suppose that this question also applies to Node.js or Spring Boot or whatever else is running on another port with Apache as the primary server.

I'm trying some stuff with a Go app and HTTP/2 push.

HTTP/2 needs HTTPS.

My Go app is on https://127.0.0.1:7072/ and HTTP/2 is working well on it.

After much searching, here is my virtual host (local WAMP, all proxy modules and http2 loaded) that IS WORKING, BUT:

<VirtualHost mygolang:443>

DocumentRoot "c:/wamp64/www"
ServerName mygolang:443
ServerAdmin admin@example.com
ErrorLog "c:/wamp64/bin/apache/apache2.4.27/logs/ssl_error.log"
TransferLog "c:/wamp64/bin/apache/apache2.4.27/logs/access.log"


SSLEngine on
SSLProxyEngine on
SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off


SSLCertificateFile "C:\wamp64\bin\apache\apache2.4.27\conf\cert\certificate.crt"
SSLCertificateKeyFile "C:\wamp64\bin\apache\apache2.4.27\conf\key/private.key"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "c:/wamp64/www">
    SSLOptions +StdEnvVars
</Directory>


BrowserMatch "MSIE [2-5]" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0

CustomLog "C:\wamp64\bin\apache\apache2.4.27\logs\ssl_request.log" \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# ProxyRequests On is for a forward proxy; combined with the open <Proxy> block
# below it would let anyone who can reach this vhost proxy through it to
# arbitrary hosts. A reverse proxy only needs ProxyPass, so keep it Off.
ProxyRequests Off
ProxyPreserveHost On
ProxyVia full
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

ProxyPass        /  https://127.0.0.1:7072/
ProxyPassReverse /  https://127.0.0.1:7072/
</VirtualHost>

BUT my security question is about:

SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

If I remove them, there is a 500 in the browser:

Proxy Error
The proxy server could not handle the request GET /.

Reason: Error during SSL Handshake with remote server

Apache/2.4.27 (Win64) OpenSSL/1.1.0f PHP/7.1.9 Server at mygolang Port 443

So, what do you think? Is removing the SSL checks a problem? Is there another elegant solution for "I have Apache and want to fully redirect but preserve the domain, on one account, over HTTP/2"?

Ledahu
  • 11
  • 1

2 Answers

1
ProxyPass        /  https://127.0.0.1

There is absolutely no need and little benefit to using TLS to connect back to localhost.
TLS adds transport security to prevent eavesdropping on the communications between systems and to provide (mutual) authentication, neither of which is necessary for traffic that doesn't leave the system.

In addition: as far as I know, neither Apache 2.4 nor nginx even supports HTTP/2 on ProxyPass reverse proxy connections anyway.

HTTP/2 requires TLS, but the benefits exist mainly in the connection between the client and the server, not so much on low-latency LAN connections or on FastCGI/ProxyPass connections within the system itself, and it is usually sufficient to terminate HTTP/2 on your front end and communicate in HTTP/1.1 to your back ends.

Note: Apache httpd version 2.5 has experimental support for HTTP/2 https://httpd.apache.org/docs/trunk/mod/mod_proxy_http2.html

HTTP/2 (TLS)

ProxyPass "/app" "h2://app.example.com"
ProxyPassReverse "/app" "https://app.example.com"

HTTP/2 (cleartext)

ProxyPass "/app" "h2c://app.example.com"
ProxyPassReverse "/app" "http://app.example.com"
HBruijn
  • 77,029
  • 24
  • 135
  • 201
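The four SSLProxy* lines in the question are only needed because the backend's certificate cannot be matched against the address Apache dials (127.0.0.1). If the backend must stay on TLS, the alternative to switching verification off is to issue it a certificate that carries 127.0.0.1 as an IP Subject Alternative Name, point SSLProxyCACertificateFile at that certificate, and leave SSLProxyVerify require and SSLProxyCheckPeerName on in place. The Go program below is an added example, not code from the question or from either answer: it mints such a certificate and reproduces the proxy's decision with crypto/x509, showing the IP-SAN certificate passing, a CN-only certificate failing the peer name check, and an untrusted certificate failing regardless of its SAN. The names mygolang-backend, selfSignedCert and verifyAsProxyWould are my own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a self-signed server certificate for the Go backend.
// cn goes into the Subject; ipSAN, when non-nil, is added as an IP Subject
// Alternative Name. A peer-name check against a dialled address such as
// 127.0.0.1 is satisfied only by an IP SAN, never by the CN alone.
func selfSignedCert(cn string, ipSAN net.IP) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own trust anchor
	}
	if ipSAN != nil {
		tmpl.IPAddresses = []net.IP{ipSAN}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyAsProxyWould mirrors what Apache does with SSLProxyVerify require,
// SSLProxyCACertificateFile pointing at `trusted`, and SSLProxyCheckPeerName on:
// the presented certificate must chain to the trusted file and must match the
// host the proxy dialled. A nil error means the handshake would be accepted.
func verifyAsProxyWould(presented, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// certPEM renders the certificate as the PEM block that both
// SSLProxyCACertificateFile and the Go backend's tls.Config expect.
func certPEM(cert *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}))
}

func main() {
	good, _, err := selfSignedCert("mygolang-backend", net.ParseIP("127.0.0.1"))
	if err != nil {
		panic(err)
	}
	bad, _, err := selfSignedCert("127.0.0.1", nil) // CN only: the usual mistake
	if err != nil {
		panic(err)
	}
	fmt.Println("IP SAN, trusted:    ", verifyAsProxyWould(good, good, "127.0.0.1"))
	fmt.Println("CN only, trusted:   ", verifyAsProxyWould(bad, bad, "127.0.0.1"))
	fmt.Println("IP SAN, not trusted:", verifyAsProxyWould(good, bad, "127.0.0.1"))
	fmt.Print(certPEM(good)) // save this as the file SSLProxyCACertificateFile points at
}
```

The first check returns nil, the second fails the hostname match, the third fails with an unknown authority. With the PEM saved on the Apache side and SSLProxyCACertificateFile pointing at it, the four "off/none" directives from the question can be deleted rather than kept as a permanent exception, so a different process squatting on port 7072 can no longer impersonate the backend.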
0

A few things to add to @HBruijn’s answer.

You are proxying to an IP address:

ProxyPass        /  https://127.0.0.1:7072/
ProxyPassReverse /  https://127.0.0.1:7072/

It's rare (though not impossible) for a certificate to have an IP address in it. That is why you are getting a certificate error and why you have to remove the error checks for this to work.

I totally agree with @HBruijn that using HTTPS for the proxy pass connection - especially when it is on localhost - is unnecessary.

Additionally, this connection is over HTTP/1.1, as it is using the https mod_proxy_http protocol. Apache (2.5/trunk and 2.4) does allow ProxyPass over HTTP/2, using it with (h2) or with HTTPS (h2c). HTTP/2 does not need HTTPS; only when using it with the browser does it need this. So it can be used without HTTPS for ProxyPass connections. However, even h2 and h2c do not allow HTTP/2 push on proxy connections, so there is not much benefit in using this at all (especially as it is still marked as experimental). The recommended way to push from the backend is to use Link HTTP headers, which can be done over HTTP/1.1 connections too.

So, to sum up: just connect over HTTP/1.1 without HTTPS to avoid having to turn off those verify checks. You can still push from the back-end server using Link headers.

Barry Pollard
  • 4,591
  • 15
  • 26
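Following what both answers recommend (plain HTTP/1.1 from Apache to the backend, push expressed as Link headers), here is an added example of the backend side; it is not the asker's app and not code from either answer. It listens in cleartext on 127.0.0.1:7072 only, sets a Link: rel=preload header on the HTML page that Apache's mod_http2 turns into pushes toward the browser, and, when Go itself terminates HTTP/2 with no Apache in front, pushes the same assets through http.Pusher. The asset paths, the page markup and the helper names (asset, preloadLink, withPreload, newMux) are constructed for the demo.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// asset is one resource the HTML page depends on; `as` is the preload
// destination type the browser (and mod_http2) use to schedule it correctly.
type asset struct {
	path string
	as   string
}

// preloadLink builds the Link header value, e.g.
//   </static/app.css>; rel=preload; as=style, </static/app.js>; rel=preload; as=script
// When Apache proxies this response over HTTP/1.1, mod_http2 (H2Push is on by
// default) turns each rel=preload entry into a server push to the browser.
func preloadLink(assets []asset) string {
	parts := make([]string, 0, len(assets))
	for _, a := range assets {
		parts = append(parts, fmt.Sprintf("<%s>; rel=preload; as=%s", a.path, a.as))
	}
	return strings.Join(parts, ", ")
}

// withPreload wraps the page handler. It always sets the Link header; if Go is
// terminating HTTP/2 itself (no Apache in front), the ResponseWriter also
// implements http.Pusher and the same assets are pushed directly. Pushes must
// be issued before the first byte of the response body is written.
func withPreload(assets []asset, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Link", preloadLink(assets))
		if p, ok := w.(http.Pusher); ok {
			for _, a := range assets {
				if err := p.Push(a.path, nil); err != nil && err != http.ErrNotSupported {
					log.Printf("push %s: %v", a.path, err)
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

// newMux wires the page and its two constructed sample assets. Only the page
// carries the Link header; the assets themselves do not trigger further pushes.
func newMux() *http.ServeMux {
	assets := []asset{{"/static/app.css", "style"}, {"/static/app.js", "script"}}
	mux := http.NewServeMux()
	mux.HandleFunc("/static/app.css", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/css")
		fmt.Fprint(w, "h1 { color: rebeccapurple; }")
	})
	mux.HandleFunc("/static/app.js", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprint(w, "console.log('pushed or preloaded');")
	})
	page := withPreload(assets, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, `<!doctype html><link rel="stylesheet" href="/static/app.css">`+
			`<script src="/static/app.js"></script><h1>hello from 127.0.0.1:7072</h1>`)
	}))
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" {
			http.NotFound(w, r)
			return
		}
		page.ServeHTTP(w, r)
	})
	return mux
}

func main() {
	// Plain HTTP/1.1, bound to loopback only: Apache terminates TLS and HTTP/2
	// in front and reaches this backend with ProxyPass / http://127.0.0.1:7072/.
	log.Fatal(http.ListenAndServe("127.0.0.1:7072", newMux()))
}
```

On the Apache side this removes SSLProxyEngine and the four SSLProxy* check directives entirely, the two ProxyPass lines point at http://127.0.0.1:7072/ instead of https, and Protocols h2 http/1.1 in the vhost is what enables HTTP/2 toward the browser; mod_http2 reads the Link header on the proxied HTTP/1.1 response, so no further push configuration is needed. Binding to 127.0.0.1 rather than 0.0.0.0 is what keeps the cleartext backend unreachable from the network.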