5

My company uses a CMS system hosted in the cloud. We want to create internal DNS aliases to make it easier for developers to remember. Reading the documentation for mod_proxy_connect, I do think it should be possible to do something like

<VirtualHost *:443>
 ServerAdmin mellomvaredrift@mycorp.no
 ServerName test-cms.mycorp.no

 AllowCONNECT
 ProxyPass /  https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/mycorp
 ProxyPassReverse /  https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/mycorp
</VirtualHost>

Until now I have not been able to get this to work. Worth mentioning:

  • I do not have access to the certificate/key of the CMS system, other than the public cert.

Is this possible to do using Apache?

rhellem

2 Answers

5

> My company uses a CMS system hosted in the cloud. We want to create internal DNS aliases to make it easier for developers to remember.

If your developers can't follow the link you provide them with and can't create a bookmark when it's too difficult to remember I'd worry about that...

I also think you are probably thinking too technically and DIY; I'd start by contacting the CMS provider and state that you want to use your own domain to access the CMS. They can probably (re)configure their service so that it works with your preferred domain and associated TLS certificate.

Then the only config you need to maintain on your side is the DNS CNAME record that points test-cms.example.com. to mycorp-xpqa-lb-8qh7ip0n.cms.cloud.


Now back to your Apache config.

mod_proxy_connect is only needed for a forward HTTPS proxy; you're setting up a reverse proxy and don't need AllowCONNECT.

Your reverse proxy also needs its own TLS certificate, which is missing in your code.

Often mapping different URL paths in a reverse proxy, / to /mycorp, leads to incompatibilities, as do unbalanced trailing slashes.

Consider this instead:

  RedirectMatch ^/$ /mycorp
  ProxyPass /  https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/
  ProxyPassReverse /  https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/

That redirects requests for the root, the bare subdomain, to the correct subdirectory and also ensures that, for instance, content from shared, not company-specific, directories such as https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/common will remain available.

<VirtualHost *:443>
  ServerName test-cms.example.com

  SSLEngine on
  SSLCertificateFile /etc/apache2/ssl/test-cms.example.com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/test-cms.example.com.key

  RedirectMatch ^/$ /mycorp
  SSLProxyEngine on
  ProxyPass /  https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/
  ProxyPassReverse /  https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/

</VirtualHost>

Any sufficiently advanced security configuration on the side of the CMS may still detect that an unknown domain name is used and subsequently deny access.

Daniel Ferradal
HBruijn
  • Hmm, seems that I must have another issue than just the Apache config. When proxypassing another internal URL it works, but not for all internal either. When trying to proxypass to the CMS in the cloud I only get http 503, and the error is (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : AH00957: HTTPS: attempt to connect – rhellem Apr 25 '19 at 18:32
  • you were missing `SSLProxyEngine on` for SSL backends. – Daniel Ferradal Apr 25 '19 at 23:29
  • Whether I have SSLProxyEngine on or not does not help to solve my issue. Strange thing is that Apache says it cannot connect, but if I try to access the cloud service from a browser on the server - it works. So it should be possible to connect - no firewall or such blocking. – rhellem Apr 26 '19 at 06:40
4

The answer by HBruijn did explain some of the tricky parts for me, but I have still not been able to solve it. But I have managed to get around the SSL-issue simply by adding

SSLProxyEngine on
SSLProxyVerify none

What does not seem to work, also ref. the answer posted by HBruijn and the line

 RedirectMatch ^/$ /mycorp

it does not work. The / returns http 404 and that is what I get, but if /mycorp had been added I would expect a http 401.

But, I will create a new question for this issue.

rhellem
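Editor's added example, not part of either answer: `SSLProxyVerify none` makes the proxy skip validation of the backend's certificate chain, so the TLS leg to the cloud host is encrypted but the issuer is never checked. The virtual host below keeps the answer's proxy layout and shows the weak setting (commented out) beside a verified one; the CA bundle path and the verification depth are assumptions and must match the host the proxy runs on.

```apacheconf
# Added example, not from the original answers.
# Assumptions: the file paths and the chain depth below are placeholders.
<VirtualHost *:443>
  ServerName test-cms.example.com

  # Certificate for the alias itself (what the developers' browsers see)
  SSLEngine on
  SSLCertificateFile    /etc/apache2/ssl/test-cms.example.com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/test-cms.example.com.key

  # TLS from the proxy towards the cloud backend
  SSLProxyEngine on

  # Weak: no chain validation, a certificate from any issuer is accepted
  # SSLProxyVerify none

  # Verified: the backend must present a chain ending in a CA from this bundle
  SSLProxyVerify require
  SSLProxyVerifyDepth 3
  SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

  # The certificate must also match the host name used in ProxyPass
  # and must not be expired
  SSLProxyCheckPeerName on
  SSLProxyCheckPeerExpire on

  RedirectMatch ^/$ /mycorp
  ProxyPass        / https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/
  ProxyPassReverse / https://mycorp-xpqa-lb-8qh7ip0n.cms.cloud/
</VirtualHost>
```

If the backend handshake fails with verification on, the proxy error log shows whether the chain or the host name was rejected, which points to either a missing CA in the bundle or a name mismatch on the provider's side.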