Written by James McDonald

August 16, 2018

This is a working configuration for an Apache 2.4.6 TLS reverse proxy in front of an Apache-Coyote/1.1 (Tomcat) backend, including the Let's Encrypt pieces needed so that certbot can renew certificates automatically against a local webroot on the proxy instead of passing the ACME challenge through to the backend. Note that, as posted, the proxy does not verify the backend's certificate; the comments in the config spell out what that means and what the safer setting is.

Apache Reverse Proxy SSL Configuration

# /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
    ServerName mytest.toggen.com.au
    DocumentRoot /var/www/mytest
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on

    # Allow the reverse proxy to open its own TLS connection
    # to an https:// (or wss://) backend
    SSLProxyEngine on

    # Disable verification of the backend's certificate: chain, expiry, CN
    # and hostname are all ignored. This makes the setup work with a
    # self-signed Tomcat certificate, but it also means the proxy-to-backend
    # hop is encrypted without being authenticated: anything that can answer
    # on the backend address can impersonate the backend. The safe setting is
    # SSLProxyVerify require with SSLProxyCACertificateFile pointing at the
    # backend's CA (or its self-signed certificate) and the Check* directives on.
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLProxyCheckPeerName off

    # Client-facing protocol and cipher settings. 3DES is only needed for
    # very old clients; it is a 64-bit block cipher (SWEET32) and can be
    # dropped otherwise. The certbot Include further down also sets
    # SSLProtocol and SSLCipherSuite, and the later directive wins.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # Serve /.well-known/ from the local DocumentRoot instead of proxying it,
    # so certbot's webroot challenge is answered by this host. ProxyPass rules
    # are matched in configuration order, so this exclusion must come before
    # the catch-all ProxyPass / below.
    ProxyPass /.well-known/ !

    # WebSocket endpoint (requires mod_proxy_wstunnel). The backend host and
    # port were omitted from the original post; the target must be a full
    # wss://host:port/path URL.
    ProxyPass "/federator/sub" "wss://"

    # The backend URL was omitted from the original post as well; it should
    # be the https://host:port/ of the Tomcat (Apache-Coyote) server.
    ProxyPass /
    ProxyPassReverse /

    # certbot's recommended TLS settings (SSLProtocol, SSLCipherSuite, ...)
    Include /etc/letsencrypt/options-ssl-apache.conf

    SSLCertificateFile /etc/letsencrypt/live/mytest.toggen.com.au/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mytest.toggen.com.au/privkey.pem
    # Deprecated from 2.4.8 (there, point SSLCertificateFile at fullchain.pem
    # instead), but correct for 2.4.6
    SSLCertificateChainFile /etc/letsencrypt/live/mytest.toggen.com.au/chain.pem
</VirtualHost>
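The same vhost with backend certificate verification switched back on, as an added example that is not part of the original post. It assumes a hypothetical backend at https://backend.internal:8443 whose issuing CA (or, for a self-signed Tomcat certificate, the certificate itself) has been copied to /etc/pki/tls/certs/backend-ca.pem; both the host and the path are placeholders to be replaced with the real ones.

```apache
# Added example (not the original post's config): reverse proxy vhost that
# authenticates the backend instead of trusting whatever answers on its address.
# Assumed placeholders: backend.internal:8443 and /etc/pki/tls/certs/backend-ca.pem

<VirtualHost _default_:443>
    ServerName mytest.toggen.com.au
    DocumentRoot /var/www/mytest
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProxyEngine on

    # Verify the backend's chain against the pinned CA and require the
    # certificate name to match the host in the ProxyPass URL. A failed
    # check makes the proxy answer 502 rather than talking to an impostor.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/pki/tls/certs/backend-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Client-facing baseline without the 64-bit block cipher and without
    # TLS 1.0/1.1. The certbot Include below sets these directives again;
    # whichever appears last in the vhost is the one in effect.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!SEED:!IDEA
    SSLHonorCipherOrder on

    # Keep ACME challenges local; the exclusion is narrowed to the
    # acme-challenge prefix and must precede the catch-all ProxyPass /.
    ProxyPass /.well-known/acme-challenge/ !

    # WebSocket endpoint, handled by mod_proxy_wstunnel (Apache 2.4.5+).
    ProxyPass /federator/sub wss://backend.internal:8443/federator/sub

    ProxyPass        / https://backend.internal:8443/
    ProxyPassReverse / https://backend.internal:8443/

    Include /etc/letsencrypt/options-ssl-apache.conf

    SSLCertificateFile      /etc/letsencrypt/live/mytest.toggen.com.au/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/mytest.toggen.com.au/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mytest.toggen.com.au/chain.pem
</VirtualHost>
```

For a self-signed backend certificate this only works if that certificate carries the backend hostname used in the ProxyPass URL in its CN or SAN; otherwise SSLProxyCheckPeerName rejects it. Run apachectl configtest after editing and check logs/ssl_error_log for "certificate verify failed" on the first request: that message means the pinned CA file does not match what the backend presents, which is exactly the condition the original config hides.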


Let’s Encrypt Crontab

I'm not covering how to install certbot or obtain the initial certificate here. Once the certificate has been issued with the webroot plugin pointing at the proxy's DocumentRoot (which the ProxyPass exclusion above keeps local), renewal is just a cron entry. Note that certbot renew only rewrites the files under /etc/letsencrypt/live/; httpd has to be reloaded afterwards to serve the new certificate, which certbot's --deploy-hook option can do for you:

# root's crontab: runs at 02:07 and 14:07 every day. certbot only actually
# renews when the certificate is within 30 days of expiry, so the other runs
# are cheap no-ops.
7 2,14  *  *  * /usr/bin/certbot renew --no-self-upgrade

