Written by James McDonald

August 16, 2018

This is the working configuration for an SSL Apache 2.4.6 Reverse Proxy back to an Apache-Coyote/1.1 server, including letsencrypt configuration to allow the automated renewal of certificates using a local webroot on the Reverse Proxy Server

Apache Reverse Proxy SSL Configuration

# /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
    ServerName mytest.toggen.com.au
    DocumentRoot /var/www/mytest
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on

    # Allow the reverse Proxy to create an
    # SSL Connection back to a https:// server
    SSLProxyEngine on

    # don't worry about trusting the cert, peername, expiry. This is probably bad but... working!!!
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
    SSLProxyCheckPeerName off
    
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    # this allows lets encrypt do cert renewal without passing it back to the back end server
    ProxyPass /.well-known/ !
	
    # This allows websocket to work
    ProxyPass "/federator/sub" "wss://10.100.200.7/federator/sub"

	ProxyPass / https://10.100.200.7/
	ProxyPassReverse / https://10.100.200.7/

	Include /etc/letsencrypt/options-ssl-apache.conf

	SSLCertificateFile /etc/letsencrypt/live/mytest.toggen.com.au/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mytest.toggen.com.au/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mytest.toggen.com.au/chain.pem

</VirtualHost>

Let’s Encrypt Crontab

I’m not posting how to install and run certbot to renew your let’s encrypt certificates. But once you have let’s encrypt to auto renew certs you need to setup is automatic certificate renewal:

# crontab
7 2,14  *  *  * /usr/bin/certbot renew --no-self-upgrade

0 Comments

You May Also Like…

Squarespace Image Export

To gain continued access to your Squarespace website images after cancelling your subscription you have several...

MySQL 8.x GRANT ALL STATEMENT

-- CREATE CREATE USER 'tgnrestoreuser'@'localhost' IDENTIFIED BY 'AppleSauceLoveBird2024'; GRANT ALL PRIVILEGES ON...

Exetel Opt-Out of CGNAT

If your port forwards and inbound and/or outbound site-to-site VPN's have failed when switching to Exetel due to their...