Apache反向代理到具有TLS证书的Nginx正向代理

Question

One of our clients wants to run a website trough his server to our webserver, so the website has the public ip of his server instead of ours. This works fine over http, but over https all goes berserk.

The client's server runs Virtualmin with Apache and our server runs Nginx with php-fpm. We tried setting the same certificates for both the client's server and our webserver, but this site keeps showing handshake errors.

Both servers use exactly the same certificates.

Client's Apache config:

ProxyPass / http://1.2.3.4:8123/
ProxyPassReverse / http://1.2.3.4:8123/
SSLProxyEngine on
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerExpire on
SSLEngine on
SSLCertificateFile /foo/bar/ssl.cert
SSLCertificateKeyFile /foo/bar/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /foo/bar/ssl.ca

Our Nginx config:

server {
  listen 8123;
  server_name some.site wwww.some.site;

  ssl_certificate /foo/bar/ssl.crt;
  ssl_certificate_key /foo/bar/ssl.crt
  ssl_prefer_server_ciphers on;

  root /var/www/some.site/public;
  index index.php;
  charset utf-8;

  location ~ /\. {
    deny all;
  }

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Host $host;
  }
}

We would like to get this to work so we can use https://1.2.3.4:8123/ as the proxy address, to avoid MITM attacks and to be able to serve the website over https://some.site .

Answer 1

Creating a separate vhost in nginx, I found that the certificate wasn't set up properly. curl -I -L https://1.2.3.4:8483 returned curl: (60) SSL certificate problem: unable to get local issuer certificate . Running openssl verify ssl.crt threw an error, where openssl verify -CAfile ssl.ca-bundle ssl.crt didn't, which confirmed that the ca-bundles were missing ( source of verify commands ).

As stated , nginx doesn't support separate ca-files, so I created a new file ssl.combined and added that to the ssl_certificate directive: cp ssl.crt ssl.combined; cat ssl.ca-bundle >> ssl.combined cp ssl.crt ssl.combined; cat ssl.ca-bundle >> ssl.combined . Curl was happy now.

Apache had the same issue, but did support ca-files. Using SSLCertificateChainFile I added the ssl.ca-bundle .

Finally, with a sample configuration , I found the culprit: ProxyPreserveHost On is required for it all to work, which causes Apache to send the Proper Host-header over Proxy , which in turn makes the handshake work as it should.

As a reference for others, I've added my final configurations below:

For Apache (client's server, reverse proxy):

[...]
SSLEngine on
SSLCertificateFile /foo/bar/ssl.cert
SSLCertificateKeyFile /foo/bar/ssl.key
SSLCertificateChainFile /foo/bar/ssl.ca

ProxyRequests off
ProxyPreserveHost On
SSLProxyEngine on
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on

ProxyPass / https://1.2.3.4:8483/
ProxyPassReverse / https://1.2.3.4:8483/

<Proxy *>
  allow from all
</Proxy>
[...]

For nginx (our server, forward proxy):

server {
  listen 8483 ssl;
  server_name site.url www.site.url;

  ssl on;
  ssl_certificate /foo/bar/ssl.combined;
  ssl_certificate_key /foo/bar/ssl.key;
  ssl_stapling on;
  ssl_stapling_verify on;

  root /var/www/site.url/public
  index index.php;
  charset utf-8;

  location ~ /\. {
    deny all;
  }

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
  }
}