We have decided to run a secure web proxy through Apache. We assigned the server a domain name, then bought an SSL certificate for that domain and applied it on Ubuntu 12.04 (precise) with Apache/2.2.22.
When I ran the server with the default site (HTTP), i.e. with only the IP as the virtual host, the proxy worked fine.
Then I decided to do SSL for this proxy server. Since SSL for an IP address is not allowed, we chose a domain and went ahead.
Also, I enabled mod_rewrite so that all HTTP requests go through the SSL website.
Here are my HTTP virtual host and SSL virtual host configurations, respectively:
<VirtualHost 12.12.12.12:80>
ServerAdmin webmaster@localhost
ServerName example.net
ServerAlias www.example.net
ProxyRequests On
ProxyVia On
<Proxy *>
Order allow,deny
Deny from all
Allow from 104.12
</Proxy>
RewriteEngine on
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
DocumentRoot /var/www
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
SSL configuration
<IfModule mod_ssl.c>
<VirtualHost 12.12.12.12:443>
ServerAdmin webmaster@localhost
ServerName example.net
ServerAlias www.example.net
ProxyVia On
ProxyPass / https://127.0.0.1:443/
ProxyPreserveHost On
SSLProxyCheckPeerCN off
#ProxyPreserveHost on
ProxyRequests On
SSLEngine on
SSLProxyEngine On
SSLCertificateFile /etc/ssl/ssl_proxy/example_net.crt
SSLCertificateKeyFile /etc/ssl/ssl_proxy/example.net.key
SSLProxyVerify require
SSLProxyVerifyDepth 10
SSLProxyMachineCertificateFile /etc/ssl/ssl_proxy/example.net.csr
SSLProxyCACertificateFile /etc/ssl/ssl_proxy/example_net.ca-bundle
SSLStrictSNIVHostCheck on
DocumentRoot /var/www
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<Proxy *>
Order allow,deny
Deny from all
Allow from 104.12
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
I tried all of the above options, but none worked. Whenever I access a website, the error I get is:
Hostname example.net provided via SNI and hostname yahoo.com provided via HTTP are different.
Any idea what I am doing wrong?
Thank you, Sai
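
The comparison that the error message above reports, as an added example (not part of the original post and not mod_ssl's code): a simplified Python model that derives the hostname an HTTP request names and compares it with the TLS SNI name. The function names and both sample requests are constructed for illustration; a forward-proxy request arriving on the example.net SSL virtual host names the destination site, so the two names differ.

```python
from urllib.parse import urlsplit

# Constructed sample requests (not captured traffic).
# A client using the vhost as a forward proxy names the destination site.
PROXY_REQ = b"GET http://yahoo.com/ HTTP/1.1\r\nHost: yahoo.com\r\n\r\n"
# A client browsing the vhost itself names the vhost.
DIRECT_REQ = b"GET /doc/ HTTP/1.1\r\nHost: Example.NET\r\n\r\n"


def http_hostname(raw_request):
    """Hostname the HTTP request names: absolute-URI target first, else Host."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if "://" in target:                      # forward-proxy form: GET http://host/...
        hostport = urlsplit(target).netloc
    elif method == "CONNECT":                # tunnel form: CONNECT host:port
        hostport = target
    else:                                    # origin form: take the Host header
        hostport = ""
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                hostport = value.strip()
                break
    # urlsplit lowercases the name and drops the port and IPv6 brackets
    return urlsplit("//" + hostport).hostname or ""


def sni_host_check(sni, raw_request):
    """Return the mismatch message, or None when the two names agree."""
    host = http_hostname(raw_request)
    if sni is None:                          # client sent no SNI: nothing to compare
        return None
    if sni.lower() != host:
        return ("Hostname %s provided via SNI and hostname %s "
                "provided via HTTP are different" % (sni, host))
    return None


if __name__ == "__main__":
    for label, req in (("proxy", PROXY_REQ), ("direct", DIRECT_REQ)):
        print(label, "->", sni_host_check("example.net", req) or "names match")
```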