
We have decided to run a secure web proxy through Apache. We assigned the server a domain name, bought an SSL certificate for that domain, and applied it on Ubuntu 12.04 (precise) with Apache/2.2.22.

When I ran the server with the default site (HTTP), i.e. with only the IP as the virtual host, the proxy worked fine.

Then I decided to enable SSL for this proxy server. Since SSL for an IP address is not allowed, we chose a domain and went ahead.

I also enabled mod_rewrite, so that all HTTP requests go through the SSL website.

Here are my HTTP virtual host and SSL virtual host configurations, respectively:

<VirtualHost 12.12.12.12:80>
    ServerAdmin webmaster@localhost
    ServerName example.net
    ServerAlias www.example.net
    ProxyRequests On
    ProxyVia On
    <Proxy *>
    Order allow,deny
    Deny from all
    Allow from 104.12
    </Proxy>
    RewriteEngine   on
    RewriteCond     %{SERVER_PORT} ^80$
    RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
    DocumentRoot /var/www
    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>

SSL configuration

    <IfModule mod_ssl.c>
     <VirtualHost  12.12.12.12:443>
        ServerAdmin webmaster@localhost
        ServerName example.net
        ServerAlias www.example.net
        ProxyVia On
        ProxyPass / https://127.0.0.1:443/
        ProxyPreserveHost On
        SSLProxyCheckPeerCN off
        #ProxyPreserveHost on
        ProxyRequests On
        SSLEngine on
        SSLProxyEngine On
        SSLCertificateFile    /etc/ssl/ssl_proxy/example_net.crt
        SSLCertificateKeyFile /etc/ssl/ssl_proxy/example.net.key
        SSLProxyVerify require
        SSLProxyVerifyDepth 10
        SSLProxyMachineCertificateFile /etc/ssl/ssl_proxy/example.net.csr
        SSLProxyCACertificateFile /etc/ssl/ssl_proxy/example_net.ca-bundle
        SSLStrictSNIVHostCheck on
        DocumentRoot /var/www
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        <Proxy *>
        Order allow,deny
        Deny from all
        Allow from 104.12
        </Proxy>
        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
       <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory> 
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

     </VirtualHost>
    </IfModule>

I tried all the above possibilities, but none worked. Whenever I access a website, I get this error:

Hostname example.net provided via SNI and hostname yahoo.com provided via HTTP are different.

Any idea what I am doing wrong?

Thank you, Sai

  • Are example.net and yahoo.com the real names? It would help to have the exact error message.
    – harrymc
    Commented Apr 16, 2014 at 12:23
  • Yes, example.net is my hostname (example is not the original name, but it is publicly set up), and I tried to connect through example.net to yahoo by enabling HTTPS on example.net. I hope I'm clear.
    – J Bourne
    Commented Apr 16, 2014 at 13:32
  • Please also add the URL you are using and the mod_rewrite rules and some more info of what you are trying to do. It seems as if you are setting up an HTTPS pass-through to yahoo and the two certificates are getting mixed up.
    – harrymc
    Commented Apr 16, 2014 at 14:43
  • Please check; the configurations of both HTTP and HTTPS are given. However, do you need my real URL? What I'm trying to do is set up a forward proxy with HTTPS, over which I need to access anything on the web: not only HTML pages, but also music and videos. This is what I'm trying to achieve.
    – J Bourne
    Commented Apr 17, 2014 at 6:40
  • What is the request you send to the proxy when you get this error, HTTP or HTTPS? If it is HTTPS, the CONNECT method required is not implemented before Apache 2.2.24 if I remember correctly. Also, could you increase the LogLevel and post the result?
    – bonob
    Commented Apr 17, 2014 at 8:21

2 Answers

0

There was a bug in Apache which caused this error due to a case-sensitive comparison of hostnames. It was fixed recently and a new build with the fix is now available. In addition, you can have the certificate changed to all lowercase to be more compatible with convention (uppercase is rarely used).
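
The error in the question compares the name sent in the TLS SNI extension with the name in the HTTP Host header. The following is an added example (not Apache's code and not part of the original answer) that models that comparison with constructed requests; the function names and normalization rules are assumptions for illustration. It shows a case-only difference, which a case-insensitive comparison accepts, next to a request whose Host header names another site, as in the quoted error message.

```python
# Added illustration: models the SNI-vs-Host comparison; it is not Apache's code.

def normalize_host(value):
    """Reduce a Host header value or SNI name to a comparable hostname."""
    host = value.strip()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:443
        host = host[1:].partition("]")[0]
    elif host.count(":") == 1:               # name:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".").lower()          # DNS names are case-insensitive


def host_header(raw_request):
    """Return the Host header value from a raw HTTP/1.x request head, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def sni_matches_host(sni, raw_request, case_sensitive=False):
    """True when the TLS SNI name and the HTTP Host header name the same host."""
    host = host_header(raw_request)
    if host is None:
        return False
    if case_sensitive:                       # byte-for-byte comparison, no normalization
        return sni == host
    return normalize_host(sni) == normalize_host(host)


# Constructed sample requests (not captured traffic).
SAME_SITE = b"GET / HTTP/1.1\r\nHost: Example.NET\r\n\r\n"
PROXIED = b"GET http://yahoo.com/ HTTP/1.1\r\nHost: yahoo.com\r\n\r\n"

if __name__ == "__main__":
    # Case-only difference: rejected by a case-sensitive check, accepted otherwise.
    print(sni_matches_host("example.net", SAME_SITE, case_sensitive=True))
    print(sni_matches_host("example.net", SAME_SITE))
    # Different site in the Host header: a mismatch under either comparison.
    print(sni_matches_host("example.net", PROXIED))
```
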

0
0

All I figured out is that it is not possible through Apache. But modern servers like Nginx and Node.js support it via the SPDY protocol. Here is the link

  • I know you are answering your own question, but can you provide the key points in your answer and use the link as a reference? Links can quickly become outdated or removed, making your answer pointless for those who find your answer following a similar issue.
    Commented Apr 22, 2014 at 10:59
  • mod_spdy was available on Apache at least since 2012...
    – Auspex
    Commented Nov 25, 2016 at 14:59
