HTTPS proxy in Apache without certificates












The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?










  • Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
    – Steffen Ullrich
    4 hours ago










  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
    – Tempestas Ludi
    4 hours ago
















apache https reverse-proxy






asked 4 hours ago









Tempestas Ludi

1 Answer
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






        answered 2 hours ago









        Steffen Ullrich
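
The mechanism discussed above, as an added example that is not part of the original question or answer: a parser that reads the cleartext SNI name from a TLS ClientHello and picks a backend, with no certificate or key involved. The host names, addresses and the `build_client_hello` helper are constructed for illustration, and the parser assumes the whole ClientHello arrives in one TLS record.

```python
import struct

# Constructed routing table (assumption): SNI name -> backend address.
BACKENDS = {"a.example.com": ("192.168.1.10", 443),
            "b.example.com": ("192.168.1.11", 443)}

def build_client_hello(host):
    """Build a minimal, constructed TLS ClientHello carrying `host` as SNI."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                # server_name_list
    exts = struct.pack("!HH", 0, len(sni)) + sni               # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # TLS record header

def extract_sni(data):
    """Return the host name from a ClientHello, or None if absent or malformed."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:                 # handshake record, ClientHello
            return None
        end = 5 + struct.unpack("!H", data[3:5])[0]            # end of the TLS record
        pos = 9 + 2 + 32                                       # skip headers, version, random
        pos += 1 + data[pos]                                   # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                                   # compression methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(ext_end, end, len(data)):
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                                     # server_name extension
                nlen = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                name = data[pos + 5:pos + 5 + nlen]
                return name.decode("ascii").lower() if len(name) == nlen else None
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def route(data):
    """Pick a backend from the cleartext SNI; unknown names get no backend."""
    return BACKENDS.get(extract_sni(data))
```

The SNI value is sent by the client and is not authenticated at this point, so `route` only matches it against a fixed table and returns `None` for anything else; the selected backend still performs the actual TLS handshake with its own certificate.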
