HTTPS proxy in Apache without certificates












1














The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?










share|improve this question







New contributor




Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 1




    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
    – Steffen Ullrich
    4 hours ago










  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
    – Tempestas Ludi
    4 hours ago
















1














The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?










share|improve this question







New contributor




Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • 1




    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
    – Steffen Ullrich
    4 hours ago










  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
    – Tempestas Ludi
    4 hours ago














1












1








1







The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?










share|improve this question







New contributor




Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?







apache https reverse-proxy






share|improve this question







New contributor




Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 4 hours ago









Tempestas Ludi

1084




1084




New contributor




Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Tempestas Ludi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








  • 1




    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
    – Steffen Ullrich
    4 hours ago










  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
    – Tempestas Ludi
    4 hours ago














  • 1




    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
    – Steffen Ullrich
    4 hours ago










  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
    – Tempestas Ludi
    4 hours ago








1




1




Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
– Steffen Ullrich
4 hours ago




Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
– Steffen Ullrich
4 hours ago












Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
– Tempestas Ludi
4 hours ago




Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
– Tempestas Ludi
4 hours ago










1 Answer
1






active

oldest

votes


















2














Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






share|improve this answer





















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "45"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    Tempestas Ludi is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwebmasters.stackexchange.com%2fquestions%2f119835%2fhttps-proxy-in-apache-without-certificates%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2














    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






    share|improve this answer


























      2














      Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






      share|improve this answer
























        2












        2








        2






        Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






        share|improve this answer












        Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 2 hours ago









        Steffen Ullrich

        62136




        62136






















            Tempestas Ludi is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            Tempestas Ludi is a new contributor. Be nice, and check out our Code of Conduct.













            Tempestas Ludi is a new contributor. Be nice, and check out our Code of Conduct.












            Tempestas Ludi is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Webmasters Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwebmasters.stackexchange.com%2fquestions%2f119835%2fhttps-proxy-in-apache-without-certificates%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            404 Error Contact Form 7 ajax form submitting

            How to know if a Active Directory user can login interactively

            Refactoring coordinates for Minecraft Pi buildings written in Python