apache2 - Apache SSL working with IP but not FQDN
2014-04
All was well in my little network until I switched internet providers and had to change the IP addresses on my internal network from 172.16.0.x to 192.168.1.x; they have funky hardware, and this is in my house.
So, I have Apache 2.2 running on a machine. When I access it via IP address, the SSL pages come up just fine and load. When I try the FQDN on the server itself, it works fine; when I try it on any other machine, they all see the unsigned cert and warn me, then they give me a "connection was reset".
The only Listen statements I have look like this:
Listen 80
Listen 443
And then this is a trimmed down version of the virtual host:
<VirtualHost _default_:443>
ServerName www.domain.local:443
DocumentRoot "k:/apache/htdocs-ssl"
<Directory k:/apache/htdocs-ssl>
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
The results from httpd -S:
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 secure.domain.com (H:/Apache2.2/conf/sslsettings.conf:11)
*:80 is a NameVirtualHost
default server server1.domain.com (H:/Apache2.2/conf/httpd-vhosts.conf:22)
port 80 namevhost server1.domain.com (H:Apache2.2/conf/httpd-vhosts.conf:22)
port 80 namevhost devinst.domain.com (H:Apache2.2/conf/httpd-vhosts.conf:53)
Any suggestions on what I might be missing?
I'm inside a strict corporate environment. https traffic goes out via an internal proxy (for this example it's 10.10.04.33:8443) that's smart enough to block ssh'ing directly to ssh.glakspod.org:443.
I can get out via proxytunnel. I set up an apache2 VirtualHost at ssh.glakspod.org:443 thus:
ServerAdmin ssh@orl[email protected]
ServerName ssh.glakspod.org
# Proxy Section
# Used in conjunction with ProxyTunnel
# proxytunnel -q -p 10.10.04.33:8443 -r ssh.glakspod.org:443 -d %host:%port
ProxyRequests on
ProxyVia on
AllowCONNECT 22
<Proxy *>
Order deny,allow
Deny from all
Allow from 74.101
</Proxy>
So far so good: I hit the Apache proxy with a CONNECT and then PuTTY and my ssh server shake hands and I'm off to the races.
There are, however, two problems with this setup:
The internal proxy server can sniff my CONNECT request and also see that an SSH handshake is taking place. I want the entire connection between my desktop and ssh.glakspod.org:443 to look like HTTPS traffic no matter how closely the internal proxy inspects it.
I can't get the VirtualHost to be a regular https site while proxying. I'd like the proxy to coexist with something like this:
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /path/to/ca/samapache.crt
SSLCertificateKeyFile /path/to/ca/samapache.key
SSLCACertificateFile /path/to/ca/ca.crt
DocumentRoot /mnt/wallabee/www/html
<Directory /mnt/wallabee/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# Need a valid client cert to get into the sanctum
<Directory /mnt/wallabee/www/html/sanctum>
SSLVerifyClient require
SSLOptions +FakeBasicAuth +ExportCertData
SSLVerifyDepth 1
</Directory>
So my question is: How do I enable SSL support on the ssh.glakspod.org:443 VirtualHost so that it will work with ProxyTunnel?
I've tried various combinations of proxytunnel's -e, -E, and -X flags without any luck.
The only lead I've found is Apache Bug No. 29744, but I haven't been able to find a patch that will install cleanly on Ubuntu Jaunty's Apache version 2.2.11-2ubuntu2.6.
Thanks in advance.
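The two directives that keep the vhost above from becoming an open CONNECT relay are AllowCONNECT 22 (only port 22 may be tunnelled) and the Order deny,allow / Deny from all / Allow from 74.101 block (only clients in 74.101.x.x may proxy at all). The following Python model is an added example, not code from the post or from Apache: it re-implements that decision for a CONNECT request line, then runs the same policy over a few constructed access-log lines to flag tunnels that were granted but that the policy would have refused, which is how a misconfigured (open) proxy shows up in its own logs. The function names, the ProxyAcl class and the log lines are all assumptions made for the example; the status ordering is a simplification of mod_proxy's behaviour.

```python
"""Model of how Apache's <Proxy> ACL and AllowCONNECT decide a CONNECT request.

Constructed example (not the post's or Apache's code). It mirrors the posted snippet:
    AllowCONNECT 22                       -> only port 22 may be tunnelled
    Order deny,allow / Deny from all /
    Allow from 74.101                     -> only clients in 74.101.x.x may proxy
"""
import re
from dataclasses import dataclass

# "CONNECT host:port HTTP/1.x" is the request proxytunnel sends to the Apache proxy.
CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]$")

# Minimal Apache combined-log shape: client ip, identity, user, [time], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


@dataclass(frozen=True)
class ProxyAcl:
    """Hypothetical container for the two policy knobs from the vhost snippet."""
    allowed_prefixes: tuple = ("74.101",)          # 'Allow from 74.101'; "all" = Allow from all
    allow_connect_ports: frozenset = frozenset({22})   # 'AllowCONNECT 22'


def client_allowed(client_ip, prefixes):
    """'Allow from 74.101' is an octet-prefix match (74.101.x.x), not a string prefix."""
    octets = client_ip.split(".")
    for prefix in prefixes:
        if prefix == "all":
            return True
        prefix_octets = prefix.split(".")
        if octets[: len(prefix_octets)] == prefix_octets:
            return True
    return False


def evaluate_connect(request_line, client_ip, acl=ProxyAcl()):
    """Return the HTTP status line the modelled proxy would answer with."""
    match = CONNECT_RE.match(request_line)
    if not match:
        return "400 Bad Request"            # not a CONNECT request at all
    if not client_allowed(client_ip, acl.allowed_prefixes):
        return "403 Forbidden"              # rejected by the <Proxy *> block
    if int(match.group("port")) not in acl.allow_connect_ports:
        return "403 Forbidden"              # rejected by AllowCONNECT
    return "200 Connection established"


def audit_proxy_log(lines, acl=ProxyAcl()):
    """Flag CONNECT requests the server granted (200) although the policy says deny.

    Returns a list of (client_ip, target) pairs; an empty list means the log is
    consistent with the intended ACL.
    """
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or match.group("status") != "200":
            continue
        request = match.group("req")
        connect = CONNECT_RE.match(request)
        if not connect:
            continue
        if evaluate_connect(request, match.group("ip"), acl) != "200 Connection established":
            findings.append((match.group("ip"), f"{connect.group('host')}:{connect.group('port')}"))
    return findings


# Constructed sample log lines: the second one is a granted tunnel that the
# intended policy (74.101.x.x only, port 22 only) should have refused.
SAMPLE_LOG = [
    '74.101.8.9 - - [12/Jun/2009:10:01:02 -0400] "CONNECT ssh.glakspod.org:22 HTTP/1.1" 200 -',
    '203.0.113.7 - - [12/Jun/2009:10:05:40 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 200 -',
    '198.51.100.4 - - [12/Jun/2009:10:06:01 -0400] "CONNECT ssh.glakspod.org:22 HTTP/1.1" 403 -',
]

if __name__ == "__main__":
    print(evaluate_connect("CONNECT ssh.glakspod.org:22 HTTP/1.1", "74.101.8.9"))
    print(evaluate_connect("CONNECT ssh.glakspod.org:22 HTTP/1.1", "10.10.4.33"))
    print(audit_proxy_log(SAMPLE_LOG))
```

Running it with an ACL of ProxyAcl(allowed_prefixes=("all",), allow_connect_ports=frozenset({22, 443, 25})) shows the difference between the posted configuration and an open relay: every CONNECT in the sample log is then granted and the audit returns nothing, which is exactly why the Allow from / AllowCONNECT pair deserves to survive any later merge with the SSL directives.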
I pieced together the answer from the proxytunnel-users mailing list.
First, looking at the Apache bug report number 29744, the attachment containing the patch for my version of Apache, 2.2.11-2ubuntu2.6, was hidden because it was considered obsolete. Clicking on the "Show Obsolete" link in the lower-right corner of the attachments box revealed the patch.
So I did an apt-get source apache2 on my Jaunty box, patched the source, did a debuild . . . ate some cereal . . . and then did a dpkg -i *.deb on everything I built.
Now those two separate Apache snippets above live together in harmony.
The last piece of the puzzle is how to call proxytunnel. Here's what worked:
proxytunnel -q -X -p 10.10.04.33:8443 -r ssh.glakspod.org:443 -d %host:%port
ServerAliveInterval 30
Hope this helps someone else down the line!