Configuring Apache2 for HTTPS Proxying

Enable SSL in your reverse proxy server, and configure the messaging and replication ports for two-way HTTPS proxying. This procedure describes the configuration of an Apache2 reverse proxy server.

Prerequisites
Install Apache2.
Task

  1. Enable the SSL and proxy modules.
    Uncomment these lines in the Apache2.2\conf\httpd.conf file to load the headers, SSL and proxy modules:
    LoadModule headers_module modules/mod_headers.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so

    The three proxy_* modules are required by the three proxy modes: HTTP, one-way HTTPS and two-way HTTPS.

    The ssl_module is required by both HTTPS proxy modes.

    The headers_module is required by the two-way HTTPS proxy mode.

  2. Enable the messaging port (8002) as a two-way HTTPS Proxy.

    Add content similar to the following into httpd.conf to enable the messaging port as a two-way HTTPS proxy:

    Listen 8082
    <VirtualHost *:8082>
      ServerName 10.128.103.133

      ErrorLog "C:/Apache2.2/logs/error.log"
      TransferLog "C:/Apache2.2/logs/access.log"

      # activate HTTPS on the reverse proxy
      SSLEngine on
      # apache server public certificate
      SSLCertificateFile "C:/Apache2.2/conf/liatris_cr-sha1.crt"
      # apache server private key
      SSLCertificateKeyFile "C:/Apache2.2/conf/liatris_cr-decry-sha1.key"
      # apache server certificate root/chain file
      SSLCertificateChainFile "C:/Apache2.2/conf/clientroot.crt"
      # trusted client certificate
      SSLCACertificateFile "C:/Apache2.2/conf/clientroot.crt"
      SSLVerifyClient require
      SSLVerifyDepth  10
      SSLProxyEngine On
      # trusted back server certificate
      SSLProxyCACertificateFile "C:/Apache2.2/conf/sample2.crt"
      # apache server id/certificate for connecting back server
      SSLProxyMachineCertificateFile "C:/Apache2.2/conf/rsoe.pem"
      # initialize the special headers to a blank value to avoid http header forgeries
      RequestHeader set SSL_CLIENT_CERT ""
      <Location />
        # add SSL_CLIENT_CERT header to forward real client certificate
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        ProxyPass  https://orchid.dhcp.pek3.sap.corp:8002/
        ProxyPassReverse  https://orchid.dhcp.pek3.sap.corp:8002/
      </Location>
    </VirtualHost>
    
  3. Enable the replication port (2482) as a two-way HTTPS Proxy.

    Add content similar to the following into httpd.conf to enable the replication port as a two-way HTTPS proxy:

    Listen 2482
    <VirtualHost *:2482>
      ServerName proxy-server
      
      ErrorLog "C:/Apache2.2/logs/error.log"
      TransferLog "C:/Apache2.2/logs/access.log"
      
      # activate HTTPS on the reverse proxy
      SSLEngine on
      SSLCertificateFile "C:/Apache2.2/conf/proxy-server.crt"
      SSLCertificateKeyFile "C:/Apache2.2/conf/proxy-server.key"
      SSLCertificateChainFile "C:/Apache2.2/conf/proxy-server-ca.crt"
      # activate the client certificate authentication 
      SSLCACertificateFile "C:/Apache2.2/conf/trusted-client-ca.crt"
      SSLVerifyClient require
      SSLVerifyDepth  10
      SSLProxyEngine On
      SSLProxyCACertificateFile "C:/Apache2.2/conf/SMP-server-ca.crt"
      SSLProxyMachineCertificateFile "C:/Apache2.2/conf/proxy-client.pem"
      # initialize the special headers to a blank value to avoid http header forgeries
      RequestHeader set SSL_CLIENT_CERT ""
      <Location />
        # add SSL_CLIENT_CERT header to forward real client certificate
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        ProxyPass  https://SMP-server:2482/
        ProxyPassReverse  https://SMP-server:2482/
      </Location>
    </VirtualHost>
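
One way to check an httpd.conf against the points the two-way HTTPS virtual hosts above rely on: a required client certificate, a trusted client CA, and SSL_CLIENT_CERT blanked before it is forwarded. This is an added example, not part of the original procedure; the audit function, its finding strings and the sample configuration (including the 9443 virtual host) are constructed for illustration, and it checks only that the directives are present in each VirtualHost, not Apache's merge order.

```python
import re
import shlex

# Constructed sample: first vhost follows the pattern above, second one does not.
SAMPLE_CONF = '''
<VirtualHost *:2482>
  SSLEngine on
  SSLCACertificateFile "C:/Apache2.2/conf/trusted-client-ca.crt"
  SSLVerifyClient require
  RequestHeader set SSL_CLIENT_CERT ""
  <Location />
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  </Location>
</VirtualHost>
<VirtualHost *:9443>
  SSLEngine on
  SSLVerifyClient optional
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
</VirtualHost>
'''

VHOST = re.compile(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', re.S | re.I)

def directives(body):
    """Yield (lowercased name, argument string) for each directive line."""
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0][0] not in '#<':  # skip comments and section tags
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ''

def audit(conf):
    """Return {vhost address: [findings]}; an empty list means all checks pass."""
    report = {}
    for addr, body in VHOST.findall(conf):
        d = list(directives(body))
        last = {name: args.strip('"').lower() for name, args in d}
        # Values passed to "RequestHeader set SSL_CLIENT_CERT <value>"
        hdr = [a[2] for a in (shlex.split(args) for n, args in d if n == 'requestheader')
               if len(a) == 3 and a[0].lower() == 'set' and a[1].upper() == 'SSL_CLIENT_CERT']
        checks = [
            (last.get('sslengine') != 'on', 'SSLEngine is not on'),
            (last.get('sslverifyclient') != 'require', 'client certificate is not required'),
            ('sslcacertificatefile' not in last, 'no trusted client CA configured'),
            (any('%{SSL_CLIENT_CERT}s' in v for v in hdr) and '' not in hdr,
             'SSL_CLIENT_CERT forwarded without being blanked first'),
        ]
        report[addr.strip()] = [msg for failed, msg in checks if failed]
    return report
```

Call audit() with the text of httpd.conf; any virtual host with a non-empty list needs review before it is exposed.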