HTTPS proxy in Apache without certificates





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







1















The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?






apache https reverse-proxy







share|improve this question


















  • 1





    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.

    – Steffen Ullrich
    Dec 25 '18 at 12:38











  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)

    – Tempestas Ludi
    Dec 25 '18 at 12:41











  • "The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.

    – Patrick Mevzek
    Dec 27 '18 at 14:56











  • @PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.

    – Tempestas Ludi
    Dec 27 '18 at 15:03








  • 1





    Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.

    – Patrick Mevzek
    Dec 27 '18 at 17:22


















1















The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?






apache https reverse-proxy







share|improve this question


















  • 1





    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.

    – Steffen Ullrich
    Dec 25 '18 at 12:38











  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)

    – Tempestas Ludi
    Dec 25 '18 at 12:41











  • "The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.

    – Patrick Mevzek
    Dec 27 '18 at 14:56











  • @PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.

    – Tempestas Ludi
    Dec 27 '18 at 15:03








  • 1





    Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.

    – Patrick Mevzek
    Dec 27 '18 at 17:22














1












1








1








The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?






apache https reverse-proxy







share|improve this question














The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.



My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?






apache https reverse-proxy




apache https reverse-proxy






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 25 '18 at 12:22









Tempestas LudiTempestas Ludi

1084




1084








  • 1





    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.

    – Steffen Ullrich
    Dec 25 '18 at 12:38











  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)

    – Tempestas Ludi
    Dec 25 '18 at 12:41











  • "The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.

    – Patrick Mevzek
    Dec 27 '18 at 14:56











  • @PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.

    – Tempestas Ludi
    Dec 27 '18 at 15:03








  • 1





    Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.

    – Patrick Mevzek
    Dec 27 '18 at 17:22














  • 1





    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.

    – Steffen Ullrich
    Dec 25 '18 at 12:38











  • Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)

    – Tempestas Ludi
    Dec 25 '18 at 12:41











  • "The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.

    – Patrick Mevzek
    Dec 27 '18 at 14:56











  • @PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.

    – Tempestas Ludi
    Dec 27 '18 at 15:03








  • 1





    Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.

    – Patrick Mevzek
    Dec 27 '18 at 17:22








1




1





Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.

– Steffen Ullrich
Dec 25 '18 at 12:38





Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.

– Steffen Ullrich
Dec 25 '18 at 12:38













Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)

– Tempestas Ludi
Dec 25 '18 at 12:41





Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)

– Tempestas Ludi
Dec 25 '18 at 12:41













"The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.

– Patrick Mevzek
Dec 27 '18 at 14:56





"The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.

– Patrick Mevzek
Dec 27 '18 at 14:56













@PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.

– Tempestas Ludi
Dec 27 '18 at 15:03







@PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.

– Tempestas Ludi
Dec 27 '18 at 15:03






1




1





Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.

– Patrick Mevzek
Dec 27 '18 at 17:22





Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.

– Patrick Mevzek
Dec 27 '18 at 17:22










1 Answer
1






active

oldest

votes


















2














Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






share|improve this answer
























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "45"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwebmasters.stackexchange.com%2fquestions%2f119835%2fhttps-proxy-in-apache-without-certificates%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    2














    Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






    share|improve this answer




























      2














      Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






      share|improve this answer


























        2












        2








        2







        Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.






        share|improve this answer













        Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 25 '18 at 14:36









        Steffen UllrichSteffen Ullrich

        62136




        62136






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Webmasters Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwebmasters.stackexchange.com%2fquestions%2f119835%2fhttps-proxy-in-apache-without-certificates%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Le Mesnil-Réaume

            Image
            Le Mesnil-Réaume Region Normandie Département Seine-Maritime Arrondissement Dieppe Kanton Eu Gemeindeverband Villes Sœurs Koordinaten 49° 58′  N , 1° 27′  O 49.9725 1.4463888888889 Koordinaten: 49° 58′  N , 1° 27′  O Höhe 92–156 m Fläche 5,55 km 2 Einwohner 793 (1. Januar 2016) Bevölkerungsdichte 143 Einw./km 2 Postleitzahl 76260 INSEE-Code 76435 Website http://www.mesnil-reaume.net/ Rathaus (Mairie) und Schule von Le Mesnil-Réaume Le Mesnil-Réaume ist eine französische Gemeinde mit 793 Einwohnern (Stand: 1. Januar 2016) im Département Seine-Maritime in der Region Normandie (vor 2016 Haute-Normandie). Sie gehört zum Arrondissement Dieppe und zum Kanton Eu. Die Einwohner werden Mesnillais genannt. Inhaltsverzeichnis 1 Geographie 2 Bevölkerungsentwicklung 3 Sehenswürdigkeiten 4 Weblinks Geographie | Le Mesnil-Réaume liegt etwa 43 Kilomet
            Read more

            Bundesstraße 106

            Image
            Dieser Artikel beschreibt die Bundesstraße 106 in Deutschland. Zur gleichnamigen Straße in Österreich siehe Mölltal Straße. Vorlage:Infobox hochrangige Straße/Wartung/DE-B Bundesstraße 106 in Deutschland Karte Basisdaten Betreiber: Deutschland  Bundesrepublik Deutschland Straßenbeginn: Wismar ( 53° 54′  N , 11° 24′  O 53.900536 11.396875 ) Straßenende: Schwerin ( 53° 36′  N , 11° 24′  O 53.592785 11.404892 ) Gesamtlänge: 40,7 km Bundesland: Mecklenburg-Vorpommern Ausbauzustand: zweistreifig [1] Bundesstraße 106 in Schwerin (Umgehungsstraße) Straßenverlauf Land Mecklenburg-Vorpommern Landkreis Nordwestmecklenburg Ortsumgehung Wismar Wallensteingraben über   Dorf Mecklenburg Wallensteingraben Groß Stieten Bad Kleinen OT Niendorf Bahnstrecke Lübeck–Bad Kleinen Zickhusen Lübstorf Klein Trebbow OT Kirch Stück
            Read more

            Ida-Boy-Ed-Garten

            Image
            Die Lage des Ida-Boy-Ed-Gartens, rot markiert Der Ida-Boy-Ed-Garten Der Ida-Boy-Ed-Garten, Blick von der Wakenitzmauer durch das Tor in der Stadtmauer Der Ida-Boy-Ed-Garten ist eine Straße der Lübecker Altstadt. Inhaltsverzeichnis 1 Lage 2 Geschichte 3 Literatur 4 Weblinks Lage | Der etwa 90 Meter lange Ida-Boy-Ed-Garten befindet sich an der nördlichen Spitze der Altstadtinsel, vor dem Burgtor. Die in einem Bogen durch eine Grünanlage hangaufwärts führende Straße verbindet die Wakenitzmauer mit der Burgtorbrücke. Geschichte | Der heutige Ida-Boy-Ed-Garten wurde ursprünglich als Verlängerung der Wakenitzmauer angelegt. 1903 wurde in den erhaltenen Teil der mittelalterlichen Stadtmauer, an dem die Wakenitzmauer bei der Einmündung der Kaiserstraße begann, ein Tor mit einem großen Bogen für die Durchführung der Straße und zwei kleineren seitlichen Öffnungen für Fußgänger gebrochen, um für die neu errichteten Wohnhäuser in diesem Bereich
            Read more