HTTPS proxy in Apache without certificates
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.
My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?
apache https reverse-proxy
asked Dec 25 '18 at 12:22
Tempestas LudiTempestas Ludi
1084
|
show 2 more comments
The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.
My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?
apache https reverse-proxy
asked Dec 25 '18 at 12:22
Tempestas LudiTempestas Ludi
1084
1
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
– Steffen Ullrich
Dec 25 '18 at 12:38
Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
– Tempestas Ludi
Dec 25 '18 at 12:41
"The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.
– Patrick Mevzek
Dec 27 '18 at 14:56
@PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.
– Tempestas Ludi
Dec 27 '18 at 15:03
1
Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.
– Patrick Mevzek
Dec 27 '18 at 17:22
|
show 2 more comments
The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.
My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?
apache https reverse-proxy
asked Dec 25 '18 at 12:22
Tempestas LudiTempestas Ludi
1084
The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate. Therefore, the server should be able to proxy the handshake, and all subsequent packets, to the correct domain/machine/server, without performing the authentication. Therefore, it should not need any certificates to perform this proxying.
This would come in handy when there are a couple of servers in the local network, each serving one domain.
My question is: is it possible to configure apache(2) to proxy incoming requests, over a HTTPS connection to the correct domains, without it having access to the certificates for said domains?
apache https reverse-proxy
apache https reverse-proxy
asked Dec 25 '18 at 12:22
Tempestas LudiTempestas Ludi
1084
asked Dec 25 '18 at 12:22
Tempestas LudiTempestas Ludi
1084
asked Dec 25 '18 at 12:22
Tempestas LudiTempestas Ludi
1084
asked Dec 25 '18 at 12:22
Tempestas LudiTempestas Ludi
1084
asked Dec 25 '18 at 12:22
Tempestas LudiTempestas Ludi
1084
1084
1
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
– Steffen Ullrich
Dec 25 '18 at 12:38
Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
– Tempestas Ludi
Dec 25 '18 at 12:41
"The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.
– Patrick Mevzek
Dec 27 '18 at 14:56
@PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.
– Tempestas Ludi
Dec 27 '18 at 15:03
1
Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.
– Patrick Mevzek
Dec 27 '18 at 17:22
|
show 2 more comments
1
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
– Steffen Ullrich
Dec 25 '18 at 12:38
Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
– Tempestas Ludi
Dec 25 '18 at 12:41
"The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.
– Patrick Mevzek
Dec 27 '18 at 14:56
@PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.
– Tempestas Ludi
Dec 27 '18 at 15:03
1
Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.
– Patrick Mevzek
Dec 27 '18 at 17:22
1
1
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
– Steffen Ullrich
Dec 25 '18 at 12:38
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
– Steffen Ullrich
Dec 25 '18 at 12:38
Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
– Tempestas Ludi
Dec 25 '18 at 12:41
Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
– Tempestas Ludi
Dec 25 '18 at 12:41
"The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.
– Patrick Mevzek
Dec 27 '18 at 14:56
"The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.
– Patrick Mevzek
Dec 27 '18 at 14:56
@PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.
– Tempestas Ludi
Dec 27 '18 at 15:03
@PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.
– Tempestas Ludi
Dec 27 '18 at 15:03
1
1
Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.
– Patrick Mevzek
Dec 27 '18 at 17:22
Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.
– Patrick Mevzek
Dec 27 '18 at 17:22
|
show 2 more comments
1 Answer
1
active
oldest
votes
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.
answered Dec 25 '18 at 14:36
Steffen UllrichSteffen Ullrich
62136
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "45"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwebmasters.stackexchange.com%2fquestions%2f119835%2fhttps-proxy-in-apache-without-certificates%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.
answered Dec 25 '18 at 14:36
Steffen UllrichSteffen Ullrich
62136
add a comment |
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.
answered Dec 25 '18 at 14:36
Steffen UllrichSteffen Ullrich
62136
add a comment |
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.
answered Dec 25 '18 at 14:36
Steffen UllrichSteffen Ullrich
62136
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. What you want instead is proxying at the TCP level based on the name in the TLS handshake (SNI) - nginx and haproxy can do this, Apache not.
answered Dec 25 '18 at 14:36
Steffen UllrichSteffen Ullrich
62136
answered Dec 25 '18 at 14:36
Steffen UllrichSteffen Ullrich
62136
answered Dec 25 '18 at 14:36
Steffen UllrichSteffen Ullrich
62136
answered Dec 25 '18 at 14:36
Steffen UllrichSteffen Ullrich
62136
62136
add a comment |
add a comment |
Thanks for contributing an answer to Webmasters Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fwebmasters.stackexchange.com%2fquestions%2f119835%2fhttps-proxy-in-apache-without-certificates%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
Apache can only do proxying at the HTTP level which isn't sufficient for what you want to do. But nginx and haproxy can proxy at the TCP level based on the name in the TLS handshake (SNI) which is what you want.
– Steffen Ullrich
Dec 25 '18 at 12:38
Please turn this into an answer so I can upvote it and mark it as "the answer" ;-)
– Tempestas Ludi
Dec 25 '18 at 12:41
"The TLS handshake initiation contains the requested domain in cleartext, to allow a server to select the correct certificate." This is SNI, but works is underway to have encrypted SNI, at which point there will be nothing visible in the TLS handshake that will provide information on which website is requested.
– Patrick Mevzek
Dec 27 '18 at 14:56
@PatrickMevzek What I mainly meant, is that some part of the server software must know which domain is requested, in order to select the correct certificate. Therefore, it should be able to know which domain is requested and to which domain/machine it should proxy.
– Tempestas Ludi
Dec 27 '18 at 15:03
1
Not sure to understand your question and indeed should be posted separately if needed. I do not know where your "no certificates are used in the SNI encryption" comes from. The technical specification for that encrypted SNI is at tools.ietf.org/html/draft-ietf-tls-esni or look at blog.cloudflare.com/encrypted-sni for a gentler introduction on the subject.
– Patrick Mevzek
Dec 27 '18 at 17:22