https forwarding proxy howto

It cost us a few brain cells to come up with a simple way of forwarding all HTTPS requests that reach our server to the corresponding virtual hosts on the same server. Our first attempt, adding an https (:443) virtual host next to each existing host, meant that only the duplicated hosts were reachable via https, and Apache logged a lot of warnings about overlapping virtual host directives. We did not want to set up every virtual host twice.

The solution we found uses the mod_rewrite engine (its proxy flag, so mod_proxy is needed as well), and you need an SSL certificate as described here.

Next to the "Listen 80" line in your apache2.conf you need a "Listen 443" line telling Apache to listen on the new port. (Search your Apache configuration directory for the text "Listen": the directive is sometimes included from another file, ports.conf in my case.)

The proxy flag needs mod_proxy, and on Apache 2.2 also mod_proxy_http for http:// targets; mod_ssl and mod_rewrite have to be enabled too. Just save the file proxy.load into the "mods-enabled" directory of your Apache configuration (on Debian/Ubuntu "a2enmod proxy" and "a2enmod proxy_http" create the same symlinks for you).

The only thing left to do is creating one virtual host that handles all secure requests and forwards each of them to the plain-HTTP virtual host named in the request's Host header:

    NameVirtualHost {YOUR_IP}:443
    <VirtualHost {YOUR_IP}:443>
        ServerAdmin     webmaster@{YOUR_SERVER-DNS-NAME}
        # this is the only vhost on :443, so it receives every host name
        ServerName      *
        CustomLog       /var/log/apache2/{YOUR_SERVER-DNS-NAME}-ssl.log combined
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        RewriteEngine on
        # RewriteLog/RewriteLogLevel are Apache 2.2 directives (LogLevel rewrite:... in 2.4)
        RewriteLog /var/log/apache2/proxy_rewrite.log
        RewriteLogLevel 1
        # refuse proxy-style requests whose URL already starts with http:// or https://
        RewriteRule ^(http|https)://.* - [F]
        # forward everything else to the http vhost named in the Host header ([P] implies [L])
        RewriteRule ^/(.*)$ http://%{HTTP_HOST}/$1 [P]
        # anything the forward rule did not match is forbidden
        RewriteRule ^.*$ - [F]
    </VirtualHost>

The easiest way is to download the file vhost-ssl.conf, save it in the "sites-enabled" folder of your Apache configuration (or in "sites-available" and enable it with a2ensite) and adapt the placeholders to your setup.
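One caveat before you deploy the vhost above: %{HTTP_HOST} is whatever the client put into the Host header, so the rule "http://%{HTTP_HOST}/$1 [P]" turns the server into an open reverse proxy. Anyone can send "Host: some-internal-box" or "Host: www.example.com" and have your Apache fetch and relay that site. The following is an added example (not from the original post or its vhost-ssl.conf) of the same catch-all :443 vhost with that hole closed: the forwarded Host names are whitelisted, the proxy target is the server's own address instead of a client-chosen one, ProxyPreserveHost keeps name-based matching on :80 working, and the :80 vhosts are told the original request was HTTPS. The host names, the IP and the paths are placeholders.

```apache
# Added, hardened version of the catch-all HTTPS vhost (example, not the
# original post's configuration). Placeholders: {YOUR_IP}, {YOUR_SERVER-DNS-NAME},
# and the two example host names in the RewriteCond below.
Listen 443
NameVirtualHost {YOUR_IP}:443

<VirtualHost {YOUR_IP}:443>
    ServerAdmin   webmaster@{YOUR_SERVER-DNS-NAME}
    ServerName    {YOUR_SERVER-DNS-NAME}
    # catch every name on this port; it is the only :443 vhost anyway
    ServerAlias   *
    CustomLog     /var/log/apache2/{YOUR_SERVER-DNS-NAME}-ssl.log combined

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    # never act as a forward proxy; the [P] flag below only needs reverse-proxy mode
    ProxyRequests Off
    # pass the client's Host header through unchanged, so the name-based vhosts
    # on :80 still select the right site although we proxy to a fixed address
    ProxyPreserveHost On
    # tell the :80 vhosts that the client actually spoke HTTPS (needs mod_headers)
    RequestHeader set X-Forwarded-Proto "https"

    RewriteEngine On
    RewriteLog      /var/log/apache2/proxy_rewrite.log
    RewriteLogLevel 1

    # Only host names we really serve may be forwarded; everything else is 403.
    # This whitelist is what fixes the open-proxy problem of http://%{HTTP_HOST}/.
    # Replace the example names with your own vhosts (the optional :443 covers
    # clients that append the port to the Host header).
    RewriteCond %{HTTP_HOST} !^(www\.example\.org|blog\.example\.org)(:443)?$ [NC]
    RewriteRule .* - [F]

    # Forward to the plain-HTTP side of this machine, never to a client-chosen host.
    # Use http://127.0.0.1/ instead if your :80 vhosts are bound to all addresses.
    RewriteRule ^/(.*)$ http://{YOUR_IP}/$1 [P,L]
</VirtualHost>
```

The RewriteCond is evaluated for every request, so a forgotten vhost simply gets a 403 instead of being proxied, which is the safe failure mode. The X-Forwarded-Proto header is only a hint: applications behind the :80 vhosts have to honour it when they build absolute links or decide whether to redirect to https, otherwise the client may bounce between the two ports. On Apache 2.4 drop the NameVirtualHost line (it is ignored there) and replace the two RewriteLog lines with "LogLevel rewrite:trace1".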

Let's give it a try: run apache2ctl configtest first, then reload the webserver:

apache2ctl graceful

One problem remains: certificate name mismatches. The catch-all vhost presents the same certificate for every name, so browsers will warn for every domain except the one the certificate was issued for. Without SNI (Apache 2.2.12 or later built against an SNI-capable OpenSSL) or a single certificate that covers all names (a wildcard or subjectAltName certificate), the only fix is a separate IP address per certificate. On a server with more than one domain, only the domain the certificate was issued for will work completely.