Letsencrypt noob.. Apache reverse proxy + SSL on backend

sgvfr · July 23, 2018, 4:05am

Hello everyone, I’ve been reading for about 4 hours now and can’t seem to find what I’m looking for. I have solved a few issues but I have one hanging one… Or I have seen the answer, I’m just not understanding it.

my network… single public IP with several servers behind it on different VLANS. I need to have access to servers from both LAN and WAN… Previously I only had a couple servers and was using paid SSL certificates. Installation was easy… Now I have more services and need SSL everywhere… here is where i’m getting stumped…

I have two dns views with bind, one for internal, one external. Internally when I request a site i’m given the 10.x.x.x Ip address, when accessing the same services outside the LAN DNS returns me to the WAN IP.

Now i’m trying to use Lets Encrypt and save hundreds a year in SSL… This is where my confusion begins…

I previously used (and still using) Apache Reverse Proxy… Almost all servers are Ubuntu 16, and soon to be 18 LTS. As I understand it, certbot will create a verification file on the requesting machine in order to create the certificate. I have no problem creating all the certificates for the Virtual Hosts on the Reverse Proxy server (before configuring the Proxy for the subdomains…), thats the easy part… Where it’s confusing me is once I configure the proxy and send all traffic to the internal machines certbot won’t be able to automatically renew the cert on the proxy, since the internal servers will receive the request, however the internal servers will have no problem renewing… Is that correct??

a quick rough diagram

|internet|-----|cisco router|----[reverse proxy]----[L3 switching]---|---vlan10----[ssl server 1:443 - a.domain.com]
                                                         |           |---vlan20----[ssl server 2:443 - b.domain.com]
                                                         |           |---vlan30----[ssl server 3:443 - c.domain.com]
                                                         |
                                                         |
                                                         |
                                               [internal LAN]

In a nutshell, Is it possible to have auto updated SSL on both the proxy and the internal servers?
The more I read the more I learn, but the more confused I am with all the options.

Thanks, and I’m sorry if this has been answered already I likely am just not understanding the solution.

example vhost configs on the proxy, DNS is answered by tine internal view, so the local IP is returned for the domain name. Each vhost is a separate file.

<VirtualHost *:443>
SSLCertificateFile /etc/letsencrypt/live/a.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/a.domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
#LogLevel emerg
ServerName a.domain.com
ServerAdmin admin@domain.com
DocumentRoot /var/www/vhosts/a.domain.com/htdocs/
ErrorLog /var/www/vhosts/a.domain.com/logs/ssl-error.log
CustomLog /var/www/vhosts/a.domain.com/logs/ssl-access.log "combined"
  SSLProxyEngine on
  ProxyPreserveHost On
  # Servers to proxy the connection, or
  # List of application servers Usage
  ProxyPass / https://a.domain.com/
  ProxyPassReverse / https://a.domain.com/
</VirtualHost>


<VirtualHost *:443>
SSLCertificateFile /etc/letsencrypt/live/b.domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/b.domain.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
#LogLevel emerg
ServerName b.domain.com
ServerAdmin admin@domain.com
DocumentRoot /var/www/vhosts/b.domain.com/htdocs/
ErrorLog /var/www/vhosts/b.domain.com/logs/ssl-error.log
CustomLog /var/www/vhosts/b.domain.com/logs/ssl-access.log "combined"
  SSLProxyEngine on
  ProxyPreserveHost On
  # Servers to proxy the connection, or
  # List of application servers Usage
  ProxyPass / https://b.domain.com/
  ProxyPassReverse / https://b.domain.com/
</VirtualHost>

jmorahan · July 23, 2018, 3:17pm

Provided you're using Certbot's --apache plugin: it creates a temporary alias in the relevant Apache VirtualHost to point to the file required to respond to the challenge. So it should work on the proxy even while it's proxying all other requests to the backends.

The proxy will forward other requests - including requests from the validation server - to the backends as you described, so they should be able to correctly respond to challenges too.

You might want to add the option --preferred-challenges http to ensure that it doesn't try to use the deprecated tls-sni-01 challenge for renewals, as that wouldn't work with this proxy setup.

You'll need port 80 open on the proxy. You can forward it to the backends as you've done with 443, or you can set up a 301 redirect to HTTPS directly on the proxy server; either should work.

You can test it with certbot renew --dry-run.

Watch out for the rate limits.

sgvfr · July 23, 2018, 8:29pm

Thank you, I will test this out and let you know how it works. Thank you!

system · August 22, 2018, 8:29pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to get LetsEncrypt on apache reverseproxy and the webhost behind it? Server	3	2586	December 3, 2016
Apache Reverse Proxy Server	2	2697	April 16, 2017
Lets Encrypt and reverse proxy Help	5	1398	May 3, 2018
Lets Encrypt Certificate on 2 Apache Servers via Round Robin Help	18	1422	March 19, 2021
How to configure letsencrypt and a reverse proxy Server	8	25076	July 28, 2016

Letsencrypt noob.. Apache reverse proxy + SSL on backend

Related topics