SSL for proxy-reverse server


#1

Hello people.

I would like to ask a question. Here in my company we work with a DMZ, and we have a reverse proxy server. I would like to create a single SSL for all the sites behind this server. Will I have to create an SSL per subdomain?

Or is only 1 for everyone already good?

Sorry, I used Google Translate


#2

Hi,

It depends on your needs… and how many sites you need to cover on that server…

Are all sites on one root domain? (If so, you could take advantage of Let's Encrypt's wildcard certificate…)

If not all sites are on the same root domain, you could just issue one (wildcard) certificate for each dedicated root domain, to save time renewing & protect privacy…

Thank you


#3

Thank you,

Example,

s.site.com ip: 192.168.1.220 httpD
p.site.com ip 192.168.1.158 TomCat

With the wildcard certificate, can I protect both cases?

<VirtualHost *:443>
    ServerName s.site.com
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile
    SSLCertificateKeyFile
    SSLCertificateChainFile
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.220:443
    ProxyPassReverse / https://s.site.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName p.site.com
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile
    SSLCertificateKeyFile
    SSLCertificateChainFile
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.158:443
    ProxyPassReverse / https://p.site.com/
</VirtualHost>


#4

Of course, you could use one single wildcard certificate to cover all subdomains. (*.site.com)

But please note that the only way to get the certificate is via DNS validation, which means you would need to use a compatible DNS provider in order to automate the process.

(Try acme.sh or certbot… On Unix systems, acme.sh usually covers more DNS providers than certbot…)

Thank you
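
An added example, not part of the original posts: a check of which reverse-proxy hostnames a `*.site.com` certificate actually covers. The wildcard stands for exactly one leftmost label, so it covers `s.site.com` and `p.site.com` but not the bare `site.com` or a deeper name such as `a.b.site.com`. The sample config is constructed; the third vhost and its names are assumptions added to show those limits.

```python
import re

# Constructed sample: the two ServerName values from the thread, plus an
# assumed third vhost (apex and nested name) to show what a wildcard misses.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName s.site.com
</VirtualHost>
<VirtualHost *:443>
    ServerName p.site.com
</VirtualHost>
<VirtualHost *:443>
    ServerName site.com
    ServerAlias a.b.site.com
</VirtualHost>
"""

def vhost_names(conf):
    """Return every ServerName/ServerAlias hostname found in an Apache config."""
    names = []
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", conf, re.M | re.I):
        names.extend(m.group(1).split())
    return [n.lower().rstrip(".") for n in names]

def san_matches(san, host):
    """Match one certificate SAN against a hostname (RFC 6125 style):
    '*' is honoured only as the whole leftmost label and stands for exactly
    one label, so it never matches the apex or a deeper subdomain."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return san_labels[1:] == host_labels[1:]
    return san_labels == host_labels

def coverage(conf, sans):
    """Map each vhost hostname to True/False: is it covered by any SAN?"""
    return {h: any(san_matches(s, h) for s in sans) for h in vhost_names(conf)}

if __name__ == "__main__":
    for host, ok in coverage(SAMPLE_CONF, ["*.site.com"]).items():
        print(f"{host:15} {'covered' if ok else 'NOT covered'}")
```

If the bare domain is also served through the proxy, it has to be requested as a second name on the same certificate alongside the wildcard.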

