Today I have faced a challenging situation. I needed to strip SSL from HTTP request to on of our servers platform and send it to another server without SSL. We use little tip as using Apache mod_proxy to implement this functionality.
We need to have apache with:
1. DSO support compiled (with mod_proxy support)
2. SSL certificate
3. configuration for Virtual Hosting
4. configuration for mod_proxy
By default our apache installations are with version 2.2.3 and we have support for DSO, this means if we have mod_proxy compiled for Apache 2.2.3 we can use without recompiling Apache from source and just put it in /usr/local/apache2/modules . If you need to compile new Apache instance we need to use configure options as follow:
./configure —enable–mods–shared=all —enable–so —enable–ssl —enable–proxy–connect —enable–proxy–http \
Next step is to generate a new SSL certificate. If you are not sure what you are doing I would recommend that you read these two articles first.
Anyway briefly this is what you need to do:
openssl req –new > new.cert.csr
openssl rsa –in privkey.pem –out new.cert.key
openssl x509 –in new.cert.csr –out new.cert.cert –req –signkey new.cert.key –days 365
cp new.cert.cert /usr/local/apache2/conf/ssl/server.crt
cp new.cert.key /usr/local/apache2/conf/ssl/server.key
We need to make some minor changes in httpd configuration before apache we go with with SSL support.
Open up Apache config file with your favorite editor.
You need to uncomment the line
# Include conf/extra/httpd-ssl.conf
Then we can start with httpd.conf and httpd-ssl.conf configurations.
By default we need to have at least 2 virtual hosts one for HTTP and second for HTTPS.
So, in httpd.conf after line
At the end of httpd.conf we need to add a a Virtual Host configuration which will process HTTP requests. You can use something like this:
ServerName # after ServerName we need to add some server name here usualy IP address or hostname
This is the end of part one of Strip SSL with Apache mod_proxy tutorial. Part two is available here: Strip SSL with Apache mod_proxy part two