Using Apache to simulate an SSL Load balancer

Posted by gvgvasgvsz vgzavzAvv on Monday, April 11, 2011

The numbers indicate the TCP port used on the server side. All of the red lines are HTTP. The green line (from OHS to the OAM Server) is the OAM NAP protocol.

SSLProxyEngine on

<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

RewriteEngine on
# Pass the browser's original Host header through to the back end
ProxyPreserveHost on

NameVirtualHost *:443

<VirtualHost *:443>
    ServerName login.oracledemo.com

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /home/oracle/simpleCA/login.oracledemo.com.crt
    SSLCertificateKeyFile /home/oracle/simpleCA/login.oracledemo.com.key

    ProxyPass / http://localhost:14100/
    ProxyPassReverse / http://localhost:14100/
</VirtualHost>

<VirtualHost *:443>
    ServerName idm11g.oracledemo.com

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /home/oracle/simpleCA/idm11g.oracledemo.com.crt
    SSLCertificateKeyFile /home/oracle/simpleCA/idm11g.oracledemo.com.key

    # Add an "IS_SSL: ssl" header to every request forwarded to the back end
    RequestHeader set IS_SSL ssl

    ProxyPass / http://localhost:7777/
    ProxyPassReverse / http://localhost:7777/
</VirtualHost>

There are a couple of interesting bits in that configuration...

First, when you use mod_proxy, Apache uses the host name from the URL specified in ProxyPass when it talks to the back-end server. In this case, that means the OHS server would see a request with a Host header of "localhost:7777", which can confuse the application and isn't at all what a conventional load balancer would do. Adding "ProxyPreserveHost on" to the configuration makes mod_proxy use the same name when it talks to the back-end server (again, OHS in my case) as the browser sent in the original request.
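To check a proxy configuration for this behaviour before deploying it, the following added example (not from the original post) parses the proxy directives and reports which Host header each back end will receive. The function name and the trimmed sample configuration are constructed for illustration, and the script assumes the browser's Host header equals the virtual host's ServerName.

```python
from urllib.parse import urlsplit

# Constructed sample: the page's two virtual hosts, reduced to the proxy directives.
SAMPLE = """\
ProxyPreserveHost on
<VirtualHost *:443>
    ServerName login.oracledemo.com
    ProxyPass / http://localhost:14100/
</VirtualHost>
<VirtualHost *:443>
    ServerName idm11g.oracledemo.com
    ProxyPass / http://localhost:7777/
</VirtualHost>
"""

def backend_host_headers(conf):
    """List (ServerName, backend, Host header the backend sees) per vhost ProxyPass."""
    global_preserve = False      # Apache's default is ProxyPreserveHost off
    vhosts, current = [], None
    for raw in conf.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        name, args = words[0].lower(), words[1:]   # directive names are case-insensitive
        if name.startswith("<virtualhost"):
            current = {"server": None, "preserve": None, "targets": []}
            vhosts.append(current)
        elif name == "</virtualhost>":
            current = None
        elif name == "proxypreservehost" and args:
            on = args[0].lower() == "on"
            if current is None:
                global_preserve = on
            else:
                current["preserve"] = on
        elif current is not None and name == "servername" and args:
            current["server"] = args[0]
        elif current is not None and name == "proxypass" and len(args) >= 2 and args[1] != "!":
            current["targets"].append(urlsplit(args[1]).netloc)
    rows = []
    for vh in vhosts:
        # Resolved after the full parse: a vhost inherits the server-wide value
        # even when that directive appears later in the file.
        preserve = global_preserve if vh["preserve"] is None else vh["preserve"]
        for backend in vh["targets"]:
            # Assumption: the client sent Host equal to the vhost's ServerName.
            rows.append((vh["server"], backend, vh["server"] if preserve else backend))
    return rows

if __name__ == "__main__":
    for server, backend, host in backend_host_headers(SAMPLE):
        print(f"{server} -> {backend}: backend sees Host: {host}")
```

Any row whose third field is the back-end address rather than the public name marks a virtual host where the application will see "localhost:port" as its own host name.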


Courtesy: http://fusionsecurity.blogspot.com/2011/04/using-apache-to-simulate-ssl-load.html
