Apache reverse proxy preserving ssl

Solution 1:

If I understood you correctly "endpoint" means the browser client? ("endpoint" usually means a web service endpoint, not the service consumer...)

"Classic" HTTPS would not even allow the scenario you wish to happen. The hostname gets translated via DNS into ip:port(443) of the webserver and then TLS happens, which in early days did completely encrypt the hostname. So your apache, as a man-in-the-middle, would not be able to ever find out which hostname/domainname was requested without owning the certificate and decrypting the TLS traffic.

However, as so often happens, costs (limited public IP ranges) trump principled security. So TLS grew an extension called SNI (codified in a 2003 RFC), which many people now rely on, that allows the server to select the right server certificate.

My recommendation

...would be, since you already mentioned that everything works with HTTP, to set up an nginx in front of Apache as an HTTPS endpoint...

endpoint <-- front_nginx signed --> front_nginx <-- HTTP --> Apache <-- HTTP --> target_nginx

... and do the SSL migration as a last step from the front-nginx to the target-nginx, derezzing Apache afterwards.

Using SNI

If you want to rely on SNI (which, admittedly, you are probably already doing with your virtual host setup), it might be enough to enable mod_proxy_connect and disable SSLProxyEngine. Best to remove the SSL certificates from Apache, just to be sure it passes connections through transparently for testing.

Here is this scenario documented using haproxy: Can a Reverse Proxy use SNI with SSL pass through?

I have never tried this, so I have no details. Maybe the links I provided help you further.

[Edit:] addendum

(Sorry for the many edits!) Thank you for this question, it made me stumble upon this: https://github.com/Lochnair/xt_tls

which might solve your problem and enable some tricks for me...
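Added illustration (not part of the answer above, and not code from haproxy, nginx or xt_tls): what makes SNI-based pass-through possible is that the server_name extension sits in the cleartext ClientHello, so a front proxy or a netfilter match can read the hostname without holding the certificate or decrypting anything. The script below builds a constructed ClientHello, pulls the SNI out of it with a minimal parser, and picks a backend the way a pass-through proxy would. The hostnames and backend addresses are hypothetical. A ClientHello with no extensions block (the pre-SNI "classic" case) yields None, which is exactly the situation in which an intermediary cannot tell which site was requested.

```python
import struct

# Hypothetical SNI -> backend table, as a pass-through proxy would keep it.
BACKENDS = {
    "www.example.com": ("10.0.0.10", 443),
    "api.example.com": ("10.0.0.11", 443),
}


def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello record (a synthetic sample, not a capture).
    With sni=None the extensions block is omitted, like a pre-SNI client."""
    body = b"\x03\x03" + b"\x11" * 32          # client_version + 32 bytes of (fixed) random
    body += b"\x00"                             # empty session_id
    body += struct.pack(">H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
    body += b"\x01\x00"                         # one compression method: null
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack(">H", len(entry)) + entry
        exts = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list  # server_name extension
        exts += struct.pack(">HH", 0x000d, 4) + b"\x00\x02\x04\x01"  # signature_algorithms, to be skipped
        body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # record: handshake, TLS 1.0 legacy version


def _need(buf, pos, n):
    """Bounds check so malformed input raises ValueError instead of IndexError."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def extract_sni(data):
    """Return the host_name from the server_name extension of a ClientHello, or None if absent."""
    _need(data, 0, 5)
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    _need(data, 5, rec_len)
    hs = data[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                # skip client_version and random
    _need(body, pos, 1)
    pos += 1 + body[pos]                        # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                        # compression_methods
    if pos + 2 > len(body):
        return None                             # no extensions block at all: hostname not on the wire
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    _need(body, pos, ext_len)
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue                            # not server_name; skip it
        _need(edata, 0, 2)
        list_end = 2 + struct.unpack(">H", edata[:2])[0]
        p = 2
        while p + 3 <= list_end:
            name_type = edata[p]
            name_len = struct.unpack(">H", edata[p + 1:p + 3])[0]
            p += 3
            _need(edata, p, name_len)
            name = edata[p:p + name_len]
            p += name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def choose_backend(client_hello, default=None):
    """Routing decision of an SNI pass-through proxy: pick a backend by hostname, else default."""
    sni = extract_sni(client_hello)
    if sni is None:
        return default
    return BACKENDS.get(sni.lower(), default)


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(extract_sni(build_client_hello(None)))                # None
    print(choose_backend(build_client_hello("api.example.com")))
```

The parser only ever reads record and handshake framing, never key material, which is the whole point: a pass-through proxy makes its routing decision before a single encrypted byte exists, and then simply copies the TCP stream to the chosen backend. Note that it routes on the first ClientHello only; a client that omits SNI (or, in the future, uses encrypted ClientHello) falls through to the default backend, so that default needs a deliberate choice rather than being left to whichever vhost happens to come first.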