Configure IBM HTTP Server as reverse proxy with SSL for the proxy only

Time:11-12

(This SO thread seems to be very similar, but does not answer my problem)

I have a loadbalancer listening on https://loadbalancerurl:443/ which terminates SSL and forwards requests to the IHS (IBM HTTP Server) on port 80. I need to configure the IHS as a reverse proxy, such that requests get forwarded to https://targeturl:443/

browser --443--> loadbalancer --80--> IHS --443--> target

The reason we need to do this on the IHS is that on that server we have direct and quick access to change the target url on demand, whereas the loadbalancer is out of our control.

This means that I need to activate SSL in the IHS, but only for the outgoing requests to the targeturl, not for the incoming requests.

Pages like this from IBM or this blog post assume that SSL is incoming and outgoing.

Here is the relevant code block of the httpd.conf file:

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
SSLProxyEngine on
<VirtualHost *:80>
  # ServerName webserverhostname # not needed so far
  # without SSLEnable I get "SSL0263W: SSL Connection attempted when SSL did not initialize."
  SSLEnable
  # without KeyFile I get "SSL0170E: GSK could not initialize, no keyfile specified."
  KeyFile store.kdb
  SSLStashFile store.sth
  ProxyPass / https://targeturl/
  ProxyPassReverse / https://targeturl/
</VirtualHost>
SSLDisable

where the store.kdb contains the CA certificates of the targeturl, as indicated in the SO thread.

However, the server continuously spits out the following error message:

SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file, or the specified label is not a 'personal certificate' (no private key). Label='(null)'

As far as I understand, this means that IHS is failing to handle incoming https traffic, which should not happen. It should not happen because the <VirtualHost *:80> specifies port 80, and also because any traffic that reaches the IHS has the SSL terminated by the loadbalancer.

Am I misunderstanding the error message? If not, how can I get this working?


Edit to show working solution:

LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
SSLProxyEngine on
<VirtualHost *:80>
  # ServerName webserverhostname # not needed so far
  # SSLEnable # this would activate SSL for incoming traffic
  # this contains the CA certificates of the target server
  KeyFile store.kdb
  # SSLStashFile store.sth # would only be needed for incoming SSL
  ProxyPass / https://targeturl/
  ProxyPassReverse / https://targeturl/
</VirtualHost>
# SSLDisable

CodePudding user response:

SSLEnable should not be present in a virtual host that doesn't actually handle inbound SSL.

SSLStashFile is also not needed. It is unfortunately named.

You should deep dive on the error_log entries you get in the config without these two. There is likely an early SSL error that does not fail startup. The only necessary config even without frontend SSL is just:

SSLProxyEngine on
ProxyPass / https://example.com/
KeyFile /path/to/key.kdb
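
A lint check for the setup discussed in this thread, as an added example (not part of the original posts and not IBM tooling): it flags SSLEnable in a virtual host on a plain-HTTP port and an https ProxyPass that lacks SSLProxyEngine on or a KeyFile. The function name, the PLAIN_HTTP_PORTS default and the sample configs are assumptions made for illustration; server-wide directives are treated as inherited by virtual hosts.

```python
import re

PLAIN_HTTP_PORTS = {"80"}  # assumption: ports where a front end already terminated TLS

def lint_ihs_proxy(conf_text, plain_ports=PLAIN_HTTP_PORTS):
    """Return warning strings for an httpd.conf that proxies to HTTPS back ends."""
    scopes = {"global": {}}          # scope name -> {directive (lowercase): [args]}
    scope = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scope = opened.group(1).strip()
            scopes.setdefault(scope, {})
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
        else:
            name, *args = line.split()
            scopes[scope].setdefault(name.lower(), []).extend(args)

    def effective(sc, directive):    # virtual-host setting, else the server-wide one
        return scopes[sc].get(directive) or scopes["global"].get(directive)

    warnings = []
    for sc, directives in scopes.items():
        port = sc.rsplit(":", 1)[-1]
        if "sslenable" in directives and port in plain_ports:
            warnings.append(f"{sc}: SSLEnable turns on inbound SSL on a plain-HTTP port")
        targets = directives.get("proxypass", [])
        if any(t.lower().startswith("https://") for t in targets):
            engine = effective(sc, "sslproxyengine") or []
            if [a.lower() for a in engine][-1:] != ["on"]:
                warnings.append(f"{sc}: https ProxyPass without SSLProxyEngine on")
            if not effective(sc, "keyfile"):
                warnings.append(f"{sc}: https ProxyPass without KeyFile")
    return warnings

# Constructed samples modelled on the two configs in the question.
BROKEN = """SSLProxyEngine on
<VirtualHost *:80>
  SSLEnable
  KeyFile store.kdb
  ProxyPass / https://targeturl/
</VirtualHost>"""
FIXED = BROKEN.replace("  SSLEnable\n", "")
```

`lint_ihs_proxy(BROKEN)` reports the SSLEnable line, and `lint_ihs_proxy(FIXED)` returns an empty list.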