
[Solved] SSL certificate pass-through

Added by bwechner over 6 years ago

I have a problem with an SSL certificate pass-through. Here's the setup:

1) an openWRT router that is running lighttpd (and firewall)
2) a webserver behind that router with a web site that has its own SSL certificate

Now if I do a 443 port forward from the router to the webserver all is good.

If however I do a proxy with:

$HTTP["host"] == "mydomain.tld" {
      proxy.server  = ( "" => ( ( "host" => "webserverip" ) ) )
}

then the router delivers not the webserver's certificate but one of its own!

It seems the SSL handshake and certificate handover happen before the proxy forward.

Is there a way to configure SSL certificate pass-through, so the request reaches the webserver and the webserver delivers its certificate? The webserver does so fine with a 443 port forward from the router, just not when lighttpd proxies.

Given it works well it's probably not relevant, but the setup on the web server is:

$HTTP["host"] =~ "mydomain.tld" {
        server.name             = "mydomain.tld"
        server.document-root    = "/var/www/html/mydomain.tld"

        $SERVER["socket"] == ":443" {
                ssl.engine              = "enable"
                ssl.ca-file             = "/etc/letsencrypt/live/mydomain.tld/chain.pem"
                ssl.pemfile             = "/etc/letsencrypt/live/mydomain.tld/combined.pem"
                ssl.honor-cipher-order  = "enable"
                ssl.use-sslv2           = "disable"
                ssl.use-sslv3           = "disable"
        }

        url.rewrite-once = ( "^/favicon\.ico$" => "/static/favicon.ico" )

        $HTTP["url"] !~ "^/static/" {
                scgi.protocol = "uwsgi"
                scgi.server = ( "/" => (( "socket" => "/var/run/lighttpd/uwsgi.socket-0", "check-local" => "disable" )), )
        }
}

I'm guessing I could configure lighttpd on the router to deliver the certificate but I'd rather keep the certificate config on the webserver for compartmentalization.

Is that possible?


Replies (4)

RE: SSL certificate pass-through - Added by gstrauss over 6 years ago

Since you want to keep the certificate config on the web server (not the router), yes, you want to do what works, which is a port forward on the router. Why are you even considering anything else?

RE: SSL certificate pass-through - Added by bwechner over 6 years ago

Simple, because I host a number of domains on the one IP address, that's why. And lighttpd on the router forwards them to different LAN servers like so:

$HTTP["host"] == "mydomain1" {
      proxy.server  = ( "" => ( ( "host" => "192.168.0.2" ) ) )
}

$HTTP["host"] == "mydomain2" {
      proxy.server  = ( "" => ( ( "host" => "192.168.0.3" ) ) )
}

$HTTP["host"] == "mydomain3" {
      proxy.server  = ( "" => ( ( "host" => "192.168.0.4" ) ) )
}

$HTTP["host"] == "mydomain4" {
      proxy.server  = ( "" => ( ( "host" => "192.168.0.5" ) ) )
}

$HTTP["host"] == "mydomain5" {
      proxy.server  = ( "" => ( ( "host" => "192.168.0.6" ) ) )
}

And so the router farms out requests to different webservers.

I have in the interim copied the certificate to the router and have it serving the certificate then proxying to the webserver. But it's not ideal; to my mind the certificate and responsibility for managing it and so on belongs with the website on the server responsible and not on the router. So in the interim I'll have to script a publisher to publish renewed certificates to the router again.

It would seem that certificate pass-through is a desirable feature and mentioned online a fair bit it seems with other servers.

I'd love to achieve it with lighttpd on this router.

An option of course is to have the router forward 80 and 443 to the webserver and have it do these proxy farmouts to other servers as needed. I'm slowly seeing plenty of options, but am surprised at how tricky it's been coming up with them after the (naive) assumption that certificate delivery passed through the proxy.server thing as does the rest of the website. But alas no.

RE: SSL certificate pass-through - Added by gstrauss over 6 years ago

An option of course is to have the router forward 80 and 443 to the webserver and have it do these proxy farmouts to other servers as needed.

That's the only way it will work since you are serving multiple SSL sites from the same IP address.

When using the same IP address to serve multiple SSL/TLS sites (each with a potentially different certificate), lighttpd (or any other webserver) gets the Host via SNI extension (server name indication) to SSL/TLS, which occurs during the certificate exchange. You need a valid certificate (even if a wildcard cert) before you'll find out the precise Host in the request.

Also, please note that lighttpd does not currently proxy SSL to backend servers. lighttpd can terminate an SSL connection and will proxy the request to a backend server via HTTP, not HTTPS.

RE: [Solved] SSL certificate pass-through - Added by gstrauss over 6 years ago

I stand corrected. It is possible to get SNI hostname without the certificate.
https://serverfault.com/questions/625362/can-a-reverse-proxy-use-sni-with-ssl-pass-through#625364

This is not something currently supported in lighttpd.
