I'm trying to establish a proxy setup with apache that securely supports SSL all the way through:
Client <--> Proxy @ somehostname.com <--> Server @ 123.45.67.89
Note that my proxy server has a hostname, but the remote server does not. The SSL setup between clients and the proxy works fine with a letsencrypt setup. However, I am struggling to secure the connection between the proxy and the remote server.
Because the remote server doesn't have a hostname, and letsencrypt doesn't issue certificates for IPs only, my idea was to generate a self-signed certificate and copy the certificate over to the proxy for it to only trust that one. Unfortunately I don't know how.
If I just disable these certificate checks, the connection works, as the proxy just trusts every certificate:
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
While encryption will work fine, to my understanding authenticity is compromised and I am subject to MitM attacks during the handshake. This is not ideal.
Instead, I've instructed Apache to trust my self-signed certificate with
SSLProxyCACertificateFile /path/to/cert.pem
and then tried to enforce a valid certificate with
SSLProxyVerify require
but despite me explicitly listing the certificate, and the documentation of SSLProxyCACertificateFile
saying "These are used for Remote Server Authentication", it seems to not trust it.
Is there a way to make sure the connection between the proxy and remote server is safe, for example by enforcing Apache to always connect to the proxy using that specific certificate?