Apache reverse-proxy to Nginx

I had a Nginx webserver that was behind a firewall, at the same time some external developers needed to access the website. I already had an Apache webserver exposed to Internet, so I thought I could just easily set up a reverse-proxy on the Apache server towards the Nginx webserver.

My first vhost was like this:

<VirtualHost my-apache.server.no:443>
    ServerName my-apache.server.no
    SSLProxyEngine on
    ProxyPass / https://nginx-server.no/
    ProxyPassReverse / https://nginx-server.no/
    Include conf.d/ssl.inc
</VirtualHost>

But this just ended with the following error:

SSL Proxy requested for my-apache.server.no:443 but not enabled
Error during SSL Handshake with remote server

I looked into error log files both on the Apache and Nginx server, but couldn’t really find anything. After searching online and some help from ChatGPT, I found the solution. Adding some few lines to the vhost solved it:

<VirtualHost my-apache.server.no:443>
    ServerName my-apache.server.no
    SSLProxyEngine on

    ProxyPreserveHost Off
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    ProxyRequests Off

    ProxyPass / https://nginx-server.no/
    ProxyPassReverse / https://nginx-server.no/
    Include conf.d/ssl.inc
</VirtualHost>

And it breaks down to this explanation:

  • .SSLProxyEngine on: Enables SSL proxy support for the virtual host.
  • ProxyPreserveHost Off: Disables preserving the original host header in proxied requests. This is useful when the backend server expects requests to have its own host header.
  • SSLProxyVerify none: Disables SSL certificate verification for the upstream server. Use with caution as it disables SSL security checks.
  • SSLProxyCheckPeerName off: Disables checking the peer’s SSL certificate name against the hostname being requested. Use with caution as it can potentially expose you to security risks.
  • ProxyRequests Off: Disables the ability to forward requests using the proxy.

One thought on “Apache reverse-proxy to Nginx

Leave a Reply

Your email address will not be published. Required fields are marked *