
I have an Ubuntu 14 LTS / Apache 2.4 server with mod_proxy/mod_rewrite configured for use as a reverse proxy. One of the servers on the backside is too old to support TLS. I would like to disable SSL as an option for clients communicating with the proxy on the front side while still allowing the proxy to communicate with the old server using SSL on the back side.

Is this possible?


The solution is actually embarrassingly simple.

The cipher/protocol settings for how clients can connect to the reverse proxy do not affect how the reverse proxy negotiates a connection to a back-end server.

In other words, I was able to disable SSL and harden the ciphers on the reverse proxy, and the reverse proxy was still able to use the weaker protocols to connect to the old back-end server.

For the curious, these are the settings I used in the /etc/apache2/mods-enabled/ssl.conf file on my Ubuntu 14.04 LTS server running Apache 2.4.7 to disable SSL and harden the ciphers used:

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder On
SSLProtocol all -SSLv3
# NOTE: Do not add -SSLv2 as some sites suggest (It's already not supported)
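The answer above only shows the front-side directives. The following is an added example (not the original poster's configuration) that puts both halves side by side: the hardened SSLProtocol/SSLCipherSuite that govern what clients may negotiate with the proxy, and the separate mod_ssl SSLProxy* directives that govern the proxy's own outbound connection to the legacy back end. Host names, certificate paths, the /legacy/ URL prefix and the site file name are placeholders. The cipher list drops the 3DES entries from the answer's list, since 64-bit block ciphers are no longer considered safe for bulk traffic; the back-end section deliberately re-enables SSLv3 because that is the only protocol the old server speaks, and it pins certificate verification so the weakened hop is at least authenticated.

```apache
# Added example, not the original poster's configuration.
# Placeholders: proxy.example.com, legacy.internal.example, certificate paths.

# --- Front side (e.g. /etc/apache2/mods-enabled/ssl.conf) ---
# These control what clients may negotiate with the proxy. They have no
# effect on the proxy's own connections to back ends.
SSLProtocol          all -SSLv3
SSLHonorCipherOrder  On
SSLCipherSuite       ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

# --- Site definition (e.g. /etc/apache2/sites-enabled/proxy.conf, placeholder) ---
<VirtualHost *:443>
    # Placeholder host name and certificate paths.
    ServerName            proxy.example.com
    SSLEngine             On
    SSLCertificateFile    /etc/ssl/certs/proxy.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.com.key

    # --- Back side: the proxy acting as a TLS/SSL client ---
    # SSLProxy* directives are independent of SSLProtocol/SSLCipherSuite above.
    SSLProxyEngine        On
    # The legacy server speaks only SSLv3, so allow it on this hop and nowhere
    # else. SSLv3 is still exposed to POODLE; treat this as a stopgap.
    SSLProxyProtocol      SSLv3
    SSLProxyCipherSuite   HIGH:!aNULL:!MD5
    # Verify the back end's certificate against a pinned CA so the weakened
    # hop is at least authenticated rather than trusting any peer.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/certs/legacy-backend-ca.pem
    SSLProxyCheckPeerName     On

    # Placeholder path prefix and back-end address.
    ProxyPass        /legacy/ https://legacy.internal.example:443/
    ProxyPassReverse /legacy/ https://legacy.internal.example:443/
</VirtualHost>

# Checks to run from a client host after reloading Apache:
#   openssl s_client -connect proxy.example.com:443 -ssl3
#       -> handshake must fail (SSLv3 disabled on the front side)
#   openssl s_client -connect proxy.example.com:443 -tls1_2
#       -> handshake succeeds and shows one of the listed ciphers
```

Reload with `apachectl configtest` followed by `service apache2 reload`; if the back end also presents a certificate whose name does not match the ProxyPass host, SSLProxyCheckPeerName will refuse the connection, which is the correct failure mode to surface rather than silently trusting it.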
