Forum

SSL certificate question

Fred
10 February 2016, 11:49
Hi Hugo,
I am going through https://www.hiawatha-webserver.org/howto/bindings on how to deal with TLS certificates and I have three questions.
Q1:
When generating a self-signed serverkey.pem, we need to follow this order:
-----BEGIN RSA PRIVATE KEY-----
[webserver private key]
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
[webserver certificate]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[optional intermediate CA certificate]
-----END CERTIFICATE-----


How can we control this order when the certificate is issued by Comodo? Does it still matter then?

Q2:
I use Hiawatha as a proxy on one server to redirect www to another server
VirtualHost {
Hostname = www.firstdomain.com, firstdomain.com, *.firstdomain.com
ReverseProxy .* https://10.20.72.27/
AccessLogfile = /var/log/hiawatha/firstdomain.access.log
ErrorLogfile = /var/log/hiawatha/firstdomain.error.log
WebsiteRoot = /var/www/empty
}

VirtualHost {
Hostname = www.secondomain.com, secondomain.com, *.secondomain.com
ReverseProxy .* https://10.20.72.29/
AccessLogfile = /var/log/hiawatha/secondomain.access.log
ErrorLogfile = /var/log/hiawatha/secondomain.error.log
WebsiteRoot = /var/www/empty
}

if I want to use
VirtualHost {
...
RequireTLS = yes
}

Do I put this code on the proxy VirtualHost config or the actual web server that has the webroot?

Q3: Do I need to have a TLScertFile for the proxy in order to be able to https: to the other domain?

I hope I explained myself well enough.
Fred
10 February 2016, 18:32
Hi Hugo,

Managed to answer my Q1 above, but would really appreciate some help with Q2 and Q3.
Thank you
Hugo Leisink
10 February 2016, 18:45
Q2: The proxy is the one the client connects to. If you want that connection to be secure, the proxy should offer HTTPS. All TLS configuration should be done at the proxy.

Q3: If you want the connection between the proxy and the final webserver also to be secure, the final webserver should also have a TLS certificate.
Fred
10 February 2016, 20:32
Hugo,

At the moment the proxy has a self-signed certificate:
Binding {
Port = 443
Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,30
TLScertFile = /usr/local/etc/hiawatha/ssl/serverkey.pem
MaxRequestSize = 512
#MaxRequestSize = 2000
#MaxUploadSize = 2
}

Do I need to add all my domain certificates to the 443 Binding?
Or is just adding the
VirtualHost {
...
RequireTLS = yes
TLScertFile = /usr/local/etc/hiawatha/ssl/myserver.key
}
to all the VirtualHosts in the proxy enough?
Fred
11 February 2016, 00:00
I cannot seem to understand how I can tell the proxy where to find the certificate in the Binding section of the proxy.
Hugo Leisink
11 February 2016, 07:20
At the proxy, you have to add the certificate (via the TLScertFile option) to the virtual host section (where the ReverseProxy option is).
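The two-hop layout Hugo describes in his two answers above (TLS for the client at the proxy, a second certificate at the final webserver if that hop should be encrypted too), as an added illustration that is not configuration from this thread or from the Hiawatha documentation. It uses only options that already appear in the thread; the IP addresses, hostnames and file paths are placeholders, and each .pem file is assumed to be a combined key + certificate + intermediate file in the order the howto gives.

```hiawatha
# ===== proxy: the host the browser actually connects to =====
MinTLSversion = 1.2
DHsize = 4096

Binding {
  Port = 443
  Interface = MyIPv4
  # fallback certificate for this binding; per-site certificates live in the VirtualHosts
  TLScertFile = /usr/local/etc/hiawatha/ssl/serverkey.pem
}

VirtualHost {
  Hostname = www.firstdomain.com, firstdomain.com
  WebsiteRoot = /var/www/empty
  # redirect plain http to https and send an HSTS header valid for one year
  RequireTLS = yes,31536000
  # certificate the proxy presents for these hostnames (key, cert, intermediate)
  TLScertFile = /usr/local/etc/hiawatha/ssl/firstdomain.pem
  # https:// here is what makes the proxy-to-backend hop encrypted as well
  ReverseProxy .* https://10.20.72.27/
  AccessLogfile = /var/log/hiawatha/firstdomain.access.log
  ErrorLogfile = /var/log/hiawatha/firstdomain.error.log
}

# ===== final webserver (10.20.72.27): needs its own TLS binding for that second hop =====
Binding {
  Port = 443
  Interface = MyIPv4
  TLScertFile = /usr/local/etc/hiawatha/ssl/firstdomain.pem
}

VirtualHost {
  Hostname = www.firstdomain.com, firstdomain.com
  WebsiteRoot = /usr/local/www/firstdomain/httpdocs
  TLScertFile = /usr/local/etc/hiawatha/ssl/firstdomain.pem
  AccessLogfile = /var/log/hiawatha/firstdomain.access.log
  ErrorLogfile = /var/log/hiawatha/firstdomain.error.log
}
```

With `ReverseProxy .* http://...` instead of `https://...` the browser's connection is still encrypted, but everything between the proxy and 10.20.72.27 travels in clear text. Whether the proxy verifies the backend's certificate when proxying over https:// is not covered in this thread; check the Hiawatha manual for the version in use before relying on that hop for more than confidentiality on the wire.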
Fred
11 February 2016, 11:56
Hi Hugo,

OK, I am starting to understand more of this SSL business..
I managed to get it working by setting up all the SSL settings at the proxy level...
Now you said that
Q3: If you want the connection between the proxy and the final webserver also to be secure, the final webserver should also have a TLS certificate.

So I added this code to the web server (not proxy) and restarted hiawatha
Binding {
Port = 443
Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,30
TLScertFile = /usr/local/etc/hiawatha/ssl/serverkey.pem
MaxRequestSize = 512
}

VirtualHost {
...
RequireTLS = yes
TLScertFile = /usr/local/etc/hiawatha/ssl/myserver.key
...
}

When I tried to access it via https://, the page didn't load.
Have I misunderstood you?
Hugo Leisink
11 February 2016, 12:08
Does the final webserver have the right TLS settings? What if you connect to the final webserver directly, thus without the reverse proxy?
Fred
11 February 2016, 13:28
Hi Hugo,
A direct connection to the web server on port 80 is all good, but port 443 is not bringing the page at all..
I tried to compare the settings of the proxy server with the settings of the end webserver, but I couldn't see the problem.
Would you mind taking a look?
Proxy setting:
set LOCALHOST = 127.0.0.0/8
set MyIPv4 = 81.514.xx.xx
set TrustedIP_1 = 91.6.xx.xxx # Headquarters
set TrustedIP_2 = 82.34.xxx.xxx # Office


# GENERAL SETTINGS
#
ServerString = Hiawatha
ServerId = www:www
ConnectionsTotal = 4096
ConnectionsPerIP = 25
ThreadPoolSize = 128
ThreadKillRate = 8
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
CacheSize = 512
CacheMaxFilesize = 512
CacheRProxyExtensions = css, eot, gif, html, htm, ico, jpg, jpeg, js, otf, png, svg, swf, ttf, txt, woff, woff2
MaxUrlLength = 1200
MinTLSversion = 1.2
DHsize = 4096
SocketSendTimeout = 30

LogfileMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2
RequestLimitMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnMaxPerIP = 60
BanOnMaxReqSize = 300
BanOnWrongPassword = 6:900
BanOnSQLi = 3600
KickOnBan = yes
RebanDuringBan = yes
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2


# COMMON GATEWAY INTERFACE (CGI) SETTINGS
# These settings can be used to run CGI applications.
#
#CGIhandler = /usr/local/bin/perl:pl
#CGIhandler = /usr/local/bin/php-cgi:php
#CGIhandler = /usr/local/bin/python:py
#CGIhandler = /usr/local/bin/ruby:rb
#CGIhandler = /usr/local/bin/ssi-cgi:shtml
#CGIextension = cgi
#
#FastCGIserver {
# FastCGIid = PHP5
# ConnectTo = 127.0.0.1:2005
# Extension = php
#}


# DEFAULT WEBSITE
# It is wise to use your IP address as the hostname of the default website
# and give it a blank webpage. By doing so, automated webscanners won't find
# your possible vulnerable website.
#
Hostname = 127.0.0.1
WebsiteRoot = /usr/local/www/hiawatha
StartFile = index.html
CustomHeader = X-Frame-Options: DENY
AccessLogfile = /var/log/hiawatha/access.log
ErrorLogfile = /var/log/hiawatha/error.log
ErrorHandler = 404:/error.cgi

Binding {
Port = 80
#Interface = MyIPv4
MaxKeepAlive = 32
TimeForRequest = 3,10
MaxRequestSize = 16000
MaxUploadSize = 16
}
Binding {
Port = 443
Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,30
TLScertFile = /usr/local/etc/hiawatha/ssl/serverkey.pem
MaxRequestSize = 512
#MaxRequestSize = 2000
#MaxUploadSize = 2
}

VirtualHost {
Hostname = www.mydomain.co.uk, mydomain.co.uk, *.mydomain.co.uk
WebsiteRoot = /var/www/empty
StartFile = index.shtml
#RequireTLS = yes,31536000
TLScertFile = /usr/local/etc/hiawatha/ssl/mydomain.key
ExecuteCGI = yes
PreventXSS = yes
PreventCSRF = yes
PreventSQLi = yes
RandomHeader = 512
ReverseProxy .* http://10.20.72.27:80 30 keep-alive
#LoginMessage = scanner.example.tld
#PasswordFile = digest:/srv/www/digest/scanner.digest
AccessLogfile = /var/log/hiawatha/mydomain.access.log
ErrorLogfile = /var/log/hiawatha/mydomain.error.log
}

Note: serverkey.pem is a self-signed cert
mydomain server setting:
set LOCALHOST = 127.0.0.0/8
set MyIPv4 = 10.20.72.27
set TrustedIP_1 = 91.6.xx.xxx # Headquarters
set TrustedIP_2 = 82.34.xxx.xxx # Office
set TrustedIP_3 = 81.514.xx.xx # proxy server

# GENERAL SETTINGS
#
ServerString = Hiawatha
ServerId = www:www
ConnectionsTotal = 4096
ConnectionsPerIP = 32
SystemLogfile = /var/log/hiawatha/system.log
GarbageLogfile = /var/log/hiawatha/garbage.log
ThreadKillRate = 10
CacheSize = 8
CacheMaxFilesize = 512
MaxUrlLength = 1000
MinTLSversion = 1.2
DHsize = 4096
SocketSendTimeout = 30

LogfileMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3
RequestLimitMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3

Binding {
Port = 80
Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,15
MaxRequestSize = 2000
MaxUploadSize = 2
}

Binding {
Port = 443
Interface = MyIPv4
MaxKeepAlive = 100
TimeForRequest = 5,15
TLScertFile = /usr/local/etc/hiawatha/ssl/mydomain.key
MaxRequestSize = 2000
MaxUploadSize = 2
}

# BANNING SETTINGS
# Deny service to clients who misbehave.
#
BanOnGarbage = 300
BanOnInvalidURL = 60
BanOnMaxPerIP = 15
BanOnMaxReqSize = 300
BanOnWrongPassword = 3:900
BanOnSQLi = 3600
KickOnBan = yes
RebanDuringBan = yes
BanlistMask = deny LOCALHOST, deny MyIPv4, deny TrustedIP_1, deny TrustedIP_2, deny TrustedIP_3
ChallengeClient = 768, javascript, 15

# COMMON GATEWAY INTERFACE (CGI) SETTINGS
#
CGIhandler = /usr/local/bin/ssi-cgi:shtml

# DEFAULT WEBSITE
# Use IP address as the hostname of the default website and give it a blank webpage.
# By doing so, automated webscanners won't find the possible vulnerable website.
#
Hostname = 127.0.0.1
WebsiteRoot = /usr/local/www/hiawatha
StartFile = index.html
AccessLogfile = /usr/local/www/default/logs/default.access.log
ErrorLogfile = /usr/local/www/default/logs/default.error.log
#ErrorHandler = 404:/error.cgi

VirtualHost {
Hostname = mydomain.co.uk, www.mydomain.co.uk
WebsiteRoot = /usr/local/www/development/httpdocs
StartFile = index.shtml
#RequireTLS = yes
TLScertFile = /usr/local/etc/hiawatha/ssl/mydomain.key
AccessLogfile = /usr/local/www/development/logs/default.access.log
ErrorLogfile = /usr/local/www/development/logs/default.error.log
TimeForCGI = 15
DenyBody = ^.*%3Cscript.*%3C%2Fscript%3E.*$
ExecuteCGI = yes
PreventCSRF = yes
PreventSQLi = yes
PreventXSS = yes
}

Note: mydomain.key is a proper certificate issued by a CA

Thank you in advance
Hugo Leisink
11 February 2016, 13:44
port 443 is not bringing the page at all

So, the problem is not the reverse proxy, but the application at your final webserver. I think you should fix that one first before dealing with the reverse proxy.
Fred
11 February 2016, 13:51
Hi,
This is what I am trying to do..
I am not using the proxy at the moment.
I am connected directly to the mydomain.co.uk server..
I cannot see where the problem is, as the settings on the mydomain.co.uk server are the same as on the proxy.
Please look at the settings in the previous post.
Really stuck here and need a second pair of eyes.
Hugo Leisink
11 February 2016, 13:54
What happens when connecting to port 443? The browser must give some kind of (error) message.
Fred
11 February 2016, 14:31
Microsoft Explorer
Hmm, we can't reach this page.

Try this
•Make sure you’ve got the right web address: https://mydomain.co.uk
•Refresh the page
•Search for what you want

Firefox
The connection has timed out

The server at mydomain.co.uk is taking too long to respond.

The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

The Hiawatha default.error.log and default.access.log haven't had any entries since the proxy was removed.
I don't really know why, as traffic via port 80 is working, so I would expect the access file to be updated.
Hugo Leisink
11 February 2016, 14:37
Firewall issue? Try a simple telnet or netcat to that port.
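Hugo's "telnet or netcat" suggestion, as an added example that is not from this thread: a small script that does the same probe but names the three outcomes a browser's "can't reach this page" hides. The key point for Fred's case is that a connection that is refused means nothing is bound to the port (look at the Binding section), while a connection that times out means the packets never reach Hiawatha at all (firewall, or a pf rdr sending port 443 somewhere else). The script uses bash's /dev/tcp pseudo-device and coreutils timeout(1), so it works where nc is not installed; the openssl step is optional. Host, port and timeout values are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Probe a TCP port the way telnet/nc would,
# but report which of three things happened:
#   open     three-way handshake completed, a listener is there (test TLS next)
#   refused  RST came back, nothing is bound to that address:port
#            -> check Binding { Port = 443 / Interface = ... } on the server
#   timeout  no answer at all, packets are dropped or redirected on the way
#            -> packet filter (pf/iptables) or an rdr rule, not the webserver

# classify_connect_rc RC: map the exit status of the timed connect to a verdict.
classify_connect_rc() {
  case "$1" in
    0)   echo open ;;
    124) echo timeout ;;   # timeout(1) exits 124 when it had to kill the child
    *)   echo refused ;;   # connect() failed before the deadline (RST, unreachable, ...)
  esac
}

# probe_port HOST PORT [SECONDS]: print open|refused|timeout.
# Exit status: 0 open, 1 refused, 2 timeout.
probe_port() {
  host=$1; port=$2; secs=${3:-3}
  # "exec 3<>/dev/tcp/H/P" makes bash open a TCP socket on fd 3; the child
  # exits as soon as connect() succeeds or fails, so its status is the verdict.
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  verdict=$(classify_connect_rc $?)
  echo "$verdict"
  case "$verdict" in open) return 0 ;; refused) return 1 ;; *) return 2 ;; esac
}

# tls_peek HOST [PORT]: once the port is open, show which certificate is served
# for that hostname (SNI). Optional; needs openssl on the probing machine.
tls_peek() {
  host=$1; port=${2:-443}
  command -v openssl >/dev/null || { echo "openssl not installed, skipping TLS check" >&2; return 0; }
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# Demo: probe 80 and 443 on the given host (default: this machine, placeholder).
target=${1:-127.0.0.1}
for p in 80 443; do
  printf '%s:%s -> ' "$target" "$p"
  if probe_port "$target" "$p" && [ "$p" -eq 443 ]; then
    tls_peek "$target" "$p"
  fi
done
```

Run it from a machine outside the server's own packet filter (`./probe.sh mydomain.co.uk`): a probe from localhost never crosses the rule that is dropping or redirecting the traffic, which is why port 80 and 443 can look identical from the server itself while only 80 works from the internet.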
Fred
11 February 2016, 14:59
... you are a genius.
Redirection issue with pf, thank you very much.

Last question...
In which part (order) does the root certificate go?
Is it after the intermediate CA certificate?
Hugo Leisink
11 February 2016, 15:02
I know. Good to hear it's solved now.

The root certificate is not required in the PEM file, because it should already be present in the browser.
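An added example that is not from the Hiawatha howto or from this thread, covering both Fred's Q1 (the block order in serverkey.pem) and Hugo's last answer (no root certificate in the file): a script that assembles the combined PEM in the prescribed order and checks an existing file for it. The same order applies to a self-signed file and to a file built from a CA-issued certificate; with a commercial CA the intermediate is whatever the CA shipped alongside the server certificate. The file names are placeholders and the sample blocks are constructed placeholders, not real key material; the openssl step is optional.

```bash
#!/usr/bin/env bash
# Added example, not from the howto or the thread. Layout enforced for the
# file that TLScertFile points at:
#   1     server private key            (-----BEGIN ... PRIVATE KEY-----)
#   2     server certificate            (-----BEGIN CERTIFICATE-----)
#   3..n  intermediate CA certificate(s): the one that signed the server
#         certificate first, each following one signing the previous
#   never the root CA: the browser already trusts it (Hugo's answer above)

# pem_block_types FILE: print the label of every PEM block, one per line, in file order.
pem_block_types() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_hiawatha_pem FILE: exit 0 if the blocks are key, certificate, intermediates...
check_hiawatha_pem() {
  file=$1; i=0; problem=
  old_ifs=$IFS; IFS='
'
  for label in $(pem_block_types "$file"); do
    i=$((i + 1))
    case "$i:$label" in
      1:*"PRIVATE KEY") ;;   # RSA, EC or PKCS#8 key; a daemon needs it unencrypted
      1:*)              problem="block 1 must be the private key, found '$label'" ;;
      2:CERTIFICATE)    ;;
      2:*)              problem="block 2 must be the server certificate, found '$label'" ;;
      *:CERTIFICATE)    ;;
      *)                problem="block $i must be an intermediate CA certificate, found '$label'" ;;
    esac
    [ -n "$problem" ] && break
  done
  IFS=$old_ifs
  if [ -z "$problem" ] && [ "$i" -lt 2 ]; then
    problem="need at least a private key and a certificate, found $i block(s)"
  fi
  if [ -n "$problem" ]; then echo "$file: $problem" >&2; return 1; fi
  echo "$file: order ok ($i PEM blocks)"
}

# build_hiawatha_pem KEY CERT [INTERMEDIATE ...] > OUT: the argument order is the file order.
build_hiawatha_pem() {
  [ "$#" -ge 2 ] || { echo "usage: build_hiawatha_pem KEY CERT [INTERMEDIATE ...]" >&2; return 1; }
  cat "$@"
}

# inspect_with_openssl FILE: subject/issuer/expiry of the server certificate (optional).
# openssl x509 reads the first CERTIFICATE block and skips the key in front of it.
inspect_with_openssl() {
  command -v openssl >/dev/null || { echo "openssl not installed, skipping" >&2; return 0; }
  openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# sample_block key|cert|ca: one placeholder PEM block for the offline demo.
# The payloads are NOT real key or certificate material.
sample_block() {
  case "$1" in
    key)  printf -- '-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-KEY\n-----END RSA PRIVATE KEY-----\n' ;;
    cert) printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-SERVER-CERT\n-----END CERTIFICATE-----\n' ;;
    ca)   printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE-CA\n-----END CERTIFICATE-----\n' ;;
  esac
}

# Demo: build a combined file from three placeholder parts, then show a wrong order failing.
demo=$(mktemp -d)
sample_block key  > "$demo/server.key"
sample_block cert > "$demo/server.crt"
sample_block ca   > "$demo/intermediate.crt"
build_hiawatha_pem "$demo/server.key" "$demo/server.crt" "$demo/intermediate.crt" > "$demo/serverkey.pem"
pem_block_types "$demo/serverkey.pem"
check_hiawatha_pem "$demo/serverkey.pem"
build_hiawatha_pem "$demo/server.crt" "$demo/server.key" > "$demo/wrong.pem"
check_hiawatha_pem "$demo/wrong.pem" || echo "(rejected as expected)"
rm -rf "$demo"
```

With a real file, `check_hiawatha_pem /usr/local/etc/hiawatha/ssl/serverkey.pem` only proves the block order; it cannot tell whether the certificate in block 2 actually belongs to the key in block 1 or whether block 3 really is the issuer of block 2. For that, use `inspect_with_openssl` on the file and compare the issuer it prints with the subject of the intermediate.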
Fred
11 February 2016, 15:12
Thank you Hugo, great support as usual
This topic has been closed.