Turn off SSL on Apache server and just use ARRRSS

2 replies

Last post Jan 05, 2021 06:40 AM by Brucz

  • Turn off SSL on Apache server and just use ARR

    Jan 04, 2021 01:05 PM|JefffRozar|LINK

    I'm running ARR 3.0.1988 on Windows Server 2019, which runs IIS 10.

    I also have an Apache server on the internal network.

    I have a current SSL cert listed in IIS, and I also have an older SSL cert on the apache server.

    Accessing the website from externally, it is using the cert from IIS.

    The problem is if I turn off SSL on the apache server (and verify it's only running on port 80), I can get to the website on the apache host with http//localhost, but I can't get to it with IIS/ARR.

    Is there a setting in IIS/ARR to ignore SSL on Apache? Or should I be looking solely at the Apache web server?

  • Rovastar Rovastar

    5494 Posts

    MVP

    Moderator

    Re: Turn off SSL on Apache server and just use ARR

    Jan 05, 2021 03:23 AM|Rovastar|LINK

    How are you sending your traffic from ARR to the Apache Server? Via http or https?

    It sounds like you are making a new https connection from arr to apache and if you turn off https then it will understandably fail. 

    You should either use the same SSL cert on the apache box and send traffic https traffic to it or offload the SSL so it terminates completely on the ARR and communicate via http to the backend apache box

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: Turn off SSL on Apache server and just use ARR

    Jan 05, 2021 06:40 AM|Brucz|LINK

    Hi JefffRozar,

    When the client and server communicate using https connections, the purpose of using certificates is to ensure the security between the two. Because the issuing authority of the certificate is the same, the server confirms that the request is trustworthy through decryption. Therefore, there is a process of encryption and decryption during the use of the certificate.

    You use different certificates on ARR and apache, their private keys are different, and the decryption results are also different. When the https request arrives on ARR, ARR can be successfully decrypted, but it cannot be successfully decrypted when proxying to apache.

    Even if you cancel https on apache, the request from ARR proxy to apache still needs to be decrypted and does not become http.

    The correct approach is to use the same certificate for ARR and Apache. Or do not use certificates and communicate via http.

    Best regards,

    Brucz

    .NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.