Turn off SSL on Apache server and just use ARR
Last post Jan 05, 2021 06:40 AM by Brucz
Jan 04, 2021 01:05 PM | JefffRozar
I'm running ARR 3.0.1988 on Windows Server 2019, which runs IIS 10.
I also have an Apache server on the internal network.
I have a current SSL cert listed in IIS, and I also have an older SSL cert on the Apache server.
When accessing the website externally, it uses the cert from IIS.
The problem is that if I turn off SSL on the Apache server (and verify it's only running on port 80), I can get to the website on the Apache host with http://localhost, but I can't get to it with IIS/ARR.
Is there a setting in IIS/ARR to ignore SSL on Apache? Or should I be looking solely at the Apache web server?
Jan 05, 2021 03:23 AM | Rovastar
How are you sending your traffic from ARR to the Apache Server? Via http or https?
It sounds like you are making a new https connection from ARR to Apache, and if you turn off https then it will understandably fail.
You should either use the same SSL cert on the Apache box and send https traffic to it, or offload the SSL so it terminates completely on the ARR and communicate via http to the backend Apache box.
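The two options in the reply above, shown as an added example that is not part of the original thread: a URL Rewrite rule in the ARR site's web.config, where the scheme in the action URL decides whether ARR opens an http or an https connection to Apache. The host name `apache01.internal.example` and the rule name are assumptions for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.config of the IIS site that fronts Apache.
     Assumes the URL Rewrite module and ARR are installed and that
     proxying is enabled in the ARR server proxy settings.
     apache01.internal.example is a hypothetical backend host name. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- SSL offloading: the client's TLS session ends at IIS/ARR,
             and ARR forwards the request to Apache on port 80.
             Apache needs only its plain HTTP listener for this rule. -->
        <rule name="ProxyToApacheOffload" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite"
                  url="http://apache01.internal.example/{R:1}" />
        </rule>

        <!-- Re-encryption alternative: replace the action above with
             the one below. ARR then opens a new HTTPS connection to
             Apache, so Apache must keep its listener on 443 with a
             certificate installed. Turning SSL off on Apache while
             this form is in use makes the proxied request fail.

             <action type="Rewrite"
                     url="https://apache01.internal.example/{R:1}" />
        -->
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With the offloading form, the hop between ARR and Apache is unencrypted, so it is suited to a backend segment that is already trusted.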
Jan 05, 2021 06:40 AM | Brucz
When the client and server communicate using https connections, the purpose of using certificates is to ensure the security between the two. Because the issuing authority of the certificate is the same, the server confirms that the request is trustworthy through decryption. Therefore, there is a process of encryption and decryption during the use of the certificate.
You use different certificates on ARR and Apache, their private keys are different, and the decryption results are also different. When the https request arrives on ARR, ARR can be successfully decrypted, but it cannot be successfully decrypted when proxying
Even if you cancel https on Apache, the request from the ARR proxy to Apache still needs to be decrypted and does not become http.
The correct approach is to use the same certificate for ARR and Apache, or to not use certificates and communicate via http.