When trying to proxy requests from an HTTP frontend to an HTTPS backend using Apache's ProxyPass, you might encounter this error:
[error] proxy: HTTPS: failed to enable ssl support for 4.3.2.1:443 (bar.com)
Apache's mod_proxy requires SSL support to be properly configured when proxying to HTTPS destinations. The error occurs because:
- The SSL module isn't properly loaded
- SSLProxyEngine isn't enabled
- Missing SSL certificates for the proxy handshake
Here's the correct configuration that works:
<VirtualHost 1.2.3.4:80>
ServerName foo.com
# Essential directives
SSLProxyEngine on
ProxyRequests Off
ProxyPreserveHost On
# The actual proxy pass
ProxyPass / https://bar.com/
ProxyPassReverse / https://bar.com/
# Disable backend certificate verification (only for self-signed backends or where verification isn't required)
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
</VirtualHost>
SSLProxyEngine on - This is the critical directive that enables SSL support for the proxy module.
SSL verification directives - These are included to handle cases where you're proxying to sites with self-signed certificates or where certificate verification isn't required.
If you still encounter issues:
# Check if required modules are loaded
a2enmod proxy
a2enmod proxy_http
a2enmod ssl
a2enmod proxy_connect
# Then restart Apache
service apache2 restart
For more complex scenarios where you need to preserve original headers:
RequestHeader set X-Forwarded-Proto "http"
RequestHeader set X-Forwarded-Port "80"
When proxying HTTPS traffic through HTTP:
- Enable connection pooling with ProxyPass parameters
- Consider adding timeout settings
- Monitor SSL handshake performance
ProxyPass / https://bar.com/ connectiontimeout=5 timeout=30
When setting up reverse proxying with Apache's ProxyPass directive, a common challenge arises when trying to proxy HTTPS traffic through an HTTP frontend. The error message:
[error] proxy: HTTPS: failed to enable ssl support for 4.3.2.1:443 (bar.com)
typically indicates that Apache's SSL module isn't properly configured to handle the backend HTTPS connection, even when the frontend is HTTP.
To properly proxy HTTPS backends through HTTP frontends, you'll need these Apache modules enabled:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
The critical module here is mod_proxy_connect, which handles the CONNECT method needed for SSL tunneling.
Here's a proper VirtualHost configuration that works for HTTPS backends:
<VirtualHost 1.2.3.4:80>
ServerName foo.com
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://bar.com/
ProxyPassReverse / https://bar.com/
</VirtualHost>
SSLProxyEngine On: Enables SSL support for the proxy connection to the backend server.
SSLProxyVerify none: Disables certificate verification (use with caution in production).
ProxyPreserveHost On: Preserves the original Host header from the client request.
For production environments, you might want to add these security-related directives:
# SSLProxyVerify defaults to none, so require verification explicitly
SSLProxyVerify require
SSLProxyCACertificateFile /path/to/ca-bundle.crt
SSLProxyProtocol TLSv1.2
SSLProxyCipherSuite HIGH:!aNULL:!MD5
This ensures proper certificate verification and modern TLS protocols for the backend connection.
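A small audit for the two conditions discussed above, an https:// ProxyPass without SSLProxyEngine and backend certificate verification switched off. This is an added example, not part of the original page; the function names and the sample vhost are constructed. It assumes all relevant directives sit inside the <VirtualHost> block and does not track server-level inheritance.

```python
import re

# Constructed sample input: the permissive vhost from this page.
SAMPLE = """\
<VirtualHost 1.2.3.4:80>
ServerName foo.com
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
ProxyPass / https://bar.com/
ProxyPassReverse / https://bar.com/
</VirtualHost>
"""

PEER_CHECKS = ("SSLProxyCheckPeerCN", "SSLProxyCheckPeerName", "SSLProxyCheckPeerExpire")

def findings(seen):
    """Findings for one vhost; `seen` maps lower-cased directive -> lower-cased value."""
    if "https_backend" not in seen:
        return []                       # no TLS backend, nothing to check
    out = []
    if seen.get("sslproxyengine") != "on":
        out.append("SSLProxyEngine not on: https:// backend cannot be reached")
    if seen.get("sslproxyverify", "none") != "require":   # Apache default is none
        out.append("SSLProxyVerify is not require: backend certificate unverified")
    out += [f"{d} off" for d in PEER_CHECKS if seen.get(d.lower()) == "off"]
    return out

def audit_vhosts(conf_text):
    """Return {vhost address: [findings]} for each <VirtualHost> block."""
    report, addr, seen = {}, None, {}
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue                    # blank line or comment
        opened = re.match(r"<VirtualHost\s+([^>]+)>", raw.strip(), re.I)
        if opened:
            addr, seen = opened.group(1).strip(), {}
        elif addr is None:
            continue                    # directive outside any vhost
        elif parts[0].lower().startswith("</virtualhost"):
            report[addr] = findings(seen)
            addr = None
        elif parts[0].lower() == "proxypass" and "https://" in raw.lower():
            seen["https_backend"] = "yes"
        elif parts[0].lower().startswith("sslproxy") and len(parts) > 1:
            seen[parts[0].lower()] = parts[1].lower()
    return report
```

Calling `audit_vhosts(SAMPLE)` reports the disabled verification and the two disabled peer checks for the 1.2.3.4:80 vhost; a vhost with `SSLProxyVerify require` and `SSLProxyEngine on` comes back with an empty list.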
If you still encounter problems:
- Verify all required modules are loaded
- Check Apache error logs for specific SSL handshake failures
- Test the backend HTTPS connection manually with openssl:
openssl s_client -connect bar.com:443 -showcerts