Update 10/31/2015 : I've republished with Ubuntu fixes up through to this date. Also removed RC4 from the cipher list.

Update 12/12/2014 : If you are using this or any other Apache proxy, disable RC4 in the SSLCipherSuite line (change from RC4 to !RC4) and restart Apache, that will get you back to an "A" on the SSL Labs test. Note RC4 is *NOT required* for XP and IE, you can do this with 3DES.....

Update 01/14/15 : Once you install the proxy, change the SSH Host Key as outlined here if-you-are-using-my-reverse-proxy-please-change-the-ssh-host-key.htm....


In an effort to help Domino customers mitigate the disaster that is the SSLv3 Poodle bug, I am providing the virtual machine linked at the bottom of this post. Note, you can also use the IBM HTTP Server bundled with R9 if you are on a Windows server....if that is the case, stop reading.

YOU USE THIS POST AT YOUR OWN RISK. For professional services related to this contact STS Sales.


Take backup copies of any files you change, including the Domino Directory. That way if you screw up......


Read this in it's entirety before you start.....it is not for the faint of heart. I take no responsibility for you screwing up your environment. None.


This VM is an Ubuntu 14 LTS server (patched as of Oct 15th 2014) with Apache installed in a way to allow easy integration as a reverse proxy for a Domino server. This allows the user to disable SSLv3 and utilize TLS 1.0, 1.1 and 1.2  thus mitigating Poodle. The apache server will use the best cipher for the client connecting to it, so it will prefer TLS 1.2 if the browser can support it.

No warranty is implied or provided. You use this VM at your own risk. There is no guarantee this will fix any and all security problems. It is suggested that after install you check your installation here https://www.ssllabs.com/ssltest/index.html (although at the time of writing the test site didn't indicate SSLv3 as an issue....IT IS).

OK, so what do you have to do to get this thing working.....

1) You need to be able to install OVF virtual machine templates. If you don't have a virtual infrastructure then this may not help
2) You have Domino working as a web server, or iNotes, or Quickr, or Traveler
3) You want to fix the Poodle bug and you can't or won't wait for IBM to address this properly
4) You don't need Windows XP with Internet Explorer support (this VM uses SNI, XP with IE can't do SNI although I believe Firefox and Chrome on XP can....). If you need XP support I may create another VM. You never know.
5) You don't mind changing the HTTP settings of your domino servers, including adding new DNS records to your internal DNS servers.
6) You want to address Poodle, SHA2 and/or add TLS to Domino.

If all of these are a check marked, continue reading....

The VM contains one Apache site capable of handling three different scenarios, iNotes, Quickr and Traveler.

1) Go download the VM here (there is no warranty, implied or given by use of this VM)
2) Install the VM on your virtual hardware
3) Power up and log in (default is root/root)
4) Change the default password using the passwd command
5) Change the IP address assigned to the machine with vi /etc/network/interfaces command (change all of the settings here to match your network). If you don't know vi then google it.
6) Reboot
7) Get an Apache compatible SSL certificate from your provider. If you need to create a new CSR do not use Domino to do this, but rather use OpenSSL (installed on this VM if you don't have an installation). Your SSL vendors site will have instructions on how to do this, here are GoDaddy's instuctions. When you have the key file and the signed certificate for your site, sites or wildcard copy them to the /etc/apache2/ssl folder (your provider will also give you a "bundle" certificate, copy that over too).
8) Use WinSCP to log into the VM and navigate to /etc/apache2/sites-enabled and double click on the combined.conf

Image:Here is a freely available VM to reverse proxy Domino - shoot the poodle
9) The first two virtual hosts (signified by the tag) are iNotes, the second two are Quickr, the third pair is Traveler. If you don't need a particular host (you don't use Quickr for example), simply delete everything between the two corresponding and tags (including the tags themselves). TAKE A BACKUP FIRST....you might do this wrong.

iNotes: Image:Here is a freely available VM to reverse proxy Domino - shoot the poodle

Quickr: Image:Here is a freely available VM to reverse proxy Domino - shoot the poodle


Traveler : Image:Here is a freely available VM to reverse proxy Domino - shoot the poodle


10) Edit the file changing at least anything with an IP in it, anything with a domain name in it, anything with a server name in it and anything with an SSL certificate in it. Here is what needs to be changed for iNotes:

a) Take a backup of the Domino Directory before you change anything.....I'm not going to outline the Domino part, I figured if you're reading this you know that part.
b) Our Domino server was called webmail.yourdomain.com. We are now moving this name to Apache and have changed the Domino HTTP server to domino1.yourdomain.com.  (if you don't know how to do this, stop and hire me via the link above)
c) Our Domino server was also using HTTPS, but now we've turned this off for Domino and only HTTP is in use on Domino.
d) There is also a new internal DNS entry pointing domino1.yourdomain.com to the Domino server IP (this is not an external DNS entry, only internal).
e) Externally, webmail.yourdomain.com points to Apache (in this case 10.6.69.69).
f) Make sure you can ping the new domino1.yourdomain.com address from both the Apache server and the Domino server.

Remember, there are two Apache virtual hosts per Domino server....one that maps to HTTP that in turn redirects to the second one that handles HTTPS....

Below are the iNotes HTTP virtual host changes:

a) The vitual host address needs to the be the IP address of this VM
b) The host name's should match whatever URL your users use to get to iNotes, in this case webmail.yourdomain.com

Image:Here is a freely available VM to reverse proxy Domino - shoot the poodle



Below are the iNotes HTTPS changes:

a) The vitual host address needs to the be the IP address of this VM
b) The host name's should match whatever URL your users use to get to iNotes, in this case webmail.yourdomain.com
c) The SSL certificates need to match the ones you copied to the SSL folder, also update SSLCertificateChainFile to your providers bundle
d) The iwaredir.nsf needs to be changed to match your web mail redirector NSF file name
e) The ProxyPass and ProsyReversePadd host names need to be changed to your new iNotes server internal name (note this is also now a HTTP link, not HTTPS)

Image:Here is a freely available VM to reverse proxy Domino - shoot the poodle



11) Save the file
12) Restart Apache with the command /etc/init.d/apache2 restart
13) If you get errors, double check everything......and make sure to delete the vitrual hosts you don't need....like Quickr and Traveler for instance. After any changes restart apache
14) If it still doesn't work check the error log at /var/log/apache/ and look at the iNotes files.
15) If it still doesn't work then revert back to your original setup (I did tell you to take backups) and hire me.
16) At some point in the future, prevent Domino HTTP from being accessed anywhere but from the VM IP address.

This proxy has several advantages to IBM's approach of bolting IHS in front of Domino:
1.        You can have one and only one SSL certificate. I have a single wild-card certificate installed on the proxy and all proxied connections use this single certificate. That makes changing to SHA2/256 really, really simple.
2.        You don't have to patch server after server after server. One proxy, one set of patches.....heartbleed and shellshock anyone?
3.         I have significantly reduced my surface area on the web. Now all web servers traffic, be it Domino, Traveler, IIS or any other server are no longer directly connected to the evil internet.

In case you missed the link above, download the VM here (there is no warranty, implied or given by use of this VM).

AGAIN, you do this at your own risk. Unless your paying me to do this for you. you are on your own.
Darren Duke   |   October 15 2014 08:00:27 AM   |    domino  apache  proxy  security  ssl    |  
  |   Next Document   |   Previous Document

Discussion for this entry is now closed.

Comments (4)

Gravatar Image
1 - Thomas Duff    http://duffbert.com    10/15/2014 9:58:41 AM

So, Darren... can I blame you if this goes wrong? :)

Gravatar Image
2 - Dave       10/17/2014 1:50:51 PM

Thanks for the resource. One comment, I had to add "ProxyPreserveHost On" to the .conf file. Otherwise, I would be redirected to the internal URL set in the ProxyPass statements.

Gravatar Image
3 - Mat Newman    http://www.matnewman.com    10/18/2014 6:04:29 AM

Awesome work Daz, thanks mate.

Gravatar Image
4 - Mark Dudding    http://www.ibm.com    10/21/2014 11:46:17 AM

Thanks for your contribution. Here is a link to IBM official statement on direction: { http://www-01.ibm.com/support/docview.wss?uid=swg21687167 }