Julian Gilbey wrote:
> On Wed, Jun 01, 2011 at 07:02:26PM -0400, Jim Paris wrote:
> > > I've just tried it, but it doesn't work for me.  I presume this is
> > > because the host I'm going through only accepts SSL traffic on port
> > > 443 and only accepts non-SSL traffic on port 80.  Do you have Apache
> > > setup so that it can accept either SSL or non-SSL on the same port?
> > >
> > >    Julian
> >
> > I have Apache set up to require SSL on port 443, but the Apache bug
> > means that it stops using SSL (and switches to plaintext) as soon as
> > mod_proxy takes over.  My config is roughly
> >
> > <VirtualHost *:443>
> >   SSLEngine on
> >   ProxyRequests on
> >   AllowCONNECT 22
> >   ProxyVia on
> >   <Proxy *>
> >     Order deny,allow
> >     Deny from all
> >   </Proxy>
> >   <Proxy destination-ssh-host.example.com>
> >     Order allow,deny
> >     Allow from all
> >   </Proxy>
> > </VirtualHost>
>
> Ah, I think I see the difference in my config: I have SSLRequireSSL in
> my setup, so that port 443 will refuse to convert to plain text.

SSLRequireSSL can only go in directory or .htaccess context -- neither
applies to proxying as far as I can tell.  Also, if it's true that
your Apache is not switching over to plain text, doesn't that mean
that normal "-e" will work fine and you don't need this workaround?

For the record, my .ssh/config looks like this:

  Host=proxytest
    HostName=host.example.com
    ProxyCommand=proxytunnel -v -p host.example.com:443 -d host.example.com:22 -B

With "-e" at the end, I see:

  $ ssh proxytest
  SSL enabled
  Local proxy host.example.com resolves to 1.2.3.4
  Connected to host.example.com:443 (local proxy)
  Tunneling to host.example.com:22 (destination)
  Communication with local proxy:
   -> CONNECT host.example.com:22 HTTP/1.0
   -> Proxy-Connection: Keep-Alive
  analyze_HTTP: readline failed: Connection closed by remote host
  ssh_exchange_identification: Connection closed by remote host

With "-B", it's

  $ ssh proxytest
  SSL client to proxy enabled, only until CONNECT
  Local proxy host.example.com resolves to 1.2.3.4
  Connected to host.example.com:443 (local proxy)
  Tunneling to host.example.com:22 (destination)
  Communication with local proxy:
   -> CONNECT host.example.com:22 HTTP/1.0
   -> Proxy-Connection: Keep-Alive
  Switching to non-SSL communication
   <- HTTP/1.0 200 Connection Established
   <- Proxy-agent: Apache/2.2.17 (Debian)
  Tunnel established.
  Last login...

> Incidentally, apache 2.4 will have the mod-proxy patch included as
> part of the main distribution.  The first beta was released about a
> week ago (see http://httpd.apache.org/).

That's good news.

-jim

