RE: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
> Cool.. > Can you please post the patch to the list, so that ppl can review the > code, > and give their comments. > -Madhu No problem! Here is my short README describing the patch and its history form Apache version 2.0.43 to 2.0.44: Hello! This is the distribution point for the Apache 2.0 as SSL Intermediary Patch. Currently you need this patch to use Apache 2.0 as a trusted intermediary in configuration with the SAP J2EE Engine. The patch is subject to become part of the standard Apache 2.0 distribution. Feedback welcome! Maik ([EMAIL PROTECTED]) INSTRUCTIONS: - extract the Apache 2.0.43 distribution (httpd-2.0.43.tar.gz) - change directory to httpd-2.0.43 - apply the patch with -p1 (patch -p1 < Apache-2.0.43-SSLintermediary.patch) - follow the Apache INSTALL instructions HISTORY: 02-12-30 initial release (available SAP internal) 03-01-07 httpd-2.0.43-patched-as-SSLintermediary.zip added In this ZIP archive the Apache-2.0.43-SSLintermediary.patch is already applied. More convenient for users not so familiar with the usage of diff & patch. 03-01-08 httpd-2.0.43-win32-src-patched-as-SSLintermediary.zip added You cannot use the UNIX source to build the WIN32 binaries. This ZIP archive contains the already patched version of httpd-2.0.43-win32-src. Use it to build the WIN32 binaries. If you want to apply Apache-2.0.43-SSLintermediary.patch to the original httpd-2.0.43-win32-src be aware that you have to convert CR-LFs in CR before applying the patch. In the successfully patched files you can again expand CR to CR-LF. 03-01-20 Bug in base 64 padding found. The calculation of the number of padding characters ('=') needed computes wrong results in some cases. 03-02-07 Apache 2.0.44 Released Apache-2.0.44-SSLintermediary.patch corresponds to httpd-2.0.44.tar.gz The documentation changes are NO longer part of the patch. Download mod_headers_mai.html.en for proposed documentation changes. SSLproxy.conf is a good example for a proxy's mod_ssl configuration. The SAP proposed header names are use in the example added to the mod_headers documentation (see mod_headers_mai.html.en). And here follows the patch (My proposed changes to the HTML docu are now not included in the patch. Please advice me if and how to post this changes to mod_headers.html.en): --- httpd-2.0.44.ori/modules/metadata/mod_headers.c Mon Nov 4 19:31:57 2002 +++ httpd-2.0.44/modules/metadata/mod_headers.c Fri Feb 7 18:00:18 2003 @@ -109,6 +109,7 @@ #include "apr_lib.h" #include "apr_strings.h" #include "apr_buckets.h" +#include "apr_base64.h" #include "apr_hash.h" #define APR_WANT_STRFUNC @@ -198,6 +199,62 @@ else return "(null)"; } + +/* Base 64 encoded ASN.1 data is usually tagged with decorations of + * the following style: + * -BEGIN - + * + * -END - + * The defines are used to search for such decorations. + */ +#define DECORATION_MARKER_BEGIN "-BEGIN" +#define DECORATION_MARKER_END "-END" +#define DECORATION_EOF_MARKER "-" + +static const char *header_request_env_varB64(request_rec *r, char *a) +{ + const char *s = apr_table_get(r->subprocess_env,a); + char *pStartBody = NULL; + char *pBehindBody = NULL; + char *ptr; + + if (s) { +/* search for decorations marking encapsulated base64 encoded data */ +ptr = strstr((char *)s, DECORATION_MARKER_BEGIN); +if (ptr) { + ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN), DECORATION_EOF_MARKER); + if (ptr && (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0') { + /* explicit check that there are sitll chars in the string */ + pStartBody = ptr + strlen(DECORATION_EOF_MARKER) + 1; + + ptr = strstr(pStartBody, DECORATION_MARKER_END); + if (ptr && strstr(ptr, DECORATION_EOF_MARKER)) + pBehindBody = ptr; + } +} + +if (pStartBody && pBehindBody) { + /* encapsulated base64 encoded data found */ + /* all except the body will be skipped */ + *pBehindBody = '\0'; + apr_base64_cleanB64(pStartBody); + return pStartBody; +} else { + /* call apr_base64_encode() to encode the data */ + int inlen = strlen(s); + int outsize = apr_base64_encode_len(inlen); + char *encoded = apr_palloc(r->pool, outsize); + int rc = apr_base64_encode(encoded, s, inlen); + if (rc > outsize) + return "(null)"; + else + return encoded; +} + } + else +return "(null)"; +} + /* * Config routines */ @@ -407,7 +464,7 @@ /* Handle the envclause on Header */ if (envclause != NULL) { -if (inout != hdr_out) { +if (inout != hdr_out && inout != hdr_in) { return "error: envclause (env=...) only valid on Header directive"; } if (strncasecmp(envclause, "env=", 4) != 0) { @@ -448,12 +505,23 @@ return head
Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
Hello All, I want to provide updated information to my earlier described scenario using mod_ssl + mod_proxy + mod_headers: Component: Web Browser --- Proxy (mod_proxy) --- Web Server SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server The following discussion focuses on Apache 2.0.43 and 2.0.44. I have implemented a solution to transfer the Web browser's client certificate (and other SSL information) to the backend Web server: Component: Web Browser --- Proxy (mod_proxy) --- Web Server SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server Client Cert (and other SSL information) --> Transfer as HTTP Headers The problem was that mod_headers' RequestHeader directive didn't really matched the requirements. RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e is not a practical solution to forward the client's certificate to the backend server for the following reasons: 1. SSL_CLIENT_CERT produces multi-line output and the RequestHeader directive isn't able to transfer it into a correct multi-line HTTP header. 2. The "decorations" (-BEGIN/END CERTIFICATE-) and the multi-line format are not very useful in this scenario. Therefore I have introduced the option "E" in addition to "e" for putting environment variables in headers. The "E" has the following meaning: %{FOOBAR}E The base64 encoded content of the environment variable FOOBAR. If the environment variable already contains a base64 encoded body (e. g. SSL_CLIENT_CERT) the body will be set as the value of the header variable. The result is in any case a single line of base64 characters only. This behavior serves two requirements: 1. There is no problem escaping special characters when putting other SSL information in HTTP headers. In many cases, SSL_CLIENT_S_DN will probably contain characters that have to be escaped. 2. Reduces the overhead produced by "decorations" and multi-line format. Here is an example for forwarding the SSL Client Certificate and other SSL information: RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}E env=SSL_CLIENT_S_DN RequestHeader set SSL_CLIENT_CERT_CHAIN_0 %{SSL_CLIENT_CERT_CHAIN_0}E env=SSL_CLIENT_CERT_CHAIN_0 RequestHeader set SSL_CLIENT_CERT_CHAIN_1 %{SSL_CLIENT_CERT_CHAIN_1}E env=SSL_CLIENT_CERT_CHAIN_1 RequestHeader set SSL_CIPHER_USEKEYSIZE %{SSL_CIPHER_USEKEYSIZE}e env=SSL_CIPHER_USEKEYSIZE RequestHeader set SSL_CIPHER_SUITE%{SSL_CIPHER}e env=SSL_CIPHER To make this work I also patched two other things: 1. mod_headers' RequestHeader directive wasn't able to take an env clause as a forth argument in contrast to the Header directive. I don't know the reason for that behavior, but env clause seams to work fine with the SSL environment variables for RequestHeaders. This was necessary to avoid an empty header if the environment variable isn't present. If there are objections, let me know. 2. SSL_CLIENT_CERT_CHAIN_n is broken. To me it seems that somebody has tried to change SSL_CLIENT_CERT_CHAINn to SSL_CLIENT_CERT_CHAIN_n. However, the introduction of the "_" wasn't quite consistent. I patched that and now I can see the intermediate CAs as SSL_CLIENT_CERT_CHAIN_0 to SSL_CLIENT_CERT_CHAIN_n in the environment. Last but not least I have updated the mod_headers documentation with the new option "E" and an example for forwarding the Web browser's client certificate and some other SSL information. I think the described patches and enhancements are quite reasonable and I would like to make them part of the standard Apache distribution. I have already produced a patch file that works for Apache 2.0.43 and 2.0.44. I would appreciate guidance on how to proceed. Comments welcome! Regards, Maik Maik Mueller Development Architect SAP __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl & mod_proxy
This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the communitys help in resolving it. Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Heres the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Order Allow,Deny Allow from All ProxyRemote * http://1.2.3.4:85 NameVirtualHost * Listen *:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log Listen *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid.
RE: mod_ssl & mod_proxy
Apache does get the requests in my case, as verified in log files created by CustomLog /usr/local/apache/logs/referer_log refererCustomLog /usr/local/apache/logs/agent_log agent in httpd.conf. BTW, my LDAP authentication is handled by the internal (iPlanet) web server. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of AlexandreSent: Thursday, December 05, 2002 8:53 AMTo: [EMAIL PROTECTED]Subject: Re: mod_ssl & mod_proxyoh my God i have the exactly the same problem ... the only diference is that my autentication is on Ldap directory in the internal net when a click on link http://host.myinternalnet.com nothing hapen only the loop and the apache dont get a request im sniffing the interfaces but the request dont send ok. any people can help us ??? thanks Alexandre HMajidy wrote: This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the community?s help in resolving it. urn:schemas-microsoft-com:office:office" /> Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Here?s the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Order Allow,Deny Allow from All ProxyRemote * http://1.2.3.4:85 NameVirtualHost * Listen *:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log Listen *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list.
RE: mod_ssl & mod_proxy
Thanks for your reply. The behavior is the same with ProxyPass and ProxyPassReverse instead of ProxyRemote. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Christopher McCrory Sent: Thursday, December 05, 2002 10:29 AM To: [EMAIL PROTECTED] Subject: Re: mod_ssl & mod_proxy Hello... On Thu, 2002-12-05 at 10:12, HMajidy wrote: > This is to report a problem with Apache with mod_ssl and mod_proxy, > and to request the community’s help in resolving it. > > > > Objective: The objective is to set up Apache as a reverse proxy, to > receive encrypted HTTPS traffic over the Internet and to convert it to > HTTP and direct it to a web server through a firewall. > >From what I see, you don't have a proxypass directive, ala: ProxyPass/foohttp://cruella.pricegrabber.com/foo ProxyPassReverse /foohttp://cruella.pricegrabber.com/foo > > > Problem: Apache seems to be redirecting traffic to the virtual hosts > on the local filesystem correctly, but mod_proxy does not seem to send > requests to remote URL (as specified by ProxyRemote directive below). > SSL does display correct certificate from requesting browser. > > > > Troubleshooting Steps Taken: Experimenting with the target URL (IP and > hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) > I have not been able to establish that proxy is doing anything at all. > > Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well > as statically linked in modules. > > > > Here’s the system configuration: > > Linux version 2.2.16-22smp > > gcc version egcs-2.91.66 > > Server version: Apache/1.3.27 (Unix) > > Compiled-in modules: > > http_core.c > > mod_env.c > > mod_log_config.c > > mod_mime.c > > mod_negotiation.c > > mod_status.c > > mod_include.c > > mod_autoindex.c > > mod_dir.c > > mod_cgi.c > > mod_asis.c > > mod_imap.c > > mod_actions.c > > mod_userdir.c > > mod_alias.c > > mod_access.c > > mod_auth.c > > mod_proxy.c > > mod_setenvif.c > > mod_ssl.c > > OpenSSL 0.9.6g 9 August 2002 > > > > httpd.conf > > AddModule mod_proxy.c > > > > ProxyRequests off > > NoCache * > > AllowCONNECT 443,80 > > > > Order Allow,Deny > > Allow from All > > > > ProxyRemote * http://1.2.3.4:85 > > > > NameVirtualHost * > > Listen *:443 > > > > SSLEngine on > > ServerName www.mydomain.com > > DocumentRoot /usr/local/apache/htdocs > > ErrorLog logs/443-error_log > > > > Listen *:80 > > > > ServerAdmin [EMAIL PROTECTED] > > DocumentRoot /usr/local/apache/www > > ServerName www1.mydomain.com > > ErrorLog logs/80-error_log > > > > > > Can anyone see a conflict or omission in this configuration? Does > anyone have these two modules working together in a reverse proxy > scenario? Any help or suggestions would be appreciated. > > > > Regards, > > Hamid. > > > > PS. Please reply to [EMAIL PROTECTED] as well as to this list. -- Christopher McCrory <[EMAIL PROTECTED]> Pricegrabber __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: mod_ssl & mod_proxy
oh my God i have the exactly the same problem ... the only diference is that my autentication is on Ldap directory in the internal net when a click on link http://host.myinternalnet.com nothing hapen only the loop and the apache dont get a request im sniffing the interfaces but the request dont send ok. any people can help us ??? thanks Alexandre HMajidy wrote: This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the community?s help in resolving it. urn:schemas-microsoft-com:office:office" /> Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Here?s the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Order Allow,Deny Allow from All ProxyRemote * http://1.2.3.4:85 NameVirtualHost * Listen *:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log Listen *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list. begin:vcard n:da Silva Augusto;Alexandre x-mozilla-html:FALSE org:Secretaria de Estado dos Negocios da Fazenda;DTI - Departamento de Tecnologia da Informacao adr:;; version:2.1 email;internet:[EMAIL PROTECTED] title:Administrador de Sistemas Unix x-mozilla-cpt:;3424 fn:Alexandre da Silva Augusto end:vcard
Re: mod_ssl & mod_proxy
Hello... On Thu, 2002-12-05 at 10:12, HMajidy wrote: > This is to report a problem with Apache with mod_ssl and mod_proxy, > and to request the communitys help in resolving it. > > > > Objective: The objective is to set up Apache as a reverse proxy, to > receive encrypted HTTPS traffic over the Internet and to convert it to > HTTP and direct it to a web server through a firewall. > >From what I see, you don't have a proxypass directive, ala: ProxyPass/foohttp://cruella.pricegrabber.com/foo ProxyPassReverse /foohttp://cruella.pricegrabber.com/foo > > > Problem: Apache seems to be redirecting traffic to the virtual hosts > on the local filesystem correctly, but mod_proxy does not seem to send > requests to remote URL (as specified by ProxyRemote directive below). > SSL does display correct certificate from requesting browser. > > > > Troubleshooting Steps Taken: Experimenting with the target URL (IP and > hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) > I have not been able to establish that proxy is doing anything at all. > > Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well > as statically linked in modules. > > > > Heres the system configuration: > > Linux version 2.2.16-22smp > > gcc version egcs-2.91.66 > > Server version: Apache/1.3.27 (Unix) > > Compiled-in modules: > > http_core.c > > mod_env.c > > mod_log_config.c > > mod_mime.c > > mod_negotiation.c > > mod_status.c > > mod_include.c > > mod_autoindex.c > > mod_dir.c > > mod_cgi.c > > mod_asis.c > > mod_imap.c > > mod_actions.c > > mod_userdir.c > > mod_alias.c > > mod_access.c > > mod_auth.c > > mod_proxy.c > > mod_setenvif.c > > mod_ssl.c > > OpenSSL 0.9.6g 9 August 2002 > > > > httpd.conf > > AddModule mod_proxy.c > > > > ProxyRequests off > > NoCache * > > AllowCONNECT 443,80 > > > > Order Allow,Deny > > Allow from All > > > > ProxyRemote * http://1.2.3.4:85 > > > > NameVirtualHost * > > Listen *:443 > > > > SSLEngine on > > ServerName www.mydomain.com > > DocumentRoot /usr/local/apache/htdocs > > ErrorLog logs/443-error_log > > > > Listen *:80 > > > > ServerAdmin [EMAIL PROTECTED] > > DocumentRoot /usr/local/apache/www > > ServerName www1.mydomain.com > > ErrorLog logs/80-error_log > > > > > > Can anyone see a conflict or omission in this configuration? Does > anyone have these two modules working together in a reverse proxy > scenario? Any help or suggestions would be appreciated. > > > > Regards, > > Hamid. > > > > PS. Please reply to [EMAIL PROTECTED] as well as to this list. -- Christopher McCrory <[EMAIL PROTECTED]> Pricegrabber __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl & mod_proxy
This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the communitys help in resolving it. Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Heres the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Order Allow,Deny Allow from All ProxyRemote * http://1.2.3.4:85 NameVirtualHost * Listen *:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log Listen *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list.
SSLProxy* directives (mod_ssl + mod_proxy + mod_headers)
Hello all, I want to share my latest experiences using mod_ssl + mod_proxy + mod_headers with you. We are talking about the following scenario: Component: Web Browser --- Proxy (mod_proxy) --- Web Server SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server This works with Apache 1.3 (compiled with SSL_EXPERIMENTAL flag) and with Apache 2.0. A pitfall is that mod_proxy reads its private key AND its certificate from the file referenced by SSLProxyMachineCertificateFile. There seems to be no possibility to have separate files for private key and certificate. I personally would prefer adding the option SSLProxyMachineKeyFile. Do you agree that that would make configuration easier? The next problem was how to transfer the Web browser's Client Certificate to the Web server: Component: Web Browser --- Proxy (mod_proxy) --- Web Server SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server Client Cert --> transfer e. g. as HTTP Header I tried to solve this problem using mod_headers, but I wasn't successful. Apache 1.3 mod_headers seems to be unable to expand environment variables. Apache 2.0 mod_headers can set Headers with variables like this: Header set OriginalClientCert "%{SSL_CLIENT_CERT}e"' But the Web server receives only the Request Headers set with RequestHeader... and Apache 2.0 mod_headers seems to be unable to expand environment variables in Request Headers. Thus I come to the following conclusion (Correct me if I'm wrong!): There is no way to transfer the Web browser's Client Certificate to the Web server using mod_headers. The Stronghold Web server has an enhanced mod_proxy functionality, like Joe Orton told me. You can set Headers using the following command: SSLProxyPassEnv MyHeaderName %{SSL_CLIENT_CERT} IMHO the best solution for the Apache Web server would be to enhance mod_proxy with the functionality to set Headers based on environment variables like Stronghold did. Have I overlooked something? Is there an easy way to pass the Web browser's client certificate to the Web server? Any feedback welcome. Regards, Maik __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: mod_ssl / mod_proxy interaction
[EMAIL PROTECTED] wrote: > Could you eloborate on why you say that reverse proxy with SSL won't work? > We've been running it for years on our Exchange system here, although > granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on > my to-do list. Sure. Here's what I've come up with thus far: Here's all four possible combinations of accessing exchange OWA. Options 1,2,4 all authenticate and load properly via using IE. Option 3 fails IIS's auth challenge. This is all *without* SSL. Should {SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0} be set for the virual host (recommended for mod_ssl), IE will only understand the apache reverse proxy when first proxied through squid. ??? If not proxied first through squid, IE balks, fails to load the pages (won't even load IIS's auth challenge), spitting back it's generic "cannot find server" error. I've been trying to get this thing working now for weeks and have been dealing with the mod_proxy folks until just this AM when I determined that the above SetEnvIf flag was causing the problem. I'm currently attempting to figure out why IIS's auth challenge fails via the apache reverse proxy but succeeds when proxied first through squid. Nonetheless, put all this in with SSL (assuming you using the recommended above flag) and things are broken. Period. 1) direct to exchange/iis # wget --server-response ebe1.gc.nat/exchange --11:01:28-- http://ebe1.gc.nat/exchange => `exchange' Resolving ebe1.gc.nat... done. Connecting to ebe1.gc.nat[10.10.11.23]:80... connected. HTTP request sent, awaiting response... 1 HTTP/1.1 401 Access Denied 2 Server: Microsoft-IIS/5.0 3 Date: Mon, 30 Sep 2002 15:01:28 GMT 4 WWW-Authenticate: Negotiate 5 WWW-Authenticate: NTLM 6 WWW-Authenticate: Basic realm="ebe1.gc.nat" 7 Content-Length: 24 8 Content-Type: text/html Unknown authentication scheme. 2) exchange/iss via squid # http_proxy="proxy.gactr.uga.edu:3128" wget --server-response ebe1.gc.nat/exchange --11:02:01-- http://ebe1.gc.nat/exchange => `exchange' Resolving proxy.gactr.uga.edu... done. Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected. Proxy request sent, awaiting response... 1 HTTP/1.0 401 Unauthorized 2 Server: Microsoft-IIS/5.0 3 Date: Mon, 30 Sep 2002 15:02:01 GMT 4 WWW-Authenticate: Negotiate 5 WWW-Authenticate: NTLM 6 WWW-Authenticate: Basic realm="ebe1.gc.nat" 7 Content-Length: 24 8 Content-Type: text/html 9 X-Cache: MISS from proxy.gactr.uga.edu 10 Proxy-Connection: close Unknown authentication scheme. 3) apache proxy # wget --server-response webmail.gactr.uga.edu --11:02:37-- http://webmail.gactr.uga.edu/ => `index.html' Resolving webmail.gactr.uga.edu... done. Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected. HTTP request sent, awaiting response... 1 HTTP/1.1 301 Moved Permanently 2 Date: Mon, 30 Sep 2002 15:02:37 GMT 3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27 mod_ssl/2.8.10 OpenSSL/0.9.6g 4 Location: http://webmail.gactr.uga.edu/exchange/ 5 Connection: close 6 Content-Type: text/html; charset=iso-8859-1 Location: http://webmail.gactr.uga.edu/exchange/ [following] --11:02:37-- http://webmail.gactr.uga.edu/exchange/ => `index.html' Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected. HTTP request sent, awaiting response... 1 HTTP/1.1 401 Access Denied 2 Date: Mon, 30 Sep 2002 15:02:37 GMT 3 Server: Microsoft-IIS/5.0 4 WWW-Authenticate: Negotiate 5 WWW-Authenticate: NTLM 6 WWW-Authenticate: Basic realm="webmail.gactr.uga.edu" 7 Content-Length: 24 8 Content-Type: text/html 9 Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26) 10 X-Cache: MISS from webmail.gactr.uga.edu 11 Keep-Alive: timeout=15, max=100 12 Connection: Keep-Alive Unknown authentication scheme. 4) apache proxy via squid # http_proxy="proxy.gactr.uga.edu:3128" wget --server-response webmail.gactr.uga.edu --11:03:06-- http://webmail.gactr.uga.edu/ => `index.html' Resolving proxy.gactr.uga.edu... done. Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected. Proxy request sent, awaiting response... 1 HTTP/1.0 301 Moved Permanently 2 Date: Mon, 30 Sep 2002 15:03:06 GMT 3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27 mod_ssl/2.8.10 OpenSSL/0.9.6g 4 Location: http://webmail.gactr.uga.edu/exchange/ 5 Content-Type: text/html; charset=iso-8859-1 6 X-Cache: MISS from proxy.gactr.uga.edu 7 Proxy-Connection: close Location: http://webmail.gactr.uga.edu/exchange/ [following] --11:03:06-- http://webmail.gactr.uga.edu/exchange/ => `index.html' Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected. Proxy request sent, awaiting response... 1 HTTP/1.0 401 Unauthorized 2 Date: Mon, 30 Sep 2002 15:03:06 GMT 3 Server: Microsoft-IIS/5.0 4 WWW-Authenticate: Negotiate 5 WWW-Aut
RE: mod_ssl / mod_proxy interaction
Could you eloborate on why you say that reverse proxy with SSL won't work? We've been running it for years on our Exchange system here, although granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on my to-do list. Thank you. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] Theories of evolution are like buses - there'll be another one along in a minute > -Original Message- > From: Robin P. Blanchard [mailto:[EMAIL PROTECTED]] > Sent: 30 September 2002 14:29 > To: [EMAIL PROTECTED] > Subject: mod_ssl / mod_proxy interaction > > > > in effort to eventually setup a secure apache reverse proxy > for exchange > 2000's OWA, i've run into the following dilemma > > per the mod-ssl docs, i had the following declared globally: > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown > downgrade-1.0 force-response-1.0 > > and realised after much wailing and gnashing of teeth that that line > caused the following (non-ssl) virtual host failed to operate > correctly > under IE: > > Listen 10.10.10.99:80 > >ServerName webmail.gactr.uga.edu >UseCanonicalNameOff >CustomLog /tmp/webmail-trans.log combined >ErrorLog/tmp/webmail-error.log > >RedirectPermanent / http://webmail.gactr.uga.edu/exchange/ >ProxyRequests Off >ProxyVia Full >ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/ >ProxyPassReverse /exchange/ > http://webmail.gactr.uga.edu/exchange/ >ProxyPass /public/ http://webmail.gactr.uga.edu/public/ >ProxyPassReverse /public/ > http://webmail.gactr.uga.edu/public/ >ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/ >ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/ >ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/ >ProxyPassReverse /exchweb/ > http://webmail.gactr.uga.edu/exchweb/ > > > > So, I placed User-Agent config out of the global config and into each > SSL config. Now, the exchange 2000 proxy (currently non-SSL) is > correctly handled by IE. Obviously, though, I will be wanting to put > this proxy behind SSL, which I've already determined will not work > (using the mod_ssl recommended settings). Has anyone else run into a > similar situation? Is there a reasonable work-around for this? > > -- > > Robin P. Blanchard > Systems Integration Specialist > Georgia Center for Continuing Education > fon: 706.542.2404 <|> fax: 706.542.6546 > > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl / mod_proxy interaction
in effort to eventually setup a secure apache reverse proxy for exchange 2000's OWA, i've run into the following dilemma per the mod-ssl docs, i had the following declared globally: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 and realised after much wailing and gnashing of teeth that that line caused the following (non-ssl) virtual host failed to operate correctly under IE: Listen 10.10.10.99:80 ServerName webmail.gactr.uga.edu UseCanonicalNameOff CustomLog /tmp/webmail-trans.log combined ErrorLog/tmp/webmail-error.log RedirectPermanent / http://webmail.gactr.uga.edu/exchange/ ProxyRequests Off ProxyVia Full ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/ ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/ ProxyPass /public/ http://webmail.gactr.uga.edu/public/ ProxyPassReverse /public/ http://webmail.gactr.uga.edu/public/ ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/ ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/ ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/ ProxyPassReverse /exchweb/ http://webmail.gactr.uga.edu/exchweb/ So, I placed User-Agent config out of the global config and into each SSL config. Now, the exchange 2000 proxy (currently non-SSL) is correctly handled by IE. Obviously, though, I will be wanting to put this proxy behind SSL, which I've already determined will not work (using the mod_ssl recommended settings). Has anyone else run into a similar situation? Is there a reasonable work-around for this? -- Robin P. Blanchard Systems Integration Specialist Georgia Center for Continuing Education fon: 706.542.2404 <|> fax: 706.542.6546 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
IBM HTTP/Mod_SSL/Mod_Proxy
Hello group, I have a question that I am at my wits end trying to figure out. I need to find out if it is possible to setup a proxy with SSL on both sides (client<-->proxy and proxy<-->server). I can get SSL from the browser to the proxy to work, but SSL from the proxy to the server does not seem to be working properly or I am not doing something right. I can get normal HTTP pages through the proxy w/o problems, so the proxy works. The only thing I can find is when I look in the logs and I notice that the GET commands are all in HTTP form, not HTTPS, so it would appear that that is the problem but I am not sure. Any testimonials saying if it will work or not would be helpful. Setup: Browser > Proxy >WWW Server SSLSSLNo SSL Proxy= AIX 4.3 running IBM HTTPServer with mod_ssl and mod_proxy loaded WWW Server =Win2k with IIS5 TIA! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl + mod_proxy + mod_auth
I've dredged through the archives, but can't find a reference to the problem I'm having. I've got the standard reverse proxy setup going with client connections via SSL to an apache server that proxies pages (via proxypass) from an internal http server. That works fine. I'd like to do authentication on the apache server as well, but can't get it to work. Here's part of the httpd.conf file: ProxyPass /corporate_rd/ http://sapling/corporate_rd/ ProxyPassReverse /corporate_rd/ http://sapling/corporate_rd/ And later, in the SSL virtual host section: http://sapling/corporate_rd/> AuthType Basic AuthUserFile /home/jayl/tmp/.htpasswd AuthName 'RD' require valid-user When I try to load this from netscape, I get an Error 407, Proxy Authentication Required without being prompted for a passwd. (IE just crashes. :) ) What am I doing wrong? thanks for the help, jay lyerly __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]