RE: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
> Cool..
> Can you please post the patch to the list, so that ppl can review the
> code,
> and give their comments.
> -Madhu
No problem!
Here is my short README describing the patch and its history form Apache
version 2.0.43 to 2.0.44:
Hello!
This is the distribution point for the Apache 2.0 as SSL Intermediary Patch.
Currently you need this patch to use Apache 2.0 as a trusted intermediary
in configuration with the SAP J2EE Engine.
The patch is subject to become part of the standard Apache 2.0 distribution.
Feedback welcome!
Maik ([EMAIL PROTECTED])
INSTRUCTIONS:
- extract the Apache 2.0.43 distribution (httpd-2.0.43.tar.gz)
- change directory to httpd-2.0.43
- apply the patch with -p1 (patch -p1 < Apache-2.0.43-SSLintermediary.patch)
- follow the Apache INSTALL instructions
HISTORY:
02-12-30 initial release (available SAP internal)
03-01-07 httpd-2.0.43-patched-as-SSLintermediary.zip added
In this ZIP archive the Apache-2.0.43-SSLintermediary.patch is
already applied. More convenient for users not so familiar with the
usage of diff & patch.
03-01-08 httpd-2.0.43-win32-src-patched-as-SSLintermediary.zip added
You cannot use the UNIX source to build the WIN32 binaries.
This ZIP archive contains the already patched version of
httpd-2.0.43-win32-src. Use it to build the WIN32 binaries.
If you want to apply Apache-2.0.43-SSLintermediary.patch to the
original httpd-2.0.43-win32-src be aware that you have to convert
CR-LFs in CR before applying the patch. In the successfully patched
files you can again expand CR to CR-LF.
03-01-20 Bug in base 64 padding found. The calculation of the number of
padding
characters ('=') needed computes wrong results in some cases.
03-02-07 Apache 2.0.44 Released
Apache-2.0.44-SSLintermediary.patch corresponds to
httpd-2.0.44.tar.gz
The documentation changes are NO longer part of the patch.
Download mod_headers_mai.html.en for proposed documentation
changes.
SSLproxy.conf is a good example for a proxy's mod_ssl
configuration.
The SAP proposed header names are use in the example added to the
mod_headers documentation (see mod_headers_mai.html.en).
And here follows the patch (My proposed changes to the HTML docu are now not
included in the patch. Please advice me if and how to post this changes to
mod_headers.html.en):
--- httpd-2.0.44.ori/modules/metadata/mod_headers.c Mon Nov 4 19:31:57 2002
+++ httpd-2.0.44/modules/metadata/mod_headers.c Fri Feb 7 18:00:18 2003
@@ -109,6 +109,7 @@
#include "apr_lib.h"
#include "apr_strings.h"
#include "apr_buckets.h"
+#include "apr_base64.h"
#include "apr_hash.h"
#define APR_WANT_STRFUNC
@@ -198,6 +199,62 @@
else
return "(null)";
}
+
+/* Base 64 encoded ASN.1 data is usually tagged with decorations of
+ * the following style:
+ * -BEGIN -
+ *
+ * -END -
+ * The defines are used to search for such decorations.
+ */
+#define DECORATION_MARKER_BEGIN "-BEGIN"
+#define DECORATION_MARKER_END "-END"
+#define DECORATION_EOF_MARKER "-"
+
+static const char *header_request_env_varB64(request_rec *r, char *a)
+{
+ const char *s = apr_table_get(r->subprocess_env,a);
+ char *pStartBody = NULL;
+ char *pBehindBody = NULL;
+ char *ptr;
+
+ if (s) {
+/* search for decorations marking encapsulated base64 encoded data */
+ptr = strstr((char *)s, DECORATION_MARKER_BEGIN);
+if (ptr) {
+ ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN),
DECORATION_EOF_MARKER);
+ if (ptr && (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0') {
+ /* explicit check that there are sitll chars in the string */
+ pStartBody = ptr + strlen(DECORATION_EOF_MARKER) + 1;
+
+ ptr = strstr(pStartBody, DECORATION_MARKER_END);
+ if (ptr && strstr(ptr, DECORATION_EOF_MARKER))
+ pBehindBody = ptr;
+ }
+}
+
+if (pStartBody && pBehindBody) {
+ /* encapsulated base64 encoded data found */
+ /* all except the body will be skipped */
+ *pBehindBody = '\0';
+ apr_base64_cleanB64(pStartBody);
+ return pStartBody;
+} else {
+ /* call apr_base64_encode() to encode the data */
+ int inlen = strlen(s);
+ int outsize = apr_base64_encode_len(inlen);
+ char *encoded = apr_palloc(r->pool, outsize);
+ int rc = apr_base64_encode(encoded, s, inlen);
+ if (rc > outsize)
+ return "(null)";
+ else
+ return encoded;
+}
+ }
+ else
+return "(null)";
+}
+
/*
* Config routines
*/
@@ -407,7 +464,7 @@
/* Handle the envclause on Header */
if (envclause != NULL) {
-if (inout != hdr_out) {
+if (inout != hdr_out && inout != hdr_in) {
return "error: envclause (env=...) only valid on Header
directive";
}
if (strncasecmp(envclause, "env=", 4) != 0) {
@@ -448,12 +505,23 @@
return head
Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
Hello All,
I want to provide updated information to my earlier described scenario using
mod_ssl + mod_proxy + mod_headers:
Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server
The following discussion focuses on Apache 2.0.43 and 2.0.44.
I have implemented a solution to transfer the Web browser's client
certificate (and other SSL information) to the backend Web server:
Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server
Client Cert (and other SSL information) --> Transfer
as HTTP Headers
The problem was that mod_headers' RequestHeader directive didn't really
matched the requirements.
RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e is not a practical
solution to
forward the client's certificate to the backend server for the
following reasons:
1. SSL_CLIENT_CERT produces multi-line output and the RequestHeader
directive isn't able to transfer it into a correct multi-line HTTP header.
2. The "decorations" (-BEGIN/END CERTIFICATE-) and the multi-line
format are not very useful in this scenario.
Therefore I have introduced the option "E" in addition to "e" for putting
environment variables in headers. The "E" has the following meaning:
%{FOOBAR}E The base64 encoded content of the environment variable FOOBAR.
If the environment variable already contains a base64 encoded body (e. g.
SSL_CLIENT_CERT) the body will be set as the value of the header variable.
The result is in any case a single line of base64 characters only.
This behavior serves two requirements:
1. There is no problem escaping special characters when putting other SSL
information in HTTP headers. In many cases, SSL_CLIENT_S_DN will probably
contain characters that have to be escaped.
2. Reduces the overhead produced by "decorations" and multi-line format.
Here is an example for forwarding the SSL Client Certificate and other SSL
information:
RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}E
env=SSL_CLIENT_S_DN
RequestHeader set SSL_CLIENT_CERT_CHAIN_0 %{SSL_CLIENT_CERT_CHAIN_0}E
env=SSL_CLIENT_CERT_CHAIN_0
RequestHeader set SSL_CLIENT_CERT_CHAIN_1 %{SSL_CLIENT_CERT_CHAIN_1}E
env=SSL_CLIENT_CERT_CHAIN_1
RequestHeader set SSL_CIPHER_USEKEYSIZE %{SSL_CIPHER_USEKEYSIZE}e
env=SSL_CIPHER_USEKEYSIZE
RequestHeader set SSL_CIPHER_SUITE%{SSL_CIPHER}e
env=SSL_CIPHER
To make this work I also patched two other things:
1. mod_headers' RequestHeader directive wasn't able to take an env clause as
a forth argument in contrast to the Header directive. I don't know the
reason
for that behavior, but env clause seams to work fine with the SSL
environment
variables for RequestHeaders. This was necessary to avoid an empty header if
the environment variable isn't present.
If there are objections, let me know.
2. SSL_CLIENT_CERT_CHAIN_n is broken. To me it seems that somebody has tried
to change SSL_CLIENT_CERT_CHAINn to SSL_CLIENT_CERT_CHAIN_n. However, the
introduction of the "_" wasn't quite consistent. I patched that and now I
can see the intermediate CAs as SSL_CLIENT_CERT_CHAIN_0 to
SSL_CLIENT_CERT_CHAIN_n in the environment.
Last but not least I have updated the mod_headers documentation with the new
option "E" and an example for forwarding the Web browser's client
certificate and some other SSL information.
I think the described patches and enhancements are quite reasonable and I
would like to make them part of the standard Apache distribution. I have
already produced a patch file that works for Apache 2.0.43 and 2.0.44. I
would appreciate guidance on how to proceed.
Comments welcome!
Regards,
Maik
Maik Mueller
Development Architect
SAP
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
mod_ssl & mod_proxy
This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the communitys help in resolving it. Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Heres the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Order Allow,Deny Allow from All ProxyRemote * http://1.2.3.4:85 NameVirtualHost * Listen *:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log Listen *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid.
RE: mod_ssl & mod_proxy
Apache does get the requests in my case, as verified in log files created by CustomLog /usr/local/apache/logs/referer_log refererCustomLog /usr/local/apache/logs/agent_log agent in httpd.conf. BTW, my LDAP authentication is handled by the internal (iPlanet) web server. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of AlexandreSent: Thursday, December 05, 2002 8:53 AMTo: [EMAIL PROTECTED]Subject: Re: mod_ssl & mod_proxyoh my God i have the exactly the same problem ... the only diference is that my autentication is on Ldap directory in the internal net when a click on link http://host.myinternalnet.com nothing hapen only the loop and the apache dont get a request im sniffing the interfaces but the request dont send ok. any people can help us ??? thanks Alexandre HMajidy wrote: This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the community?s help in resolving it. urn:schemas-microsoft-com:office:office" /> Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Here?s the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Order Allow,Deny Allow from All ProxyRemote * http://1.2.3.4:85 NameVirtualHost * Listen *:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log Listen *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list.
RE: mod_ssl & mod_proxy
Thanks for your reply. The behavior is the same with ProxyPass and ProxyPassReverse instead of ProxyRemote. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Christopher McCrory Sent: Thursday, December 05, 2002 10:29 AM To: [EMAIL PROTECTED] Subject: Re: mod_ssl & mod_proxy Hello... On Thu, 2002-12-05 at 10:12, HMajidy wrote: > This is to report a problem with Apache with mod_ssl and mod_proxy, > and to request the community’s help in resolving it. > > > > Objective: The objective is to set up Apache as a reverse proxy, to > receive encrypted HTTPS traffic over the Internet and to convert it to > HTTP and direct it to a web server through a firewall. > >From what I see, you don't have a proxypass directive, ala: ProxyPass/foohttp://cruella.pricegrabber.com/foo ProxyPassReverse /foohttp://cruella.pricegrabber.com/foo > > > Problem: Apache seems to be redirecting traffic to the virtual hosts > on the local filesystem correctly, but mod_proxy does not seem to send > requests to remote URL (as specified by ProxyRemote directive below). > SSL does display correct certificate from requesting browser. > > > > Troubleshooting Steps Taken: Experimenting with the target URL (IP and > hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) > I have not been able to establish that proxy is doing anything at all. > > Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well > as statically linked in modules. > > > > Here’s the system configuration: > > Linux version 2.2.16-22smp > > gcc version egcs-2.91.66 > > Server version: Apache/1.3.27 (Unix) > > Compiled-in modules: > > http_core.c > > mod_env.c > > mod_log_config.c > > mod_mime.c > > mod_negotiation.c > > mod_status.c > > mod_include.c > > mod_autoindex.c > > mod_dir.c > > mod_cgi.c > > mod_asis.c > > mod_imap.c > > mod_actions.c > > mod_userdir.c > > mod_alias.c > > mod_access.c > > mod_auth.c > > mod_proxy.c > > mod_setenvif.c > > mod_ssl.c > > OpenSSL 0.9.6g 9 August 2002 > > > > httpd.conf > > AddModule mod_proxy.c > > > > ProxyRequests off > > NoCache * > > AllowCONNECT 443,80 > > > > Order Allow,Deny > > Allow from All > > > > ProxyRemote * http://1.2.3.4:85 > > > > NameVirtualHost * > > Listen *:443 > > > > SSLEngine on > > ServerName www.mydomain.com > > DocumentRoot /usr/local/apache/htdocs > > ErrorLog logs/443-error_log > > > > Listen *:80 > > > > ServerAdmin [EMAIL PROTECTED] > > DocumentRoot /usr/local/apache/www > > ServerName www1.mydomain.com > > ErrorLog logs/80-error_log > > > > > > Can anyone see a conflict or omission in this configuration? Does > anyone have these two modules working together in a reverse proxy > scenario? Any help or suggestions would be appreciated. > > > > Regards, > > Hamid. > > > > PS. Please reply to [EMAIL PROTECTED] as well as to this list. -- Christopher McCrory <[EMAIL PROTECTED]> Pricegrabber __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: mod_ssl & mod_proxy
oh my God i have the exactly the same problem ... the only diference is that my autentication is on Ldap directory in the internal net when a click on link http://host.myinternalnet.com nothing hapen only the loop and the apache dont get a request im sniffing the interfaces but the request dont send ok. any people can help us ??? thanks Alexandre HMajidy wrote: This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the community?s help in resolving it. urn:schemas-microsoft-com:office:office" /> Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Here?s the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Order Allow,Deny Allow from All ProxyRemote * http://1.2.3.4:85 NameVirtualHost * Listen *:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log Listen *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list. begin:vcard n:da Silva Augusto;Alexandre x-mozilla-html:FALSE org:Secretaria de Estado dos Negocios da Fazenda;DTI - Departamento de Tecnologia da Informacao adr:;; version:2.1 email;internet:[EMAIL PROTECTED] title:Administrador de Sistemas Unix x-mozilla-cpt:;3424 fn:Alexandre da Silva Augusto end:vcard
Re: mod_ssl & mod_proxy
Hello... On Thu, 2002-12-05 at 10:12, HMajidy wrote: > This is to report a problem with Apache with mod_ssl and mod_proxy, > and to request the communitys help in resolving it. > > > > Objective: The objective is to set up Apache as a reverse proxy, to > receive encrypted HTTPS traffic over the Internet and to convert it to > HTTP and direct it to a web server through a firewall. > >From what I see, you don't have a proxypass directive, ala: ProxyPass/foohttp://cruella.pricegrabber.com/foo ProxyPassReverse /foohttp://cruella.pricegrabber.com/foo > > > Problem: Apache seems to be redirecting traffic to the virtual hosts > on the local filesystem correctly, but mod_proxy does not seem to send > requests to remote URL (as specified by ProxyRemote directive below). > SSL does display correct certificate from requesting browser. > > > > Troubleshooting Steps Taken: Experimenting with the target URL (IP and > hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) > I have not been able to establish that proxy is doing anything at all. > > Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well > as statically linked in modules. > > > > Heres the system configuration: > > Linux version 2.2.16-22smp > > gcc version egcs-2.91.66 > > Server version: Apache/1.3.27 (Unix) > > Compiled-in modules: > > http_core.c > > mod_env.c > > mod_log_config.c > > mod_mime.c > > mod_negotiation.c > > mod_status.c > > mod_include.c > > mod_autoindex.c > > mod_dir.c > > mod_cgi.c > > mod_asis.c > > mod_imap.c > > mod_actions.c > > mod_userdir.c > > mod_alias.c > > mod_access.c > > mod_auth.c > > mod_proxy.c > > mod_setenvif.c > > mod_ssl.c > > OpenSSL 0.9.6g 9 August 2002 > > > > httpd.conf > > AddModule mod_proxy.c > > > > ProxyRequests off > > NoCache * > > AllowCONNECT 443,80 > > > > Order Allow,Deny > > Allow from All > > > > ProxyRemote * http://1.2.3.4:85 > > > > NameVirtualHost * > > Listen *:443 > > > > SSLEngine on > > ServerName www.mydomain.com > > DocumentRoot /usr/local/apache/htdocs > > ErrorLog logs/443-error_log > > > > Listen *:80 > > > > ServerAdmin [EMAIL PROTECTED] > > DocumentRoot /usr/local/apache/www > > ServerName www1.mydomain.com > > ErrorLog logs/80-error_log > > > > > > Can anyone see a conflict or omission in this configuration? Does > anyone have these two modules working together in a reverse proxy > scenario? Any help or suggestions would be appreciated. > > > > Regards, > > Hamid. > > > > PS. Please reply to [EMAIL PROTECTED] as well as to this list. -- Christopher McCrory <[EMAIL PROTECTED]> Pricegrabber __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl & mod_proxy
This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the communitys help in resolving it. Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Heres the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Order Allow,Deny Allow from All ProxyRemote * http://1.2.3.4:85 NameVirtualHost * Listen *:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log Listen *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list.
SSLProxy* directives (mod_ssl + mod_proxy + mod_headers)
Hello all,
I want to share my latest experiences using mod_ssl + mod_proxy +
mod_headers with you.
We are talking about the following scenario:
Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server
This works with Apache 1.3 (compiled with SSL_EXPERIMENTAL flag) and with
Apache 2.0.
A pitfall is that mod_proxy reads its private key AND its certificate from
the file referenced by SSLProxyMachineCertificateFile.
There seems to be no possibility to have separate files for private key and
certificate. I personally would prefer adding the option
SSLProxyMachineKeyFile.
Do you agree that that would make configuration easier?
The next problem was how to transfer the Web browser's Client Certificate to
the Web server:
Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role: SSL Client --- SSL server | SSL Client --- SSL Server
Client Cert --> transfer e. g. as HTTP Header
I tried to solve this problem using mod_headers, but I wasn't successful.
Apache 1.3 mod_headers seems to be unable to expand environment variables.
Apache 2.0 mod_headers can set Headers with variables like this:
Header set OriginalClientCert "%{SSL_CLIENT_CERT}e"'
But the Web server receives only the Request Headers set with
RequestHeader... and Apache 2.0 mod_headers seems to be unable to expand
environment variables in Request Headers.
Thus I come to the following conclusion (Correct me if I'm wrong!): There is
no way to transfer the Web browser's Client Certificate to the Web server
using mod_headers.
The Stronghold Web server has an enhanced mod_proxy functionality, like Joe
Orton told me. You can set Headers using the following command:
SSLProxyPassEnv MyHeaderName %{SSL_CLIENT_CERT}
IMHO the best solution for the Apache Web server would be to enhance
mod_proxy with the functionality to set Headers based on environment
variables like Stronghold did.
Have I overlooked something?
Is there an easy way to pass the Web browser's client certificate to the Web
server?
Any feedback welcome.
Regards,
Maik
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Re: mod_ssl / mod_proxy interaction
[EMAIL PROTECTED] wrote:
> Could you eloborate on why you say that reverse proxy with SSL won't work?
> We've been running it for years on our Exchange system here, although
> granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on
> my to-do list.
Sure. Here's what I've come up with thus far:
Here's all four possible combinations of accessing exchange OWA. Options
1,2,4 all authenticate and load properly via using IE. Option 3 fails
IIS's auth challenge. This is all *without* SSL. Should {SetEnvIf
User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0} be set for the virual host (recommended for
mod_ssl), IE will only understand the apache reverse proxy when first
proxied through squid. ??? If not proxied first through squid, IE balks,
fails to load the pages (won't even load IIS's auth challenge), spitting
back it's generic "cannot find server" error. I've been trying to get
this thing working now for weeks and have been dealing with the
mod_proxy folks until just this AM when I determined that the above
SetEnvIf flag was causing the problem. I'm currently attempting to
figure out why IIS's auth challenge fails via the apache reverse proxy
but succeeds when proxied first through squid. Nonetheless, put all this
in with SSL (assuming you using the recommended above flag) and things
are broken. Period.
1) direct to exchange/iis
# wget --server-response ebe1.gc.nat/exchange
--11:01:28-- http://ebe1.gc.nat/exchange
=> `exchange'
Resolving ebe1.gc.nat... done.
Connecting to ebe1.gc.nat[10.10.11.23]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Server: Microsoft-IIS/5.0
3 Date: Mon, 30 Sep 2002 15:01:28 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="ebe1.gc.nat"
7 Content-Length: 24
8 Content-Type: text/html
Unknown authentication scheme.
2) exchange/iss via squid
# http_proxy="proxy.gactr.uga.edu:3128" wget --server-response
ebe1.gc.nat/exchange
--11:02:01-- http://ebe1.gc.nat/exchange
=> `exchange'
Resolving proxy.gactr.uga.edu... done.
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 401 Unauthorized
2 Server: Microsoft-IIS/5.0
3 Date: Mon, 30 Sep 2002 15:02:01 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="ebe1.gc.nat"
7 Content-Length: 24
8 Content-Type: text/html
9 X-Cache: MISS from proxy.gactr.uga.edu
10 Proxy-Connection: close
Unknown authentication scheme.
3) apache proxy
# wget --server-response webmail.gactr.uga.edu
--11:02:37-- http://webmail.gactr.uga.edu/
=> `index.html'
Resolving webmail.gactr.uga.edu... done.
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 301 Moved Permanently
2 Date: Mon, 30 Sep 2002 15:02:37 GMT
3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27
mod_ssl/2.8.10 OpenSSL/0.9.6g
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Connection: close
6 Content-Type: text/html; charset=iso-8859-1
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--11:02:37-- http://webmail.gactr.uga.edu/exchange/
=> `index.html'
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Date: Mon, 30 Sep 2002 15:02:37 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="webmail.gactr.uga.edu"
7 Content-Length: 24
8 Content-Type: text/html
9 Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26)
10 X-Cache: MISS from webmail.gactr.uga.edu
11 Keep-Alive: timeout=15, max=100
12 Connection: Keep-Alive
Unknown authentication scheme.
4) apache proxy via squid
# http_proxy="proxy.gactr.uga.edu:3128" wget --server-response
webmail.gactr.uga.edu
--11:03:06-- http://webmail.gactr.uga.edu/
=> `index.html'
Resolving proxy.gactr.uga.edu... done.
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 301 Moved Permanently
2 Date: Mon, 30 Sep 2002 15:03:06 GMT
3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27
mod_ssl/2.8.10 OpenSSL/0.9.6g
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Content-Type: text/html; charset=iso-8859-1
6 X-Cache: MISS from proxy.gactr.uga.edu
7 Proxy-Connection: close
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--11:03:06-- http://webmail.gactr.uga.edu/exchange/
=> `index.html'
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 401 Unauthorized
2 Date: Mon, 30 Sep 2002 15:03:06 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Aut
RE: mod_ssl / mod_proxy interaction
Could you eloborate on why you say that reverse proxy with SSL won't work? We've been running it for years on our Exchange system here, although granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on my to-do list. Thank you. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] Theories of evolution are like buses - there'll be another one along in a minute > -Original Message- > From: Robin P. Blanchard [mailto:[EMAIL PROTECTED]] > Sent: 30 September 2002 14:29 > To: [EMAIL PROTECTED] > Subject: mod_ssl / mod_proxy interaction > > > > in effort to eventually setup a secure apache reverse proxy > for exchange > 2000's OWA, i've run into the following dilemma > > per the mod-ssl docs, i had the following declared globally: > SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown > downgrade-1.0 force-response-1.0 > > and realised after much wailing and gnashing of teeth that that line > caused the following (non-ssl) virtual host failed to operate > correctly > under IE: > > Listen 10.10.10.99:80 > >ServerName webmail.gactr.uga.edu >UseCanonicalNameOff >CustomLog /tmp/webmail-trans.log combined >ErrorLog/tmp/webmail-error.log > >RedirectPermanent / http://webmail.gactr.uga.edu/exchange/ >ProxyRequests Off >ProxyVia Full >ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/ >ProxyPassReverse /exchange/ > http://webmail.gactr.uga.edu/exchange/ >ProxyPass /public/ http://webmail.gactr.uga.edu/public/ >ProxyPassReverse /public/ > http://webmail.gactr.uga.edu/public/ >ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/ >ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/ >ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/ >ProxyPassReverse /exchweb/ > http://webmail.gactr.uga.edu/exchweb/ > > > > So, I placed User-Agent config out of the global config and into each > SSL config. Now, the exchange 2000 proxy (currently non-SSL) is > correctly handled by IE. Obviously, though, I will be wanting to put > this proxy behind SSL, which I've already determined will not work > (using the mod_ssl recommended settings). Has anyone else run into a > similar situation? Is there a reasonable work-around for this? > > -- > > Robin P. Blanchard > Systems Integration Specialist > Georgia Center for Continuing Education > fon: 706.542.2404 <|> fax: 706.542.6546 > > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl / mod_proxy interaction
in effort to eventually setup a secure apache reverse proxy for exchange 2000's OWA, i've run into the following dilemma per the mod-ssl docs, i had the following declared globally: SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 and realised after much wailing and gnashing of teeth that that line caused the following (non-ssl) virtual host failed to operate correctly under IE: Listen 10.10.10.99:80 ServerName webmail.gactr.uga.edu UseCanonicalNameOff CustomLog /tmp/webmail-trans.log combined ErrorLog/tmp/webmail-error.log RedirectPermanent / http://webmail.gactr.uga.edu/exchange/ ProxyRequests Off ProxyVia Full ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/ ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/ ProxyPass /public/ http://webmail.gactr.uga.edu/public/ ProxyPassReverse /public/ http://webmail.gactr.uga.edu/public/ ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/ ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/ ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/ ProxyPassReverse /exchweb/ http://webmail.gactr.uga.edu/exchweb/ So, I placed User-Agent config out of the global config and into each SSL config. Now, the exchange 2000 proxy (currently non-SSL) is correctly handled by IE. Obviously, though, I will be wanting to put this proxy behind SSL, which I've already determined will not work (using the mod_ssl recommended settings). Has anyone else run into a similar situation? Is there a reasonable work-around for this? -- Robin P. Blanchard Systems Integration Specialist Georgia Center for Continuing Education fon: 706.542.2404 <|> fax: 706.542.6546 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
IBM HTTP/Mod_SSL/Mod_Proxy
Hello group, I have a question that I am at my wits end trying to figure out. I need to find out if it is possible to setup a proxy with SSL on both sides (client<-->proxy and proxy<-->server). I can get SSL from the browser to the proxy to work, but SSL from the proxy to the server does not seem to be working properly or I am not doing something right. I can get normal HTTP pages through the proxy w/o problems, so the proxy works. The only thing I can find is when I look in the logs and I notice that the GET commands are all in HTTP form, not HTTPS, so it would appear that that is the problem but I am not sure. Any testimonials saying if it will work or not would be helpful. Setup: Browser > Proxy >WWW Server SSLSSLNo SSL Proxy= AIX 4.3 running IBM HTTPServer with mod_ssl and mod_proxy loaded WWW Server =Win2k with IIS5 TIA! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl + mod_proxy + mod_auth
I've dredged through the archives, but can't find a reference to the problem I'm having. I've got the standard reverse proxy setup going with client connections via SSL to an apache server that proxies pages (via proxypass) from an internal http server. That works fine. I'd like to do authentication on the apache server as well, but can't get it to work. Here's part of the httpd.conf file: ProxyPass /corporate_rd/ http://sapling/corporate_rd/ ProxyPassReverse /corporate_rd/ http://sapling/corporate_rd/ And later, in the SSL virtual host section: http://sapling/corporate_rd/> AuthType Basic AuthUserFile /home/jayl/tmp/.htpasswd AuthName 'RD' require valid-user When I try to load this from netscape, I get an Error 407, Proxy Authentication Required without being prompted for a passwd. (IE just crashes. :) ) What am I doing wrong? thanks for the help, jay lyerly __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
