RE: SSL backend via ProxyRemote (using CONNECT)
-Original Message- From: Yann Ylavic [mailto:ylavic@gmail.com] Sent: Donnerstag, 24. April 2014 15:05 To: httpd Subject: SSL backend via ProxyRemote (using CONNECT) Hello, with the following (chained) configuration : VirtualHost 127.0.0.1:80 ServerName reverse-proxy ProxyPass / https://backend:443/ ProxyRemote * http://proxy:8080 #ProxyRequests off /VirtualHost VirtualHost 127.0.0.1:8080 ServerName forward-proxy ProxyRequests on /VirtualHost VirtualHost 127.0.0.1:443 ServerName backend ## Whatever ### /VirtualHost Then, when the reverse-proxy receives a request-line like : GET /index.php HTTP/1.1 Host: reverse-proxy ... It forwards this one(s) to the backend : CONNECT backend:443 HTTP/1.0 HTTP/1.0 200 Established SSL stream now (note the full URL in the request-line) GET https://backend/index.php HTTP/1.1 Host: backend ... I agree that ProxyRemote is supposed to be a forward proxy (hence the full URL when requesting plain HTTP through it, with GET http://backend/index.php HTTP/1.1), but the final backend is not (and may even refuse full URLs, which is actually a case I'm facing). IMHO this is a flaw of the backend as IMHO full URL's are allowed also in non proxy cases by the RFC. Regards Rüdiger
Re: SSL backend via ProxyRemote (using CONNECT)
On Thu, Apr 24, 2014 at 3:29 PM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: IMHO this is a flaw of the backend as IMHO full URL's are allowed also in non proxy cases by the RFC. I agree, but I can't do anything on the (broken) backend side, proxy only... I can live with my patch, but mod_proxy isn't doing the right thing either, IMHO. Regards, Yann.
Re: SSL backend via ProxyRemote (using CONNECT)
On Thu, Apr 24, 2014 at 3:37 PM, Yann Ylavic ylavic@gmail.com wrote: On Thu, Apr 24, 2014 at 3:29 PM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: IMHO this is a flaw of the backend as IMHO full URL's are allowed also in non proxy cases by the RFC. I agree, but I can't do anything on the (broken) backend side, proxy only... I can live with my patch, but mod_proxy isn't doing the right thing either, IMHO. Moreover, in the case the backend handles full URLs, the host name from there has precedence, which makes the Host header ignored, and may break things like ProxyPreserveHost (suppose IP addresses are used in ProxyPass declarations)... Regards, Yann.