Re: Masquerading requests as HTTPS

2005-09-16 Thread Damyan Ivanov
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mark Moseley wrote:
 Howdy. Actually, I don't need any actual SSL functionality. All I need
 to do is to trick everything from the transhandler phase downwards that
 the URL's scheme is 'https' so that redirects have https://, not
 http://, since anyone doing a mod_rewrite or scripted redirect whilst in
 SSL would get shunted back to HTTP otherwise -- and no doubt harass our
 customer support ;)

Wouldn't it be better to parse responses on BigIPs and replace 'http'
with 'https' if redirect is detected? I have no idea how to do this, though.


dam
- --
Damyan Ivanov  0x9725F63B  Creditreform Bulgaria
[EMAIL PROTECTED]  http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993fax: +359(2)920-0994
mob. +359(88)856-6067  ICQ 3028500  [EMAIL PROTECTED]/Gaim
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDKmO+Hqjlqpcl9jsRAjJsAJ9NTs21NvhER2ysYwsC4AXBrceaNACeIF5i
VnpHbJULu9LL5VSkR/dDmbg=
=AGvm
-END PGP SIGNATURE-


Re: Masquerading requests as HTTPS

2005-09-16 Thread Jeff


Wouldn't it be better to parse responses on BigIPs and replace 'http'
with 'https' if redirect is detected? I have no idea how to do this, though.



In your BigIPs Apache httpd.conf you might try:

# bounce to https only)
VirtualHost *
  ServerName  www.mywebsite.com
  Redirectpermanent / https://www.mywebsite.com/
/VirtualHost

Which tells your client browsers to use HTTPS for all requests for the 
relevant website.


Regards
Jeff


Re: Masquerading requests as HTTPS

2005-09-16 Thread Torsten Foertsch
On Friday 16 September 2005 02:05, Mark Moseley wrote:
 Greetings. I've been scouring the list and the net for a solution for this
 but my apologies in advance if I didn't get the search terms right and
 missed a RTFM answer.

 I work for a web hosting company and we recently purchased a pair of
 BigIPs. These have the ability to terminate SSL connections and then send
 regular HTTP to the backend servers (running Apache 1.3.29/mod_perl 1.29
 and making heavy use of transhandlers).

 My question for the list is this:
 Is there any mod_perl-ish to pretend that a request is coming through SSL?
 The main issue I'm facing is that I've got a couple hundred thousands
 users, many using mod_rewrite in .htaccess files (and a potentially very
 very large number and out of my control so modifying them is not an
 option). Since the BigIP is retransmitting the request as HTTP, the scheme
 that the backend server is using is 'http', not 'https'. So if a redirect
 is generated via mod_rewrite, it's redirecting to http://the/url/etc, not
 https://the/url/etc. Presumably people doing redirects via PHP would have
 the same issue. However the URL scheme looks to be somewhat inaccessible
 from $r and if I parse it with Apache::URI and use the scheme method there,
 I don't know of a $r method to set the URI to the modified URI object.

 I've tried setting $ENV{ HTTPS } to 'on', but that didn't help.

 Anybody know of a method I might be missing that would help me out?
 Basically what I'm trying to accomplish is if I see a request coming in on
 port 443, I want to set $r-method( https ) -- and I know there's no
 method called this, but for explanation sake ;)

Maybe in it is sufficient to set $r-subprocess_env(HTTPS='on') in a 
PostReadRequest handler. Maybe even PerlSetEnv outside any Location or 
Directory might help. This will also set environment variables very early. 
$ENV{HTTPS} is not good.

Torsten


pgpvmi7s0OCV7.pgp
Description: PGP signature


Re: Masquerading requests as HTTPS

2005-09-16 Thread Carl Johnstone


Can add my voice to the BigIP should do this school of thought. If it's 
effectively converting HTTPS into HTTP requests for you, then I would expect 
it should be able to rewrite redirects automatically for you too. Same way 
that apache does it in mod_proxy.


However can I also point out that even if you catch redirects, you've still 
potentially got broken HTML etc etc to fix.


Carl



Re: Masquerading requests as HTTPS

2005-09-16 Thread Mark Moseley
On 9/16/05, Torsten Foertsch [EMAIL PROTECTED] wrote:
Maybe in it is sufficient to set $r-subprocess_env(HTTPS='on') in aPostReadRequest handler. Maybe even PerlSetEnv outside any Location orDirectory might help. This will also set environment variables very early.
$ENV{HTTPS} is not good.
Ah, I'd neglected to mention that I was using subprocess_env as well in
the same spot. I just tried PerlSetEnv in the VirtualHost on the
backend server handling port 443 (as well as regular SetEnv for good
measure) but same story.

It's definitely getting set too, since I tacked the HTTPS env var onto
the redirected URL in mod_rewrite and ?on dutifully shows up.

So before the transhandling phase, is there any way to take the URL,
futz with it via Apache::URI, and then reinject that as the URL the
subsequent phases will see (assuming it's not just updating the URL in
modperl alone and that C-based modules can see the change as well, e.g.
mod_rewrite)? 



Re: Masquerading requests as HTTPS

2005-09-16 Thread Mark Moseley
On 9/16/05, Jeff [EMAIL PROTECTED] wrote:
In your BigIPs Apache httpd.conf you might try:# bounce to https only)VirtualHost * ServerNamewww.mywebsite.com Redirectpermanent / 
https://www.mywebsite.com//VirtualHostWhich tells your client browsers to use HTTPS for all requests for therelevant website.
Unfortunately, it doesn't have any configuration options like that.
It's basically a really fancy Layer 7-aware switch. It's got some neat
things like being able to use TCL to goof with the request, but it
doesn't offer much in the way of Apache-like configuration.

We also totally rely on transhandling to direct all Apache requests, so
we don't have separate vhosts for each user, since it's a shared
architecture and 200k+ vhosts would take some time to load ;) 


Re: Masquerading requests as HTTPS

2005-09-16 Thread Mark Moseley
On 9/16/05, Carl Johnstone [EMAIL PROTECTED] wrote:
Can add my voice to the BigIP should do this school of thought. If it'seffectively converting HTTPS into HTTP requests for you, then I would expectit should be able to rewrite redirects automatically for you too. Same way
that apache does it in mod_proxy.However can I also point out that even if you catch redirects, you've stillpotentially got broken HTML etc etc to fix.
That would be cool if it did, but I haven't seen or read about a
feature in it that does that. Even if it did, it might also incorrectly
change redirected URLs, i.e. where the user is explicitly redirecting
to a non-SSL absolute URL in the same domain, as opposed to my issue
where something like mod_rewrite is generating the full URL from part
of a URL, e.g.

RewriteRule test1.htm /test2.htm [R,L]


RE: Masquerading requests as HTTPS

2005-09-15 Thread Badai Aqrandista

Hi Mark,

From my limited knowledge, SSL handshake is processed prior doing the HTTP 
request-response. Therefore, when apache or mod_perl accepts HTTPS requests, 
it can't redirect it over HTTPS unless you create another HTTPS request with 
LWP or WWW::Mechanize, for example.


But if you want to connect to a backend server, why do you need a secure 
connection anyway?


However, other probably know better...

---
Badai Aqrandista
Cheepy (?)


From: Mark Moseley [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: modperl@perl.apache.org
Subject: Masquerading requests as HTTPS
Date: Thu, 15 Sep 2005 17:05:34 -0700

Greetings. I've been scouring the list and the net for a solution for this
but my apologies in advance if I didn't get the search terms right and
missed a RTFM answer.

I work for a web hosting company and we recently purchased a pair of 
BigIPs.

These have the ability to terminate SSL connections and then send regular
HTTP to the backend servers (running Apache 1.3.29/mod_perl 1.29 and making
heavy use of transhandlers).

My question for the list is this:
Is there any mod_perl-ish to pretend that a request is coming through SSL?
The main issue I'm facing is that I've got a couple hundred thousands 
users,
many using mod_rewrite in .htaccess files (and a potentially very very 
large

number and out of my control so modifying them is not an option). Since the
BigIP is retransmitting the request as HTTP, the scheme that the backend
server is using is 'http', not 'https'. So if a redirect is generated via
mod_rewrite, it's redirecting to http://the/url/etc, not 
https://the/url/etc.
Presumably people doing redirects via PHP would have the same issue. 
However

the URL scheme looks to be somewhat inaccessible from $r and if I parse it
with Apache::URI and use the scheme method there, I don't know of a $r
method to set the URI to the modified URI object.

I've tried setting $ENV{ HTTPS } to 'on', but that didn't help.

Anybody know of a method I might be missing that would help me out?
Basically what I'm trying to accomplish is if I see a request coming in on
port 443, I want to set $r-method( https ) -- and I know there's no
method called this, but for explanation sake ;)

Thanks!


_
Sell your car for $9 on carpoint.com.au   
http://www.carpoint.com.au/sellyourcar




Re: Masquerading requests as HTTPS

2005-09-15 Thread Mark Moseley
Howdy. Actually, I don't need any actual SSL functionality. All I need
to do is to trick everything from the transhandler phase downwards that
the URL's scheme is 'https' so that redirects have https://, not
http://, since anyone doing a mod_rewrite or scripted redirect whilst
in SSL would get shunted back to HTTP otherwise -- and no doubt harass
our customer support ;)

So nothing fancy and encrypted, since I'm doing the SSL offloading on
the BigIP (which is sweet). I want to keep the session between the
bigIP and the backend server in regular HTTP.