Re: Masquerading requests as HTTPS
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Mark Moseley wrote: Howdy. Actually, I don't need any actual SSL functionality. All I need to do is to trick everything from the transhandler phase downwards that the URL's scheme is 'https' so that redirects have https://, not http://, since anyone doing a mod_rewrite or scripted redirect whilst in SSL would get shunted back to HTTP otherwise -- and no doubt harass our customer support ;) Wouldn't it be better to parse responses on BigIPs and replace 'http' with 'https' if redirect is detected? I have no idea how to do this, though. dam - -- Damyan Ivanov 0x9725F63B Creditreform Bulgaria [EMAIL PROTECTED] http://www.creditreform.bg/ phone: +359(2)928-2611, 929-3993fax: +359(2)920-0994 mob. +359(88)856-6067 ICQ 3028500 [EMAIL PROTECTED]/Gaim -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFDKmO+Hqjlqpcl9jsRAjJsAJ9NTs21NvhER2ysYwsC4AXBrceaNACeIF5i VnpHbJULu9LL5VSkR/dDmbg= =AGvm -END PGP SIGNATURE-
Re: Masquerading requests as HTTPS
Wouldn't it be better to parse responses on BigIPs and replace 'http' with 'https' if redirect is detected? I have no idea how to do this, though. In your BigIPs Apache httpd.conf you might try: # bounce to https only) VirtualHost * ServerName www.mywebsite.com Redirectpermanent / https://www.mywebsite.com/ /VirtualHost Which tells your client browsers to use HTTPS for all requests for the relevant website. Regards Jeff
Re: Masquerading requests as HTTPS
On Friday 16 September 2005 02:05, Mark Moseley wrote: Greetings. I've been scouring the list and the net for a solution for this but my apologies in advance if I didn't get the search terms right and missed a RTFM answer. I work for a web hosting company and we recently purchased a pair of BigIPs. These have the ability to terminate SSL connections and then send regular HTTP to the backend servers (running Apache 1.3.29/mod_perl 1.29 and making heavy use of transhandlers). My question for the list is this: Is there any mod_perl-ish to pretend that a request is coming through SSL? The main issue I'm facing is that I've got a couple hundred thousands users, many using mod_rewrite in .htaccess files (and a potentially very very large number and out of my control so modifying them is not an option). Since the BigIP is retransmitting the request as HTTP, the scheme that the backend server is using is 'http', not 'https'. So if a redirect is generated via mod_rewrite, it's redirecting to http://the/url/etc, not https://the/url/etc. Presumably people doing redirects via PHP would have the same issue. However the URL scheme looks to be somewhat inaccessible from $r and if I parse it with Apache::URI and use the scheme method there, I don't know of a $r method to set the URI to the modified URI object. I've tried setting $ENV{ HTTPS } to 'on', but that didn't help. Anybody know of a method I might be missing that would help me out? Basically what I'm trying to accomplish is if I see a request coming in on port 443, I want to set $r-method( https ) -- and I know there's no method called this, but for explanation sake ;) Maybe in it is sufficient to set $r-subprocess_env(HTTPS='on') in a PostReadRequest handler. Maybe even PerlSetEnv outside any Location or Directory might help. This will also set environment variables very early. $ENV{HTTPS} is not good. Torsten pgpvmi7s0OCV7.pgp Description: PGP signature
Re: Masquerading requests as HTTPS
Can add my voice to the BigIP should do this school of thought. If it's effectively converting HTTPS into HTTP requests for you, then I would expect it should be able to rewrite redirects automatically for you too. Same way that apache does it in mod_proxy. However can I also point out that even if you catch redirects, you've still potentially got broken HTML etc etc to fix. Carl
Re: Masquerading requests as HTTPS
On 9/16/05, Torsten Foertsch [EMAIL PROTECTED] wrote: Maybe in it is sufficient to set $r-subprocess_env(HTTPS='on') in aPostReadRequest handler. Maybe even PerlSetEnv outside any Location orDirectory might help. This will also set environment variables very early. $ENV{HTTPS} is not good. Ah, I'd neglected to mention that I was using subprocess_env as well in the same spot. I just tried PerlSetEnv in the VirtualHost on the backend server handling port 443 (as well as regular SetEnv for good measure) but same story. It's definitely getting set too, since I tacked the HTTPS env var onto the redirected URL in mod_rewrite and ?on dutifully shows up. So before the transhandling phase, is there any way to take the URL, futz with it via Apache::URI, and then reinject that as the URL the subsequent phases will see (assuming it's not just updating the URL in modperl alone and that C-based modules can see the change as well, e.g. mod_rewrite)?
Re: Masquerading requests as HTTPS
On 9/16/05, Jeff [EMAIL PROTECTED] wrote: In your BigIPs Apache httpd.conf you might try:# bounce to https only)VirtualHost * ServerNamewww.mywebsite.com Redirectpermanent / https://www.mywebsite.com//VirtualHostWhich tells your client browsers to use HTTPS for all requests for therelevant website. Unfortunately, it doesn't have any configuration options like that. It's basically a really fancy Layer 7-aware switch. It's got some neat things like being able to use TCL to goof with the request, but it doesn't offer much in the way of Apache-like configuration. We also totally rely on transhandling to direct all Apache requests, so we don't have separate vhosts for each user, since it's a shared architecture and 200k+ vhosts would take some time to load ;)
Re: Masquerading requests as HTTPS
On 9/16/05, Carl Johnstone [EMAIL PROTECTED] wrote: Can add my voice to the BigIP should do this school of thought. If it'seffectively converting HTTPS into HTTP requests for you, then I would expectit should be able to rewrite redirects automatically for you too. Same way that apache does it in mod_proxy.However can I also point out that even if you catch redirects, you've stillpotentially got broken HTML etc etc to fix. That would be cool if it did, but I haven't seen or read about a feature in it that does that. Even if it did, it might also incorrectly change redirected URLs, i.e. where the user is explicitly redirecting to a non-SSL absolute URL in the same domain, as opposed to my issue where something like mod_rewrite is generating the full URL from part of a URL, e.g. RewriteRule test1.htm /test2.htm [R,L]
RE: Masquerading requests as HTTPS
Hi Mark, From my limited knowledge, SSL handshake is processed prior doing the HTTP request-response. Therefore, when apache or mod_perl accepts HTTPS requests, it can't redirect it over HTTPS unless you create another HTTPS request with LWP or WWW::Mechanize, for example. But if you want to connect to a backend server, why do you need a secure connection anyway? However, other probably know better... --- Badai Aqrandista Cheepy (?) From: Mark Moseley [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: modperl@perl.apache.org Subject: Masquerading requests as HTTPS Date: Thu, 15 Sep 2005 17:05:34 -0700 Greetings. I've been scouring the list and the net for a solution for this but my apologies in advance if I didn't get the search terms right and missed a RTFM answer. I work for a web hosting company and we recently purchased a pair of BigIPs. These have the ability to terminate SSL connections and then send regular HTTP to the backend servers (running Apache 1.3.29/mod_perl 1.29 and making heavy use of transhandlers). My question for the list is this: Is there any mod_perl-ish to pretend that a request is coming through SSL? The main issue I'm facing is that I've got a couple hundred thousands users, many using mod_rewrite in .htaccess files (and a potentially very very large number and out of my control so modifying them is not an option). Since the BigIP is retransmitting the request as HTTP, the scheme that the backend server is using is 'http', not 'https'. So if a redirect is generated via mod_rewrite, it's redirecting to http://the/url/etc, not https://the/url/etc. Presumably people doing redirects via PHP would have the same issue. However the URL scheme looks to be somewhat inaccessible from $r and if I parse it with Apache::URI and use the scheme method there, I don't know of a $r method to set the URI to the modified URI object. I've tried setting $ENV{ HTTPS } to 'on', but that didn't help. Anybody know of a method I might be missing that would help me out? Basically what I'm trying to accomplish is if I see a request coming in on port 443, I want to set $r-method( https ) -- and I know there's no method called this, but for explanation sake ;) Thanks! _ Sell your car for $9 on carpoint.com.au http://www.carpoint.com.au/sellyourcar
Re: Masquerading requests as HTTPS
Howdy. Actually, I don't need any actual SSL functionality. All I need to do is to trick everything from the transhandler phase downwards that the URL's scheme is 'https' so that redirects have https://, not http://, since anyone doing a mod_rewrite or scripted redirect whilst in SSL would get shunted back to HTTP otherwise -- and no doubt harass our customer support ;) So nothing fancy and encrypted, since I'm doing the SSL offloading on the BigIP (which is sweet). I want to keep the session between the bigIP and the backend server in regular HTTP.