Re: mod_ssl mod_proxy
Hello... On Thu, 2002-12-05 at 10:12, HMajidy wrote: This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the communitys help in resolving it. Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. From what I see, you don't have a proxypass directive, ala: ProxyPass/foohttp://cruella.pricegrabber.com/foo ProxyPassReverse /foohttp://cruella.pricegrabber.com/foo Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Heres the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c IfModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Directory / Order Allow,Deny Allow from All /Directory ProxyRemote * http://1.2.3.4:85 /IfModule NameVirtualHost * Listen *:443 VirtualHost _default_:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log /VirtualHost Listen *:80 VirtualHost *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log /VirtualHost Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list. -- Christopher McCrory [EMAIL PROTECTED] Pricegrabber __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: mod_ssl mod_proxy
oh my God i have the exactly the same problem ... the only diference is that my autentication is on Ldap directory in the internal net when a click on link http://host.myinternalnet.com nothing hapen only the loop and the apache dont get a request im sniffing the interfaces but the request dont send ok. any people can help us ??? thanks Alexandre HMajidy wrote: This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the community?s help in resolving it. ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Here?s the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c IfModule mod_proxy.c> ProxyRequests off NoCache * AllowCONNECT 443,80 Directory /> Order Allow,Deny Allow from All /Directory> ProxyRemote * http://1.2.3.4:85 /IfModule> NameVirtualHost * Listen *:443 VirtualHost _default_:443> SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log /VirtualHost> Listen *:80 VirtualHost *:80> ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log /VirtualHost> Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list. begin:vcard n:da Silva Augusto;Alexandre x-mozilla-html:FALSE org:Secretaria de Estado dos Negocios da Fazenda;DTI - Departamento de Tecnologia da Informacao adr:;; version:2.1 email;internet:[EMAIL PROTECTED] title:Administrador de Sistemas Unix x-mozilla-cpt:;3424 fn:Alexandre da Silva Augusto end:vcard
RE: mod_ssl mod_proxy
Apache does get the requests in my case, as verified in log files created by CustomLog /usr/local/apache/logs/referer_log refererCustomLog /usr/local/apache/logs/agent_log agent in httpd.conf. BTW, my LDAP authentication is handled by the internal (iPlanet) web server. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of AlexandreSent: Thursday, December 05, 2002 8:53 AMTo: [EMAIL PROTECTED]Subject: Re: mod_ssl mod_proxyoh my God i have the exactly the same problem ... the only diference is that my autentication is on Ldap directory in the internal net when a click on link http://host.myinternalnet.com nothing hapen only the loop and the apache dont get a request im sniffing the interfaces but the request dont send ok. any people can help us ??? thanks Alexandre HMajidy wrote: This is to report a problem with Apache with mod_ssl and mod_proxy, and to request the community?s help in resolving it. ?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" / Objective: The objective is to set up Apache as a reverse proxy, to receive encrypted HTTPS traffic over the Internet and to convert it to HTTP and direct it to a web server through a firewall. Problem: Apache seems to be redirecting traffic to the virtual hosts on the local filesystem correctly, but mod_proxy does not seem to send requests to remote URL (as specified by ProxyRemote directive below). SSL does display correct certificate from requesting browser. Troubleshooting Steps Taken: Experimenting with the target URL (IP and hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I have not been able to establish that proxy is doing anything at all. Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as statically linked in modules. Here?s the system configuration: Linux version 2.2.16-22smp gcc version egcs-2.91.66 Server version: Apache/1.3.27 (Unix) Compiled-in modules: http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c mod_access.c mod_auth.c mod_proxy.c mod_setenvif.c mod_ssl.c OpenSSL 0.9.6g 9 August 2002 httpd.conf AddModule mod_proxy.c IfModule mod_proxy.c ProxyRequests off NoCache * AllowCONNECT 443,80 Directory / Order Allow,Deny Allow from All /Directory ProxyRemote * http://1.2.3.4:85 /IfModule NameVirtualHost * Listen *:443 VirtualHost _default_:443 SSLEngine on ServerName www.mydomain.com DocumentRoot /usr/local/apache/htdocs ErrorLog logs/443-error_log /VirtualHost Listen *:80 VirtualHost *:80 ServerAdmin [EMAIL PROTECTED] DocumentRoot /usr/local/apache/www ServerName www1.mydomain.com ErrorLog logs/80-error_log /VirtualHost Can anyone see a conflict or omission in this configuration? Does anyone have these two modules working together in a reverse proxy scenario? Any help or suggestions would be appreciated. Regards, Hamid. PS. Please reply to [EMAIL PROTECTED] as well as to this list.
RE: mod_ssl / mod_proxy interaction
Could you eloborate on why you say that reverse proxy with SSL won't work? We've been running it for years on our Exchange system here, although granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on my to-do list. Thank you. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] Theories of evolution are like buses - there'll be another one along in a minute -Original Message- From: Robin P. Blanchard [mailto:[EMAIL PROTECTED]] Sent: 30 September 2002 14:29 To: [EMAIL PROTECTED] Subject: mod_ssl / mod_proxy interaction in effort to eventually setup a secure apache reverse proxy for exchange 2000's OWA, i've run into the following dilemma per the mod-ssl docs, i had the following declared globally: SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 and realised after much wailing and gnashing of teeth that that line caused the following (non-ssl) virtual host failed to operate correctly under IE: Listen 10.10.10.99:80 VirtualHost 10.10.10.99:80 ServerName webmail.gactr.uga.edu UseCanonicalNameOff CustomLog /tmp/webmail-trans.log combined ErrorLog/tmp/webmail-error.log RedirectPermanent / http://webmail.gactr.uga.edu/exchange/ ProxyRequests Off ProxyVia Full ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/ ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/ ProxyPass /public/ http://webmail.gactr.uga.edu/public/ ProxyPassReverse /public/ http://webmail.gactr.uga.edu/public/ ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/ ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/ ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/ ProxyPassReverse /exchweb/ http://webmail.gactr.uga.edu/exchweb/ /VirtualHost So, I placed User-Agent config out of the global config and into each SSL config. Now, the exchange 2000 proxy (currently non-SSL) is correctly handled by IE. Obviously, though, I will be wanting to put this proxy behind SSL, which I've already determined will not work (using the mod_ssl recommended settings). Has anyone else run into a similar situation? Is there a reasonable work-around for this? -- Robin P. Blanchard Systems Integration Specialist Georgia Center for Continuing Education fon: 706.542.2404 | fax: 706.542.6546 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: mod_ssl / mod_proxy interaction
[EMAIL PROTECTED] wrote:
Could you eloborate on why you say that reverse proxy with SSL won't work?
We've been running it for years on our Exchange system here, although
granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on
my to-do list.
Sure. Here's what I've come up with thus far:
Here's all four possible combinations of accessing exchange OWA. Options
1,2,4 all authenticate and load properly via using IE. Option 3 fails
IIS's auth challenge. This is all *without* SSL. Should {SetEnvIf
User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0} be set for the virual host (recommended for
mod_ssl), IE will only understand the apache reverse proxy when first
proxied through squid. ??? If not proxied first through squid, IE balks,
fails to load the pages (won't even load IIS's auth challenge), spitting
back it's generic cannot find server error. I've been trying to get
this thing working now for weeks and have been dealing with the
mod_proxy folks until just this AM when I determined that the above
SetEnvIf flag was causing the problem. I'm currently attempting to
figure out why IIS's auth challenge fails via the apache reverse proxy
but succeeds when proxied first through squid. Nonetheless, put all this
in with SSL (assuming you using the recommended above flag) and things
are broken. Period.
1) direct to exchange/iis
# wget --server-response ebe1.gc.nat/exchange
--11:01:28-- http://ebe1.gc.nat/exchange
= `exchange'
Resolving ebe1.gc.nat... done.
Connecting to ebe1.gc.nat[10.10.11.23]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Server: Microsoft-IIS/5.0
3 Date: Mon, 30 Sep 2002 15:01:28 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm=ebe1.gc.nat
7 Content-Length: 24
8 Content-Type: text/html
Unknown authentication scheme.
2) exchange/iss via squid
# http_proxy=proxy.gactr.uga.edu:3128 wget --server-response
ebe1.gc.nat/exchange
--11:02:01-- http://ebe1.gc.nat/exchange
= `exchange'
Resolving proxy.gactr.uga.edu... done.
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 401 Unauthorized
2 Server: Microsoft-IIS/5.0
3 Date: Mon, 30 Sep 2002 15:02:01 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm=ebe1.gc.nat
7 Content-Length: 24
8 Content-Type: text/html
9 X-Cache: MISS from proxy.gactr.uga.edu
10 Proxy-Connection: close
Unknown authentication scheme.
3) apache proxy
# wget --server-response webmail.gactr.uga.edu
--11:02:37-- http://webmail.gactr.uga.edu/
= `index.html'
Resolving webmail.gactr.uga.edu... done.
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 301 Moved Permanently
2 Date: Mon, 30 Sep 2002 15:02:37 GMT
3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27
mod_ssl/2.8.10 OpenSSL/0.9.6g
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Connection: close
6 Content-Type: text/html; charset=iso-8859-1
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--11:02:37-- http://webmail.gactr.uga.edu/exchange/
= `index.html'
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Date: Mon, 30 Sep 2002 15:02:37 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm=webmail.gactr.uga.edu
7 Content-Length: 24
8 Content-Type: text/html
9 Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26)
10 X-Cache: MISS from webmail.gactr.uga.edu
11 Keep-Alive: timeout=15, max=100
12 Connection: Keep-Alive
Unknown authentication scheme.
4) apache proxy via squid
# http_proxy=proxy.gactr.uga.edu:3128 wget --server-response
webmail.gactr.uga.edu
--11:03:06-- http://webmail.gactr.uga.edu/
= `index.html'
Resolving proxy.gactr.uga.edu... done.
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 301 Moved Permanently
2 Date: Mon, 30 Sep 2002 15:03:06 GMT
3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27
mod_ssl/2.8.10 OpenSSL/0.9.6g
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Content-Type: text/html; charset=iso-8859-1
6 X-Cache: MISS from proxy.gactr.uga.edu
7 Proxy-Connection: close
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--11:03:06-- http://webmail.gactr.uga.edu/exchange/
= `index.html'
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 401 Unauthorized
2 Date: Mon, 30 Sep 2002 15:03:06 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6
