Client SSL Proxy Configuration
Hello, I consume web services from an outside-of-my-firewall SSL server that requires clients to be SSL-authenticated (clients must pre-register). My application server resides inside my firewall. I would like to access the aforementioned web services through a proxy in order not to expose my internal server hostname to the outside world. I have tried to set up my SSL connection (e.g., using my client certificate, trusting the web service provider) from within my internal application server with the client certificate generated for the proxy server (as opposed to the hidden application server), but the SSL server would not fall for it. Assuming that my initial approach is not possible, I would like to use an Apache HTTP server as my proxy server/SSL client. My goal is to keep this Apache server thin (i.e., only configuration, no extra Java code). Is there a way to configure mod_proxy and (especially) mod_ssl to do this very thing? Here's my proxy.conf template:

ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from internal_ip_address
</Proxy>

Cheers,
John.
Re: SSL proxy
[EMAIL PROTECTED] wrote:
> I have several web servers currently that all have the same IP, but different host names, and I have an Apache that uses mod_proxy to direct requests to the correct internal server to process the request. I would like to use my Apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that. Is that possible? I have worked with virtual host configuration, and I have tried to set up the SSL stuff so that this will work, but so far I have not been successful. I have tried to search for this, but the closest I have come is proxying to an SSL server. I want to have the proxy server do the SSL stuff for me.

Hi,

you cannot use SSL with virtual hosting, see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47. You'll have to get a dedicated IP for every single SSL host. You could play around with one SSL proxy on your single IP with a common name and do some rewriting according to a URL prefix matching the secure parts of your backend virtual hosts; decide yourself if this config work is worth it.

Regards
Eckard

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Re: SSL proxy
Eckard Wille wrote:
> [EMAIL PROTECTED] wrote:
> > I have several web servers currently that all have the same IP, but different host names, and I have an Apache that uses mod_proxy to direct requests to the correct internal server to process the request. I would like to use my Apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that. Is that possible? I have worked with virtual host configuration, and I have tried to set up the SSL stuff so that this will work, but so far I have not been successful. I have tried to search for this, but the closest I have come is proxying to an SSL server. I want to have the proxy server do the SSL stuff for me.
>
> Hi, you cannot use SSL with virtual hosting, see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47. You'll have to get a dedicated IP for every single SSL host. You could play around with one SSL proxy on your single IP with a common name and do some rewriting according to a URL prefix matching the secure parts of your backend virtual hosts; decide yourself if this config work is worth it.

I thought that using wildcard or multi-CN certificates would work? In this case, only one certificate is needed for a range of vhosts.

--
Gilles CUESTA - Logiciels Libres 69139920
Re: SSL proxy
Cuesta Gilles wrote:
> I thought that using wildcard or multi-CN certificates would work?

No.

> In this case, only one certificate is needed for a range of vhosts.

If you only have one IP this won't make things better, because virtual hosting is still not possible. Wildcard certs do not enable vhosting because the SSL handshake still takes place before the HTTP Host header can be evaluated. They were offered by CAs to make it easier for admins, so they wouldn't have to fiddle around with dozens of certs and their validity management in a mass-hosting environment or for subdomains.

Eckard
Re: SSL proxy
Eckard Wille wrote:
> Cuesta Gilles wrote:
> > I thought that using wildcard or multi-CN certificates would work?
>
> No.
>
> > In this case, only one certificate is needed for a range of vhosts.
>
> If you only have one IP this won't make things better, because virtual hosting is still not possible. Wildcard certs do not enable vhosting because the SSL handshake still takes place before the HTTP Host header can be evaluated. They were offered by CAs to make it easier for admins, so they wouldn't have to fiddle around with dozens of certs and their validity management in a mass-hosting environment or for subdomains.

So what about this?

MULTIPLE CN (SAN) SERVER CERTIFICATES

This type of certificate (also called Subject Alternative Name (SAN)) makes it possible to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required.

http://www.tbs-certificats.com/index.html.en

--
Gilles CUESTA - Logiciels Libres 69139920
Re: SSL proxy
Cuesta Gilles wrote:
> MULTIPLE CN (SAN) SERVER CERTIFICATES
>
> This type of certificate (also called Subject Alternative Name (SAN)) makes it possible to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required.

This only means that one host can have several names by configuring ServerName and ServerAlias, but does not enable virtual hosting.

Eckard
Re: SSL proxy
Eckard Wille wrote:
> Cuesta Gilles wrote:
> > MULTIPLE CN (SAN) SERVER CERTIFICATES
> >
> > This type of certificate (also called Subject Alternative Name (SAN)) makes it possible to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required.
>
> This only means that one host can have several names by configuring ServerName and ServerAlias, but does not enable virtual hosting.

Hi Cuesta,

with some tricks you could achieve your goal by using the preconditions of mod_rewrite rules. If your SSL proxy has one single host entry with such a multi-named cert, it may be possible to rewrite via proxy after a look at the Host header:

RewriteEngine on
RewriteCond %{HTTP_HOST} www.vhost1.com
RewriteRule ^/(.*) http://www.internal.http.vhost1.com/$1 [P]
RewriteCond %{HTTP_HOST} www.vhost2.com
RewriteRule ^/(.*) http://www.internal.http.vhost2.com/$1 [P]

Whether this works for you depends also on the backend webapps, for example whether they are capable of running behind a reverse proxy with a different HTTP scheme (HTTP vs. HTTPS, servername references in HTML, internal redirects...).

Good luck
Eckard
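The dispatch that the RewriteCond/RewriteRule pairs above perform can be shown end to end in a few lines of Python. The block below is an added example, not code from the thread or from mod_rewrite: it assumes the proxy has already completed the TLS handshake with one multi-name certificate (the SAN list, public hostnames and internal backends are constructed for illustration), then parses the decrypted request, normalises the Host header, checks that the name is one the certificate actually covers (including the one-label rule for a wildcard entry) and picks the plain-HTTP backend. Requests without a Host header, for a name the certificate is not valid for, or for a name with no backend are rejected rather than forwarded to a default backend.

```python
"""Pick a backend by Host header after TLS termination behind one SAN certificate.

Added example, not code from the thread. It models in Python what the
RewriteCond %{HTTP_HOST} ... [P] rules do: mod_ssl finishes the handshake with
the proxy's single multi-name certificate, and only then is the decrypted
request's Host header available to choose an internal plain-HTTP backend. The
SAN list, hostnames and backends below are constructed for illustration.
"""
from typing import Dict, Optional, Tuple

# Constructed SAN list the front-end certificate is assumed to carry.
CERT_SANS = ["www.vhost1.com", "www.vhost2.com", "*.example.net"]

# Constructed mapping public name -> internal backend (plain HTTP, as in the thread).
ROUTES = {
    "www.vhost1.com": "http://www.internal.http.vhost1.com",
    "www.vhost2.com": "http://www.internal.http.vhost2.com",
    "shop.example.net": "http://shop.internal.example.net",
}


def normalize_host(host_header: str) -> str:
    """Lower-case the Host value and drop an explicit :port."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. "[::1]:443"
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def san_matches(san: str, host: str) -> bool:
    """Match one dNSName SAN; a leading '*' covers exactly one DNS label."""
    san = san.lower()
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                          # ".example.net"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def host_covered_by_cert(host: str, sans=CERT_SANS) -> bool:
    """True when the presented certificate is valid for this host name."""
    return any(san_matches(s, host) for s in sans)


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into method, target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def route(raw_request: bytes) -> Optional[str]:
    """Return the backend URL for a decrypted request, or None to reject it.

    Rejected: no Host header; a name the certificate is not valid for (the
    browser would have warned, or it is simply not ours); no backend configured.
    """
    _method, target, headers = parse_request_head(raw_request)
    if "host" not in headers:
        return None
    host = normalize_host(headers["host"])
    if not host_covered_by_cert(host) or host not in ROUTES:
        return None
    return ROUTES[host] + target


if __name__ == "__main__":
    for req in (b"GET /login HTTP/1.1\r\nHost: www.vhost1.com\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: a.b.example.net\r\n\r\n"):
        print(req.split(b"\r\n")[1], "->", route(req))
```

The certificate check is what keeps this honest: a client that sends a Host header for a name outside the SAN list has already been warned by its browser, so routing such a request anyway would silently serve a backend under a name the proxy cannot vouch for.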
Re: SSL proxy
It seems like you might be confusing shared infrastructure with a single IP. As others have said, you need a distinct address for each SSL-enabled httpd or proxy, although they can reside on the same hardware. A good example of this is the typical configuration for larger server farms. You find multiple high-availability load balancers in the DMZ for both HTTP and HTTPS using something like ha/keepalived for Linux. These proxy the incoming request back into private address space. The SSL proxies terminate the SSL connection and broker the request on behalf of the user, and everything goes to the private address space in plain HTTP. This allows each of the _real_ web servers to achieve better performance since the SSL overhead is not present. While you can use Apache as an SSL-terminating proxy, I find I get better performance, lower memory utilization and easier configuration using Pound (http://www.apsis.ch/pound/). Using keepalived, I have multiple public IP addresses floating between several hosts and Pound binds HTTPS to those addresses.

Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:
> So what about this?
>
> MULTIPLE CN (SAN) SERVER CERTIFICATES
>
> This type of certificate (also called Subject Alternative Name (SAN)) makes it possible to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required.
>
> http://www.tbs-certificats.com/index.html.en
Re: SSL proxy issues
Hi, first-time mailer but hoping for some good advice from experienced users. Basically I'm looking to implement a solution that will redirect SSL requests coming into my Apache server (listening on 443) and forward them on to a backend server. I have reverse proxying set up but I can't seem to get it to work for HTTPS connections. At the moment, using the current configuration below, an HTTP connection coming into the server on port 80 can be redirected to the HTTPS site configured. But when I click on a login button on that site I'm just getting a blank screen in Firefox, with no errors showing in the logs. Has anyone any ideas, because I've been looking into this for hours now?

Listen 8080
Listen 443
ServerName F00311.eircom.ie
<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>
SSLProxyEngine on
ProxyPass / https://www.365online.com/
ProxyPassReverse / https://www.365online.com/
SSLSessionCache shmcb:d:/Apache2.2/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
<VirtualHost F00311.eircom.ie:443>
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateKeyFile D:\Apache2.2\conf\security\ca.key
    SSLCertificateFile D:\Apache2.2\conf\security\ca.crt
    ServerName F00311.eircom.ie
    SSLProxyEngine on
    ProxyPass / https://www.365online.com/
    ProxyPassReverse / https://www.365online.com/
    SSLProxyVerify none
    SSLProxyProtocol all
    SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
ssl proxy doco for nids/nips (quick howto)
Hey there, thought people might like to note this quick doco on setting up an SSL proxy / SSL accelerator to protect web servers, also allowing NIPS/NIDS to sniff HTTP streams to 'https' servers, among many other benefits. There wasn't much doco online, so I thought I'd write something quick up:

http://miscname.com/public/ssl-proxy/

cheerz
PHee
Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
Hello All,

I want to provide updated information on my earlier described scenario using mod_ssl + mod_proxy + mod_headers:

Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role:  SSL Client  --- SSL Server | SSL Client --- SSL Server

The following discussion focuses on Apache 2.0.43 and 2.0.44. I have implemented a solution to transfer the Web browser's client certificate (and other SSL information) to the backend Web server:

Component: Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role:  SSL Client  --- SSL Server | SSL Client --- SSL Server
Client Cert (and other SSL information) -- transferred as HTTP headers

The problem was that mod_headers' RequestHeader directive didn't really match the requirements.

RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e

is not a practical solution to forward the client's certificate to the backend server for the following reasons:

1. SSL_CLIENT_CERT produces multi-line output and the RequestHeader directive isn't able to transfer it into a correct multi-line HTTP header.
2. The decorations (-----BEGIN/END CERTIFICATE-----) and the multi-line format are not very useful in this scenario.

Therefore I have introduced the option E in addition to e for putting environment variables in headers. The E has the following meaning:

%{FOOBAR}E
    The base64-encoded content of the environment variable FOOBAR. If the environment variable already contains a base64-encoded body (e.g. SSL_CLIENT_CERT) the body will be set as the value of the header variable. The result is in any case a single line of base64 characters only.

This behavior serves two requirements:

1. There is no problem escaping special characters when putting other SSL information in HTTP headers. In many cases, SSL_CLIENT_S_DN will probably contain characters that have to be escaped.
2. It reduces the overhead produced by decorations and the multi-line format.
Here is an example for forwarding the SSL client certificate and other SSL information:

RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}E env=SSL_CLIENT_S_DN
RequestHeader set SSL_CLIENT_CERT_CHAIN_0 %{SSL_CLIENT_CERT_CHAIN_0}E env=SSL_CLIENT_CERT_CHAIN_0
RequestHeader set SSL_CLIENT_CERT_CHAIN_1 %{SSL_CLIENT_CERT_CHAIN_1}E env=SSL_CLIENT_CERT_CHAIN_1
RequestHeader set SSL_CIPHER_USEKEYSIZE %{SSL_CIPHER_USEKEYSIZE}e env=SSL_CIPHER_USEKEYSIZE
RequestHeader set SSL_CIPHER_SUITE %{SSL_CIPHER}e env=SSL_CIPHER

To make this work I also patched two other things:

1. mod_headers' RequestHeader directive wasn't able to take an env clause as a fourth argument, in contrast to the Header directive. I don't know the reason for that behavior, but the env clause seems to work fine with the SSL environment variables for RequestHeader. This was necessary to avoid an empty header if the environment variable isn't present. If there are objections, let me know.
2. SSL_CLIENT_CERT_CHAIN_n is broken. To me it seems that somebody has tried to change SSL_CLIENT_CERT_CHAINn to SSL_CLIENT_CERT_CHAIN_n. However, the introduction of the _ wasn't quite consistent. I patched that and now I can see the intermediate CAs as SSL_CLIENT_CERT_CHAIN_0 to SSL_CLIENT_CERT_CHAIN_n in the environment.

Last but not least, I have updated the mod_headers documentation with the new option E and an example for forwarding the Web browser's client certificate and some other SSL information. I think the described patches and enhancements are quite reasonable and I would like to make them part of the standard Apache distribution. I have already produced a patch file that works for Apache 2.0.43 and 2.0.44. I would appreciate guidance on how to proceed. Comments welcome!

Regards,
Maik

Maik Mueller
Development Architect
SAP
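The following block is an added example, not the SAP patch and not mod_headers code. It reimplements in Python what the proposed %{VAR}E option does (reduce a PEM-decorated value to its base64 body on one line, base64-encode anything else) and the env= gating of the RequestHeader lines above, and adds the check the scheme needs to be safe that the post does not spell out: base64 is encoding, not authentication, so the proxy must drop any SSL_* header the client itself sent before setting its own, and the backend must accept these headers only from the proxy. The header names follow the post; the certificate bytes, DN and cipher name are constructed.

```python
"""Forward client-certificate data to a backend as single-line headers.

Added example, not the SAP patch itself. It reimplements in Python what the
proposed %{VAR}E option does in mod_headers: a PEM-decorated value such as
SSL_CLIENT_CERT is reduced to its base64 body on one line; any other value is
base64-encoded whole. Around it sit the two checks the scheme needs to be safe:
the proxy drops any SSL_* headers the client sent (base64 is encoding, not
authentication, so without this a client could claim any certificate), and the
backend decodes the header back to DER. The 'certificate' bytes are constructed.
"""
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN [^-]+-----\s*(?P<body>.*?)\s*-----END [^-]+-----", re.S)


def env_to_header_value(value: str) -> str:
    """Mimic %{VAR}E: always one line of base64 characters."""
    m = PEM_RE.search(value)
    if m:
        # Already base64 between PEM decorations: keep only the body, unwrapped.
        return "".join(m.group("body").split())
    # Anything else (a DN with commas, slashes, non-ASCII) is encoded whole.
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


# (header, env var, option, env= condition) mirroring the RequestHeader lines above.
FORWARDED = [
    ("SSL_CLIENT_CERT",         "SSL_CLIENT_CERT",         "E", "SSL_CLIENT_S_DN"),
    ("SSL_CLIENT_CERT_CHAIN_0", "SSL_CLIENT_CERT_CHAIN_0", "E", "SSL_CLIENT_CERT_CHAIN_0"),
    ("SSL_CIPHER_USEKEYSIZE",   "SSL_CIPHER_USEKEYSIZE",   "e", "SSL_CIPHER_USEKEYSIZE"),
    ("SSL_CIPHER_SUITE",        "SSL_CIPHER",              "e", "SSL_CIPHER"),
]


def build_backend_headers(client_headers: dict, ssl_env: dict) -> dict:
    """Headers the proxy sends on: client copies of owned names are discarded first."""
    owned = {h.lower() for h, _, _, _ in FORWARDED}
    out = {k: v for k, v in client_headers.items() if k.lower() not in owned}
    for header, var, option, cond in FORWARDED:
        if not ssl_env.get(cond):          # env= clause: no header when var is absent
            continue
        raw = ssl_env.get(var, "")
        out[header] = env_to_header_value(raw) if option == "E" else raw
    return out


def decode_forwarded_cert(header_value: str) -> bytes:
    """Backend side: turn the single-line base64 back into DER."""
    return base64.b64decode(header_value, validate=True)


# Constructed stand-in for a DER certificate and its PEM rendering (64-char lines).
FAKE_DER = bytes(range(96))
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(base64.b64encode(FAKE_DER).decode("ascii"), 64))
            + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    hdrs = build_backend_headers(
        {"Host": "backend.internal", "SSL_CLIENT_CERT": "spoofed-by-client"},
        {"SSL_CLIENT_CERT": FAKE_PEM, "SSL_CLIENT_S_DN": "/C=DE/O=SAP/CN=Maik",
         "SSL_CIPHER": "RC4-SHA"},
    )
    for k, v in hdrs.items():
        print(f"{k}: {v[:40]}{'...' if len(v) > 40 else ''}")
    assert decode_forwarded_cert(hdrs["SSL_CLIENT_CERT"]) == FAKE_DER
```

Stripping the client's copy is the proxy's half of the contract; the backend's half is to read these headers only on connections that come from the proxy's address, since anyone who can reach the backend directly can set them freely.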
RE: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
> Cool. Can you please post the patch to the list, so that people can review the code and give their comments.
> -Madhu

No problem! Here is my short README describing the patch and its history from Apache version 2.0.43 to 2.0.44:

Hello!

This is the distribution point for the Apache 2.0 as SSL Intermediary Patch. Currently you need this patch to use Apache 2.0 as a trusted intermediary in configuration with the SAP J2EE Engine. The patch is subject to become part of the standard Apache 2.0 distribution. Feedback welcome!

Maik ([EMAIL PROTECTED])

INSTRUCTIONS:
- extract the Apache 2.0.43 distribution (httpd-2.0.43.tar.gz)
- change directory to httpd-2.0.43
- apply the patch with -p1 (patch -p1 < Apache-2.0.43-SSLintermediary.patch)
- follow the Apache INSTALL instructions

HISTORY:
02-12-30 initial release (available SAP internal)
03-01-07 httpd-2.0.43-patched-as-SSLintermediary.zip added. In this ZIP archive the Apache-2.0.43-SSLintermediary.patch is already applied. More convenient for users not so familiar with the usage of diff/patch.
03-01-08 httpd-2.0.43-win32-src-patched-as-SSLintermediary.zip added. You cannot use the UNIX source to build the WIN32 binaries. This ZIP archive contains the already patched version of httpd-2.0.43-win32-src. Use it to build the WIN32 binaries. If you want to apply Apache-2.0.43-SSLintermediary.patch to the original httpd-2.0.43-win32-src, be aware that you have to convert CR-LFs to CR before applying the patch. In the successfully patched files you can again expand CR to CR-LF.
03-01-20 Bug in base64 padding found. The calculation of the number of padding characters ('=') needed computes wrong results in some cases.
03-02-07 Apache 2.0.44 released. Apache-2.0.44-SSLintermediary.patch corresponds to httpd-2.0.44.tar.gz. The documentation changes are NO longer part of the patch. Download mod_headers_mai.html.en for proposed documentation changes. SSLproxy.conf is a good example for a proxy's mod_ssl configuration.
The SAP proposed header names are use in the example added to the mod_headers documentation (see mod_headers_mai.html.en). And here follows the patch (My proposed changes to the HTML docu are now not included in the patch. Please advice me if and how to post this changes to mod_headers.html.en): --- httpd-2.0.44.ori/modules/metadata/mod_headers.c Mon Nov 4 19:31:57 2002 +++ httpd-2.0.44/modules/metadata/mod_headers.c Fri Feb 7 18:00:18 2003 @@ -109,6 +109,7 @@ #include apr_lib.h #include apr_strings.h #include apr_buckets.h +#include apr_base64.h #include apr_hash.h #define APR_WANT_STRFUNC 
@@ -198,6 +199,62 @@ else return (null); } + +/* Base 64 encoded ASN.1 data is usually tagged with decorations of + * the following style: + * -BEGIN description- + * base64 encoded body + * -END description- + * The defines are used to search for such decorations. + */ +#define DECORATION_MARKER_BEGIN -BEGIN +#define DECORATION_MARKER_END -END +#define DECORATION_EOF_MARKER - + +static const char *header_request_env_varB64(request_rec *r, char *a) +{ + const char *s = apr_table_get(r-subprocess_env,a); + char *pStartBody = NULL; + char *pBehindBody = NULL; + char *ptr; + + if (s) { +/* search for decorations marking encapsulated base64 encoded data */ +ptr = strstr((char *)s, DECORATION_MARKER_BEGIN); +if (ptr) { + ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN), DECORATION_EOF_MARKER); + if (ptr (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0') { + /* explicit check that there are sitll chars in the string */ + pStartBody = ptr + strlen(DECORATION_EOF_MARKER) + 1; + + ptr = strstr(pStartBody, DECORATION_MARKER_END); + if (ptr strstr(ptr, DECORATION_EOF_MARKER)) + pBehindBody = ptr; + } +} + +if (pStartBody pBehindBody) { + /* encapsulated base64 encoded data found */ + /* all except the body will be skipped */ + *pBehindBody = '\0'; + apr_base64_cleanB64(pStartBody); + return pStartBody; +} else { + /* call apr_base64_encode() to encode the data */ + int inlen = strlen(s); + int outsize = apr_base64_encode_len(inlen); + char *encoded = apr_palloc(r-pool, outsize); + int rc = apr_base64_encode(encoded, s, inlen); + if (rc outsize) + return (null); + else + return encoded; +} + } + else +return (null); +} + /* * Config routines */ @@ -407,7 +464,7 @@ /* Handle the envclause on Header */ if (envclause != NULL) { -if (inout != hdr_out) { +if (inout != hdr_out inout != hdr_in) { return error: envclause (env=...) only valid on Header directive; } if (strncasecmp(envclause, env=, 4) != 0) { @@ -448,12 +505,23 @@ return
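Review bot: in the header_request_env_varB64() hunk the decoration-stripping branch writes into the string it got from apr_table_get(r->subprocess_env, a): `*pBehindBody = '\0';` truncates the SSL_CLIENT_CERT value inside the request's environment table, so every later consumer of that variable (a second RequestHeader line, CGI via StdEnvVars, mod_rewrite) sees a certificate with no END line. Copy the body out with apr_pstrndup(r->pool, pStartBody, pBehindBody - pStartBody) instead of casting the const away and editing in place; the pool allocation is already what the else branch does with apr_palloc. The same branch calls apr_base64_cleanB64(), which is not part of apr-util's base64 API (apr_base64_encode/decode and their _len variants are); if the patch adds it, that part is cut off from what was posted along with the last hunk, and it needs to be in the review because a stray CR or space in the body is exactly what the one-character skip after DECORATION_EOF_MARKER leaves behind on the CR-LF sources the README mentions.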
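Review bot: the envclause hunk relaxes the check to accept `env=` on RequestHeader (`inout != hdr_out && inout != hdr_in`), but the error string on the following line still reads "envclause (env=...) only valid on Header directive", which is now wrong for whatever case it still fires on; change it to name both directives. Since RequestHeader now takes a fourth argument, the directive table entry that declares its argument count and the mod_headers documentation (kept outside this patch per the README) need the matching change, otherwise the new clause is never parsed.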
SSL proxy and session caching
Hi, I have the following problem. I configured Apache 2.0.40 + OpenSSL 0.9.6g as a reverse proxy to a secure server (i.e. it receives HTTP requests from clients and sends HTTPS requests to the server), and got some performance problems. I noticed that the HTTPS requests don't reuse SSL sessions, and so one can get reasonable performance only with pages made of few files. Does anybody know if there are simple workarounds to this problem? Thanks in advance.

Claudio Campetto
RE: ssl proxy
Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails (even with just plain HTTP) with 404. To test I use MSIE against the proxy host:

http://www.myprox.com:8080/cgi-bin/myscript

It does work when I point directly at the destination host:

http://www.mydest.com:8080/cgi-bin/myscript

so it does seem just the proxy is not set up right. Maybe I need some special settings on the destination host too? Oh, and I get no access.log entries on the destination box at all.

-----Original Message-----
From: Aryeh Katz [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 27, 2002 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: ssl proxy

> As a followup to below, what directives would be needed to accomplish this proxy or tunnel or whatever I should call it? Incidentally, if it matters, the client here is not a browser - it's just a C program that writes raw HTTP-headered request messages directly. An illustrative example would be great!

In either a virtual host, or the whole server:

ProxyPass / https://login.passport.com/
ProxyPassReverse / https://login.passport.com/

---
Aryeh Katz
VASCO
www.vasco.com
RE: ssl proxy
> Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails (even with just plain HTTP) with 404. To test I use MSIE against the proxy host:
>
> http://www.myprox.com:8080/cgi-bin/myscript
>
> It does work when I point directly at the destination host:
>
> http://www.mydest.com:8080/cgi-bin/myscript

I thought you said that your destination host was SSL. Shouldn't that be httpS://www.mydest.com? Anyway, make sure mod_ssl is loaded and enabled (-DSSL) in your proxy; then it should be able to connect via SSL.

---
Aryeh Katz
VASCO
www.vasco.com
RE: ssl proxy
Owen,

The browser is just for test, to verify that the proxy is working. My ultimate goal does not involve browsers at all - just an app pumping HTTP messages into a proxy that converts to SSL and forwards to an HTTPS client. Anyway, for the test, the only settings I have changed from the default conf file (aside from domain names and emails) are:

on the target: no change
on the proxy: ProxyPass and ProxyPassReverse as was suggested to me by Aryeh. Also on the proxy: the <IfModule mod_proxy.c> clause is uncommented, ProxyRequests On is set, and httpd -l shows the proxy.c module is compiled in.

(And I'm not even trying this with HTTPS/SSL yet, though that is ultimately my goal - I just want to keep it as simple as I can for the first test.)

What I type in the browser is the URL to myscript (see original note below). What I want displayed is simply the output of myscript (which I DO get successfully if I point directly at the destination, again, as I note below).

-george

-----Original Message-----
From: Owen Boyle [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 11:18 AM
To: [EMAIL PROTECTED]
Subject: Re: ssl proxy

Petryczka, George wrote:
> Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails (even with just plain HTTP) with 404. To test I use MSIE against the proxy host:
>
> http://www.myprox.com:8080/cgi-bin/myscript
>
> It does work when I point directly at the destination host:
>
> http://www.mydest.com:8080/cgi-bin/myscript

What do you want to type in the browser? What do you want it to produce? What do your proxy directives look like?

rgds,
Owen Boyle.
RE: ssl proxy
> What I type in the browser is the URL to myscript (see original note below). What I want displayed is simply the output of myscript (which I DO get successfully if I point directly at the destination, again, as I note below).
>
> -george

If you show us your exact proxy directive, it would help. You are probably missing the port. Thus, your ProxyPass (and ProxyPassReverse) should say:

ProxyPass / http://my.dest.com:8080/

Aryeh
---
Aryeh Katz
VASCO
www.vasco.com
RE: ssl proxy
> As a followup to below, what directives would be needed to accomplish this proxy or tunnel or whatever I should call it? Incidentally, if it matters, the client here is not a browser - it's just a C program that writes raw HTTP-headered request messages directly. An illustrative example would be great!

In either a virtual host, or the whole server:

ProxyPass / https://login.passport.com/
ProxyPassReverse / https://login.passport.com/

---
Aryeh Katz
VASCO
www.vasco.com
RE: ssl proxy
> As a followup to below, what directives would be needed to accomplish this proxy or tunnel or whatever I should call it? Incidentally, if it matters, the client here is not a browser - it's just a C program that writes raw HTTP-headered request messages directly. An illustrative example would be great!
>
> > > Can a httpd be set up as a secure proxy? I.e.: forward requests from a client (a client that doesn't get involved with any SSL stuff itself) on to an HTTPS site?
> >
> > Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be done.

No special compile flags are necessary in 1.3.22+ and mod_ssl 2.8.

Aryeh
---
Aryeh Katz
VASCO
www.vasco.com
Re: ssl proxy
> > Can a httpd be set up as a secure proxy? I.e.: forward requests from a client (a client that doesn't get involved with any SSL stuff itself) on to an HTTPS site?
>
> Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be done.

No special compile flags are necessary in 1.3.22+ and mod_ssl 2.8.

Aryeh
---
Aryeh Katz
VASCO
www.vasco.com
ssl proxy
Hello,

Can a httpd be set up as a secure proxy? I.e.: forward requests from a client (a client that doesn't get involved with any SSL stuff itself) on to an HTTPS site?

-george
Re: ssl proxy
On Fri, 17 May 2002, Petryczka, George wrote:
> Can a httpd be set up as a secure proxy? I.e.: forward requests from a client (a client that doesn't get involved with any SSL stuff itself) on to an HTTPS site?

Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be done.

--Cliff
RE: SSL Proxy with Strong Authentication
I don't think client certificates are a strong means of authentication, but you should create one virtual host per reverse proxy (don't forget the Listen xxx directives...) and put these lines in your httpd.conf:

<VirtualHost _default_:xxx>
    SSLEngine on
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth 4
    SSLOptions +FakeBasicAuth +StdEnvVars
    ProxyPass / http://your.destination.host/
    ProxyPassReverse / http://your.destination.host/
    #
    # Restrict access with Certificates
    #
    <Directory proxy:*>
        SSLRequireSSL
        AuthName OpenSCEP
        AuthType Basic
        AuthUserFile /usr/local/apache/auth/proxy1
        require valid-user
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

In the file /usr/local/apache/auth/proxy1 you put one line per client certificate, like this:

CompleteDistinguishedNameInCertificate:xxj31ZMTZzkVA

If you only need to verify that the client has a certificate (from you), you can omit lines 2, 3, 4 and 5 after <Directory proxy:*> and be sure that you have ONLY your CA certificate in ca-bundle.crt.

Regards
Alberto Guglielmo
[EMAIL PROTECTED]
Key Fingerprint: 7EAF 9E34 2838 7C6B EE47 E8F0 FFC5 3CBC 90AA 5EEE
PGP Keys at: http://pgpkeys.mit.edu:11371

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Mike Murray
Sent: Friday, 25 January 2002 0:49
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: SSL Proxy with Strong Authentication

> Hi all,
>
> I'm investigating using Apache and SSL for (reverse) proxying HTTPS requests; however, one of the requirements of the task is to have a strong auth mechanism in place. I had two ideas, both of which have led me to a dead end:
>
> 1. Use the ProxyPass and ProxyPassReverse directives to authorize connections, and requiring client certs to authenticate to the server.
> 2. Using a normal SSL page to authenticate via client certs, and using an .htaccess file in the DocRoot of the proxy server to auth IP addresses.
>
> Both seemed likely, and both have failed. The first because the directives don't work as I had hoped, and the second because I can't find anywhere to put an .htaccess file that makes sense to the Directory proxy section. So, this is a two-part question: first, does anybody have any idea on how to use .htaccess to control access to the proxy, and/or, does anybody have any ideas on what will accomplish this task?
>
> Thanks,
> Mike
> --
> | Mike Murray [EMAIL PROTECTED]
> | Scientific Technologist http://www.nCircle.com
> | nCircle Network Security
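The AuthUserFile line in Alberto's answer works because, with SSLOptions +FakeBasicAuth, mod_ssl hands the client certificate's subject DN to the Basic-auth layer as the user name together with the fixed password "password", and xxj31ZMTZzkVA is the traditional crypt(3) hash of that word with salt "xx". The block below is an added example, not code from the thread or from mod_ssl: it builds such a file from a list of allowed DNs, checks a presented DN against it with the exact-string comparison mod_ssl uses, and reports two things a practitioner should look for. First, a DN that matches only after re-ordering or re-spacing its attributes (the usual cause of an unexplained 403 when certificates come from a differently configured CA). Second, any entry in the file whose hash is not the FakeBasicAuth one, because a file shared with real password logins means every certificate entry is also a Basic-auth account whose password is "password", and every password account can be reached without a certificate wherever that file is reused. The DNs and the extra password account are constructed.

```python
"""Authorize a proxied request by client-certificate DN, mod_ssl FakeBasicAuth style.

Added example, not code from the thread. With SSLOptions +FakeBasicAuth, mod_ssl
presents the certificate subject DN as the Basic-auth user name with the fixed
password "password"; xxj31ZMTZzkVA is crypt("password", "xx"). The DNs below
are constructed.
"""
FAKE_BASIC_AUTH_HASH = "xxj31ZMTZzkVA"   # crypt("password", "xx"): the fixed FakeBasicAuth password


def build_auth_user_file(allowed_dns):
    """One 'DN:hash' line per certificate subject, the format FakeBasicAuth looks up."""
    lines = []
    for dn in allowed_dns:
        if ":" in dn:
            raise ValueError(f"cannot store a DN containing ':' in this file format: {dn}")
        lines.append(f"{dn}:{FAKE_BASIC_AUTH_HASH}")
    return "\n".join(lines) + "\n"


def parse_auth_user_file(text):
    """Return {user_or_dn: hash}; the hash follows the last ':' on the line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, _, pwhash = line.rpartition(":")
        users[name] = pwhash
    return users


def foreign_password_entries(users):
    """Entries whose hash is not the FakeBasicAuth one, i.e. real password accounts.

    If such entries share the file, the converse problem exists too: every
    certificate entry is a Basic-auth account whose password is 'password'.
    """
    return sorted(name for name, h in users.items() if h != FAKE_BASIC_AUTH_HASH)


def _canonical(dn):
    """Order- and case-insensitive view of a '/C=..../O=..../CN=....' DN."""
    return tuple(sorted(p.strip().lower() for p in dn.split("/") if p.strip()))


def authorize_dn(presented_dn, users):
    """Decide as mod_ssl + mod_auth would: exact string match on the DN.

    Returns (allowed, reason). A near miss (same attributes, different order or
    spacing) is reported separately because it is the usual cause of a silent
    403 when certificates come from a differently configured CA.
    """
    if presented_dn in users:
        if users[presented_dn] != FAKE_BASIC_AUTH_HASH:
            return False, "entry is a password account, not a certificate entry"
        return True, "ok"
    near = [name for name in users if _canonical(name) == _canonical(presented_dn)]
    if near:
        return False, f"DN differs only in formatting from file entry {near[0]!r}"
    return False, "DN not in file"


# Constructed data: two certificate subjects plus one ordinary password account
# that ended up in the same file.
EXAMPLE_FILE = build_auth_user_file(
    ["/C=IT/O=Example S.p.A./CN=Alice", "/C=IT/O=Example S.p.A./CN=Bob"]
) + "webuser:$apr1$saltsalt$constructedhash\n"
EXAMPLE_USERS = parse_auth_user_file(EXAMPLE_FILE)

if __name__ == "__main__":
    for dn in ["/C=IT/O=Example S.p.A./CN=Alice", "/O=Example S.p.A./C=IT/CN=Bob", "/CN=Mallory"]:
        print(dn, "->", authorize_dn(dn, EXAMPLE_USERS))
    print("password accounts sharing the file:", foreign_password_entries(EXAMPLE_USERS))
```

The practical rule that follows is the one Alberto's last sentence hints at: keep the FakeBasicAuth file separate from any file used for real password authentication, and keep only your own CA in ca-bundle.crt so that a DN in the file can only be presented by a certificate you issued.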
RE: SSL Proxy with Strong Authentication
This is the kind of thing within the virtual host configuration on the machine you are proxying to:

<LocationMatch />
    Order deny,allow
    Deny from all
    Allow from 10.
    AuthType Basic
    AuthName "Outside users"
    AuthDBUserFile /path/to/dbuserfile
    require valid-user
    satisfy any
</LocationMatch>

This assumes that your internal network is a class A network starting with 10. as defined in RFC1918. Internal users get in immediately. You have to use dbmmanage to manage the dbuserfile. It is a good idea to ensure that the web server has only read-only access to this file. This works because / appears in every single web request, so it will match all requests under your secure site.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Agnostic (Greek) = Ignoramus (Latin)

-----Original Message-----
From: Mike Murray [mailto:[EMAIL PROTECTED]]
Sent: 24 January 2002 23:49
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: SSL Proxy with Strong Authentication
SSL Proxy with Strong Authentication
Hi all,

I'm investigating using Apache and SSL for (reverse) proxying HTTPS requests; however, one of the requirements of the task is to have a strong auth mechanism in place. I had two ideas, both of which have led me to a dead end:

1. Use the ProxyPass and ProxyPassReverse directives to authorize connections, and require client certs to authenticate to the server.
2. Use a normal SSL page to authenticate via client certs, and use an .htaccess file in the DocRoot of the proxy server to auth IP addresses.

Both seemed likely, and both have failed. The first because the directives don't work as I had hoped, and the second because I can't find anywhere to put an .htaccess file that makes sense to the Directory proxy section.

So, this is a two-part question: first, does anybody have any idea on how to use .htaccess to control access to the proxy, and/or, does anybody have any ideas on what will accomplish this task?

Thanks,
Mike
--
| Mike Murray [EMAIL PROTECTED]
| Scientific Technologist http://www.nCircle.com
| nCircle Network Security
RE: filtering SSL proxy?
To answer your first question: I did modify a mod-ssl (2.6.3), mod-proxy enabled Apache Web Server (1.3.12) to intercept HTTPS requests. It worked by intercepting CONNECT requests and then performing the SSL handshaking and proxying the request. It turned out to be a pretty trivial code change, SO FAR. The project was cancelled before extensive testing and before any filtering code was added. As you know, intercepting the requests causes certificate warnings.

My code changes are not at all ready for distribution. Essentially, all I did was "proof of concept". If you configured your browser to use my web server as your HTTPS proxy, it would intercept it, send you a certificate warning and then proxy your request (via HTTPS).

I haven't given a great deal of thought to where and how I'd implement filtering, but I think that given that I intercept CONNECT requests, I'd have to do all the filtering and processing in the proxy connect handler. Other filtering modules wouldn't get a chance at it. There are probably ways around this, and I think that one could intercept the request earlier, change it, and let Apache handle it like any other proxy request; I just didn't do it that way in this instance. If you want more details, I'll try to dig up my code and refresh my memory.

Philosophical Thoughts Follow:

I'm sure there are those who hold strong opinions toward this type of "man-in-the-middle" hack and can add to my list of pros and cons. But, yes, you can do this. Our project had in mind protecting our internal network by filtering out "dangerous" content while allowing our users to surf any site. (Currently we manually control what HTTPS sites are opened through our proxy.)

The cons are:
1) You train your users to ignore certificate warnings. (Although I'll admit to considering hacking our corporate browsers to stop that as well.)
2) You open yourself up to potential liability issues (i.e. if your users access their bank accounts and then claim a change was made that they didn't do, who did it? Your administrators have access to some pretty sensitive information).
3) You now have code that you have to update and modify yourself.
4) And, plainly: is this the RIGHT thing to do?

The pros are:
1) I'm sure you have your own reasons.

Our project was cancelled because of resource issues, but I think it will be back. Furthermore, I'm sure if I don't do it here someone somewhere else will do it. Maybe you?

Deb

-----Original Message-----
From: Scott Miles [mailto:[EMAIL PROTECTED]]
Sent: September 14, 2000 9:01 PM
To: [EMAIL PROTECTED]
Subject: filtering SSL proxy?
filtering SSL proxy?
This may sound like a strange request (and a kludge), but I need to find a way to perform in-transit authentication and filtering based on the content of SSL requests, along with potential dynamic modification of the SSL request. Could modssl be used as a basis to create a type of filtering SSL proxy?

Basically I have two questions:

- Would it be possible (and even better, does anyone know if this has already been done somewhere) to use modssl to encrypt/decrypt ssl proxy requests so that filtering can be performed on the content? I do realize that this would trigger browser alerts for certificate mismatches.
- Is it possible to use apache-modssl as a transparent proxy/firewall, such that it transparently filters all connections to port 443 and proxies them? This isn't critical, as browsers could be reconfigured to specifically point to the proxy, but it would be helpful.

I would appreciate any comments on the level of effort it might take to modify modssl in this way, or if there is any other code package that may be more suited to do this type of work.

For those interested (and I'm sure some are), the intent here is to provide access to various 3rd party web services where our support personnel need to enter customer account numbers. Rather than have our staff handle account numbers, we'd like to be able to let them use virtual account ids that are dynamically replaced with the customer's actual account numbers when transacting with the destination web site.

Thanks
Scott
[EMAIL PROTECTED]
Re: Apache SSL-Proxy with mod_ssl:bad mac decode
On Fri, Sep 01, 2000, Lars Steinke wrote:

> the problem with the bad mac decode error message I posted here earlier seems to be connected with the broken SSL implementation in Netscape Enterprise Server 3.5. As there was no resonance at all, I had to switch to SSL Proxy from http://www.obdev.at/Products/sslproxy.html which features the possibility of enabling some sort of compatibility mode in OpenSSL that gets rid of the bad mac decode message. As there seems to be no mention of this in the mod_ssl documentation my simple question now is: How to enable the OpenSSL compatibility mode for NS Enterprise Server 3.5 in mod_ssl (no, +SSLv2 does not seem to do the trick...)?

What you're speaking about is sslproxy's -C option which internally does:

    SSL_CTX_set_options(sslContext, SSL_OP_ALL);

But mod_ssl actually does the same (see ssl_engine_init.c). So I'm surprised that OpenSSL should behave differently with sslproxy. Can you give more details on how you actually run sslproxy?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: Apache SSL-Proxy with mod_ssl:bad mac decode
On Fri, Sep 01, 2000 at 11:08:51AM +0200, Ralf S. Engelschall wrote:

> What you're speaking about is sslproxy's -C option which internally does: SSL_CTX_set_options(sslContext, SSL_OP_ALL); But mod_ssl actually does the same (see ssl_engine_init.c). So I'm surprised that OpenSSL should behave differently with sslproxy. Can you give more details on how you actually run sslproxy?

Just the way you would expect it:

    sslproxy -L 10.129.0.182 -l 8000 -C -R secure.domain.com -r 443

Accessed via http://10.129.0.182:8000. By the way, when not using -C, sslproxy complains about the bad mac decode just the same...

Regards,
--
Lars Steinke
Technical Support Engineer
abaXX TECHNOLOGY GMBH
Forststraße 7, 70174 Stuttgart, Germany
http://www.abaXX.de
SSL Proxy support - backend through a proxy?
Hi all,

After switching on the experimental code in mod_ssl, it becomes possible to connect to an SSL webserver on the backend using mod_proxy and ProxyPass. I need though to connect to a backend SSL server through an HTTP proxy. Is mod_ssl's mod_proxy integration capable of using the CONNECT method?

An example:

    ProxyRemote connect http://s-proxy.somewhere.com:3128
    ProxyPass / https://www.webserver.com:443/

Is this possible?

Regards,
Graham
--
RE: setting up non-ssl proxy for https use
Could you give me a configuration example of

    web client --HTTPS-- proxy (apache) --HTTPS-- httpd internal

if you have this working already, please? I've not been able to make it work. The Apache documentation appears to say that ProxyPass only supports http.

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 09 February 2000 20:24
To: [EMAIL PROTECTED]
Subject: Re: setting up non-ssl proxy for https use
Re: setting up non-ssl proxy for https use
Dear Rossen,

Thanx for these clear words. From an older thread, which I found in the archives, I thought the scheme

    web client --HTTPS-- proxy (apache) --HTTPS-- httpd internal

should work WITHOUT ssl enabled on the proxy, because http, ftp and connect are just passed by the proxy without additional things to do, and https is in the first instance just a connect request. So, it seems, I did understand something wrong. I will now try to solve my problem by enabling ssl. But this leaves the task unsolved of how I could convince our firewall admin to enable ssl on his proxy to allow us to offer a secure connection, but this is not your problem ;-)

Thanx for all the help and your patience,
Oli
Re: setting up non-ssl proxy for https use
Hi,

It still does not work. I still get "Invalid method in request F" in the proxy's log. Perhaps it is still not clear enough what I would like to do, so I explain it in other words:

I have the following configuration of hosts and requests: Client-Host/Browser (Netscape 4.7) requests https://proxy/html_root/ and I have nothing set up in the Netscape proxy preferences (direct connection to the Internet). The proxy-server (firewall) does not know mod-ssl but mod-proxy and should pass all requests to the internal web-server. The internal web-server has mod-ssl installed.

With the following httpd.conf at the proxy-server:

    <VirtualHost proxy_name:443>
        ProxyVia Block
        ProxyRequests Off
        ProxyPass /html_root/ https://my_server/html_root
        ProxyPassReverse /html_root/ https://my_server/html_root
    </VirtualHost>

and https://proxy/html_root/ as browser URL, I get in the proxy server log the message:

    Invalid method in request F

which indicates that https is spoken on port 443, which is not understood (clear, because the proxy does not know about ssl).

When I use

    <VirtualHost proxy_name:443>
        ProxyVia Block
        ProxyRequests Off
        ProxyPass /html_root/ http://my_server/html_root
        ProxyPassReverse /html_root/ http://my_server/html_root
    </VirtualHost>

(changed https to http) and the URL http://proxy:443/html_root/, it works fine: the request is passed to my_server.

What I do not understand is why in the first configuration the requests are not passed by the proxy to the internal server. That's what I expected regarding the statement of Ralf Engelschall concerning the CONNECT method. Using an additional AllowCONNECT 443 does not help (ok, because it is the default anyway). Also using the NameVirtualHost, ServerName and ServerAlias statements does not change the behaviour.

What makes me crazy is that reading all the help and docs and archives indicates that it is just trivial to do the setup and it should just work "naturally", and after trying and trying I can't get it to work. It is exasperating.

How can I get a request like https://proxy/html_root/ passed from a NON-ssl proxy to a mod-ssl internal server? It is kind of painful to ask the question over and over again, but I still have hope that someone could show me what I have missed.

Thanx,
Oli
--
Oliver Heil
Deutsches Krebsforschungszentrum DKFZ
Molekulare Genomanalyse (H0600)
Im Neuenheimer Feld 506
69120 Heidelberg
Germany
Email [EMAIL PROTECTED]
Re: setting up non-ssl proxy for https use
Hi,

Regarding my experience, it is impossible to run an HTTPS server (including a proxy server) without SSL support. The problem is that your server is receiving not an http request but an HTTPS request. To work with this you have to run an SSL enabled HTTPD. There is no need for your internal HTTPD to be SSL enabled.

If the scheme is:

    web client --HTTPS-- proxy (apache) --HTTP-- httpd internal

then your proxy server has to be SSL enabled. There is no need for your internal one.

If the scheme is:

    web client --HTTPS-- proxy (apache) --HTTPS-- httpd internal

then both your servers have to be SSL enabled.

If the scheme is:

    web client --HTTP-- proxy (apache) --HTTPS-- httpd internal

then only your internal server has to be SSL enabled, but I do not see a reason for one to use a scheme like the last one (to protect yourself from your local network, but not from the Internet ;)

Rossen

Oliver Heil [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/09/00 06:19 AM
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: setting up non-ssl proxy for https use
Re: setting up non-ssl proxy for https use
Hi,

I believed all that you need are the following directives:

    ...
    # removes Via: headers (not necessary) to hide that the request was proxied
    ProxyVia Block
    # do not work as proxy server but just retrieve and forward the requested URLs
    ProxyRequests Off
    # tree substitution
    ProxyPass /html_root https://my_server/html_root
    # adjust the URL in the Location header on HTTP redirect responses (useful some times)
    ProxyPassReverse /html_root https://my_server/html_root
    ...

Rossen

Oliver Heil [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
02/07/00 10:13 AM
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Re: setting up non-ssl proxy for https use
Re: setting up non-ssl proxy for https use
Dear Ralf,

Thanx for the prompt answer, but it still does not help me any further. A year ago you answered a similar problem with the following:

> For the plain HTTPS proxy functionality you don't need mod_ssl, because that's done with the standard HTTP CONNECT method. So all you need is mod_proxy. mod_ssl is only needed when you want to establish a _gateway_, for instance a HTTP-to-HTTPS or HTTPS-to-HTTP gateway or even a HTTPS-to-HTTPS gateway which maps URL trees. But what you're asking about seems to be just the plain HTTPS proxy functionality.

It seems that I just can't get this "plain HTTPS proxy functionality" to run, because the SSL-server works just fine. On the proxy the last directives I tried are:

    ...
    Listen 80
    Listen 443
    ...
    <VirtualHost my_proxy:443>
        NameVirtualHost my_proxy_ip
        ServerName my_proxy_FQDN
        ServerAlias my_proxy_a1 my_proxy_a2
        ProxyRequests On
        ProxyPass /html_root https://my_server/html_root
    </VirtualHost>

Thanx,
Oli
setting up non-ssl proxy for https use
Hi,

I am trying to set up a proxy server (P) without mod-ssl to also proxy https-requests to another machine/server (S) with mod-ssl. Searching through the docs and list-archives, the only hint I found is that it should work naturally with the HTTP CONNECT method, which, I figured out, is used for the https protocol. So, it seems that it should be trivial, but I have no clue anymore after trying several setups.

I always get "connection refused" from the browser. The access log on (P) shows:

    [04/Feb/2000:10:42:23 +0100] "F" 501 365

The access log on (S) shows:

    [04/Feb/2000:10:42:23 +0100] "F / HTTP/1.0" 501 365

The error log on (S) shows:

    Invalid method in request F / HTTP/1.0

Accessing (S) directly works well with either http and https. Accessing (S) via (P) over http works also fine. The apache versions are 1.3.9.

Can someone point me to a solution of how to set up the proxy server or send me an example configuration?

Thanx in advance,
Oliver Heil
Re: setting up non-ssl proxy for https use
On Fri, Feb 04, 2000, Oliver Heil wrote:
> [...] I always get "connection refused" from the browser. The access log on (P) shows "[04/Feb/2000:10:42:23 +0100] "F" 501 365". The access log on (S) shows "[04/Feb/2000:10:42:23 +0100] "F / HTTP/1.0" 501 365". The error log on (S) shows "Invalid method in request F / HTTP/1.0". Accessing (S) direct works well with either http and https. Accessing (S) via (P) over http works also fine. The apache versions are 1.3.9. Can someone point me to a solution of how to setup the proxy server or send me an example configuration?

The error messages indicate that you're speaking HTTPS to a port where no HTTPS is spoken. There only HTTP is spoken which leads to those errors. Make sure your Listen and VirtualHost sections match and that "SSLEngine on" is present in the VirtualHost for HTTPS.

Ralf S. Engelschall  [EMAIL PROTECTED]  www.engelschall.com
RE: ssl proxy .. again
I use the following virtual host configuration to connect certain users over the Internet (real names of systems and IPs have been changed):

    # Proxy to security (security measure)
    <VirtualHost security:443>
    ServerAdmin [EMAIL PROTECTED]
    ServerName security.rnib.org.uk
    # SSL Stuff here ...
    # Auth Stuff here ...
    ErrorLog /var/log/httpd/security-error_log
    TransferLog /var/log/httpd/security-access_log
    ProxyPass / http://real-security/
    </VirtualHost>

This takes a secure connection to the virtual host "security", and proxies all requests to the host "real-security" via http. In this case, the proxy is on the internal network and passwords are encrypted over the 'net. (I've missed out the SSL and Auth bits). In fact, the proxied host "real-security" cannot be contacted directly. The logging is useful for checking that it works.

I believe this is the best you can do, unless another program can "proxy" https. Whereas http is effectively plain text (purists will obviously point out that iso-8859-1 isn't exactly plain text, but I know that!), https is encrypted end to end. To pass data from one https connection to another would make the security next to useless. (Actually I'd like to authenticate users via TACACS+, but that's another question altogether).

John

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 19/01/00 16:57
Subject: ssl proxy .. again

> Hi there,
>
> in the mail archive I found a discussion about using a https connection from browser to proxy, regardless of the request type. ( browser - ssl - proxy - whatever - server). Actually, I am trying to set this up myself, without success so far, and would like to ask, if it can be done somehow.
>
> The reason for doing this is, that I want my users to authenticate against apache through some module ( mod_auth_nds, actually, but it could be any auth module ) and by their authentication / authorization define, who can use which Internet resources. I do not want their NDS password going over the net in plain text, though.
>
> Does anybody know, if / how this can be accomplished?
>
> regards, Andreas [EMAIL PROTECTED]
Re: AW: ssl proxy .. again
Actually I am using a scheme like this one for redirecting public SSL connections to my internal non-SSL network:

    internet -- HTTPS -- apache proxy -- HTTP -- internal network web server

My SSL proxy related directives are:

    ProxyVia Block

    <IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    </IfDefine>

    <IfModule mod_ssl.c>
    SSLSessionCache        dbm:/some_where/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex               file:/some_where/ssl_mutex
    SSLRandomSeed          startup builtin
    SSLLog                 /http_dlog_place/ssl_engine_log
    SSLLogLevel            info
    </IfModule>

    Listen x.x.x.x:y

    <VirtualHost x.x.x.x:y>
    ServerName x.x.x.x
    <IfDefine SSL>
    SSLEngine on
    SSLCertificateFile    /some_where/my.crt
    SSLCertificateKeyFile /some_where/my.key
    </IfDefine>
    <Location />
    <IfDefine SSL>
    SSLRequireSSL
    </IfDefine>
    Order allow,deny
    Allow from c.c.c.c/m mydomain.com
    </Location>
    ProxyRequests Off
    ProxyPass / http://z.z.z.z/path/
    </VirtualHost>

My clients are enabled for a specific network (c.c.c.c/m) and domain (mydomain.com). They have to point to https://x.x.x.x:y/ (you can miss y if you are running SSL enabled HTTPD on port 443).

Rossen

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/20/00 02:53 AM
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: AW: ssl proxy .. again

> .. could you please tell me how you configured your apache? I'm using the same versions, and SSL is running. How do you configure your clients?
>
> Thanx, Andreas
>
> -Original Message-
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, 19 January 2000 22:48
> To: [EMAIL PROTECTED]
> Subject: Re: ssl proxy .. again
>
> Hi,
>
> Is your apache SSL enabled? I've a configuration like this one but without usage of authorization and it works fine for me. I am using apache 1.3.9, mod_ssl 2.4.10 and openssl 0.9.4.
>
> Rossen
>
> [EMAIL PROTECTED]
> Sent by: [EMAIL PROTECTED]
> 01/19/00 11:57 AM
> Please respond to modssl-users
> To: [EMAIL PROTECTED]
> cc:
> Subject: ssl proxy .. again
>
> Hi there,
>
> in the mail archive I found a discussion about using a https connection from browser to proxy, regardless of the request type. ( browser - ssl - proxy - whatever - server). Actually, I am trying to set this up myself, without success so far, and would like to ask, if it can be done somehow.
>
> The reason for doing this is, that I want my users to authenticate against apache through some module ( mod_auth_nds, actually, but it could be any auth module ) and by their authentication / authorization define, who can use which Internet resources. I do not want their NDS password going over the net in plain text, though.
>
> Does anybody know, if / how this can be accomplished?
>
> regards, Andreas [EMAIL PROTECTED]
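The two gateway shapes the thread circles around, Rossen's HTTPS-to-HTTP reverse proxy restricted to a client network and the HTTPS-to-HTTPS mapping Oli could not get working (Ralf's diagnosis: the Listen and VirtualHost must agree and the vhost needs "SSLEngine on"), written out as one added example in current httpd 2.4 syntax. This is not a configuration from any message in this thread; every hostname, address, path and network below is a placeholder, and it assumes mod_ssl, mod_proxy and mod_proxy_http are loaded.

```apache
# Added example in httpd 2.4 syntax; all names, paths and networks are placeholders.
# Assumes mod_ssl, mod_proxy and mod_proxy_http are loaded.
Listen 443

# A gateway is a reverse proxy: ProxyRequests stays Off so the host is not an
# open forward proxy for anyone who can reach port 443.
ProxyRequests Off
# Do not leak the internal hop in a Via: header.
ProxyVia Block

# The address:port here must match a Listen line above; a vhost on :443 without
# SSLEngine on would parse the browser's TLS ClientHello as a bogus HTTP method.
<VirtualHost 192.0.2.10:443>
    ServerName proxy.example.net

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.net.key

    # Same effect as Rossen's "Allow from c.c.c.c/m mydomain.com": either the
    # client network or a reverse-DNS-verified host in the domain may use it.
    <Location "/">
        SSLRequireSSL
        Require ip 10.0.0.0/8
        Require host example.net
    </Location>

    # HTTPS-to-HTTP: TLS is terminated here, the backend is reached in clear
    # over the internal network.
    ProxyPass        "/intranet/" "http://intranet.internal/"
    ProxyPassReverse "/intranet/" "http://intranet.internal/"

    # HTTPS-to-HTTPS: mod_proxy must itself act as a TLS client for https://
    # backends, and should verify the backend's certificate and name so a
    # spoofed internal host cannot receive the proxied requests.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    SSLProxyCheckPeerName on
    ProxyPass        "/html_root/" "https://app.internal/html_root/"
    ProxyPassReverse "/html_root/" "https://app.internal/html_root/"

    ErrorLog  /var/log/httpd/proxy-error_log
    CustomLog /var/log/httpd/proxy-access_log combined
</VirtualHost>
```

Two checks worth running after loading this: `httpd -t` to confirm the vhost parses, and `openssl s_client -connect 192.0.2.10:443` to confirm the port actually completes a TLS handshake. The symptom in Oliver's logs, a request line of "F" rejected as an invalid method, is exactly what appears when the second check would fail, because the browser's handshake bytes are being read by a plain-HTTP listener.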
AW: ssl proxy .. again
.. could you please tell me how you configured your apache? I'm using the same versions, and SSL is running. How do you configure your clients?

Thanx, Andreas

-Original Message-
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, 19 January 2000 22:48
To: [EMAIL PROTECTED]
Subject: Re: ssl proxy .. again

> Hi,
>
> Is your apache SSL enabled? I've a configuration like this one but without usage of authorization and it works fine for me. I am using apache 1.3.9, mod_ssl 2.4.10 and openssl 0.9.4.
>
> Rossen
>
> [EMAIL PROTECTED]
> Sent by: [EMAIL PROTECTED]
> 01/19/00 11:57 AM
> Please respond to modssl-users
> To: [EMAIL PROTECTED]
> cc:
> Subject: ssl proxy .. again
>
> Hi there,
>
> in the mail archive I found a discussion about using a https connection from browser to proxy, regardless of the request type. ( browser - ssl - proxy - whatever - server). Actually, I am trying to set this up myself, without success so far, and would like to ask, if it can be done somehow.
>
> The reason for doing this is, that I want my users to authenticate against apache through some module ( mod_auth_nds, actually, but it could be any auth module ) and by their authentication / authorization define, who can use which Internet resources. I do not want their NDS password going over the net in plain text, though.
>
> Does anybody know, if / how this can be accomplished?
>
> regards, Andreas [EMAIL PROTECTED]
AW: ssl proxy .. again
.. well, I got this running for local pages. But what I want is doing the same thing for proxy requests:

- user is configured to use internet access by proxy
- user wants to surf to www.example.net
- user needs to log into my server
- the authentication should be SSL encrypted
- my server looks up in its config, where this user is allowed to serve to
- server returns page or error

my problem is, that I cannot get the browser to do that..

-Original Message-
From: Cliff Woolley [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, 19 January 2000 21:32
To: [EMAIL PROTECTED]
Subject: Re: ssl proxy .. again

> [EMAIL PROTECTED] 01/19/00 11:57AM
> > The reason for doing this is, that I want my users to authenticate against apache through some module ( mod_auth_nds, actually, but it could be any auth module ) and by their authentication / authorization define, who can use which Internet resources. I do not want their NDS password going over the net in plain text, though.
>
> If I understand what you're wanting, it's straightforward... All you have to do is set it up so that the browser connects to your server with HTTPS to get to the authorization-required pages. At that point, both the request (including the username/password header) and the response (the page itself) are encrypted. Does that make sense? I can explain further...
>
> --Cliff
>
> Cliff Woolley
> Central Systems Software Administrator
> Washington and Lee University
> http://www.wlu.edu/~jwoolley/
> Work: (540) 463-8089   Pager: (540) 462-2303
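What Andreas is asking for, a forward proxy where the browser-to-proxy hop is TLS so the proxy login never crosses the network in clear and the proxy decides per user which sites may be reached, as an added example in httpd 2.4 syntax (not a configuration from this thread or from Cliff's reply). It assumes mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_connect, mod_authn_file and mod_authz_groupfile are loaded, that the client can be configured to talk TLS to its proxy (current browsers accept an `HTTPS proxy.example.net:8443` entry in a PAC file), and that all names, paths, users and groups are placeholders.

```apache
# Added example in httpd 2.4 syntax; names, paths, users and groups are placeholders.
# Assumes mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_connect, mod_authn_file
# and mod_authz_groupfile are loaded.
Listen 8443

# The proxy exists only on a TLS listener, so Proxy-Authorization headers sent by
# the browser are inside the TLS session and are never visible on the wire.
<VirtualHost 192.0.2.10:8443>
    ServerName proxy.example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.net.key

    # Forward proxy: clients send absolute http:// URLs, or CONNECT for https sites.
    ProxyRequests On
    ProxyVia On
    # Tunnel CONNECT only to the HTTPS port, not to arbitrary ports.
    AllowCONNECT 443

    # Baseline: every proxied request, CONNECT included, needs a valid login.
    <Proxy "*">
        AuthType Basic
        AuthName "Internet access"
        AuthUserFile /etc/httpd/proxy.passwd
        Require valid-user
    </Proxy>

    # Per-destination policy: plain-http URLs under this site are limited to
    # members of the "research" group; all other users get 403 from the proxy.
    <Proxy "http://www.example.net/*">
        AuthType Basic
        AuthName "Internet access"
        AuthUserFile  /etc/httpd/proxy.passwd
        AuthGroupFile /etc/httpd/proxy.groups
        Require group research
    </Proxy>

    ErrorLog  /var/log/httpd/fwdproxy-error_log
    CustomLog /var/log/httpd/fwdproxy-access_log combined
</VirtualHost>
```

The access log is the place to confirm the policy works: each proxied request is logged with the authenticated user name, and a denied destination shows up as a 403 from the proxy rather than a response from the origin. Basic authentication is acceptable here only because the listener is TLS-only; the same `<Proxy>` sections on a plain-HTTP listener would expose every password, which is the situation Andreas wants to avoid.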
ssl proxy .. again
Hi there,

in the mail archive I found a discussion about using a https connection from browser to proxy, regardless of the request type. ( browser - ssl - proxy - whatever - server). Actually, I am trying to set this up myself, without success so far, and would like to ask, if it can be done somehow.

The reason for doing this is, that I want my users to authenticate against apache through some module ( mod_auth_nds, actually, but it could be any auth module ) and by their authentication / authorization define, who can use which Internet resources. I do not want their NDS password going over the net in plain text, though.

Does anybody know, if / how this can be accomplished?

regards, Andreas [EMAIL PROTECTED]
Re: ssl proxy .. again
[EMAIL PROTECTED] 01/19/00 11:57AM
> The reason for doing this is, that I want my users to authenticate against apache through some module ( mod_auth_nds, actually, but it could be any auth module ) and by their authentication / authorization define, who can use which Internet resources. I do not want their NDS password going over the net in plain text, though.

If I understand what you're wanting, it's straightforward... All you have to do is set it up so that the browser connects to your server with HTTPS to get to the authorization-required pages. At that point, both the request (including the username/password header) and the response (the page itself) are encrypted. Does that make sense? I can explain further...

--Cliff

Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/
Work: (540) 463-8089   Pager: (540) 462-2303