Re: [us...@httpd] Reverse Proxy https to http
On Thu, Apr 22, 2010 at 4:31 PM, GB GB wrote:
> basically
>
> this is what the client gets after the POST
> http://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>
> rather than getting
>
> https://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

What the client "gets" after the "post" is not primarily influenced by the apache config. It is the backend that tells the client what it should request (or post to) next. Have a look at your network traffic.

Krist

--
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [us...@httpd] Reverse Proxy https to http
On Thu, Apr 22, 2010 at 9:59 AM, alin vasile wrote:
>>
>> ProxyPassReverse https://10.173.90.167:8443/
>>
> Shouldn't be ProxyPassReverse / https://10.173.90.167:8443/ ?

The other arg is inferred from the context (location container), the two arg form is only required in virtualhost context.

--
Eric Covener
cove...@gmail.com
Re: [us...@httpd] Reverse Proxy https to http
Sorry, I made a mistake when I wrote the URLs before.

basically

this is what the client gets after the POST
http://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

rather than getting

https://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

I copy pasted the info from my httpd.conf to my ssl.conf file and it SEEMS to work. But how do I preserve cookies if the PreserveHost directive is disabled? Take note that when I enable that option, everything that is backend http stops working.

thx

On Thu, Apr 22, 2010 at 10:03 AM, GB GB wrote:
> I don't know why, but when I copy paste my virtualhost info from
> httpd.conf and put in ssl.conf like you it works??!!
>
> thx
Re: [us...@httpd] Reverse Proxy https to http
I don't know why, but when I copy paste my virtualhost info from httpd.conf and put in ssl.conf like you it works??!!

thx

On Thu, Apr 22, 2010 at 9:01 AM, Mauri wrote:
>
> You can investigate on the version. I have this: httpd-2.2.3-31
>
> Please see at ssl.conf top:
>
> LoadModule ssl_module modules/mod_ssl.so
> LoadFile /usr/lib/libxml2.so
> LoadModule proxy_html_module modules/mod_proxy_html.so
> LoadModule xml2enc_module modules/mod_xml2enc.so
>
> Have you loaded this module?
Re: [us...@httpd] Reverse Proxy https to http
Shouldn't be ProxyPassReverse / https://10.173.90.167:8443/ ?

From: GB GB
To: users@httpd.apache.org
Sent: Thu, April 22, 2010 3:56:36 PM
Subject: Re: [us...@httpd] Reverse Proxy https to http

The version I am using is
Server version: Apache/2.0.54
Server built: Sep 23 2005 15:28:48

ProxyHTMLURLMap doesn't work with what I am using.
Re: [us...@httpd] Reverse Proxy https to http
On Thu, Apr 22, 2010 at 2:21 PM, GB GB wrote:
> and in the browser I get the following: The connection has timed out
>
> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

If the browser tries to access the backend directly this is because it was told to do so, probably by the backend itself. Have a look at the HTTP traffic coming from the browser.

When apache is used as a forward proxy it will only forward requests to the backend, and then forward the responses back to the browser. It does not modify the response. If the backend sends a webpage that contains a link that points directly at the backend then you have a problem.

Basically when you have a forward-proxy / backend combination you need to configure the backend so that it knows that it should return correct URLs that point to the frontend.

Krist

--
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Re: [us...@httpd] Reverse Proxy https to http
You can investigate on the version. I have this: httpd-2.2.3-31

Please see at ssl.conf top:

LoadModule ssl_module modules/mod_ssl.so
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so

Have you loaded this module?

2010/4/22 GB GB
> The version I am using is
> Server version: Apache/2.0.54
> Server built: Sep 23 2005 15:28:48
>
> ProxyHTMLURLMap doesn't work with what I am using.
Re: [us...@httpd] Reverse Proxy https to http
The version I am using is
Server version: Apache/2.0.54
Server built: Sep 23 2005 15:28:48

ProxyHTMLURLMap doesn't work with what I am using.

On Thu, Apr 22, 2010 at 8:32 AM, Mauri wrote:
> Hi GB.
>
> I have a similar solution.
>
> Client --> https://mysite.com --> proxy --> http://backend.
>
> the url in the client browser is https://mysite.com.
>
> this is my /etc/httpd/conf.d/ssl.conf:
>
> LoadModule ssl_module modules/mod_ssl.so
> LoadFile /usr/lib/libxml2.so
> LoadModule proxy_html_module modules/mod_proxy_html.so
> LoadModule xml2enc_module modules/mod_xml2enc.so
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout 300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom 256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> NameVirtualHost mysite.com:443
>
> ServerName mysite.com
> ProxyRequests off
> ProxyPass / https://10.173.90.167:8443/
> ProxyHTMLURLMap https://10.173.90.167:8443 /
>
> ProxyPassReverse https://10.173.90.167:8443/
> ProxyHTMLEnable On
> ProxyHTMLURLMap / /
> RequestHeader unset Accept-Encoding
>
> SSLEngine on
> SSLProxyEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
> SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
> SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
>
> SSLOptions +StdEnvVars
>
> SSLOptions +StdEnvVars
>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Re: [us...@httpd] Reverse Proxy https to http
Hi GB.

I have a similar solution.

Client --> https://mysite.com --> proxy --> http://backend.

the url in the client browser is https://mysite.com.

this is my /etc/httpd/conf.d/ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
LoadFile /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost mysite.com:443

ServerName mysite.com
ProxyRequests off
ProxyPass / https://10.173.90.167:8443/
ProxyHTMLURLMap https://10.173.90.167:8443 /

ProxyPassReverse https://10.173.90.167:8443/
ProxyHTMLEnable On
ProxyHTMLURLMap / /
RequestHeader unset Accept-Encoding

SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

2010/4/22 GB GB
> Basically what goes on when the user types in https://mydomain.com/lsw
> he gets an authentication page from the backend application. Once he
> enters his credentials, I notice a POST in the apache logs.
>
> This is what the user types in:
> https://mydomain.com/lsw/clientele/gen/authentification.jsp
> he enters his credentials, then a POST appears in the log :
> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
>
> and in the browser I get the following: The connection has timed out
>
> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>
> the above link doesn't work because it's http rather than https!!
>
> If I add the "s" manually
>
> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
> then it works.
>
> 1) So how can I force the protocol to remain https once the client
> does a POST.
> 2) I have noticed in many examples that people use PreserveHost on, in
> my case, if I activate
> PreserveHost on then I can't even get the first page to work:
>
> Thx in advance
Re: [us...@httpd] Reverse Proxy https to http
Basically what goes on when the user types in https://mydomain.com/lsw he gets an authentication page from the backend application. Once he enters his credentials, I notice a POST in the apache logs.

This is what the user types in:
https://mydomain.com/lsw/clientele/gen/authentification.jsp
he enters his credentials, then a POST appears in the log :
POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302

and in the browser I get the following: The connection has timed out

http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

the above link doesn't work because it's http rather than https!!

If I add the "s" manually

https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
then it works.

1) So how can I force the protocol to remain https once the client does a POST.
2) I have noticed in many examples that people use PreserveHost on, in my case, if I activate PreserveHost on then I can't even get the first page to work:

Thx in advance

On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien wrote:
> On Tue, Apr 20, 2010 at 6:41 PM, GB GB wrote:
>
>> #this for some reason becomes http from client perspective
>> #PreserveHost on does not work with lsw, so I disabled it
>> RewriteRule ^/lsw(.*)$ http://backend2.ca:8082/lsw$1 [NC,P,L]
>> ProxyPassReverse /lsw http://backend2.ca:8082/lsw
>> Redirect permanent /lsw https://mydomain.com/lsw
>
> First of all: Remove the "Redirect Permanent". It's not needed (as
> this virtualhost only gets https requests anyway) and confuses. If you
> want to make sure that people who accidentally land on the http site
> get redirected to https you need to put a redirect in the http virtual
> host.
>
> Secondly: Look at what your backend produces. It is very well possible
> that it passes html pages back to the client that contain http://
> style URLs. RewriteRule only operates on request URLs,
> ProxyPassReverse only on redirects passed back. The content passed
> back by the backend is not modified.
>
> HTH,
>
> Krist
Re: [us...@httpd] Reverse Proxy https to http
On Tue, Apr 20, 2010 at 6:41 PM, GB GB wrote:

> #this for some reason becomes http from client perspective
> #PreserveHost on does not work with lsw, so I disabled it
> RewriteRule ^/lsw(.*)$ http://backend2.ca:8082/lsw$1 [NC,P,L]
> ProxyPassReverse /lsw http://backend2.ca:8082/lsw
> Redirect permanent /lsw https://mydomain.com/lsw

First of all: Remove the "Redirect Permanent". It's not needed (as this virtualhost only gets https requests anyway) and confuses. If you want to make sure that people who accidentally land on the http site get redirected to https you need to put a redirect in the http virtual host.

Secondly: Look at what your backend produces. It is very well possible that it passes html pages back to the client that contain http:// style URLs. RewriteRule only operates on request URLs, ProxyPassReverse only on redirects passed back. The content passed back by the backend is not modified.

HTH,

Krist
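The distinction drawn in the reply above, as an added example that is not part of the original thread and is not mod_proxy's code: a simplified Python model of what ProxyPassReverse does and does not rewrite, usable to audit a backend response for plain-http URLs that would reach the client. The function names, the plain prefix match, the `frontend` parameter and the sample responses are assumptions constructed for illustration.

```python
import re

# ProxyPassReverse mapping from the thread: (front-end path, backend URL prefix)
MAPPINGS = [("/lsw", "http://backend2.ca:8082/lsw")]

def reverse_map(location, mappings, frontend):
    """Model of ProxyPassReverse: rewrite a redirect target only when it
    starts with a configured backend prefix; otherwise pass it through."""
    for path, backend in mappings:
        if location.startswith(backend):
            return frontend + path + location[len(backend):], True
    return location, False

def audit_response(headers, body, mappings=MAPPINGS,
                   frontend="https://mydomain.com"):
    """Return (headers as the client sees them, list of findings).
    frontend is the scheme and host of the virtual host that handled the
    request (assumed here to be the SSL virtual host)."""
    out, findings = dict(headers), []
    if "Location" in headers:
        out["Location"], mapped = reverse_map(headers["Location"],
                                              mappings, frontend)
        if not mapped and headers["Location"].startswith("http://"):
            findings.append("unmapped redirect: " + headers["Location"])
    # The body is never rewritten, so absolute http:// links reach the client.
    for url in re.findall(r"""(?:href|src|action)=["'](http://[^"']+)""", body):
        findings.append("plain-http URL in body: " + url)
    return out, findings

# Constructed sample responses (not captured from the poster's backend).
MATCHING = {"Location":
            "http://backend2.ca:8082/lsw/clientele/ses/pagePersonnelle.jsp"}
NO_PORT = {"Location":
           "http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp"}
BODY = ('<form action="http://backend2.ca:8082/lsw/clientele/gen/'
        'authentification.jsp">')

if __name__ == "__main__":
    for hdrs, body in ((MATCHING, ""), (NO_PORT, ""), ({}, BODY)):
        print(audit_response(hdrs, body))
```

Any finding means the browser is handed a plain-http URL, so the next request, including a session parameter in the query string, leaves the TLS front end.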
[us...@httpd] Reverse Proxy https to http
Hello,

I am trying to configure my proxy to be able to accept HTTPS and forward requests to a backend server which is in HTTP.

user-->(https://mydomain.com/abc)-ssl: [reverse proxy]:http--->http://backend.ca/8082/abc

I want to preserve the URL as https://mydomain.com/abc. I looked at my firewall logs and noticed 6 https sessions and one http. The http session is what is not working in my rewriting, I presume. My goal is to preserve the https protocol client side, although the backend is in http.

Also, when I use PreserveHost on when using https to http, it fails right away BUT https to https works good.

Thx

Here is my config file:

User nobody
Group nobody
ServerAdmin ...@x
ServerName mydomain.com
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
SecServerSignature "Serveur-Web/1.0"
ServerRoot "/usr/apache2"
DocumentRoot "/var/apache2/htdocs"
PidFile /var/apache2/logs/httpd.pid
ScoreBoardFile /var/apache2/logs/httpd.scoreboard
Listen 80
Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

MinSpareServers 10
MaxSpareServers 20
StartServers 10
MaxClients 256
MaxRequestsPerChild 0

StartServers 2
MaxClients 250
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25

LimitRequestBody 10240
LimitRequestFields 40
LimitRequestFieldsize 1500
LimitRequestline 500
CoreDumpDirectory /var/apache2/logs

Options None
AllowOverride None
Order deny,allow
Deny from all

Order allow,deny
Allow from all

Order allow,deny
Allow from all

TypesConfig /etc/apache2/mime.types
DefaultType text/plain
AddEncoding x-compress .Z
AddEncoding x-gzip .gz .tgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
LogLevel notice
ErrorLog syslog:local7
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /var/apache2/logs/error_log
CustomLog /var/apache2/logs/access_log combined
LoadModule ssl_module modules/mod_ssl.so
Include /etc/apache2/ssl.conf
RewriteEngine on
RewriteLog /var/apache2/logs/rewrite.log
RewriteLogLevel 2
RewriteCond %{SERVER_PROTOCOL} !^https [NC]
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,QSA]
NameVirtualHost 10.6.3.205:443
NameVirtualHost 10.6.3.103:443

ServerName mydomain1.com
ServerAlias mydomain1
ProxyBadHeader Ignore
ProxyRequests Off
ProxyPreserveHost On
RewriteEngine On
SSLProxyEngine on
DocumentRoot "/var/apache2/htdocs"
ProxyPass https://mydomain1.com/ https://backend3.ca:44322/
ProxyPass / https://backend3.ca:44322/
ProxyPassReverse https://backend3.ca:44322/ https://mydomain1.com/
LogLevel info
ErrorLog /var/apache2/logs/mydomain1.com.error.log
TransferLog /var/apache2/logs/mydomain1.com.access.log
RewriteLogLevel 0
RewriteLog /var/apache2/logs/mydomain1.com.rewrite.log

ServerName mydomain.com
ServerAlias mydomain
ProxyBadHeader Ignore
ProxyRequests Off
RewriteEngine On
SSLProxyEngine on
RewriteEngine on
RewriteRule ^/lsw2(.*)$ https://backend1.sap.ca:26961/lsw2/$1 [NC,P,L]
# this works

#this for some reason becomes http from client perspective
#PreserveHost on does not work with lsw, so I disabled it
RewriteRule ^/lsw(.*)$ http://backend2.ca:8082/lsw$1 [NC,P,L]
ProxyPassReverse /lsw http://backend2.ca:8082/lsw
Redirect permanent /lsw https://mydomain.com/lsw
LogLevel info
ErrorLog /var/apache2/logs/mydomain.com.error.log
TransferLog /var/apache2/logs/mydomain.com.access.log
RewriteLogLevel 0
RewriteLog /var/apache2/logs/mydomain.com.rewrite.log

LoadModule security_module modules/mod_security.so
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilter hidden
SecFilterForceByteRange 32 126
SecAuditEngine RelevantOnly
SecAuditLog /var/apache2/logs/audit_log
SecFilterDebugLog /var/apache2/logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:500"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilter /etc/passwd
SecFilterSelective ARGS "bin/"
SecFilterSelective ARGS "^(.*)[][\"|\#|\^|\{|\}|<|\||\`|>|\@|\$|\*](.*)$"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"