Re: [us...@httpd] Reverse Proxy https to http

2010-04-23 Thread Krist van Besien
On Thu, Apr 22, 2010 at 4:31 PM, GB GB  wrote:
> basically
>
> this is what the client gets after the POST
> http://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>
> rather than getting
>
> https://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

What the client "gets" after the "post" is not primarily influenced by
the apache config. It is the backend that tells the client what it
should request (or post to) next. Have a look at your network traffic.

Krist


-- 
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

-
The official User-To-User support forum of the Apache HTTP Server Project.
See http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
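
The thread's diagnosis is that the backend's redirect decides where the browser goes next, and ProxyPassReverse only rewrites a Location header that starts with its backend URL. The following is an added example, not code from any poster or from the Apache project. The prefix match is a simplified model of mod_proxy, the sample Location headers are constructed from URLs quoted in the thread, and `EXTRA_MAP` is a hypothetical set of additional mappings.

```python
from urllib.parse import urlsplit

# Values quoted in the thread: the public front end and GB's ProxyPassReverse line.
FRONTEND = "https://mydomain.com"
REVERSE_MAP = [("/lsw", "http://backend2.ca:8082/lsw")]  # (front-end path, backend URL)

# Hypothetical extra mappings (assumption, not from the thread) that also catch
# the port-less backend URL and the plain-http form of the public host.
EXTRA_MAP = REVERSE_MAP + [
    ("/lsw", "http://backend2.ca/lsw"),
    ("/lsw", "http://mydomain.com/lsw"),
]

# Constructed Location headers, built from URLs that appear in the thread.
SAMPLES = [
    "http://backend2.ca:8082/lsw/clientele/ses/pagePersonnelle.jsp",
    "http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp",
    "http://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp",
    "/lsw/clientele/ses/pagePersonnelle.jsp",
]


def reverse_map(location, mappings=REVERSE_MAP, frontend=FRONTEND):
    """Simplified model of ProxyPassReverse.

    If the Location value starts with a mapped backend URL, swap that prefix
    for the front-end path and rebuild the URL on the front end's own scheme
    and host. Anything that does not match is passed through untouched.
    """
    for path, backend in mappings:
        if location.lower().startswith(backend.lower()):
            return frontend + path + location[len(backend):]
    return location


def classify(location, mappings=REVERSE_MAP, frontend=FRONTEND):
    """Return (url_the_browser_receives, verdict) for one backend redirect."""
    sent = reverse_map(location, mappings, frontend)
    got = urlsplit(sent)
    if not got.scheme:
        # Relative redirect: the browser resolves it against the https page.
        return sent, "ok-relative"
    front = urlsplit(frontend)
    if got.hostname != front.hostname:
        # Browser is told to contact the backend directly (the timeout GB saw).
        return sent, "leaks-backend-host"
    if got.scheme != front.scheme:
        # Right host, but the post-login URL travels over plain http.
        return sent, "scheme-downgrade"
    return sent, "ok"


def audit(samples=SAMPLES, mappings=REVERSE_MAP):
    """Classify every sample redirect under the given mappings."""
    return [classify(s, mappings) for s in samples]


if __name__ == "__main__":
    for label, mappings in (("thread config", REVERSE_MAP), ("extra mappings", EXTRA_MAP)):
        print(label)
        for raw, (sent, verdict) in zip(SAMPLES, audit(mappings=mappings)):
            print(f"  {verdict:20} {raw} -> {sent}")
```

A `scheme-downgrade` or `leaks-backend-host` verdict on the redirect that follows the login POST means the URL carrying the session parameter leaves the TLS front end.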



Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread Eric Covener
On Thu, Apr 22, 2010 at 9:59 AM, alin vasile  wrote:
>> 
>>     ProxyPassReverse https://10.173.90.167:8443/
>> 

> Shouldn't be ProxyPassReverse / https://10.173.90.167:8443/  ?

The other arg is inferred from the context (location container), the
two arg form is  only required in virtualhost context.


-- 
Eric Covener
cove...@gmail.com




Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread GB GB
Sorry, I made a mistake when I wrote the URLs before.

Basically,

this is what the client gets after the POST:
http://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

rather than getting

https://mydomain.com/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

I copy-pasted the info from my httpd.conf to my ssl.conf file and it
SEEMS to work.
But how do I preserve cookies if the PreserveHost directive is disabled?
Take note that when I enable that option, everything that is backend
http stops working.

thx


On Thu, Apr 22, 2010 at 10:03 AM, GB GB  wrote:
> I don't know why, but when I copy paste my virtualhost info from
> httpd.conf and put in ssl.conf like you it works??!!
>
> thx
>
> On Thu, Apr 22, 2010 at 9:01 AM, Mauri  wrote:
>>
>> u can investigate on the version. I have this: httpd-2.2.3-31
>>
>> Please see at ssl.conf top:
>> 
>> LoadModule ssl_module modules/mod_ssl.so
>> LoadFile   /usr/lib/libxml2.so
>> LoadModule proxy_html_module modules/mod_proxy_html.so
>> LoadModule xml2enc_module modules/mod_xml2enc.so
>> 
>>
>> have u load this module?
>>
>>
>> 2010/4/22 GB GB 
>>>
>>> The version I am using is
>>> Server version: Apache/2.0.54
>>> Server built:   Sep 23 2005 15:28:48
>>>
>>>  ProxyHTMLURLMap doesn't work with what I am using.
>>>
>>>
>>> On Thu, Apr 22, 2010 at 8:32 AM, Mauri  wrote:
>>> > Hi GB.
>>> >
>>> > I have a similar solution.
>>> >
>>> > Client --> https://mysite.com --> proxy --> http://backend.
>>> >
>>> > the url in the client browser is https://mysite.com.
>>> >
>>> > this is my /etc/httpd/conf.d/ssl.conf:
>>> >
>>> >
>>> >
>>> > LoadModule ssl_module modules/mod_ssl.so
>>> > LoadFile   /usr/lib/libxml2.so
>>> > LoadModule proxy_html_module modules/mod_proxy_html.so
>>> > LoadModule xml2enc_module modules/mod_xml2enc.so
>>> > Listen 443
>>> > AddType application/x-x509-ca-cert .crt
>>> > AddType application/x-pkcs7-crl    .crl
>>> > SSLPassPhraseDialog  builtin
>>> > SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
>>> > SSLSessionCacheTimeout  300
>>> > SSLMutex default
>>> > SSLRandomSeed startup file:/dev/urandom  256
>>> > SSLRandomSeed connect builtin
>>> > SSLCryptoDevice builtin
>>> >
>>> > NameVirtualHost mysite.com:443
>>> > 
>>> > ServerName mysite.com
>>> > ProxyRequests off
>>> > ProxyPass / https://10.173.90.167:8443/
>>> > ProxyHTMLURLMap https://10.173.90.167:8443 /
>>> > 
>>> >     ProxyPassReverse https://10.173.90.167:8443/
>>> >     ProxyHTMLEnable On
>>> >     ProxyHTMLURLMap  /  /
>>> >     RequestHeader    unset  Accept-Encoding
>>> > 
>>> >
>>> > SSLEngine on
>>> > SSLProxyEngine on
>>> > SSLProtocol all -SSLv2
>>> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>>> > SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
>>> > SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
>>> > SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
>>> >
>>> > 
>>> >     SSLOptions +StdEnvVars
>>> > 
>>> > 
>>> >     SSLOptions +StdEnvVars
>>> > 
>>> > SetEnvIf User-Agent ".*MSIE.*" \
>>> >  nokeepalive ssl-unclean-shutdown \
>>> >  downgrade-1.0 force-response-1.0
>>> > CustomLog logs/ssl_request_log \
>>> >   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>>> > 
>>> >
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > 2010/4/22 GB GB 
>>> >>
>>> >> Basically what goes on when the user types in https://mydomain.com/lsw
>>> >> he gets an authentification page from the backend application. Once he
>>> >>  enters his credentials, I notice a POST in the apache logs.
>>> >>
>>> >> This is what the user types in:
>>> >> https://mydomain.com/lsw/clientele/gen/authentification.jsp
>>> >> he enters his credentials, then a POST appears in the log :
>>> >> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
>>> >>
>>> >> and in the browser I get the following: The connection has timed out
>>> >>
>>> >>
>>> >>
>>> >> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>>> >>
>>> >> the above link doesn't work because it's http rather than https!!
>>> >>
>>> >> If I add the "s" manually
>>> >>
>>> >>
>>> >> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>>> >>  then it works.
>>> >>
>>> >> 1) So how can I force the protocol to remain https once the client
>>> >> does a POST?
>>> >> 2) I have noticed in many examples that people use PreserveHost on; in
>>> >> my case, if I activate
>>> >> PreserveHost on then I can't even get the first page to work:
>>> >>
>>> >> Thx in advance
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
>>> >>  wrote:
>>> >> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB  wrote:
>>> >> >
>>> >> >
>>> >> >
>>> >> >> #this for some reason becomes http from client perspective
>>> >> >> #PreserveHost on does not work with lsw, so I d

Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread GB GB
I don't know why, but when I copy paste my virtualhost info from
httpd.conf and put in ssl.conf like you it works??!!

thx

On Thu, Apr 22, 2010 at 9:01 AM, Mauri  wrote:
>
> u can investigate on the version. I have this: httpd-2.2.3-31
>
> Please see at ssl.conf top:
> 
> LoadModule ssl_module modules/mod_ssl.so
> LoadFile   /usr/lib/libxml2.so
> LoadModule proxy_html_module modules/mod_proxy_html.so
> LoadModule xml2enc_module modules/mod_xml2enc.so
> 
>
> have u load this module?
>
>
> 2010/4/22 GB GB 
>>
>> The version I am using is
>> Server version: Apache/2.0.54
>> Server built:   Sep 23 2005 15:28:48
>>
>>  ProxyHTMLURLMap doesn't work with what I am using.
>>
>>
>> On Thu, Apr 22, 2010 at 8:32 AM, Mauri  wrote:
>> > Hi GB.
>> >
>> > I have a similar solution.
>> >
>> > Client --> https://mysite.com --> proxy --> http://backend.
>> >
>> > the url in the client browser is https://mysite.com.
>> >
>> > this is my /etc/httpd/conf.d/ssl.conf:
>> >
>> >
>> >
>> > LoadModule ssl_module modules/mod_ssl.so
>> > LoadFile   /usr/lib/libxml2.so
>> > LoadModule proxy_html_module modules/mod_proxy_html.so
>> > LoadModule xml2enc_module modules/mod_xml2enc.so
>> > Listen 443
>> > AddType application/x-x509-ca-cert .crt
>> > AddType application/x-pkcs7-crl    .crl
>> > SSLPassPhraseDialog  builtin
>> > SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
>> > SSLSessionCacheTimeout  300
>> > SSLMutex default
>> > SSLRandomSeed startup file:/dev/urandom  256
>> > SSLRandomSeed connect builtin
>> > SSLCryptoDevice builtin
>> >
>> > NameVirtualHost mysite.com:443
>> > 
>> > ServerName mysite.com
>> > ProxyRequests off
>> > ProxyPass / https://10.173.90.167:8443/
>> > ProxyHTMLURLMap https://10.173.90.167:8443 /
>> > 
>> >     ProxyPassReverse https://10.173.90.167:8443/
>> >     ProxyHTMLEnable On
>> >     ProxyHTMLURLMap  /  /
>> >     RequestHeader    unset  Accept-Encoding
>> > 
>> >
>> > SSLEngine on
>> > SSLProxyEngine on
>> > SSLProtocol all -SSLv2
>> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>> > SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
>> > SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
>> > SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
>> >
>> > 
>> >     SSLOptions +StdEnvVars
>> > 
>> > 
>> >     SSLOptions +StdEnvVars
>> > 
>> > SetEnvIf User-Agent ".*MSIE.*" \
>> >  nokeepalive ssl-unclean-shutdown \
>> >  downgrade-1.0 force-response-1.0
>> > CustomLog logs/ssl_request_log \
>> >   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>> > 
>> >
>> >
>> >
>> >
>> >
>> >
>> > 2010/4/22 GB GB 
>> >>
>> >> Basically what goes on when the user types in https://mydomain.com/lsw
>> >> he gets an authentification page from the backend application. Once he
>> >>  enters his credentials, I notice a POST in the apache logs.
>> >>
>> >> This is what the user types in:
>> >> https://mydomain.com/lsw/clientele/gen/authentification.jsp
>> >> he enters his credentials, then a POST appears in the log :
>> >> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
>> >>
>> >> and in the browser I get the following: The connection has timed out
>> >>
>> >>
>> >>
>> >> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>> >>
>> >> the above link doesn't work because it's http rather than https!!
>> >>
>> >> If I add the "s" manually
>> >>
>> >>
>> >> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>> >>  then it works.
>> >>
>> >> 1) So how can I force the protocol to remain https once the client
>> >> does a POST?
>> >> 2) I have noticed in many examples that people use PreserveHost on; in
>> >> my case, if I activate
>> >> PreserveHost on then I can't even get the first page to work:
>> >>
>> >> Thx in advance
>> >>
>> >>
>> >>
>> >>
>> >> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
>> >>  wrote:
>> >> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB  wrote:
>> >> >
>> >> >
>> >> >
>> >> >> #this for some reason becomes http from client perspective
>> >> >> #PreserveHost on does not work with lsw, so I disabled it
>> >> >> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1     [NC,P,L]
>> >> >> ProxyPassReverse  /lsw          http://backend2.ca:8082/lsw
>> >> >> Redirect permanent /lsw https://mydomain.com/lsw
>> >> >
>> >> > First of all: Remove the "Redirect Permanent". It's not needed (as
>> >> > this virtualhost only gets https requests anyway) and confuses. If
>> >> > you
>> >> > want to make sure that people who accidentally land on the http site
>> >> > get redirected to https you need to put a redirect in the http
>> >> > virtual
>> >> > host.
>> >> >
>> >> > Secondly: Look at what your backend produces. It is very well
>> >> > possible
>> >> > that it passes html pages back to the client that contain http://

Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread alin vasile
Shouldn't be  ProxyPassReverse / https://10.173.90.167:8443/  ?






From: GB GB 
To: users@httpd.apache.org
Sent: Thu, April 22, 2010 3:56:36 PM
Subject: Re: [us...@httpd] Reverse Proxy https to http

The version I am using is
Server version: Apache/2.0.54
Server built:   Sep 23 2005 15:28:48

ProxyHTMLURLMap doesn't work with what I am using.


On Thu, Apr 22, 2010 at 8:32 AM, Mauri  wrote:
> Hi GB.
>
> I have a similar solution.
>
> Client --> https://mysite.com --> proxy --> http://backend.
>
> the url in the client browser is https://mysite.com.
>
> this is my /etc/httpd/conf.d/ssl.conf:
>
>
>
> LoadModule ssl_module modules/mod_ssl.so
> LoadFile   /usr/lib/libxml2.so
> LoadModule proxy_html_module modules/mod_proxy_html.so
> LoadModule xml2enc_module modules/mod_xml2enc.so
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> SSLPassPhraseDialog  builtin
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> NameVirtualHost mysite.com:443
> 
> ServerName mysite.com
> ProxyRequests off
> ProxyPass / https://10.173.90.167:8443/
> ProxyHTMLURLMap https://10.173.90.167:8443 /
> 
> ProxyPassReverse https://10.173.90.167:8443/
> ProxyHTMLEnable On
> ProxyHTMLURLMap  /  /
> RequestHeader    unset  Accept-Encoding
> 
>
> SSLEngine on
> SSLProxyEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
> SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
> SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
>
> 
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
> SetEnvIf User-Agent ".*MSIE.*" \
>  nokeepalive ssl-unclean-shutdown \
>  downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
>   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> 
>
>
>
>
>
>
> 2010/4/22 GB GB 
>>
>> Basically what goes on when the user types in https://mydomain.com/lsw
>> he gets an authentification page from the backend application. Once he
>>  enters his credentials, I notice a POST in the apache logs.
>>
>> This is what the user types in:
>> https://mydomain.com/lsw/clientele/gen/authentification.jsp
>> he enters his credentials, then a POST appears in the log :
>> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
>>
>> and in the browser I get the following: The connection has timed out
>>
>>
>> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>>
>> the above link doesn't work because it's http rather than https!!
>>
>> If I add the "s" manually
>>
>> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>>  then it works.
>>
>> 1) So how can I force the protocol to remain https once the client
>> does a POST?
>> 2) I have noticed in many examples that people use PreserveHost on; in
>> my case, if I activate
>> PreserveHost on then I can't even get the first page to work:
>>
>> Thx in advance
>>
>>
>>
>>
>> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
>>  wrote:
>> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB  wrote:
>> >
>> >
>> >
>> >> #this for some reason becomes http from client perspective
>> >> #PreserveHost on does not work with lsw, so I disabled it
>> >> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1     [NC,P,L]
>> >> ProxyPassReverse  /lsw  http://backend2.ca:8082/lsw
>> >> Redirect permanent /lsw https://mydomain.com/lsw
>> >
>> > First of all: Remove the "Redirect Permanent". It's not needed (as
>> > this virtualhost only gets https requests anyway) and confuses. If you
>> > want to make sure that people who accidentally land on the http site
>> > get redirected to https you need to put a redirect in the http virtual
>> > host.
>> >
>> > Secondly: Look at what your backend produces. It is very well possible
>> > that it passes html pages back to the client that contain http://
>> > style URLs. RewriteRule only operates on request URLs,
>> > ProxyPassReverse only on 

Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread Krist van Besien
On Thu, Apr 22, 2010 at 2:21 PM, GB GB  wrote:

> and in the browser I get the following: The connection has timed out
>
> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

If the browser tries to access the backend directly this is because it
was told to do so, probably by the backend itself. Have a look at the
HTTP traffic coming from the browser.

When apache is used as a forward proxy it will only forward requests
to the backend, and then forward the responses back to the browser. It
does not modify the response. If the backend sends a webpage that
contains a link that points directly at the backend then you have a
problem.

Basically when you have a forward-proxy / backend combination you need
to configure the backend so that it knows that it should return
correct URLs that point to the frontend.

Krist


-- 
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?




Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread Mauri
u can investigate on the version. I have this: httpd-2.2.3-31

Please see at ssl.conf top:

LoadModule ssl_module modules/mod_ssl.so
LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so


have u load this module?


2010/4/22 GB GB 

> The version I am using is
> Server version: Apache/2.0.54
> Server built:   Sep 23 2005 15:28:48
>
>  ProxyHTMLURLMap doesn't work with what I am using.
>
>
> On Thu, Apr 22, 2010 at 8:32 AM, Mauri  wrote:
> > Hi GB.
> >
> > I have a similar solution.
> >
> > Client --> https://mysite.com --> proxy --> http://backend.
> >
> > the url in the client browser is https://mysite.com.
> >
> > this is my /etc/httpd/conf.d/ssl.conf:
> >
> >
> >
> > LoadModule ssl_module modules/mod_ssl.so
> > LoadFile   /usr/lib/libxml2.so
> > LoadModule proxy_html_module modules/mod_proxy_html.so
> > LoadModule xml2enc_module modules/mod_xml2enc.so
> > Listen 443
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl    .crl
> > SSLPassPhraseDialog  builtin
> > SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> > SSLSessionCacheTimeout  300
> > SSLMutex default
> > SSLRandomSeed startup file:/dev/urandom  256
> > SSLRandomSeed connect builtin
> > SSLCryptoDevice builtin
> >
> > NameVirtualHost mysite.com:443
> > 
> > ServerName mysite.com
> > ProxyRequests off
> > ProxyPass / https://10.173.90.167:8443/
> > ProxyHTMLURLMap https://10.173.90.167:8443 /
> > 
> > ProxyPassReverse https://10.173.90.167:8443/
> > ProxyHTMLEnable On
> > ProxyHTMLURLMap  /  /
> > RequestHeader    unset  Accept-Encoding
> > 
> >
> > SSLEngine on
> > SSLProxyEngine on
> > SSLProtocol all -SSLv2
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> > SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
> > SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
> > SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
> >
> > 
> > SSLOptions +StdEnvVars
> > 
> > 
> > SSLOptions +StdEnvVars
> > 
> > SetEnvIf User-Agent ".*MSIE.*" \
> >  nokeepalive ssl-unclean-shutdown \
> >  downgrade-1.0 force-response-1.0
> > CustomLog logs/ssl_request_log \
> >   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > 
> >
> >
> >
> >
> >
> >
> > 2010/4/22 GB GB 
> >>
> >> Basically what goes on when the user types in https://mydomain.com/lsw
> >> he gets an authentification page from the backend application. Once he
> >>  enters his credentials, I notice a POST in the apache logs.
> >>
> >> This is what the user types in:
> >> https://mydomain.com/lsw/clientele/gen/authentification.jsp
> >> he enters his credentials, then a POST appears in the log :
> >> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
> >>
> >> and in the browser I get the following: The connection has timed out
> >>
> >>
> >>
> >> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
> >>
> >> the above link doesn't work because it's http rather than https!!
> >>
> >> If I add the "s" manually
> >>
> >>
> >> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
> >>  then it works.
> >>
> >> 1) So how can I force the protocol to remain https once the client
> >> does a POST?
> >> 2) I have noticed in many examples that people use PreserveHost on; in
> >> my case, if I activate
> >> PreserveHost on then I can't even get the first page to work:
> >>
> >> Thx in advance
> >>
> >>
> >>
> >>
> >> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
> >>  wrote:
> >> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB  wrote:
> >> >
> >> >
> >> >
> >> >> #this for some reason becomes http from client perspective
> >> >> #PreserveHost on does not work with lsw, so I disabled it
> >> >> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1     [NC,P,L]
> >> >> ProxyPassReverse  /lsw  http://backend2.ca:8082/lsw
> >> >> Redirect permanent /lsw https://mydomain.com/lsw
> >> >
> >> > First of all: Remove the "Redirect Permanent". It's not needed (as
> >> > this virtualhost only gets https requests anyway) and confuses. If you
> >> > want to make sure that people who accidentally land on the http site
> >> > get redirected to https you need to put a redirect in the http virtual
> >> > host.
> >> >
> >> > Secondly: Look at what your backend produces. It is very well possible
> >> > that it passes html pages back to the client that contain http://
> >> > style URLs. RewriteRule only operates on request URLs,
> >> > ProxyPassReverse only on redirects passed back. The content passed
> >> > back by the backend is not modified.
> >> >
> >> > HTH,
> >> >
> >> > Krist
> >> >
> >> > --
> >> > krist.vanbes...@gmail.com
> >> > kr...@vanbesien.org
> >> > Bremgarten b. Bern, Switzerland
> >> > --
> >> > A: It r

Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread GB GB
The version I am using is
Server version: Apache/2.0.54
Server built:   Sep 23 2005 15:28:48

 ProxyHTMLURLMap doesn't work with what I am using.


On Thu, Apr 22, 2010 at 8:32 AM, Mauri  wrote:
> Hi GB.
>
> I have a similar solution.
>
> Client --> https://mysite.com --> proxy --> http://backend.
>
> the url in the client browser is https://mysite.com.
>
> this is my /etc/httpd/conf.d/ssl.conf:
>
>
>
> LoadModule ssl_module modules/mod_ssl.so
> LoadFile   /usr/lib/libxml2.so
> LoadModule proxy_html_module modules/mod_proxy_html.so
> LoadModule xml2enc_module modules/mod_xml2enc.so
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> SSLPassPhraseDialog  builtin
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout  300
> SSLMutex default
> SSLRandomSeed startup file:/dev/urandom  256
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> NameVirtualHost mysite.com:443
> 
> ServerName mysite.com
> ProxyRequests off
> ProxyPass / https://10.173.90.167:8443/
> ProxyHTMLURLMap https://10.173.90.167:8443 /
> 
>     ProxyPassReverse https://10.173.90.167:8443/
>     ProxyHTMLEnable On
>     ProxyHTMLURLMap  /  /
>     RequestHeader    unset  Accept-Encoding
> 
>
> SSLEngine on
> SSLProxyEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
> SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
> SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
>
> 
>     SSLOptions +StdEnvVars
> 
> 
>     SSLOptions +StdEnvVars
> 
> SetEnvIf User-Agent ".*MSIE.*" \
>  nokeepalive ssl-unclean-shutdown \
>  downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
>   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> 
>
>
>
>
>
>
> 2010/4/22 GB GB 
>>
>> Basically what goes on when the user types in https://mydomain.com/lsw
>> he gets an authentification page from the backend application. Once he
>>  enters his credentials, I notice a POST in the apache logs.
>>
>> This is what the user types in:
>> https://mydomain.com/lsw/clientele/gen/authentification.jsp
>> he enters his credentials, then a POST appears in the log :
>> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
>>
>> and in the browser I get the following: The connection has timed out
>>
>>
>> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>>
>> the above link doesn't work because it's http rather than https!!
>>
>> If I add the "s" manually
>>
>> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>>  then it works.
>>
>> 1) So how can I force the protocol to remain https once the client
>> does a POST?
>> 2) I have noticed in many examples that people use PreserveHost on; in
>> my case, if I activate
>> PreserveHost on then I can't even get the first page to work:
>>
>> Thx in advance
>>
>>
>>
>>
>> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
>>  wrote:
>> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB  wrote:
>> >
>> >
>> >
>> >> #this for some reason becomes http from client perspective
>> >> #PreserveHost on does not work with lsw, so I disabled it
>> >> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1     [NC,P,L]
>> >> ProxyPassReverse  /lsw          http://backend2.ca:8082/lsw
>> >> Redirect permanent /lsw https://mydomain.com/lsw
>> >
>> > First of all: Remove the "Redirect Permanent". It's not needed (as
>> > this virtualhost only gets https requests anyway) and confuses. If you
>> > want to make sure that people who accidentally land on the http site
>> > get redirected to https you need to put a redirect in the http virtual
>> > host.
>> >
>> > Secondly: Look at what your backend produces. It is very well possible
>> > that it passes html pages back to the client that contain http://
>> > style URLs. RewriteRule only operates on request URLs,
>> > ProxyPassReverse only on redirects passed back. The content passed
>> > back by the backend is not modified.
>> >
>> > HTH,
>> >
>> > Krist
>> >
>> > --
>> > krist.vanbes...@gmail.com
>> > kr...@vanbesien.org
>> > Bremgarten b. Bern, Switzerland
>> > --
>> > A: It reverses the normal flow of conversation.
>> > Q: What's wrong with top-posting?
>> > A: Top-posting.
>> > Q: What's the biggest scourge on plain text email discussions?
>> >

Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread Mauri
Hi GB.

I have a similar solution.

Client --> https://mysite.com --> proxy --> http://backend.

the url in the client browser is https://mysite.com.

this is my /etc/httpd/conf.d/ssl.conf:



LoadModule ssl_module modules/mod_ssl.so
LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost mysite.com:443

ServerName mysite.com
ProxyRequests off
ProxyPass / https://10.173.90.167:8443/
ProxyHTMLURLMap https://10.173.90.167:8443 /

ProxyPassReverse https://10.173.90.167:8443/
ProxyHTMLEnable On
ProxyHTMLURLMap  /  /
RequestHeader    unset  Accept-Encoding


SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"







2010/4/22 GB GB 

> Basically what goes on when the user types in https://mydomain.com/lsw
> he gets an authentification page from the backend application. Once he
>  enters his credentials, I notice a POST in the apache logs.
>
> This is what the user types in:
> https://mydomain.com/lsw/clientele/gen/authentification.jsp
> he enters his credentials, then a POST appears in the log :
> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
>
> and in the browser I get the following: The connection has timed out
>
>
> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>
> the above link doesn't work because it's http rather than https!!
>
> If I add the "s" manually
>
> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>  then it works.
>
> 1) So how can I force the protocol to remain https once the client
> does a POST?
> 2) I have noticed in many examples that people use PreserveHost on; in
> my case, if I activate
> PreserveHost on then I can't even get the first page to work:
>
> Thx in advance
>
>
>
>
> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
>  wrote:
> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB  wrote:
> >
> >
> >
> >> #this for some reason becomes http from client perspective
> >> #PreserveHost on does not work with lsw, so I disabled it
> >> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1     [NC,P,L]
> >> ProxyPassReverse  /lsw  http://backend2.ca:8082/lsw
> >> Redirect permanent /lsw https://mydomain.com/lsw
> >
> > First of all: Remove the "Redirect Permanent". It's not needed (as
> > this virtualhost only gets https requests anyway) and confuses. If you
> > want to make sure that people who accidentally land on the http site
> > get redirected to https you need to put a redirect in the http virtual
> > host.
> >
> > Secondly: Look at what your backend produces. It is very well possible
> > that it passes html pages back to the client that contain http://
> > style URLs. RewriteRule only operates on request URLs,
> > ProxyPassReverse only on redirects passed back. The content passed
> > back by the backend is not modified.
> >
> > HTH,
> >
> > Krist
> >
> > --
> > krist.vanbes...@gmail.com
> > kr...@vanbesien.org
> > Bremgarten b. Bern, Switzerland
> > --
> > A: It reverses the normal flow of conversation.
> > Q: What's wrong with top-posting?
> > A: Top-posting.
> > Q: What's the biggest scourge on plain text email discussions?
> >


Re: [us...@httpd] Reverse Proxy https to http

2010-04-22 Thread GB GB
Basically, what goes on is that when the user types in https://mydomain.com/lsw
he gets an authentication page from the backend application. Once he
enters his credentials, I notice a POST in the Apache logs.

This is what the user types in:
https://mydomain.com/lsw/clientele/gen/authentification.jsp
He enters his credentials, then a POST appears in the log:
POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302

and in the browser I get the following: The connection has timed out

http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P

The above link doesn't work because it's http rather than https!!

If I add the "s" manually
https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
then it works.

1) So how can I force the protocol to remain https once the client
does a POST?
2) I have noticed in many examples that people use PreserveHost on; in
my case, if I activate
PreserveHost on then I can't even get the first page to work:

Thx in advance




On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
 wrote:
> On Tue, Apr 20, 2010 at 6:41 PM, GB GB  wrote:
>
>
>
>> #this for some reason becomes http from client perspective
>> #PreserveHost on does not work with lsw, so I disabled it
>> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1     [NC,P,L]
>> ProxyPassReverse  /lsw          http://backend2.ca:8082/lsw
>> Redirect permanent /lsw https://mydomain.com/lsw
>
> First of all: Remove the "Redirect Permanent". It's not needed (as
> this virtualhost only gets https requests anyway) and confuses. If you
> want to make sure that people who accidentally land on the http site
> get redirected to https you need to put a redirect in the http virtual
> host.
>
> Secondly: Look at what your backend produces. It is very well possible
> that it passes html pages back to the client that contain http://
> style URLs. RewriteRule only operates on request URLs,
> ProxyPassReverse only on redirects passed back. The content passed
> back by the backend is not modified.
>
> HTH,
>
> Krist
>




Re: [us...@httpd] Reverse Proxy https to http

2010-04-21 Thread Krist van Besien
On Tue, Apr 20, 2010 at 6:41 PM, GB GB  wrote:



> #this for some reason becomes http from client perspective
> #PreserveHost on does not work with lsw, so I disabled it
> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1     [NC,P,L]
> ProxyPassReverse  /lsw          http://backend2.ca:8082/lsw
> Redirect permanent /lsw https://mydomain.com/lsw

First of all: Remove the "Redirect Permanent". It's not needed (as
this virtualhost only gets https requests anyway) and confuses. If you
want to make sure that people who accidentally land on the http site
get redirected to https you need to put a redirect in the http virtual
host.

Secondly: Look at what your backend produces. It is very well possible
that it passes html pages back to the client that contain http://
style URLs. RewriteRule only operates on request URLs,
ProxyPassReverse only on redirects passed back. The content passed
back by the backend is not modified.

HTH,

Krist

-- 
krist.vanbes...@gmail.com
kr...@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
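
Added example, not part of the original thread and not Apache's own code: a simplified Python model of the prefix match that ProxyPassReverse applies to redirect headers, run over constructed Location values built from the URLs in this thread. The https://mydomain.com front-end base, the function names and the sample responses are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: base the TLS vhost builds for a client that asked for https://mydomain.com/...
FRONT = "https://mydomain.com"
# ProxyPassReverse /lsw http://backend2.ca:8082/lsw  (from the posted config)
MAPPINGS = [("/lsw", "http://backend2.ca:8082/lsw")]

# Response headers ProxyPassReverse adjusts; the response body is never touched.
REWRITTEN_HEADERS = ("location", "content-location", "uri")


def reverse_map(url, mappings=MAPPINGS, front=FRONT):
    """Return (new_url, matched) for one header value.

    Simplified model: each mapping's backend URL is compared as a
    case-insensitive string prefix; on a match the prefix is replaced by
    the front-end scheme and host plus the mapped path.
    """
    for path, backend in mappings:
        if url.lower().startswith(backend.lower()):
            return front + path + url[len(backend):], True
    return url, False


def audit(headers, mappings=MAPPINGS, front=FRONT):
    """List redirect headers that still point the client away from the https site."""
    findings = []
    for name, value in headers:
        if name.lower() not in REWRITTEN_HEADERS:
            continue
        new, _ = reverse_map(value, mappings, front)
        parts = urlsplit(new)
        # Relative URLs have no scheme; the browser resolves them against https.
        if parts.scheme and f"{parts.scheme}://{parts.netloc}" != front:
            findings.append((name, value, "not covered by any ProxyPassReverse"))
    return findings


# Constructed backend responses (the 302 sent after the login POST).
PAGE = "/lsw/clientele/ses/pagePersonnelle.jsp"
SAMPLES = {
    "port matches": [("Location", "http://backend2.ca:8082" + PAGE)],
    "port missing": [("Location", "http://backend2.ca" + PAGE)],
    "public name": [("Location", "http://mydomain.com" + PAGE)],
    "relative path": [("Location", PAGE)],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", reverse_map(hdrs[0][1])[0], audit(hdrs) or "ok")
```

A finding means the backend emitted an absolute URL whose scheme, host or port differs from the ProxyPassReverse target, so the redirect reaches the browser unchanged. Either a mapping for that exact prefix or a backend that emits the expected URL clears it.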




[us...@httpd] Reverse Proxy https to http

2010-04-20 Thread GB GB
Hello,

I am trying to configure my proxy to be able to accept HTTPS and
forward requests to a backend server which is in HTTP.

user-->(https://mydomain.com/abc)-ssl: [reverse proxy]:http--->http://backend.ca/8082/abc

I want to preserve the URL as https://mydomain.com/abc.

I looked at my firewall logs and noticed 6 https sessions and one http.
The http session is what is not working in my rewriting I presume.
My goal is to preserve https protocol client side, although the
backend is in http.

Also, when I use PreserveHost on when using https to http, it fails
right away, BUT https to https works well.

Thx
here is my config file


User nobody
Group nobody
ServerAdmin ...@x
ServerName mydomain.com
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
SecServerSignature "Serveur-Web/1.0"
ServerRoot "/usr/apache2"
DocumentRoot "/var/apache2/htdocs"
PidFile /var/apache2/logs/httpd.pid
ScoreBoardFile /var/apache2/logs/httpd.scoreboard
Listen 80
Timeout 60
KeepAlive On
MaxKeepAliveRequests  100
KeepAliveTimeout 15

MinSpareServers 10
MaxSpareServers 20
StartServers 10
MaxClients 256
MaxRequestsPerChild  0


StartServers 2
MaxClients 250
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25

LimitRequestBody 10240
LimitRequestFields  40
LimitRequestFieldsize 1500
LimitRequestline   500
CoreDumpDirectory /var/apache2/logs

Options None
AllowOverride None
Order deny,allow
Deny from all


Order allow,deny
Allow from all


Order allow,deny
Allow from all


TypesConfig /etc/apache2/mime.types

DefaultType text/plain

AddEncoding x-compress  .Z
AddEncoding x-gzip  .gz .tgz
AddType application/x-compress  .Z
AddType application/x-gzip  .gz .tgz
AddType application/x-tar   .tgz
AddType application/x-x509-ca-cert  .crt
AddType application/x-pkcs7-crl .crl

LogLevel notice
ErrorLog syslog:local7
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
ErrorLog /var/apache2/logs/error_log
CustomLog /var/apache2/logs/access_log combined

LoadModule ssl_module modules/mod_ssl.so


Include /etc/apache2/ssl.conf

RewriteEngine on
RewriteLog /var/apache2/logs/rewrite.log
RewriteLogLevel 2

RewriteCond %{SERVER_PROTOCOL} !^https [NC]
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,QSA]

NameVirtualHost 10.6.3.205:443
NameVirtualHost 10.6.3.103:443


ServerName mydomain1.com
ServerAlias mydomain1
ProxyBadHeader Ignore
ProxyRequests Off
ProxyPreserveHost On
RewriteEngine On
SSLProxyEngine on
DocumentRoot "/var/apache2/htdocs"
ProxyPass https://mydomain1.com/ https://backend3.ca:44322/
ProxyPass / https://backend3.ca:44322/
ProxyPassReverse https://backend3.ca:44322/ https://mydomain1.com/
LogLevel info
ErrorLog   /var/apache2/logs/mydomain1.com.error.log
TransferLog /var/apache2/logs/mydomain1.com.access.log
RewriteLogLevel 0
RewriteLog /var/apache2/logs/mydomain1.com.rewrite.log


ServerName mydomain.com
ServerAlias mydomain
ProxyBadHeader Ignore
ProxyRequests Off
RewriteEngine On
SSLProxyEngine on
RewriteEngine on
RewriteRule   ^/lsw2(.*)$  https://backend1.sap.ca:26961/lsw2/$1 [NC,P,L] # this works

#this for some reason becomes http from client perspective
#PreserveHost on does not work with lsw, so I disabled it
RewriteRule   ^/lsw(.*)$   http://backend2.ca:8082/lsw$1 [NC,P,L]
ProxyPassReverse  /lsw  http://backend2.ca:8082/lsw
Redirect permanent /lsw https://mydomain.com/lsw
LogLevel info
ErrorLog   /var/apache2/logs/mydomain.com.error.log
TransferLog /var/apache2/logs/mydomain.com.access.log
RewriteLogLevel 0
RewriteLog /var/apache2/logs/mydomain.com.rewrite.log


LoadModule security_module modules/mod_security.so
SecFilterEngine On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilter hidden
SecFilterForceByteRange 32 126
SecAuditEngine RelevantOnly
SecAuditLog /var/apache2/logs/audit_log
SecFilterDebugLog /var/apache2/logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterDefaultAction "deny,log,status:500"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilter /etc/passwd
SecFilterSelective ARGS "bin/"
SecFilterSelective ARGS "^(.*)[][\"|\#|\^|\{|\}|<|\||\`|>|\@|\$|\*](.*)$"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
