RE: [EMAIL PROTECTED] Configuring a reverse proxy for SSL
> > What seems strange to me is that the proxy host requires
> > a certificate just to tunnel a session to an https backend
> > system... This seems like quite a lot of overhead for
> > nothing...
>
> well, that is because it is not just a tunnel. :-)
> If you want just that, then you could use some kind of port-forward
> (e.g. via packet-filter rule) BUT that can't inspect http and protect
> the backend server from (some kinds of) malicious requests.
> Or rewrite URLs.

Precisely. I was using iptables, but quickly realised the limitations, which is why I switched to proxying.

> > And contrary to what the docs tend to have one believe,
> > AllowCONNECT is not necessary.
>
> You use this in an HTTP VH which contains a proxy. I'm
> not entirely sure how it works (I've never actually used it),
> but it looks like mod_proxy is always listening on port 443
> (even if you have no SSL VH?). If a client tries to establish
> an SSL session, the server tells him that it can proxy and
> so the browser retries using the CONNECT method (CONNECT
> simply forwards packets unopened between the client
> and the backend).
>
> You might like to try this and let us know... (I'd be interested :-)

Actually, that is what I thought I was supposed to do. Not sure of the details about what happened, but generally speaking, the requests were indeed getting forwarded to the local host. However, the request was not understood by the local host, so was returning some kind of error. I say "some kind of error" because it didn't seem to be a typical 50x error and was displayed in a dialog box by my browser.

If you would like more details, please let me know exactly what you want. I would be happy to check it out again.

Thanks for the explanations!!
RE: [EMAIL PROTECTED] Configuring a reverse proxy for SSL
> -----Original Message-----
> From: David Leangen [mailto:[EMAIL PROTECTED]
>
> What seems strange to me is that the proxy host requires a certificate just
> to tunnel a session to an https backend system... This seems like quite a
> lot of overhead for nothing...

What you're doing is receiving the HTTPS request, decrypting it, reading the request URI and then proxying the request (i.e., making a new HTTPS request) to the backend. To do this, your apache needs to be able to establish an HTTPS session with the client and so needs a cert.

> And contrary to what the docs tend to have one believe, AllowCONNECT is not
> necessary.

You use this in an HTTP VH which contains a proxy. I'm not entirely sure how it works (I've never actually used it), but it looks like mod_proxy is always listening on port 443 (even if you have no SSL VH?). If a client tries to establish an SSL session, the server tells him that it can proxy and so the browser retries using the CONNECT method (CONNECT simply forwards packets unopened between the client and the backend).

You might like to try this and let us know... (I'd be interested :-)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

> In fact, I can even disable mod_connect and this has absolutely
> no effect.
>
> For others who google this thread in the future, here's what seems to be the
> "minimal recipe" for getting this working:
>
> **
> LoadModule ssl_module modules/mod_ssl.so
> Listen 443
>
> SSLEngine on
> SSLCertificateFile /path/to/cert
> SSLCertificateKeyFile /path/to/key
>
> SSLProxyEngine on
> ProxyPass /bla/ https://backendhost/bla/
> ProxyPassReverse /bla/ https://backendhost/bla/
> **
RE: [EMAIL PROTECTED] Configuring a reverse proxy for SSL
Hello David,

> What seems strange to me is that the proxy host requires a certificate just
> to tunnel a session to an https backend system... This seems like quite a
> lot of overhead for nothing...

well, that is because it is not just a tunnel. :-)
If you want just that, then you could use some kind of port-forward (e.g. via packet-filter rule) BUT that can't inspect http and protect the backend server from (some kinds of) malicious requests. Or rewrite URLs.

Regards,
Manuel Martin
RE: [EMAIL PROTECTED] Configuring a reverse proxy for SSL
>> I am having trouble getting my reverse proxy to work with SSL.
>
> Do you want the reverse proxy to be https-enabled, or do you
> want to reverse-proxy to a https-host?
>
> To RP to a https-backend system you need 'SSLProxyEngine on'.

Ah! That's the little detail I was missing. :-)

Thanks for the help!!

What seems strange to me is that the proxy host requires a certificate just to tunnel a session to an https backend system... This seems like quite a lot of overhead for nothing...

And contrary to what the docs tend to have one believe, AllowCONNECT is not necessary. In fact, I can even disable mod_connect and this has absolutely no effect.

For others who google this thread in the future, here's what seems to be the "minimal recipe" for getting this working:

**
LoadModule ssl_module modules/mod_ssl.so
Listen 443

SSLEngine on
SSLCertificateFile /path/to/cert
SSLCertificateKeyFile /path/to/key

SSLProxyEngine on
ProxyPass /bla/ https://backendhost/bla/
ProxyPassReverse /bla/ https://backendhost/bla/
**
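Added example, not part of the thread and not any poster's or the Apache project's own configuration: the recipe above written out as a full virtual host, with the backend-certificate checks that make the proxy-to-backend TLS session authenticated as well as encrypted. It assumes httpd 2.4; `proxy.example.com`, `backendhost`, `/path/to/backend-ca.pem` and the other paths are placeholders.

```apache
# Constructed example. proxy.example.com, backendhost and all file paths are placeholders.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# mod_proxy_connect is deliberately not loaded: CONNECT and AllowCONNECT only
# matter to a forward proxy that tunnels bytes unopened.

Listen 443

<VirtualHost *:443>
    ServerName proxy.example.com

    # Client side: the proxy terminates the browser's TLS session here, which
    # is why it needs a certificate and key of its own.
    SSLEngine on
    SSLCertificateFile    /path/to/cert
    SSLCertificateKeyFile /path/to/key

    # Reverse proxy only. Leaving forward proxying off keeps the host from
    # relaying requests to arbitrary destinations.
    ProxyRequests Off

    # Backend side: a second, independent TLS session from proxy to backend.
    # In the thread, the "No protocol handler was valid" warning was resolved
    # by adding this directive.
    SSLProxyEngine on

    # Weak: SSLProxyVerify defaults to "none", so any certificate the backend
    # presents is accepted.
    # Hardened: require a chain to a CA you trust and match the backend name.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /path/to/backend-ca.pem
    # SSLProxyCheckPeerName needs httpd 2.4.5 or later.
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on

    ProxyPass        /bla/ https://backendhost/bla/
    ProxyPassReverse /bla/ https://backendhost/bla/
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading.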
RE: [EMAIL PROTECTED] Configuring a reverse proxy for SSL
>> > I am having trouble getting my reverse proxy to work with SSL.

Do you want the reverse proxy to be https-enabled, or do you want to reverse-proxy to a https-host?

To RP to a https-backend system you need 'SSLProxyEngine on'.

> [warn] proxy: No protocol handler was valid for the URL /path/blah. If you are
> using a DSO version of mod_proxy, make sure the proxy submodules are included
> in the configuration using LoadModule.

What do your ProxyPass/ProxyPassReverse lines look like? It must be something like

ProxyPass(Reverse) / https://backend.system/

Joost
Re: [EMAIL PROTECTED] Configuring a reverse proxy for SSL
David,

I suggest you should have the following modules under your load module:

mod_proxy
mod_proxy_http
mod_proxy_html
mod_proxy
mod_proxy_headers

And I recommend you to disable mod_proxy_connect; I have bad experience on this module while coming to Reverse Proxy SSL at backend.

Also add file libxml2.so under Load modules. You may need to download this and compile the module.

Good luck!!! (With these modules my rev. proxy works fine for both http and https.)

- Isha B

On 10/19/05, David Leangen <[EMAIL PROTECTED]> wrote:
> Isha, thank you! Comments inline.
>
> > > I am having trouble getting my reverse proxy to work with SSL.
> >
> > RequestHeader set Front-End-Https "On"
>
> That did something... But now I get a 403 error and a message in my
> logs (on the proxy server) saying:
>
> [warn] proxy: No protocol handler was valid for the URL /path/blah. If you are
> using a DSO version of mod_proxy, make sure the proxy submodules are included
> in the configuration using LoadModule.
>
> Nothing appears in my logs on the http host machine that serves the content.
>
> I have in my LoadModules (among others):
>
> mod_proxy
> mod_proxy_http
> mod_proxy_connect
>
> Is there anything else I need?
RE: [EMAIL PROTECTED] Configuring a reverse proxy for SSL
Isha, thank you! Comments inline.

> > I am having trouble getting my reverse proxy to work with SSL.
>
> RequestHeader set Front-End-Https "On"

That did something... But now I get a 403 error and a message in my logs (on the proxy server) saying:

[warn] proxy: No protocol handler was valid for the URL /path/blah. If you are
using a DSO version of mod_proxy, make sure the proxy submodules are included
in the configuration using LoadModule.

Nothing appears in my logs on the http host machine that serves the content.

I have in my LoadModules (among others):

mod_proxy
mod_proxy_http
mod_proxy_connect

Is there anything else I need?
Re: [EMAIL PROTECTED] Configuring a reverse proxy for SSL
Hello David,

Add the following module under mod_proxy.c and try. It works fine for me:

RequestHeader set Front-End-Https "On"

Regards,
Isha

On 10/17/05, David Leangen <[EMAIL PROTECTED]> wrote:
> Hello!
>
> I am having trouble getting my reverse proxy to work with SSL. Perhaps I
> have misunderstood the documentation... Reverse proxying is working fine
> for HTTP connections.
>
> The only message I notice in my log files is "Invalid method in request
> \x16\x03".
>
> The following is the relevant stuff in my config. Any advice would be
> greatly appreciated!
>
> Listen 443
> ProxyRequests off
> AllowCONNECT
> Order deny,allow
> Allow from all
> ProxyPass /path/ https://192.168.2.2/path/
> ProxyPassReverse /path/ https://192.168.2.2/path/