On 5/17/06, Sebastian Reitenbach <[EMAIL PROTECTED]> wrote:
Hi,

I have an apache listening for SSL connections on port 443 behind a NAT
firewall in the DMZ. Connections for one virtual host shall be reverse proxied
to another host in the same DMZ, but it seems that I am unable to get it to
work, for me it seems I must have missed sth. obvious.

I tried this with mod_proxy:

SSLProxyEngine On
ProxyRequests On
AllowCONNECT 443
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/

then I receive the following error messages at the proxy:
[Wed May 17 17:07:18 2006] [error] SSL Proxy requested for
webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
[Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for
10.0.0.2:443 (0.0.0.2)
[Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation
fault (11)

because of the segmentation fault, I am not sure, whether it shall work that
way or not, but I doubt it.

with the SSLProxyEngine enabled:
SSLProxyEngine On
ProxyRequests On
AllowCONNECT 443
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/

I have this message in the error_log of the proxy:
[Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
proxy: request failed to 10.10.10.2:443 (10.0.0.2)
[Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
[Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
proxy: request failed to 10.0.0.2:443 (10.0.0.2)

and this in the error_log of the apache behind the proxy:
[Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
\x80|\\x03\x01
[Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
\x80|\x01\x03\x01


with only these in the virtual host of the proxy, it is working, but only
without HTTPS

ProxyPass / http://10.0.0.2/
ProxyPassReverse / http://10.0.0.2/

Is there any way to access an HTTPS server behind an Apache HTTPS proxy?

Firstly: You don't need
ProxyRequests On
AllowCONNECT 443

First this. This is to allow clients to use your server as a _forward_
proxy to HTTPS hosts. Do not put "ProxyRequests On" in your config
file if you are only doing reverse proxying.

Proxying to an HTTPS server is possible (I do this on one of my
systems), but it requires a bit more than just adding SSLProxyEngine
On on most installations. This is because when forwarding requests to
an HTTPS server Apache has to behave as an https _client_. For this it
requires a few files that are usually not present on a stock Apache
install.

This is how I would do it,

SSLProxyEngine On
SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/


You need to create the file /usr/local/apache/conf/cacerts.crt, and
in it you put the (PEM encoded) certificate used to sign the
certificate your 10.0.0.2 server uses. This way apache can complete
the SSL handshake with your server.

For more info read the mod_ssl documentation, specifically the
SSLProxy* directives. The docs are not that obvious, but they do
contain the answers you are looking for.

Krist
--
[EMAIL PROTECTED]
Solothurn, Switzerland
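
Added example, not part of the original messages and not Apache project code: a small Python check that reads one virtual host's directives and reports the points raised in the reply above (forward-proxy directives left in a reverse-proxy config, and an https:// backend without SSLProxyEngine or a backend CA file). The sample configs are constructed from the directives quoted in the thread; the <VirtualHost> wrapper, function names and finding codes are assumptions made for illustration.

```python
# Constructed sample: the directives from the question, wrapped in an assumed vhost.
SAMPLE_BEFORE = """\
<VirtualHost *:443>
    SSLProxyEngine On
    ProxyRequests On
    AllowCONNECT 443
    ProxyPass / https://10.0.0.2/
    ProxyPassReverse / https://10.0.0.2/
</VirtualHost>
"""

# Constructed sample: the directives from the reply, same assumed wrapper.
SAMPLE_AFTER = """\
<VirtualHost *:443>
    SSLProxyEngine On
    SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt
    ProxyPass / https://10.0.0.2/
    ProxyPassReverse / https://10.0.0.2/
</VirtualHost>
"""

def directives(conf):
    """Yield (lowercased name, argument string); skip blanks, comments, <Section> tags."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def lint_reverse_proxy(conf):
    """Return sorted finding codes (hypothetical names) for one virtual host."""
    seen = {}
    for name, args in directives(conf):  # directive names are case-insensitive
        seen.setdefault(name, []).append(args)
    is_on = lambda name: any(a.lower() == "on" for a in seen.get(name, []))
    findings = set()
    if is_on("proxyrequests"):           # forward proxying enabled
        findings.add("FORWARD_PROXY_ENABLED")
    if "allowconnect" in seen:           # only meaningful for a forward proxy
        findings.add("ALLOWCONNECT_SET")
    if any("https://" in a.lower() for a in seen.get("proxypass", [])):
        if not is_on("sslproxyengine"):  # Apache must act as an HTTPS client
            findings.add("SSLPROXYENGINE_OFF")
        if not {"sslproxycacertificatefile", "sslproxycacertificatepath"} & set(seen):
            findings.add("NO_BACKEND_CA")
    return sorted(findings)
```

Calling lint_reverse_proxy() on the question's directives reports the forward-proxy settings and the missing CA file; the reply's directives produce no findings.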

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.