On 10/10/07, Boyle Owen <[EMAIL PROTECTED]> wrote: > > -----Original Message----- > > From: Bronzetti Marco [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, October 10, 2007 9:46 AM > > To: users@httpd.apache.org > > Subject: [EMAIL PROTECTED] Https proxy on http Virtual Host > > > > Hi, > > I need to do a Reverse proxy to a Https WebSite from an Http WebSite, > > my httpd.conf should be like that : > > > > <VirtualHost test.telecomitalia.it:80> > > ServerName test.telecomitalia.it > > ErrorLog /appl1/logs/http_error.log > > CustomLog /appl1/logs/http_access.log common > > DocumentRoot /docroot > > DirectoryIndex index.html index.html.var > > <IfModule mod_proxy.c> > > ProxyPass /rep-rs/ https://10.173.82.30/rep-rs/ > > ProxyPass /ti-csr/ https://10.173.82.30/ti-csr/ > > </IfModule> > > </VirtualHost> > > > > Is it possible to do that ? > > Yes, but not like that... > > If the back-end is an HTTPS server, then the front-end (ie your apache) > has to talk SSL to it. To do this, it needs to use mod_ssl and special > directives to contact a back-end HTTPS server (see > http://httpd.apache.org/docs/2.2/mod/mod_proxy.html and > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html)
Important is also that you have the following directives: SSLProxyEngine on and SSLProxyCACertificateFile <file> or SSLProxyCACertificatePath <pat> (see: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxycacertificatepath ) You see, apache needs to act as an ssl _client_, which it doesn't do out of the box. In order for apache to act as an ssl client it needs a few extra directives, and you must make the CA certificate used to signthe certificate of the sever(s) you're communicating with available to it using the SSLProxyCACertificateFile (or Path). See the documentation. > By the way, I guess the back-end is a legacy server that you can't > change? Otherwise, it is pretty silly to do this since the connection > from the client to the front-end will be plain HTTP and it makes no > sense to protect data for only part of its journey. I've had to set up such a configuration, to allow a legacy service that only was able to make http requests to communicate with a new service that only accepted https requests. The http -> https proxy ran on the same machine as the legacy service, so there were no big security issues. Krist -- [EMAIL PROTECTED] [EMAIL PROTECTED] Bremgarten b. Bern, Switzerland -- A: It reverses the normal flow of conversation. Q: What's wrong with top-posting? A: Top-posting. Q: What's the biggest scourge on plain text email discussions? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: [EMAIL PROTECTED] " from the digest: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
