Hi Krist, all,

To use c_rehash, I must have .pem and .crt files. Correct me if I am wrong
please. The remote server has a self-signed certificate that was generated
using keytool (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) so the
file generated is .keytool. Should I generate .pem and .crt files to run
c_rehash? If so, how?


On another front, I understand from you that I can have Apache as a proxy
server that talks SSL with the backend and non-SSL with the end user (in the URL,
the user puts http not https even if the backend server is accessed via https).
Correct me if I am wrong please.

thanks.


--- On Fri, 11/4/08, Krist van Besien <[EMAIL PROTECTED]> wrote:

> From: Krist van Besien <[EMAIL PROTECTED]>
> Subject: Re: [EMAIL PROTECTED] url proxying
> To: users@httpd.apache.org, [EMAIL PROTECTED]
> Date: Friday, 11 April, 2008, 4:28 PM
> On Fri, Apr 11, 2008 at 9:48 AM, Melanie Pfefer <[EMAIL PROTECTED]> wrote:
> > Hi everybody,
> >
> >  I want to enable proxying from Apache to a Tomcat application running on SSL.
> >
> >  Redirection is working:
> >  RewriteRule /abc/  https://remoteserver:8443/abc/ [R=301,L]
> >
> >
> >  But proxying is not:
> >  RewriteRule /abc/  https://remoteserver:8443/abc/ [P,L]
> >
> >  In redirection:
> >  http://myapache/abc/ goes to https://remoteserver:8443/abc/ but this is
> >  shown in the URL, which is not my intention.
> >
> >  Any idea how to fix the proxying?
> >  thanks
> 
> Apache can't proxy to https URLs out of the box. You need to do some work.
>
> You need to add the following to your config.
>
> # turn on SSL proxying.
> SSLProxyEngine On
>
> # to tell Apache where to find CA certificates to check remote server certificates with:
> # (You can choose yourself where you put these certificates)
> SSLProxyCACertificatePath /path/to/ca/certificates
>
> Then in this path you need to put the CA certificate(s) used to sign
> the certificate(s) used by the server(s) you communicate with. If you
> want to talk to a server that uses a "self signed" certificate you
> will need to put it in this dir too.
>
> Once you've done that you need to run c_rehash in that directory.
> c_rehash is part of a standard openssl distribution. c_rehash creates
> hashed aliases in this dir. Apache needs these.
>
> In order to test if everything is there you can do the following:
>
> openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
>
> If the connection succeeds just try to do a
> GET /abc/
>
> and see if you get something. If all goes well it should
> work for Apache also.
> 
> Krist
> 
> -- 
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: [EMAIL PROTECTED]
>    "   from the digest: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]


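Added example, not part of the original messages: a shell helper that takes a certificate exported from the keytool keystore, converts it to PEM, and creates the hashed alias that c_rehash would create in the `SSLProxyCACertificatePath` directory. The function name `install_ca_cert`, the keystore alias `tomcat`, and the keystore path `~/.keystore` are assumptions for illustration.

```shell
#!/bin/sh
# Added example. Export the certificate from the Java keystore first; the
# alias and keystore path below are assumptions, use your own:
#   keytool -exportcert -alias tomcat -keystore ~/.keystore -file tomcat.cer
# (without -rfc keytool writes binary DER; with -rfc it writes PEM)

# install_ca_cert CERT_FILE CA_DIR   (hypothetical helper name)
# Copies CERT_FILE (PEM or DER) into CA_DIR as PEM and creates the
# <subject-hash>.N symlink that c_rehash would create for it.
# Prints the name of the hashed alias, e.g. "1a2b3c4d.0".
install_ca_cert() {
    cert=$1
    cadir=$2
    mkdir -p "$cadir" || return 1
    name=$(basename "$cert")
    name=${name%.*}.pem
    pem=$cadir/$name
    tmp=$pem.tmp.$$

    # Normalise to PEM: try PEM input first, then fall back to DER.
    if ! openssl x509 -in "$cert" -inform PEM -out "$tmp" 2>/dev/null &&
       ! openssl x509 -in "$cert" -inform DER -out "$tmp" 2>/dev/null; then
        echo "not an X.509 certificate: $cert" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$pem" || return 1

    # Subject-name hash that OpenSSL uses for CApath lookups.
    hash=$(openssl x509 -in "$pem" -noout -hash) || return 1

    # Use the first free suffix (.0, .1, ...); reuse an alias that already
    # points at an identical certificate so reruns are idempotent.
    n=0
    while [ -e "$cadir/$hash.$n" ] || [ -L "$cadir/$hash.$n" ]; do
        if cmp -s "$cadir/$hash.$n" "$pem"; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$name" "$cadir/$hash.$n" && echo "$hash.$n"
}
```

Because a self-signed certificate placed in this directory is trusted as its own issuer, compare its fingerprint (`openssl x509 -noout -fingerprint -in tomcat.pem`) with the one on the Tomcat host before installing it. The `openssl s_client -CApath ...` check from the quoted reply then confirms the directory is usable.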