Thank you. Those points you raised helped me to get it working. The key was
to turn on SSL proxy (i.e. SSLProxyEngine On). I did not have to do anything
with CA certificates or c_rehash.

Again, I appreciate your help and thank you.

On Tue, Feb 3, 2009 at 2:42 AM, Krist van Besien
<krist.vanbes...@gmail.com> wrote:

> On Tue, Feb 3, 2009 at 5:42 AM, Jake Vang <vangj...@googlemail.com> wrote:
> > Thanks for the link. I tried to implement it according to that site.
> > However, I keep getting a permission denied error.
>
> What do you have in the error log?
>
> >
> > Could this permission error be related to the fact that server1 and
> > server2 are both running on SSL? I am running Ubuntu 8.10, and I've
> > already enabled mod_proxy (a2enmod proxy). Is there any other module
> > I need to enable?
>
> You might have to explicitly allow access to <Location /site2>, also
> proxying to ssl is not something that usually works out of the box. You
> have two options here.
> - Enable http on your site2 (in a way that only access from the other
> apache is permitted),
> or
> - set up SSLProxying.
>
> Apache can't proxy to https urls out of the box. You need to do some work.
>
> you need to add the following to your config.
> --- begin config ---
> # turn on SSL proxying.
> SSLProxyEngine On
>
> # to tell Apache where to find CA certificates to check remote server certificates with:
> # (You can choose yourself where you put these certificates)
> SSLProxyCACertificatePath /path/to/ca/certificates
> --- end config ---
>
> Then in this path you need to put the CA certificate(s) used to sign
> the certificate(s) used by the server(s) you communicate with. If you
> want to talk to a server that uses a "self signed" certificate you
> will need to put it in this dir too. (Remember that Apache is acting
> as a HTTPS client here)
>
> Once you've done that you need to run c_rehash in that directory.
> c_rehash is part of a standard openssl distribution. c_rehash creates
> hashed aliases in this dir. Apache needs these.
>
> In order to test if everything is there you can do the following:
>
> openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
>
> if the connection succeeds just try to do a
> GET /something/
>
>
> HTH,
>
> Krist
>
> --
> krist.vanbes...@gmail.com
> kr...@vanbesien.org
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
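
An added example, not part of the thread: with only SSLProxyEngine On, SSLProxyVerify stays at its default of none, so the proxy encrypts the connection to the backend but does not check the backend's certificate against any CA. The fragment below shows that setup beside one that uses the CA directory described above; server2 and /site2 come from the thread, while the backend URL, the verify depth and the CA directory path are assumed placeholders.

```apache
# --- Variant 1: works, but the backend certificate is not validated ---
# (SSLProxyVerify defaults to "none")
#
# SSLProxyEngine On
# <Location /site2>
#     ProxyPass        https://server2/
#     ProxyPassReverse https://server2/
# </Location>

# --- Variant 2: same proxy, backend certificate verified ---
SSLProxyEngine On

# Refuse the backend connection unless its certificate chains to a trusted CA.
SSLProxyVerify require
# Assumed value: allow one intermediate CA between the root and the server cert.
SSLProxyVerifyDepth 2

# Directory holding the CA (or self-signed) certificates, hashed with c_rehash.
# Placeholder path, as in the message above.
SSLProxyCACertificatePath /path/to/ca/certificates

# Additional checks on the backend certificate's name and validity period.
# Drop these two lines if the installed mod_ssl does not provide the directives.
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on

<Location /site2>
    # The hostname here must match the name in the backend certificate.
    ProxyPass        https://server2/
    ProxyPassReverse https://server2/
</Location>
```

After a reload, a backend certificate that fails verification shows up as a proxy error in the Apache error log, and the openssl s_client check from the message above confirms whether the CA directory is complete.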
