On Wed, Aug 24, 2011 at 11:16 AM, Bill Moseley <mose...@hank.org> wrote:
> Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r
> OS X 10.6.8
>
> I need help with a forward proxy setup and SSL.
>
> I have created a simple httpd.conf file with two virtual hosts, listening
> on 8080 and 8443 (accepting SSL connections). I'm using a self-signed
> certificate for testing. With this config both of these requests work just
> fine:
>
> http://localhost:8080/foo.txt
> https://localhost:8443/foo.txt (issues a warning about the self-signed
> cert, of course)
>
> I enabled mod_proxy (and _http and _connect) and then I set up both Firefox
> and Chrome to proxy http to localhost:8080 and https to localhost:8443.
>
> The forward proxy works fine for non-SSL requests. Any non-SSL site I go
> to is passed through my local Apache proxy. But, the SSL pages do not work,
> and with LogLevel debug I see:
>
> [Wed Aug 24 11:54:42 2011] [info] SSL Library Error: 336027803
> error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request
> speaking HTTP to HTTPS port!?
>
> So, I assume I'm not understanding the configuration needed to proxy the
> SSL requests.
>
> Here's my httpd.config. Again, this config will serve local files over
> http or https fine. And when a browser is set up to proxy via
> localhost:8080 normal http proxy works fine (and I can see all web pages I
> access logged as they are proxied).
>
> But, with the browser https proxy config set to localhost 8443 https
> requests fail with the error above.
>
> moseley@bair ~/Documents/apache $ cat httpd.conf
>
> ServerRoot /Users/moseley/Documents/apache
> PidFile apache.pid
> Lockfile accept.lock
>
> LoadModule ssl_module /usr/libexec/apache2/mod_ssl.so
>
> LoadModule proxy_module /usr/libexec/apache2/mod_proxy.so
> LoadModule proxy_http_module /usr/libexec/apache2/mod_proxy_http.so
> LoadModule proxy_connect_module /usr/libexec/apache2/mod_proxy_connect.so
>
> LoadModule log_config_module /usr/libexec/apache2/mod_log_config.so
>
> LogLevel Debug
>
> CustomLog logs/access_log \
>     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> Listen localhost:8080
> Listen localhost:8443
>
> DocumentRoot /Users/moseley/Documents/apache/htdocs
>
> ServerName hank.org
>
> SSLSessionCache dbm:ssl.cache
>
> <VirtualHost *:8080>
>     ProxyRequests ON
> </VirtualHost>
>
> <VirtualHost *:8443>
>     ProxyRequests ON
>
>     # This needed?
>     AllowCONNECT 443 8443
>
>     SSLEngine on
>

I've never used Apache like this before but I suspect that you may need the
SSLProxyEngine directive as well.

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxyengine

>
>     SSLCertificateFile certs3/server.crt
>     SSLCertificateKeyFile certs3/server.key
>
>     #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> </VirtualHost>
>
> --
> Bill Moseley
> mose...@hank.org
>

--
Jens-Harald Johansen
--
There are 10 kinds of people in the world: Those who understand binary and
those who don't...
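
Added example, not part of the thread or either poster's configuration: the logged error means the browser sent a plain-HTTP proxy request (CONNECT) to the SSL listener, so this Apache 2.2 fragment handles CONNECT on the non-SSL port and restricts the forward proxy to local clients. It assumes the browser's HTTPS proxy setting is changed to localhost:8080 and that mod_authz_host sits at the path shown; it replaces the two VirtualHost blocks in the posted file.

```apache
# Added example (Apache 2.2 syntax); not the original poster's configuration.

# Order/Allow/Deny come from mod_authz_host. The module path is an assumption
# modelled on the other LoadModule lines in the posted file.
LoadModule authz_host_module /usr/libexec/apache2/mod_authz_host.so

# Forward proxy on the plain-HTTP listener. A browser asks its proxy for an
# https:// URL by sending "CONNECT host:443 HTTP/1.1" in clear text, then runs
# TLS end to end through the tunnel, so this listener must NOT have SSLEngine on.
<VirtualHost *:8080>
    ProxyRequests On

    # Tunnel only to the standard HTTPS port. Widening this list lets proxy
    # users reach arbitrary TCP services through CONNECT.
    AllowCONNECT 443

    # ProxyRequests On without access control is an open proxy. "Listen
    # localhost:8080" already limits exposure here; this keeps the proxy
    # closed if the Listen address is ever widened.
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Proxy>
</VirtualHost>

# The SSL listener stays an ordinary HTTPS origin server for local files.
# With no ProxyRequests here, a stray proxy request to 8443 is never served.
<VirtualHost *:8443>
    SSLEngine on
    SSLCertificateFile    certs3/server.crt
    SSLCertificateKeyFile certs3/server.key
</VirtualHost>
```

With this fragment, both the HTTP and SSL proxy fields in the browser point at localhost:8080, and CONNECT requests appear in logs/access_log as `CONNECT host:443 HTTP/1.1`.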