httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 29744] - CONNECT does not work over existing SSL connection
Date Fri, 16 Mar 2007 14:15:13 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=29744>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=29744

------- Additional Comments From lionel.victor@free.fr  2007-03-16 07:15 -------
Sorry for that late answer.

What you described with the "Unsupported HTTP version number" message seems to 
be a bug from proxytunnel... I haven't had the time to investigate the -e 
option, which is used to specify that proxytunnel must use SSL, so I cannot 
comment on that.

Basically, as it did not work for me I used an extra tool called stunnel that 
simply listens on a port locally and opens an SSL session to a remote host. You 
just send traffic in clear to the local port and stunnel makes the connection 
to the remote host:port with SSL and deals with the crypto.

Now, if you want to connect through an HTTP proxy, you use:
proxytunnel.exe -p proxy:proxyport -d targethost:targetport -a anylocalport

If you have to proxy over SSL, you must first launch stunnel with an entry 
like this in your stunnel.conf:
[ssh-tunnel]
accept = porttolistento
connect = ssltargethost:ssltargetport
client = yes

Then any combination is possible... in my case:

proxytunnel-1 creates a tunnel to a remote host with apache-proxy-ssl.
proxytunnel-1 listens on port 443 (-a 443); here is the command line:
proxytunnel.exe -p proxy:proxyport -d apache-proxy-ssl-host:443 -a 443

Then stunnel unwraps the SSL layer; here is the entry for ssl-tunnel.conf:
[ssh-tunnel]
accept = 8080
connect = 127.0.0.1:443
client = yes

Then another proxytunnel creates the tunnel through apache-proxy:
proxytunnel.exe -p localhost:8080 -d anywhere:anyport

Of course, anywhere:anyport must match your configuration on the 
apache-proxy-ssl-host, otherwise you will be rejected.

The second proxytunnel.exe is not necessary... you can also configure your 
explorer to use localhost:8080 as a proxy instead...

Well, you get the idea:
- proxytunnel just connects to an HTTP host through a proxy
- stunnel manages the SSL traffic: it converts HTTPS into HTTP for you if you 
prefer...

Now, based on your needs, you must embed tunnels to jump from host to host 
and decrypt the traffic... the exact config depends on what you want to 
achieve.

The nice thing is that you can now secure the apache-proxy module with SSL 
(including client authentication), and it opens some new opportunities to 
secure a network.

Hope it helps.


(In reply to comment #35)
> Thanks for your comments (comment #34).  I tried your version of
> mod_proxy_connect.c, but it made no difference.  It seems that the issue is in
> proxytunnel: it appears to send plain HTTP headers, even over an HTTPS
> connection.  Hmmm.
> Please could you describe your solution a little more fully - I've never played
> with stunnel and don't understand the setup you've described.
> Thanks!



-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
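The whole proxytunnel + stunnel chain in the comment above exists to do one thing the bug title asks for: open a TLS session to the proxy first, and only then send the HTTP CONNECT request inside it (the quoted reply notes that proxytunnel was instead sending plain HTTP headers over the HTTPS port). The script below is an added example written for this archive page; it is not code from the thread, from proxytunnel, stunnel or Apache httpd. It separates the two pieces a client needs: building the CONNECT request and parsing the proxy's reply (both testable offline), and `open_tunnel`, which wraps the TCP socket in TLS before the request is written. Host names, ports and the `cafile`/`certfile` parameters are assumptions chosen for illustration; the 200 status and the `Connection established` reason phrase are the conventional CONNECT success reply.

```python
"""Added example: HTTP CONNECT issued inside an already-established TLS session.

Not part of the original bug thread. Hosts, ports and certificate paths are
placeholders chosen for illustration.
"""
import base64
import socket
import ssl


def build_connect_request(target_host, target_port, proxy_user=None, proxy_pass=None):
    """Return the raw bytes of a CONNECT request for target_host:target_port.

    Proxy-Authorization (Basic) is added only when credentials are supplied.
    HTTP/1.0 is used because a tunnel needs no persistent-connection semantics.
    """
    authority = f"{target_host}:{target_port}"
    lines = [f"CONNECT {authority} HTTP/1.0", f"Host: {authority}"]
    if proxy_user is not None:
        token = base64.b64encode(f"{proxy_user}:{proxy_pass or ''}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data):
    """Parse the proxy's reply head; return (status_code, reason_phrase).

    Raises ValueError if the head is incomplete or is not an HTTP status line,
    which is what a client sees when the two sides disagree about TLS.
    """
    head, sep, _rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT response (no end of headers)")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) > 2 else ""
    return int(parts[1]), reason


def open_tunnel(proxy_host, proxy_port, target_host, target_port,
                cafile=None, certfile=None, keyfile=None, timeout=10.0):
    """TLS to the proxy first, then CONNECT inside the TLS session.

    cafile pins the proxy's issuing CA; certfile/keyfile enable the TLS client
    authentication the comment mentions. Returns the TLS socket, which from
    here on carries the tunnelled target traffic.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)  # assumption: client cert auth
    raw = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=proxy_host)  # handshake happens here
    tls.sendall(build_connect_request(target_host, target_port))

    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = tls.recv(4096)
        if not chunk:
            tls.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
        if len(buf) > 64 * 1024:  # defensive cap on header size
            tls.close()
            raise ValueError("oversized CONNECT response head")

    code, reason = parse_connect_response(buf)
    if code != 200:
        tls.close()
        raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
    return tls


if __name__ == "__main__":
    # Placeholder endpoints; replace with your own SSL-enabled proxy.
    sock = open_tunnel("apache-proxy-ssl-host", 443, "anywhere", 22,
                       cafile="proxy-ca.pem")
    print("tunnel established; first bytes from target:", sock.recv(64))
```

Compared with the stunnel-in-the-middle setup, this keeps the TLS endpoint inside the client process, so the hop from the client to `apache-proxy-ssl-host` is never in clear on localhost, and pinning `cafile` to the proxy's CA rather than the system store narrows what a misconfigured or hostile intermediate could present.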

