httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject SSL backend via ProxyRemote (using CONNECT)
Date Thu, 24 Apr 2014 13:05:09 GMT
Hello,

with the following (chained) configuration:

<VirtualHost 127.0.0.1:80>
    ServerName reverse-proxy
    ProxyPass / https://backend:443/
    ProxyRemote * http://proxy:8080
    #ProxyRequests off
</VirtualHost>

<VirtualHost 127.0.0.1:8080>
    ServerName forward-proxy
    ProxyRequests on
</VirtualHost>

<VirtualHost 127.0.0.1:443>
    ServerName backend
    ## Whatever ###
</VirtualHost>

Then, when the reverse-proxy receives a request-line like:
    GET /index.php HTTP/1.1
    Host: reverse-proxy
    ...

It forwards this one(s) to the backend:
    > CONNECT backend:443 HTTP/1.0
    < HTTP/1.0 200 Established
    < SSL stream now (note the full URL in the request-line) >
    GET https://backend/index.php HTTP/1.1
    Host: backend
    ...

I agree that ProxyRemote is supposed to be a forward proxy (hence the
full URL when requesting plain HTTP through it, with GET
http://backend/index.php HTTP/1.1), but the final backend is not (and
may even refuse full URLs, which is actually a case I'm facing).

Am I missing something or should this be fixed when CONNECT is used by
ProxyRemote?
In the latter case, should it depend on "ProxyRequests off" only (to
not break existing)?

That could be done with this patch (where ProxyRequests' dependency is
commented out):

Index: modules/proxy/proxy_util.c
===================================================================
--- modules/proxy/proxy_util.c    (revision 1589129)
+++ modules/proxy/proxy_util.c    (working copy)
@@ -2186,7 +2313,7 @@ ap_proxy_determine_connection(apr_pool_t *p, reque
      * short living pool.
      */
     /* are we connecting directly, or via a proxy? */
-    if (!proxyname) {
+    if (!proxyname || (conn->is_ssl/* && conf->req_set && !conf->req*/))
{
         *url = apr_pstrcat(p, uri->path, uri->query ? "?" : "",
                            uri->query ? uri->query : "",
                            uri->fragment ? "#" : "",
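Review bot: in the new condition the ProxyRequests guard is left as an inline comment (`/* && conf->req_set && !conf->req*/`), so as posted every connection with `conn->is_ssl` set gets the path-only URL through a ProxyRemote regardless of ProxyRequests. Settle that question before commit and either enable the guard or delete the commented-out fragment, and extend the "are we connecting directly, or via a proxy?" comment to say that the SSL-via-proxy case is now treated like a direct connection. The hunk header (-2186 against +2313) also shows the working copy carries other local changes above this point, so regenerate the patch against a clean checkout of the stated revision.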
[END]

Regards,
Yann.
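
The exchange quoted in the message, checked mechanically, as an added example that is not part of the original post or of httpd: it classifies each request-target by the forms of RFC 7230 section 5.3 and reports absolute-form requests sent after a successful CONNECT. The transcript is constructed from the message, and `target_form` and `audit` are hypothetical names.

```python
import re

# Constructed transcript modelled on the exchange quoted in the message
# (">" sent by the reverse proxy, "<" received from the forward proxy).
TRANSCRIPT = """\
> CONNECT backend:443 HTTP/1.0
< HTTP/1.0 200 Established
> GET https://backend/index.php HTTP/1.1
> Host: backend
"""

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3})")

def target_form(method, target):
    """Classify a request-target into the forms of RFC 7230 section 5.3."""
    if target == "*":
        return "asterisk-form"
    if method == "CONNECT":
        return "authority-form"
    if target.startswith("/"):
        return "origin-form"
    if re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", target):
        return "absolute-form"
    return "invalid"

def audit(transcript):
    """List requests sent in absolute-form inside an established tunnel."""
    findings, tunneled, pending_connect = [], False, False
    for line in transcript.splitlines():
        direction, _, text = line.partition(" ")
        if direction == "<":
            status = STATUS_LINE.match(text)
            if status and pending_connect:
                # Only a 2xx answer to CONNECT turns the connection into a tunnel.
                tunneled = status.group(1).startswith("2")
                pending_connect = False
            continue
        request = REQUEST_LINE.match(text)
        if not request:
            continue  # header line or blank line
        method, target = request.groups()
        if method == "CONNECT":
            pending_connect = True
        elif tunneled and target_form(method, target) == "absolute-form":
            # Past the tunnel the peer is the origin server: origin-form expected.
            findings.append(text)
    return findings

print(audit(TRANSCRIPT))
```

A plain-HTTP request sent to the forward proxy in absolute-form, with no CONNECT before it, is not reported, since that is the form a forward proxy expects.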
