httpd-users mailing list archives

From "Hanack Leif" <Leif.Han...@t-systems.com>
Subject [users@httpd] Re: Re: https/SSL and ProxyRemote did not work when using a reverse proxy (PLEASE HELP:)
Date Thu, 30 Dec 2004 13:18:33 GMT
Nick Kew wrote:

> > I'm trying to get the following scenario to work with Apache
> > 2.0.51/OpenSSL 0.9.7d.
>
> 2.0.51 had some serious problems.  Better not to use it - upgrade to .52
> or, if that's not possible for any reason, go back to .50.

I tried it even with 2.0.52/OpenSSL 0.9.7e with the same result.

>
> > Client --http--> Reverse Proxy  --internal--> Forward Proxy
> > (ProxyRemote) --https--> Webserver
>
> Erk!  Are you expecting that "internal" to run http or https?

Ok, it seems to be not clear enough:) Hope this clarifies it:

                             INTRANET                           INTRANET ##### INTERNET               INTERNET

                  -----Apache-------------------------------      ------Proxy--------------      ------RemoteServer-------
                  |                                        |      |                       |      |                       |
Client --http-----------ProxyPass/-Reverse                 |      |                       |      |                       |
                  |         |                              |      |                       |      |                       |
                  | https://remoteServerIP                 |      |                       |      |                       |
                  |         |                              |      |                       |      |                       |
                  | ProxyRemote https http://proxyIP:3128 --SSL-through-http/connect--    --https---                     |
                  |                                        |      |                       |      |                       |
                  -----Apache-------------------------------      ------Proxy--------------      ------RemoteServer-------

                             INTRANET                           INTRANET ##### INTERNET               INTERNET

The client is located inside the intranet and requests content from the apache
only through HTTP. Some URLs need to be redirected to a remote server, which
is outside the intranet! The clients cannot reach the remote server! Because
we are leaving the intranet, we want to use SSL to reach the remote server.
The remote server could not be reached directly from the apache. We need a
proxy. The proxy is reachable at http://proxyIP:3128. The proxy can
handle HTTP, CONNECT and HTTPS requests!

The "ProxyRemote https http://proxyIP:3128" directive tells apache that all
requests of protocol https are proxied through http://proxyIP:3128.
ProxyRemote does the SSL stuff! ProxyRemote does not support HTTPS directly;
instead the CONNECT method is used. Ralf Engelschall wrote that ProxyRemote is
able to convert from HTTP to HTTPS. But I cannot set this one up:(

If my remote server is reachable without a proxy everything works fine.
This lets me assume that the 'normal' SSL stuff is working properly.

>
> > My logs :
> >
> > [Mon Dec 13 14:14:50 2004] [debug] ssl_engine_io.c(1517): OpenSSL: I/O error, 7 bytes expected to read on BIO#a55e90 [mem: a5b670]
> > [Mon Dec 13 14:14:50 2004] [debug] ssl_engine_kernel.c(1793): OpenSSL: Exit: error in SSLv2/v3 read server hello A
> > [Mon Dec 13 14:14:50 2004] [info] SSL Proxy connect failed
>
> Is that from the reverse proxy?  It seems to be trying to connect
> with SSL.

Yes, correct, see the details from above. The apache is a reverse proxy
that includes a ProxyRemote directive which plugs in a normal forward proxy.

>
> > My config :
> >
> > <VirtualHost serverIP:80>
> > ServerName intra-xy.com
> > ServerAdmin mailadmin@example.com
> > ProxyRequests Off
> > ProxyRemote * http://proxyIP:3128
> > SSLProxyEngine on
> > ProxyPass / https://remoteServerIP/
> > ProxyPassReverse / https://remoteServerIP/
> > </VirtualHost>
>
> That ProxyRemote appears to be asking for the internal connection to use
> http, not https.  If the log entries are from this server ... well,
> I'm confused.
>
> Is your "proxyIP:3128" in fact expecting http or https?

Because of the limitation of ProxyRemote, we can not use HTTPS. SSL 
communication is 'tunneled' through the HTTP/CONNECT method.

Thanks, Leif

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
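
Added example (not part of the original message and not Apache httpd code): the exchange described above, in which the client first asks the forward proxy for a tunnel with a plaintext CONNECT and only then starts the TLS handshake with the remote server, so each stage can be checked on its own. The function names are hypothetical, and the host and port arguments stand in for the message's proxyIP:3128 and remoteServerIP.

```python
import socket
import ssl

def build_connect_request(host: str, port: int = 443) -> bytes:
    """Plaintext request asking the forward proxy to open a raw TCP tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def parse_proxy_status(reply: bytes) -> int:
    """Return the status code of the proxy's reply; raise if it is not HTTP."""
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])

def read_headers(sock) -> bytes:
    """Read up to the blank line that ends the proxy's reply and no further,
    so the first TLS record stays in the socket for the handshake."""
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
    return buf

def tls_via_proxy(proxy_host, proxy_port, host, port=443, timeout=10):
    """Open the tunnel, then run the TLS handshake end to end with `host`."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        status = parse_proxy_status(read_headers(sock))
        if status != 200:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        ctx = ssl.create_default_context()  # verifies certificate and host name
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    return tls  # caller closes; tls.version() and tls.getpeercert() describe it
```

A non-200 status or a ValueError points at the proxy leg; an ssl.SSLError raised by wrap_socket points at the TLS leg between this host and the remote server.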

