httpd-users mailing list archives

From "Krist van Besien" <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] mod_proxy and SSL
Date Thu, 18 May 2006 07:48:32 GMT
On 5/17/06, Sebastian Reitenbach <itlistuser@rapideye.de> wrote:
> Hi,
>
> I have an apache listening for SSL connections on port 443 behind a NAT
> firewall in the DMZ. Connections for one virtual host shall be reverse proxied
> to another host in the same DMZ, but it seems that I am unable to get it to
> work, for me it seems I must have missed sth. obvious.
>
> I tried this with mod_proxy:
>
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> then I receive the following error messages at the proxy:
> [Wed May 17 17:07:18 2006] [error] SSL Proxy requested for
> webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
> [Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for
> 10.0.0.2:443 (0.0.0.2)
> [Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation
> fault (11)
>
> because of the segmentation fault, I am not sure, whether it shall work that
> way or not, but I doubt it.
>
> with the SSLProxyEngine enabled:
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> I have this message in the error_log of the proxy:
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
> proxy: request failed to 10.10.10.2:443 (10.0.0.2)
> [Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
> proxy: request failed to 10.0.0.2:443 (10.0.0.2)
>
> and this in the error_log of the apache behind the proxy:
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
> \x80|\\x03\x01
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
> \x80|\x01\x03\x01
>
>
> with only these in the virtual host of the proxy, it is working, but only
> without HTTPS
>
> ProxyPass / http://10.0.0.2/
> ProxyPassReverse / http://10.0.0.2/
>
> Is there any way to access an HTTPS server behind an Apache HTTPS proxy?

Firstly: You don't need
 ProxyRequests On
 AllowCONNECT 443

First this. This is to allow clients to use your server as a _forward_
proxy to HTTPS hosts. Do not put "ProxyRequests On" in your config
file if you are only doing reverse proxying.

Proxying to an HTTPS server is possible. (I do this on one of my
systems), but it requires a bit more than just adding SSLProxyEngine
On on most installations. This is because when forwarding requests to
an HTTPS server Apache has to behave as an https _client_. For this it
requires a few files that are usually not present on a stock Apache
install.

This is how I would do it,

SSLProxyEngine On
SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/


You need to create the file /usr/local/apache/conf/cacerts.crt, and
in it you put the (PEM encoded) certificate used to sign the
certificate your 10.0.0.2 server uses. This way apache can complete
the SSL handshake with your server.

For more info read the mod_ssl documentation, specifically the
SSLProxy* directives. The docs are not that obvious, but they do
contain the answers you are looking for.

Krist
-- 
krist.vanbesien@gmail.com
Solothurn, Switzerland

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
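
The points made in the reply above, turned into a small configuration check. This is an added example, not part of the original message and not Apache tooling; it lints the directives of a single virtual host, and the finding names are labels made up for this example.

```python
# Constructed inputs: the directive sets quoted in the thread above.
# Finding codes returned by lint() are this example's own labels.
ORIGINAL = """\
SSLProxyEngine On
ProxyRequests On
AllowCONNECT 443
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/
"""
SUGGESTED = """\
SSLProxyEngine On
SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/
"""

def parse(conf):
    """Return {lowercased directive: [argument lists]} for one vhost body."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        out.setdefault(name.lower(), []).append(args)
    return out

def is_on(d, name):
    vals = d.get(name, [])
    return bool(vals) and bool(vals[-1]) and vals[-1][0].lower() == "on"

def lint(conf):
    """Apply the checks from the reply; returns a list of finding codes."""
    d = parse(conf)
    findings = []
    https_backend = any(len(a) >= 2 and a[1].lower().startswith("https://")
                        for a in d.get("proxypass", []))
    # Forward-proxy directives are not needed for reverse proxying.
    if is_on(d, "proxyrequests"):
        findings.append("forward-proxy-enabled")
    if "allowconnect" in d:
        findings.append("allowconnect-present")
    if https_backend and not is_on(d, "sslproxyengine"):
        findings.append("sslproxyengine-missing")
    # The reply pairs SSLProxyEngine with a CA file for the backend certificate.
    if https_backend and not ("sslproxycacertificatefile" in d
                              or "sslproxycacertificatepath" in d):
        findings.append("backend-ca-missing")
    return findings
```

Calling `lint(ORIGINAL)` flags the two forward-proxy directives and the missing CA file, while `lint(SUGGESTED)` returns an empty list.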

