httpd-users mailing list archives

From frankp...@netscape.net
Subject Re: [users@httpd] SSL and reverse proxying
Date Fri, 30 Jun 2006 00:54:43 GMT
Hi,
I first set up SSL, then I set up a forward proxy server. It worked. Now I am setting up a reverse
proxy server. It has some problems. English works. Chinese does not work. But Chinese in Tomcat
works.
The following are my error_log and configuration files.
 
[Thu Jun 29 20:39:40 2006] [notice] Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7g proxy_html/2.5 configured -- resuming normal operations
[Thu Jun 29 20:40:09 2006] [error] [client 192.168.0.90] Invalid method in request \x80L\x01\x03\x01
[Thu Jun 29 20:40:14 2006] [error] [client 192.168.0.90] Invalid method in request \x80L\x01\x03\x01
[Thu Jun 29 20:40:20 2006] [error] [client 192.168.0.90] Invalid method in request \x80L\x01\x03\x01
[Thu Jun 29 20:40:31 2006] [error] [client 192.168.0.90] File does not exist: /usr/local/apache/htdocs/3
[Thu Jun 29 20:40:36 2006] [error] [client 192.168.0.90] File does not exist: /usr/local/apache/htdocs/1
[Thu Jun 29 20:40:42 2006] [error] [client 192.168.0.90] File does not exist: /usr/local/apache/htdocs/2
[Thu Jun 29 20:40:47 2006] [error] [client 192.168.0.90] Unsupported charset gb2312 in HTML META
[Thu Jun 29 20:40:47 2006] [warn] [client 192.168.0.90] No usable charset information: using old HTTP default LATIN1
[Thu Jun 29 20:40:47 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:47 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
 
 
#!/bin/bash
./configure --prefix=/usr/local/apache \
--with-mpm=prefork \
--enable-ssl \
--disable-charset-lite \
--disable-include \
--disable-env \
--enable-setenvif \
--disable-status \
--disable-autoindex \
--disable-asis \
--disable-cgi \
--disable-negotiation \
--disable-imap \
--disable-actions \
--disable-userdir \
--disable-alias \
--enable-proxy \
--enable-cache \
--enable-disk-cache \
--enable-file-cache \
--enable-mem-cache \
--enable-diskcache \
--enable-headers \
--enable-deflate \
--enable-rewrite \
--enable-mime \
--enable-negotiation \
--enable-speling 
 
ServerRoot "/usr/local/apache"
Listen 8088
#ProxyRequests On
#ProxyVia      On
ProxyRequests off
ProxyVia      off
#LoadFile /usr/local/lib/libxml2.so.2.6.26
LoadFile /usr/local/lib/libxml2.so.2.6.26
#LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_html_module modules/mod_proxy_html.so
<Directory proxy:*>
Order deny,allow
Deny from all
Allow from 192.168.0 
</Directory>
CacheRoot "/usr/local/apache/proxy"
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactore 0.1
#CacheDefaultExpire 1
#NoCache www.peacehall.com
# The stock httpd 2.2 httpd.conf wraps User/Group in this container; the opening
# tag was missing above the stray </IfModule> and is restored here.
<IfModule !mpm_netware_module>
User daemon
Group daemon
</IfModule>
ServerAdmin you@example.com
ServerName www.ddint.org:8088
DocumentRoot "/usr/local/apache/htdocs"
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
ErrorLog logs/error_log
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog logs/access_log common
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock logs/cgisock
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
DefaultType text/plain
<IfModule mime_module>
    TypesConfig conf/mime.types
    #AddType application/x-gzip .tgz
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    #AddHandler cgi-script .cgi
    # For type maps (negotiated resources):
    #AddHandler type-map var
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>
#MIMEMagicFile conf/magic
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#EnableMMAP off
#EnableSendfile off

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

 
 
#httpd-ssl.conf
Listen 8843
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLSessionCache        shmcb:/usr/local/apache/logs/ssl_scache(512000)
SSLSessionCacheTimeout  300
<VirtualHost _default_:8843>
<Directory proxy:*>
Order deny,allow
Deny from all
Allow from 192.168.0 
</Directory>
DocumentRoot "/usr/local/apache/htdocs"
ServerName www.ddint.org:8843
ServerAdmin you@example.com
#SSLEngine on
SSLProxyEngine on
ProxyPass /1/ http://www.dajiyuan.com/
ProxyPass /2/ http://www.peacehall.com/
ProxyPass /3/ http://breakevilaxis.org/
ProxyPass /g/ http://www.google.com/
ProxyPass /z/ http://zyzg.org/
ProxyHTMLURLMap  http://www.dajiyuan.com /1
ProxyHTMLURLMap  http://www.peacehall.com /2
ProxyHTMLURLMap  http://breakevilaxis.org /3
ProxyHTMLURLMap  http://www.google.com /g
ProxyHTMLURLMap  http://zyzg.org /z
<Location /1/>
 ProxyPassReverse /
 SetOutputFilter proxy-html
 ProxyHTMLURLMap / /1/
 ProxyHTMLURLMap /1 /1
</Location>
<Location /2/>
 ProxyPassReverse /
 SetOutputFilter proxy-html
 ProxyHTMLURLMap / /2/
 ProxyHTMLURLMap /2 /2
</Location>
<Location /3/>
 ProxyPassReverse /
 SetOutputFilter proxy-html
 ProxyHTMLURLMap / /3/
 ProxyHTMLURLMap /3 /3
</Location>
<Location /g/>
 ProxyPassReverse /
 SetOutputFilter proxy-html
 ProxyHTMLURLMap / /g/
 ProxyHTMLURLMap /g /g
</Location>
<Location /z/>
 ProxyPassReverse /
 SetOutputFilter proxy-html
 ProxyHTMLURLMap / /z/
 ProxyHTMLURLMap /z /z
</Location>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/new.cert.cert
#SSLCertificateFile /usr/local/apache/conf/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache/conf/new.cert.key
#SSLCertificateKeyFile /usr/local/apache/conf/server-dsa.key
#SSLCertificateChainFile /usr/local/apache/conf/server-ca.crt
#SSLCACertificatePath /usr/local/apache/conf
#SSLCACertificateFile /usr/local/apache/conf/client.cert.cert
#SSLCARevocationPath /usr/local/apache/conf/ssl.crl
#SSLCARevocationFile /usr/local/apache/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth  1
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>                                  

-----Original Message-----
From: Joshua Slive <joshua@slive.ca>
To: sniedermeyer@cob.org <sniedermeyer@cob.org>; Apache Users <users@httpd.apache.org>
Sent: Thu, 29 Jun 2006 20:18:12 -0400
Subject: Re: [users@httpd] SSL and reverse proxying


[Sending back to the list. Please keep the discussion there.] 
 
On 6/29/06, sniedermeyer@cob.org <sniedermeyer@cob.org> wrote: 
> 
> Hi Joshua, 
> 
> In order to get the communication between the RPS and the web app server to 
> be SSL though, don't you need to have two certs and a special configuration 
> vs. having a single cert on the RPS if you're willing to have the 
> communication between the RPS and the backend web app server unencrypted. 
> The info we're passing between the RPS and web app server needs to remain 
> secure too. Any thoughts on some good reference material on that? I 
> thought I read something about a combined pool of keys or something, but 
> like I said, got lost. 
 
Yes, you need two separate certs. But you need to realize that these 
are entirely separate, unrelated connections (from an ssl 
perspective). So it would be best to first work on getting the 
client->proxy connection working under ssl, using the normal SSL 
config stuff. Then look at the SSLProxy* directives which are used to 
configure the client side of the proxy->web app connection. 
 
I don't know of any tutorials for this stuff, and I'm not all that 
familiar with it myself. 
 
Joshua. 
 
--------------------------------------------------------------------- 
The official User-To-User support forum of the Apache HTTP Server Project. 
See <URL:http://httpd.apache.org/userslist.html> for more info. 
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org 
  " from the digest: users-digest-unsubscribe@httpd.apache.org 
For additional commands, e-mail: users-help@httpd.apache.org 
 
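The two-leg setup Joshua describes, written out as an added example that is not frankp's configuration nor anything from the httpd project: the 8843 vhost terminates the client leg with SSLEngine on, then acts as a TLS client toward the backend and verifies its certificate rather than only encrypting. The backend host, the /app/ prefix and the CA file path are assumptions; the cert paths and client subnet are taken from the posted config.

```apache
# Leg 1: client -> proxy. mod_ssl terminates TLS on this port.
# With "SSLEngine on" commented out (as in the posted httpd-ssl.conf) the port
# speaks plain HTTP, and a browser's SSL ClientHello shows up in error_log as
# "Invalid method in request \x80L\x01\x03\x01" (SSLv2-style hello record,
# advertising TLS 1.0). The 8843 ProxyPass lines then never see a request.
Listen 8843
<VirtualHost _default_:8843>
    ServerName www.ddint.org:8843
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/new.cert.cert
    SSLCertificateKeyFile /usr/local/apache/conf/new.cert.key

    # The stock 2.2 cipher string (ALL:...:+LOW:+SSLv2:+EXP:+eNULL) admits
    # export, NULL-encryption and SSLv2 suites; refuse them on the client leg.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!SSLv2

    # Leg 2: proxy -> backend. Here mod_ssl is the TLS *client*; this is an
    # unrelated session with its own certificate on the backend side.
    # SSLProxyEngine alone only encrypts: in 2.2 SSLProxyVerify defaults to
    # "none", so the proxy would accept any certificate the backend presents.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # Assumed path: bundle of the CA(s) that issued the backend's server cert.
    SSLProxyCACertificateFile /usr/local/apache/conf/backend-ca.crt
    SSLProxyProtocol all -SSLv2

    # Assumed backend; "https://" is what makes mod_proxy use leg 2.
    ProxyPass        /app/ https://backend.example.internal/
    ProxyPassReverse /app/ https://backend.example.internal/

    # Restrict who may use the proxy, in the 2.x container (not <Directory proxy:*>).
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.0
    </Proxy>

    CustomLog /usr/local/apache/logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

After reloading, the ssl_request_log should record the client leg's protocol and cipher per request, and a backend presenting a certificate not chaining to backend-ca.crt is refused with a proxy error rather than served.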
