httpd-users mailing list archives

From Josh Wyatt <Josh.Wy...@hcssystems.com>
Subject Re: [users@httpd] Reverse SSL proxy with NULL cipher on backend?
Date Mon, 18 Sep 2006 16:10:30 GMT
Spil Oss wrote:
> Hi Josh,
> 
> When you say "https is hard-coded as the beginning of all URLs" you
> mean that that is done in all pages that the webserver generates? In
> that case you might just address oapache using http, and in apache2's
> config ProxyPass / http://localhost/.
> 
> Kind Regards,
> 
> Spil

Hi Spil,

Thank you for your response.

Actually, the logic goes something like this:
1. End-human requests a report from the application server.
2. The request is handed off to a report server;
3. the report server generates the report himself via a special URL on the webserver;
4. The report retrieval URL is then mangled for security reasons, and sent back to the end-human
5. a new browser window pops up for the end-human, and retrieves the report via mangled URL.

Now, step 3 uses a "hidden" internal URL which gets mangled later on in step 4.  This mangling
action doesn't happen unless SSL is enabled on oapache.

Sounds complicated, and I'm sure R. Goldberg had a hand in this.  But stage 3 requires SSL.
 

Thanks,
Josh


> On 18/09/06, Josh Wyatt <Josh.Wyatt@hcssystems.com> wrote:
> 
>> Joshua Slive wrote:
>> > On 9/16/06, Josh Wyatt <Josh.Wyatt@hcssystems.com> wrote:
>> >> I'd like to use NULL authentication, ciphers, etc to reduce the
>> >> proxyapache <-> oapache SSL overhead.  How can I configure oapache and
>> >> proxyapache to use NULL for authentication, ciphers, etc?
>> >
>> >
>> > I don't know the answer to that.  I suspect it is impossible without
>> > modifying the configuration of oapache to accept null ciphers.
>> >
>> > But in any case, this is silly.  Why not just configure oapache to use
>> > ordinary http instead?
>> >
>> > Joshua.
>>
>> I agree it's silly that SSL is required.  But it truly is for this 
>> application (https is hard-coded as the beginning of all URLs), and 
>> it's a COTS application, so we can't change that bit.
>>
>> Now, I absolutely DO have control over oapache's configuration.  And 
>> as I stated in my initial post, I already tried specifying NULL 
>> ciphers with.  Quoting my initial post:
>>
>> 'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL' 
>> on oapache.  In oapache's logfiles I get:
>>
>> [Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed 
>> (server oapache:8888, client proxyapache) (OpenSSL library error follows)
>> [Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL 
>> routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive 
>> SSLCipherSuite or using DSA server certificate?]
>>
>> Any help you can provide would be greatly appreciated.
>>
>> Thanks,
>> Josh
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server 
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
> 



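An added example, not part of the original thread or of Apache httpd: a small audit script that flags `SSLCipherSuite` / `SSLProxyCipherSuite` directives, such as the two quoted in the thread, whose OpenSSL cipher string leaves no-encryption (NULL) suites enabled. The function names and the sample configuration are constructed for illustration, and the evaluation is a conservative simplification that tracks only terms naming NULL suites.

```python
import re

# OpenSSL cipher-string keywords naming every no-encryption suite (aNULL is a different class).
NULL_CLASS = {"NULL", "ENULL", "COMPLEMENTOFALL"}
DIRECTIVE = re.compile(r"^\s*(SSLCipherSuite|SSLProxyCipherSuite)\s+(\S.*?)\s*$", re.I)

def names_null(body):
    """True if a term (upper-cased, operator removed) selects NULL-encryption suites."""
    return any(p in NULL_CLASS or "NULL" in p.split("-") for p in body.split("+"))

def enables_null(cipher_string):
    """Conservative check: can this cipher string leave a NULL suite enabled?"""
    enabled = banned = False
    for term in re.split(r"[:, ]+", cipher_string.strip("\"' ")):
        op = term[:1] if term[:1] in ("!", "-", "+") else ""
        body = term[len(op):].upper()
        if not names_null(body):
            continue
        if op == "" and not banned:
            enabled = True                      # plain term adds the suites
        elif op in ("!", "-") and body in NULL_CLASS:
            enabled = False                     # whole class removed
            banned = banned or op == "!"        # '!' removal is permanent
        # a leading '+' only reorders suites that are already enabled
    return enabled

def audit(conf_text):
    """Return (line_no, directive, value) for each directive that allows NULL suites."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)               # commented-out lines do not match
        if m and enables_null(m.group(2)):
            hits.append((n, m.group(1), m.group(2)))
    return hits

# Constructed sample: the first two directives are the ones quoted in the thread.
SAMPLE_CONF = """\
SSLProxyCipherSuite NULL
SSLCipherSuite NULL
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL
SSLCipherSuite ALL:!eNULL:NULL-SHA
# SSLCipherSuite eNULL
SSLProxyCipherSuite "DEFAULT:NULL-SHA"
"""

if __name__ == "__main__":
    for hit in audit(SAMPLE_CONF):
        print("NULL-encryption suites enabled: line %d: %s %s" % hit)
```

Because removals of individual suites or of other classes (for example `!RSA`) are not modelled, the script can over-report but will not miss a directive that names NULL suites without a whole-class removal.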