httpd-users mailing list archives

From "Krist van Besien" <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] Https proxy on http Virtual Host
Date Wed, 10 Oct 2007 11:00:07 GMT
On 10/10/07, Boyle Owen <Owen.Boyle@swx.com> wrote:
> > -----Original Message-----
> > From: Bronzetti Marco [mailto:marco.bronzetti@telecomitalia.it]
> > Sent: Wednesday, October 10, 2007 9:46 AM
> > To: users@httpd.apache.org
> > Subject: [users@httpd] Https proxy on http Virtual Host
> >
> > Hi,
> > I need to do a Reverse proxy to a Https WebSite from an Http WebSite,
> > my httpd.conf should be like that :
> >
> > <VirtualHost test.telecomitalia.it:80>
> >  ServerName test.telecomitalia.it
> >  ErrorLog /appl1/logs/http_error.log
> >  CustomLog /appl1/logs/http_access.log common
> >  DocumentRoot /docroot
> >  DirectoryIndex index.html index.html.var
> >  <IfModule mod_proxy.c>
> >    ProxyPass /rep-rs/ https://10.173.82.30/rep-rs/
> >    ProxyPass /ti-csr/ https://10.173.82.30/ti-csr/
> >  </IfModule>
> > </VirtualHost>
> >
> > Is it possible to do that ?
>
> Yes, but not like that...
>
> If the back-end is an HTTPS server, then the front-end (ie your apache)
> has to talk SSL to it. To do this, it needs to use mod_ssl and special
> directives to contact a back-end HTTPS server (see
> http://httpd.apache.org/docs/2.2/mod/mod_proxy.html and
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html)

It is also important that you have the following directives:
SSLProxyEngine on
and
SSLProxyCACertificateFile <file>
or
SSLProxyCACertificatePath <path>
(see: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxycacertificatepath)

You see, apache needs to act as an ssl _client_, which it doesn't do
out of the box. In order for apache to act as an ssl client it needs a
few extra directives, and you must make the CA certificate used to
sign the certificate of the server(s) you're communicating with
available to it using the SSLProxyCACertificateFile (or Path). See the
documentation.

> By the way, I guess the back-end is a legacy server that you can't
> change? Otherwise, it is pretty silly to do this since the connection
> from the client to the front-end will be plain HTTP and it makes no
> sense to protect data for only part of its journey.

I've had to set up such a configuration, to allow a legacy service
that only was able to make http requests to communicate with a new
service that only accepted https requests. The http -> https proxy ran
on the same machine as the legacy service, so there were no big
security issues.

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
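The configuration the thread arrives at, written out as one complete virtual host. This is an added example and not a configuration posted by anyone in the thread or shipped by the httpd project; it keeps the hostname, log paths and ProxyPass targets from Marco's original post and adds the directives Krist and Owen point to. The CA bundle path is a hypothetical placeholder, and the SSLProxyVerify / ProxyPassReverse / ProxyRequests lines are additions a practitioner would normally want that the thread does not mention.

```apache
# Added example (not from the thread): an HTTP front end that reverse-proxies
# to an HTTPS back end. Requires both mod_proxy (with mod_proxy_http) and
# mod_ssl to be loaded; the directives are deliberately not wrapped in
# <IfModule> so that a missing module is a startup error rather than a
# silently dropped ProxyPass.
<VirtualHost test.telecomitalia.it:80>
    ServerName     test.telecomitalia.it
    ErrorLog       /appl1/logs/http_error.log
    CustomLog      /appl1/logs/http_access.log common
    DocumentRoot   /docroot
    DirectoryIndex index.html index.html.var

    # Allow this vhost to open outbound SSL connections, i.e. let Apache
    # act as an SSL client towards the back end.
    SSLProxyEngine on

    # CA certificate(s) that signed the back end's server certificate.
    # Hypothetical path: a PEM bundle readable by the httpd user.
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.pem

    # Refuse the proxied request unless the back-end certificate chains to
    # that CA; without this, Apache would proxy to any certificate at all.
    SSLProxyVerify      require
    SSLProxyVerifyDepth 2

    # Never act as an open forward proxy; only the mappings below are served.
    ProxyRequests Off

    ProxyPass        /rep-rs/ https://10.173.82.30/rep-rs/
    ProxyPassReverse /rep-rs/ https://10.173.82.30/rep-rs/
    ProxyPass        /ti-csr/ https://10.173.82.30/ti-csr/
    ProxyPassReverse /ti-csr/ https://10.173.82.30/ti-csr/
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading, and confirm that the CA bundle actually validates the back end with `openssl s_client -connect 10.173.82.30:443 -CAfile /etc/apache2/ssl/backend-ca.pem`, which should report `Verify return code: 0 (ok)`. Two caveats: the back end is addressed by IP address here, so if mod_ssl's peer CN check is in effect (SSLProxyCheckPeerCN) the back-end certificate's CN must match that IP, otherwise proxy to the hostname the certificate was issued for; and, as Owen notes, the leg between the client and this front end is still plain HTTP, so this setup only makes sense when that leg stays on the same host or a trusted network, as in Krist's case.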

