httpd-users mailing list archives

From "Emmanuel E" <emmanue...@gmx.net>
Subject Re: [users@httpd] How to encrypt traffic between client and apache proxy server
Date Thu, 24 Apr 2008 17:15:14 GMT
Check out https://issues.apache.org/bugzilla/show_bug.cgi?id=29744

and use the patch available there.

It's a pity that this patch still won't make it to the main tree...
  ----- Original Message ----- 
  From: Stephen Hu 
  To: users@httpd.apache.org 
  Sent: Thursday, April 24, 2008 8:44 PM
  Subject: [users@httpd] How to encrypt traffic between client and apache proxy server


  Hi,

       I was trying to set up a forward proxy solution with Apache, but via port 443 (SSL) rather
than just via 80. So I hope it should work as in the following diagram:

  Client(IP1:Random)     (IP2:443)Apache(IP2:Random) (IP3:443)Web Server

  1  |--------SSL Hand Shake-----(443)|
  2  |-CONNECT IP3:443 HTTP/1.1->(443)|
  3                                   |----TCP hand shake---(443)|
  4  |<-HTTP/1.0 200 Established-(443)|

  6  |----------------------SSL Hand Shake------------------(443)|
  7  |------GET / HTTP/1.1------>(443)|----GET / HTTP/1.1-->(443)|
  8  |<------------HTML----------(443)|<---------HTML-------(443)|


       So I configured my Apache server like this:

  <VirtualHost _default_:443>
  # SSLEngine and certificate directives are not shown in the original post;
  # the SSL handshake in the test log below only succeeds if they are present.
  ProxyRequests On
  <Proxy *>
      Order deny,allow
      Allow from all
  </Proxy>
  </VirtualHost>


       I did the following test. It looks like Apache works: after the SSL handshake, I sent
"CONNECT IP3:443 HTTP/1.1" to the Apache proxy (encrypted), Apache decrypted the CONNECT instruction
correctly, tried to connect to IP3 and returned "HTTP/1.0 200 Connection Established..", BUT
the only problem is that Apache returned the HTTP/1.0 200 in PLAIN TEXT, so my client doesn't understand
it and stops. Here is the test log:


  1. Connect to proxy:

  openssl s_client -connect IP2:443 -state -debug

  SSL handshake has read 1361 bytes and written 340 bytes
  ---
  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
  Server public key is 1024 bit
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : DHE-RSA-AES256-SHA
      Session-ID: FC2A51765458493165B386D05A1DAF2CEAE4C762078D534ADD862E1802381486
      Session-ID-ctx: 
      Master-Key: 695B9E094F07F7ECD0B73EC8E0FC0A441B8A96C41CE2B85E771C85DC5AADC5BBB41F1DDA7F387D62B0C808A6411BFDB6
      Key-Arg   : None
      Krb5 Principal: None
      Start Time: 1209048482
      Timeout   : 300 (sec)
      Verify return code: 18 (self signed certificate)
  ---

  2. I sent the CONNECT instruction:

  CONNECT 209.47.41.27:443 HTTP/1.1
  Host: www.testhost.com

  SSL3 alert write:fatal:protocol version
  32713:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:

  SSL3 alert write:warning:close notify


       I traced on the proxy server; actually, it returned "HTTP/1.0 200 Connection Established.."
in PLAIN TEXT and caused this problem.

   

  Very Best Regards!
  Stephen
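Added example, not code from either poster or from the Apache project: a Python client that repeats Stephen's s_client test programmatically and explains the "wrong version number" error in his log. It speaks TLS to the proxy, sends CONNECT, and then looks at the raw bytes the proxy sends back before the TLS record layer sees them, so it can tell whether the "200 Connection Established" reply came back inside the TLS session or in plaintext. TLS is driven through ssl.MemoryBIO for that reason. The proxy host, port, target and the insecure flag are parameters (assumed, since the post only gives placeholder IPs); the sample bytes in the `__main__` block are constructed.

```python
"""Diagnose a CONNECT-over-TLS forward proxy (added example, not from the thread)."""
import socket
import ssl

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}


def classify_reply(raw: bytes) -> str:
    """Classify the first bytes the proxy sends back after CONNECT.

    A reply sent inside the TLS session starts with a 5-byte record header:
    content type 0x14-0x17, then a 0x03xx version.  A plaintext
    "HTTP/1.0 200 ..." starts with 'H' 'T' 'T' = 0x48 0x54 0x54, which a TLS
    record layer reads as content type 0x48 / version 0x5454 and rejects with
    "wrong version number": the exact s_client error in the log above.
    """
    if len(raw) < 5:
        return "short"
    if raw[0] in TLS_CONTENT_TYPES and raw[1] == 0x03 and raw[2] <= 0x04:
        return "tls-record"
    if raw.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def misread_version(raw: bytes) -> int:
    """The 'protocol version' a TLS record layer would extract from these bytes."""
    return (raw[1] << 8) | raw[2]


def connect_via_tls_proxy(proxy_host, proxy_port, target, insecure=False, timeout=10.0):
    """Handshake with the proxy, send CONNECT, return (kind, first reply line).

    kind is "tls-record" when the reply came back encrypted (correct) or
    "plaintext-http" when it came back in the clear (the bug in the thread).
    insecure=True skips certificate checks, like the s_client run in the log;
    keep it False outside a lab.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=proxy_host)

    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        def flush():  # push whatever TLS produced onto the wire
            data = outgoing.read()
            if data:
                sock.sendall(data)

        def feed():  # read raw bytes from the wire
            data = sock.recv(16384)
            if not data:
                raise ConnectionError("proxy closed the connection")
            return data

        # Drive the handshake: write what TLS produced, read what the peer sent.
        while True:
            try:
                tls.do_handshake()
                break
            except ssl.SSLWantReadError:
                flush()
                incoming.write(feed())
        flush()

        request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
        tls.write(request.encode("ascii"))
        flush()

        # Inspect the raw reply before handing it to the record layer.
        raw = feed()
        kind = classify_reply(raw)
        if kind == "plaintext-http":
            return kind, raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
        incoming.write(raw)
        while True:  # may loop over session tickets before application data arrives
            try:
                reply = tls.read(16384)
                break
            except ssl.SSLWantReadError:
                incoming.write(feed())
        return kind, reply.split(b"\r\n", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    # Constructed sample bytes: what the two cases look like on the wire.
    plain = b"HTTP/1.0 200 Connection Established\r\n\r\n"
    wrapped = b"\x17\x03\x01\x00\x26" + b"\x00" * 0x26  # application_data record, TLS 1.0
    print(classify_reply(plain), hex(misread_version(plain)))  # plaintext-http 0x5454
    print(classify_reply(wrapped))  # tls-record
```

Against a correctly patched proxy, `connect_via_tls_proxy("proxy.example", 443, "203.0.113.10:443")` returns `("tls-record", "HTTP/1.0 200 Connection Established")`; against the behaviour in the log it returns `("plaintext-http", ...)` instead of dying with the record-layer alert, which makes the misbehaviour visible without a packet trace.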


