httpd-users mailing list archives

From "Holger Weissboeck" <holger.weissbo...@dynatrace.com>
Subject [users@httpd] How to tunnel tcp through apache 2.2 reverse proxy
Date Thu, 18 Jun 2009 11:55:07 GMT
Good day everyone,

I am in desperate need of your help with a problem tunneling a custom
tcp protocol through a chain of apache servers configured as proxies.

The necessary setup looks like this:
Client -> [Apache 2.2 Reverse Proxy] -> [Apache 2.2 Forward Proxy] -> Server
and unfortunately it can't be changed.

Client and Server are talking a custom protocol. To tunnel through the
proxies the Client sends an HTTP CONNECT request to the first proxy
(according to the INTERNET-DRAFT "Tunneling TCP based protocols through
Web proxy servers" by Ari Luotonen). The proxy is then supposed to
digest this HTTP CONNECT HEADER from the wire and create a tcp tunnel
between the Client and the Server. Client and Server then can talk their
custom protocol.

In the following setups this approach works flawlessly:
* Client -> [Apache 2.2 Forward Proxy] -> Server
* Client -> [Apache 2.0 Forward Proxy] -> Server
* Client -> [Apache 2.0 Reverse Proxy] -> Server

Unfortunately it does not work for Apache 2.2 reverse proxies:
* Client -> [Apache 2.2 Reverse Proxy] -> Server
* Client -> [Apache 2.2 Reverse Proxy] -> [Apache 2.2 Forward Proxy] -> Server

How do I have to configure the proxies so that the CONNECT request
actually creates a tunnel?

My current configurations are the following:

Reverse Proxy:
Listen 9006
NameVirtualHost *:9006
<VirtualHost *:9006>
 AllowCONNECT 9008
 ProxyPass / http://forwardproxyhost:9007
 ProxyRemote * http://forwardproxyhost:9007
</VirtualHost>

Forward Proxy:
Listen 9007
NameVirtualHost *:9007
<VirtualHost *:9007>
 AllowCONNECT 9008
 ProxyRequests On
</VirtualHost>

The HTTP CONNECT request header looks like this:
CONNECT serverhost:9008 HTTP/1.1
Host: serverhost:9008
User-agent: myCustomUserAgent
Connection: Keep-Alive

With the above setup the reverse proxy alters the request header and
sends the following to the forward proxy:
CONNECT http://serverhost:9008/ HTTP/1.1
Host: serverhost:9008
User-agent: myCustomUserAgent
Via: 1.1 reverseproxyhost:9008
X-Forwarded-For: serverhost
X-Forwarded-Host: serverhost:9008
X-Forwarded-Server: serverhost
Connection: Keep-Alive

...and then the chained forward proxy responds with the following:
HTTP/1.1 400 Bad Request
Date: Thu, 18 Jun 2009 11:42:02 GMT
Server: Apache/2.2.9 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 303
Content-Type: text/html; charset=iso-8859-1
Via: 1.1 reverseproxyhost:9008
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br
/>
</p>
<hr>
<address>Apache/2.2.9 (Ubuntu) Server at forwardproxyhost Port
0</address>
</body></html>

The http:// part after the CONNECT keyword is new and was attached to
the request header by the reverse proxy. If I send this exact request
without the http://, it works. However, I have not found a way to make
Apache 2.2 do that for me. I have played with this for a while now using
different alterations of ProxyPass, ProxyPassReverse, ProxyRemote and so
on. None of those gave me the results I need.

Btw: Modules proxy, proxy_connect, proxy_http are enabled and proxy.conf
accepts all requests ("Allow from all").

Thanks in advance!

Holger Weissboeck

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
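
Added example, not part of the original message and not Apache's own code: a small check of a CONNECT request line, showing why the rewritten target with the http:// prefix is rejected while the bare host:port form is accepted. The function name, the status codes chosen and the allow list (taken from "AllowCONNECT 9008" in the post) are assumptions for illustration.

```python
import re

# Assumption: mirrors "AllowCONNECT 9008" from the configurations in the post.
ALLOWED_CONNECT_PORTS = {9008}

# authority-form target: host ":" port, with no scheme, path or userinfo.
_AUTHORITY = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(?P<port>\d{1,5})$"
)


def check_connect_line(request_line, allowed_ports=ALLOWED_CONNECT_PORTS):
    """Return (status, reason) a CONNECT-handling proxy could answer with.

    Hypothetical helper for illustration; not mod_proxy_connect's logic.
    """
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, "malformed request line"
    method, target, _version = parts
    if method != "CONNECT":
        return 405, "not a CONNECT request"
    if "://" in target:
        # The form the reverse proxy produced in the post.
        return 400, "absolute-form target; CONNECT needs host:port"
    m = _AUTHORITY.match(target)
    if not m:
        return 400, "target is not host:port"
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return 400, "port out of range"
    if port not in allowed_ports:
        return 403, "port not in allow list"
    return 200, "tunnel to %s port %d" % (m.group("host"), port)


# Constructed samples: the first two are the request lines quoted in the post.
SAMPLES = [
    "CONNECT serverhost:9008 HTTP/1.1",
    "CONNECT http://serverhost:9008/ HTTP/1.1",
    "CONNECT serverhost:22 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", check_connect_line(line))
```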

