httpd-users mailing list archives

From Mauri <lai...@gmail.com>
Subject Re: [users@httpd] Reverse Proxy https to http
Date Thu, 22 Apr 2010 12:32:01 GMT
Hi GB.

I have a similar solution.

Client --> https://mysite.com --> proxy --> http://backend.

The URL in the client browser is https://mysite.com.

This is my /etc/httpd/conf.d/ssl.conf:



LoadModule ssl_module modules/mod_ssl.so
LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost mysite.com:443
<VirtualHost mysite.com:443>
ServerName mysite.com
ProxyRequests off
ProxyPass / https://10.173.90.167:8443/
ProxyHTMLURLMap https://10.173.90.167:8443 /
<Location />
        ProxyPassReverse https://10.173.90.167:8443/
        ProxyHTMLEnable On
        ProxyHTMLURLMap  /      /
        RequestHeader    unset  Accept-Encoding
</Location>

SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>






2010/4/22 GB GB <gbcyoyo@gmail.com>

> Basically, what goes on when the user types in https://mydomain.com/lsw:
> he gets an authentication page from the backend application. Once he
> enters his credentials, I notice a POST in the Apache logs.
>
> This is what the user types in:
> https://mydomain.com/lsw/clientele/gen/authentification.jsp
> He enters his credentials, then a POST appears in the log:
> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
>
> and in the browser I get the following: The connection has timed out
>
>
> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>
> The above link doesn't work because it's http rather than https!!
>
> If I add the "s" manually
>
> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
> then it works.
>
> 1) So how can I force the protocol to remain https once the client
> does a POST.....
> 2) I have noticed in many examples that people use PreserveHost on; in
> my case, if I activate
> PreserveHost on then I can't even get the first page to work:
>
> Thx in advance
>
>
>
>
> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
> <krist.vanbesien@gmail.com> wrote:
> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB <gbcyoyo@gmail.com> wrote:
> >
> >
> >
> >> #this for some reason becomes http from client perspective
> >> #PreserveHost on does not work with lsw, so I disabled it....
> >> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1 [NC,P,L]
> >> ProxyPassReverse  /lsw          http://backend2.ca:8082/lsw
> >> Redirect permanent /lsw https://mydomain.com/lsw
> >
> > First of all: Remove the "Redirect Permanent". It's not needed (as
> > this virtualhost only gets https requests anyway) and confuses. If you
> > want to make sure that people who accidentally land on the http site
> > get redirected to https you need to put a redirect in the http virtual
> > host.
> >
> > Secondly: Look at what your backend produces. It is very well possible
> > that it passes html pages back to the client that contain http://
> > style URLs. RewriteRule only operates on request URLs,
> > ProxyPassReverse only on redirects passed back. The content passed
> > back by the backend is not modified.
> >
> > HTH,
> >
> > Krist
> >
> > --
> > krist.vanbesien@gmail.com
> > krist@vanbesien.org
> > Bremgarten b. Bern, Switzerland
> > --
> > A: It reverses the normal flow of conversation.
> > Q: What's wrong with top-posting?
> > A: Top-posting.
> > Q: What's the biggest scourge on plain text email discussions?
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
>
>
>
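
Added example (not part of the original messages): Krist's point that ProxyPassReverse only touches redirect headers, and only when they match the configured backend URL, modelled in Python together with a check for backend URLs leaking to the client. The prefix-matching function is a simplified model of mod_proxy, and the sample Location values and form tag are constructed, assuming the backend sent the port-less URL GB saw in the browser.

```python
import re
from urllib.parse import urlsplit

PUBLIC = "https://mydomain.com"                    # front-end origin named in the thread
RULES = [("/lsw", "http://backend2.ca:8082/lsw")]  # ProxyPassReverse line quoted in the thread

def proxy_pass_reverse(location, rules=RULES, public=PUBLIC):
    """Simplified model of ProxyPassReverse: if the Location value starts with
    a configured backend URL, swap that prefix for the public origin plus the
    local path; anything that does not match passes through unchanged."""
    for local_path, backend_url in rules:
        if location.lower().startswith(backend_url.lower()):
            return public + local_path + location[len(backend_url):]
    return location

def audit_response(headers, body, public=PUBLIC):
    """List absolute URLs that would take the browser off the public HTTPS
    origin: the Location header first, then href/src/action URLs in the body."""
    want = urlsplit(public)
    urls = [("Location", headers["Location"])] if "Location" in headers else []
    urls += [("body", u) for u in re.findall(
        r"""(?:href|src|action)=["'](https?://[^"']+)""", body, re.I)]
    findings = []
    for where, url in urls:
        got = urlsplit(url)
        if got.scheme and (got.scheme, got.netloc) != (want.scheme, want.netloc):
            findings.append((where, url))
    return findings

# Constructed samples: a redirect that matches the rule, one without the port
# (the form GB reports in the browser), and a page body with a backend URL.
WITH_PORT = "http://backend2.ca:8082/lsw/clientele/ses/pagePersonnelle.jsp"
NO_PORT = "http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp"
BODY = '<form action="http://backend2.ca:8082/lsw/clientele/gen/authentification.jsp">'

def demo():
    """Run both redirects through the model, then audit what the client sees."""
    results = {}
    for name, loc in (("with_port", WITH_PORT), ("no_port", NO_PORT)):
        headers = {"Location": proxy_pass_reverse(loc)}
        results[name] = audit_response(headers, BODY)
    return results

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

A Location finding points at a ProxyPassReverse prefix that does not match what the backend emits; a body finding is content the proxy passed through untouched, which is what mod_proxy_html rewrites in the configuration above.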
