From: Mauri <lain80@gmail.com>
To: users@httpd.apache.org
Date: Thu, 22 Apr 2010 15:01:14 +0200
Subject: Re: [users@httpd] Reverse Proxy https to http

You can investigate on the version. I have this: httpd-2.2.3-31

Please see at ssl.conf top:
================================================
LoadModule ssl_module modules/mod_ssl.so
LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
================================================

Have you loaded this module?

2010/4/22 GB GB <gbcyoyo@gmail.com>

> The version I am using is
> Server version: Apache/2.0.54
> Server built:   Sep 23 2005 15:28:48
>
> ProxyHTMLURLMap doesn't work with what I am using.....
>
>
> On Thu, Apr 22, 2010 at 8:32 AM, Mauri <lain80@gmail.com> wrote:
> > Hi GB.
> >
> > I have a similar solution.
> >
> > Client --> https://mysite.com --> proxy --> http://backend.
> >
> > the url in the client browser is https://mysite.com.
> >
> > this is my /etc/httpd/conf.d/ssl.conf:
> >
> > LoadModule ssl_module modules/mod_ssl.so
> > LoadFile   /usr/lib/libxml2.so
> > LoadModule proxy_html_module modules/mod_proxy_html.so
> > LoadModule xml2enc_module modules/mod_xml2enc.so
> > Listen 443
> > AddType application/x-x509-ca-cert .crt
> > AddType application/x-pkcs7-crl    .crl
> > SSLPassPhraseDialog  builtin
> > SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
> > SSLSessionCacheTimeout  300
> > SSLMutex default
> > SSLRandomSeed startup file:/dev/urandom  256
> > SSLRandomSeed connect builtin
> > SSLCryptoDevice builtin
> >
> > NameVirtualHost mysite.com:443
> > <VirtualHost mysite.com:443>
> > ServerName mysite.com
> > ProxyRequests off
> > ProxyPass / https://10.173.90.167:8443/
> > ProxyHTMLURLMap https://10.173.90.167:8443 /
> > <Location />
> >         ProxyPassReverse https://10.173.90.167:8443/
> >         ProxyHTMLEnable On
> >         ProxyHTMLURLMap  /      /
> >         RequestHeader    unset  Accept-Encoding
> > </Location>
> >
> > SSLEngine on
> > SSLProxyEngine on
> > SSLProtocol all -SSLv2
> > SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> > SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
> > SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
> > SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer
> >
> > <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> >     SSLOptions +StdEnvVars
> > </Files>
> > <Directory "/var/www/cgi-bin">
> >     SSLOptions +StdEnvVars
> > </Directory>
> > SetEnvIf User-Agent ".*MSIE.*" \
> >          nokeepalive ssl-unclean-shutdown \
> >          downgrade-1.0 force-response-1.0
> > CustomLog logs/ssl_request_log \
> >           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> > </VirtualHost>
> >
> >
> > 2010/4/22 GB GB <gbcyoyo@gmail.com>
> >>
> >> Basically what goes on when the user types in https://mydomain.com/lsw
> >> he gets an authentication page from the backend application. Once he
> >> enters his credentials, I notice a POST in the apache logs.
> >>
> >> This is what the user types in:
> >> https://mydomain.com/lsw/clientele/gen/authentification.jsp
> >> he enters his credentials, then a POST appears in the log :
> >> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
> >>
> >> and in the browser I get the following: The connection has timed out
> >>
> >> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
> >>
> >> the above link doesn't work because it's http rather than https!!
> >>
> >> If I add the "s" manually
> >>
> >> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
> >> then it works.
> >>
> >> 1)So how can I force the protocol to remain https once the client
> >> does a POST.....
> >> 2)I have noticed in many examples that people use PreserveHost on, in
> >> my case, if I activate
> >> PreserveHost on then I can't even get the first page to work:
> >>
> >> Thx in advance
> >>
> >>
> >> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
> >> <krist.vanbesien@gmail.com> wrote:
> >> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB <gbcyoyo@gmail.com> wrote:
> >> >
> >> >> #this for some reason becomes http from client perspective
> >> >> #PreserveHost on does not work with lsw, so I disabled it....
> >> >> RewriteRule       ^/lsw(.*)$    http://backend2.ca:8082/lsw$1 [NC,P,L]
> >> >> ProxyPassReverse  /lsw          http://backend2.ca:8082/lsw
> >> >> Redirect permanent /lsw https://mydomain.com/lsw
> >> >
> >> > First of all: Remove the "Redirect Permanent". It's not needed (as
> >> > this virtualhost only gets https requests anyway) and confuses. If you
> >> > want to make sure that people who accidentally land on the http site
> >> > get redirected to https you need to put a redirect in the http virtual
> >> > host.
> >> >
> >> > Secondly: Look at what your backend produces. It is very well possible
> >> > that it passes html pages back to the client that contain http://
> >> > style URLs. RewriteRule only operates on request URLs,
> >> > ProxyPassReverse only on redirects passed back. The content passed
> >> > back by the backend is not modified.
> >> >
> >> > HTH,
> >> >
> >> > Krist
> >> >
> >> > --
> >> > krist.vanbesien@gmail.com
> >> > krist@vanbesien.org
> >> > Bremgarten b. Bern, Switzerland
> >> > --
> >> > A: It reverses the normal flow of conversation.
> >> > Q: What's wrong with top-posting?
> >> > A: Top-posting.
> >> > Q: What's the biggest scourge on plain text email discussions?
> >> >
> >> > ---------------------------------------------------------------------
> >> > The official User-To-User support forum of the Apache HTTP Server
> >> > Project.
> >> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> >> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> >   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >> > For additional commands, e-mail: users-help@httpd.apache.org
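Added example (not part of the original thread, and not Apache's code): a simplified Python model of the prefix match that ProxyPassReverse applies to redirects, as Krist describes above, run on constructed Location values. The function names and sample redirects are assumptions; the second sample is the portless backend URL that reached the browser in the thread, which does not start with the configured http://backend2.ca:8082/lsw and so passes through unchanged.

```python
"""Simplified model of ProxyPassReverse (added example, not Apache source)."""
from urllib.parse import urlsplit

FRONTEND = "https://mydomain.com"  # public origin used in the thread
# (public path, backend URL), as in: ProxyPassReverse /lsw http://backend2.ca:8082/lsw
MAPPINGS = [("/lsw", "http://backend2.ca:8082/lsw")]


def reverse_map(location, mappings=MAPPINGS, frontend=FRONTEND):
    """Rewrite a backend Location value if it starts with a configured backend URL."""
    for public_path, backend_url in mappings:
        if location.lower().startswith(backend_url.lower()):
            return frontend + public_path + location[len(backend_url):]
    return location  # no prefix match: the header reaches the client unchanged


def leaks_backend(location, frontend=FRONTEND):
    """True if an absolute redirect still points away from the public origin."""
    parts = urlsplit(location)
    if not parts.scheme:  # relative redirect, resolved against the frontend
        return False
    front = urlsplit(frontend)
    return (parts.scheme, parts.netloc.lower()) != (front.scheme, front.netloc)


def audit(locations):
    """Return (original, rewritten, leaked) for each backend Location value."""
    out = []
    for loc in locations:
        new = reverse_map(loc)
        out.append((loc, new, leaks_backend(new)))
    return out


# Constructed samples: the first matches the configured prefix, the second is
# the portless form seen in the browser, the third is a relative redirect.
SAMPLES = [
    "http://backend2.ca:8082/lsw/clientele/ses/pagePersonnelle.jsp",
    "http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp",
    "/lsw/clientele/ses/pagePersonnelle.jsp",
]

if __name__ == "__main__":
    for original, rewritten, leaked in audit(SAMPLES):
        print(("LEAK " if leaked else "ok   ") + original + " -> " + rewritten)
```

Feeding the Location values from 3xx responses in a backend capture through audit() shows which redirects would send a client to the backend origin over plain http.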