From: Mauri
To: users@httpd.apache.org
Date: Thu, 22 Apr 2010 14:32:01 +0200
Subject: Re: [users@httpd] Reverse Proxy https to http

Hi GB.

I have a similar solution.

Client --> https://mysite.com --> proxy --> http://backend.

The URL in the client browser is https://mysite.com.

This is my /etc/httpd/conf.d/ssl.conf:

LoadModule ssl_module modules/mod_ssl.so
LoadFile   /usr/lib/libxml2.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule xml2enc_module modules/mod_xml2enc.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

NameVirtualHost mysite.com:443
<VirtualHost mysite.com:443>
ServerName mysite.com
ProxyRequests off
ProxyPass / https://10.173.90.167:8443/
ProxyHTMLURLMap https://10.173.90.167:8443 /
<Location />
        ProxyPassReverse https://10.173.90.167:8443/
        ProxyHTMLEnable On
        ProxyHTMLURLMap  /      /
        RequestHeader    unset  Accept-Encoding
</Location>

SSLEngine on
SSLProxyEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/cert/IT_Global_Alternative.cer
SSLCertificateKeyFile /etc/httpd/cert/IT_Global_Alternative.key
SSLCertificateChainFile /etc/httpd/cert/IT_Global_CA.cer

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

2010/4/22 GB GB <gbcyoyo@gmail.com>
> Basically what goes on when the user types in https://mydomain.com/lsw
> he gets an authentication page from the backend application. Once he
> enters his credentials, I notice a POST in the apache logs.
>
> This is what the user types in:
> https://mydomain.com/lsw/clientele/gen/authentification.jsp
> he enters his credentials, then a POST appears in the log :
> POST /lsw/clientele/gen/authentification.jsp HTTP/1.1" 302
>
> and in the browser I get the following: The connection has timed out
>
> http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
>
> the above link doesn't work because it's http rather than https!!
>
> If I add the "s" manually
> https://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp?Mouftah=VXV744A9SVZMU9P
> then it works.
>
> 1) So how can I force the protocol to remain https once the client
> does a POST.....
> 2) I have noticed in many examples that people use PreserveHost on; in
> my case, if I activate PreserveHost on then I can't even get the first
> page to work:
>
> Thx in advance
>
> On Wed, Apr 21, 2010 at 4:56 AM, Krist van Besien
> <krist.vanbesien@gmail.com> wrote:
> > On Tue, Apr 20, 2010 at 6:41 PM, GB GB <gbcyoyo@gmail.com> wrote:
> >
> >> #this for some reason becomes http from client perspective
> >> #PreserveHost on does not work with lsw, so I disabled it....
> >> RewriteRule       ^/lsw(.*)$     http://backend2.ca:8082/lsw$1      [NC,P,L]
> >> ProxyPassReverse  /lsw           http://backend2.ca:8082/lsw
> >> Redirect permanent /lsw https://mydomain.com/lsw
> >
> > First of all: Remove the "Redirect Permanent". It's not needed (as
> > this virtualhost only gets https requests anyway) and confuses. If you
> > want to make sure that people who accidentally land on the http site
> > get redirected to https you need to put a redirect in the http virtual
> > host.
> >
> > Secondly: Look at what your backend produces. It is very well possible
> > that it passes html pages back to the client that contain http://
> > style URLs. RewriteRule only operates on request URLs,
> > ProxyPassReverse only on redirects passed back. The content passed
> > back by the backend is not modified.
> >
> > HTH,
> >
> > Krist
> >
> > --
> > krist.vanbesien@gmail.com
> > krist@vanbesien.org
> > Bremgarten b. Bern, Switzerland
> > --
> > A: It reverses the normal flow of conversation.
> > Q: What's wrong with top-posting?
> > A: Top-posting.
> > Q: What's the biggest scourge on plain text email discussions?
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
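As an added illustration of Krist's point that ProxyPassReverse only touches redirects, and only those whose Location value starts with the backend URL named in the directive, the Python below (written for this page; it is not Apache code) models that prefix match against GB's directive and the Location value he quotes, and against Mauri's directive. The extra port-less ProxyPassReverse entry is an assumption about what GB's backend emits, not something either poster wrote.

```python
# Added illustration for this thread, not Apache source code: ProxyPassReverse
# rewrites a backend Location header only when the directive's backend URL is
# a prefix of the value the backend actually sent; an unmatched header passes
# to the client untouched, so the browser follows a plain http:// URL.
from urllib.parse import urlsplit


def proxy_pass_reverse(location, mappings, public_base):
    """Return the Location value the client receives.

    mappings:    (path, backend_url) pairs, one per `ProxyPassReverse path backend_url`
    public_base: scheme and host the client connected to, e.g. "https://mydomain.com"
    """
    for path, backend in mappings:
        if location.lower().startswith(backend.lower()):
            return public_base + path + location[len(backend):]
    return location  # no directive matched: header passed through unchanged


def leaves_tls(location, public_base):
    """True when following the redirect takes the browser off the proxy's https origin."""
    target, public = urlsplit(location), urlsplit(public_base)
    return target.scheme != "https" or target.netloc != public.netloc


PUBLIC = "https://mydomain.com"
# Constructed from GB's post: the Location his backend sent after the login POST.
# Note it carries no :8082, unlike the backend URL in his ProxyPassReverse.
BACKEND_LOCATION = ("http://backend2.ca/lsw/clientele/ses/pagePersonnelle.jsp"
                    "?Mouftah=VXV744A9SVZMU9P")

# GB's directive:   ProxyPassReverse /lsw http://backend2.ca:8082/lsw
GB_MAPPINGS = [("/lsw", "http://backend2.ca:8082/lsw")]
# Assumption: a second directive for the port-less form the backend emits.
FIXED_MAPPINGS = GB_MAPPINGS + [("/lsw", "http://backend2.ca/lsw")]
# Mauri's directive: ProxyPassReverse https://10.173.90.167:8443/ inside <Location />
MAURI_MAPPINGS = [("/", "https://10.173.90.167:8443/")]

if __name__ == "__main__":
    for label, maps in (("GB", GB_MAPPINGS), ("fixed", FIXED_MAPPINGS)):
        seen = proxy_pass_reverse(BACKEND_LOCATION, maps, PUBLIC)
        print(f"{label:5}: {seen}  leaves TLS: {leaves_tls(seen, PUBLIC)}")
```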
