httpd-users mailing list archives

From Hendrik Schmieder <hendrik.schmie...@jedox.com>
Subject Re: [users@httpd] HTTPS over mod_proxy
Date Mon, 18 Oct 2010 12:29:48 GMT
Rainer Jung wrote:
> On 18.10.2010 11:17, Hendrik Schmieder wrote:
>> Joost de Heer wrote:
>>> On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
>>>> Hello,
>>>>
>>>> with http over a proxy (like Apache mod_proxy) I send something like
>>>>
>>>> <request>
>>>> GET http://192.168.2.234:7777/server/info HTTP/1.1
>>>> Content-Length: 0
>>>> Host: 192.168.2.234:7777
>>>> Connection: Keep-Alive
>>>> Accept-Encoding: identity, *;q=0
>>>>
>>>> </request>
>>>>
>>>> But I'm not sure what to send in case of HTTPS over proxy.
>>>>
>>>> The same or should I replace 'http' by 'https' ?
>>>
>>> No, you use the CONNECT method.
>>>
>>
>> Maybe I was not clear enough.
>>
>> I send the lines between
>> <request> and </request>
>> to the proxy.
>
> You are talking about a forward proxy. There are two ways you can do
> https using a forward proxy.
>
> Either you want end-to-end security. Then the proxy simply provides a
> tunnel to the back-end server and browser and back-end directly
> communicate over https (ssl handshake etc.). In order to make this work,
> the client/browser sends a special request to the proxy, indicating to
> which server and port it wants the proxy to open the tunnel. The HTTP
> method used here is named "CONNECT". Apache supports it, but it is off
> by default.
>
> Or you actually want to talk http to the proxy and the proxy should talk
> https to the back-end. This mode is not supported by "normal" clients
> like e.g. browsers. As soon as you configure an https proxy for them,
> they will use the CONNECT method. If you have full control over the
> client you can nevertheless use this method. Note that it obviously doesn't
> provide end-to-end security. Apache does support this mode as well. And
> yes, that is the mode that works like you suggested, using "https" as
> the scheme in the URL provided in the first request line.
>
> If you want to use either of the two methods, you should make sure you
> are using Apache 2.2.
>
> Regards,
>
> Rainer
>

I'm talking about Apache 2.2 and end-to-end security.
I tried to understand RFC 2616, but failed for CONNECT.


9.9 CONNECT
This specification reserves the method name CONNECT for use with a proxy 
that can dynamically switch to being a
tunnel (e.g. SSL tunneling [44]).

[44] Luotonen, A., “Tunneling TCP based protocols through Web proxy 
servers,” Work in Progress.


So should I send

<request>
CONNECT http://192.168.2.234:7777/server/info HTTP/1.1
Content-Length: 0
Host: 192.168.2.234:7777
Connection: Keep-Alive
Accept-Encoding: identity, *;q=0
</request>


best regards

   Hendrik



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
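
An added example, not part of the original message or of Apache's code: a client that asks a forward proxy for a CONNECT tunnel and then runs TLS end-to-end with the back-end from the thread (192.168.2.234:7777). The function names and the proxy address passed as `proxy_addr` are assumptions; the CONNECT target is written as `host:port`, with no scheme and no path.

```python
import socket
import ssl

MAX_REPLY = 8192  # cap on the proxy's reply header (assumed limit)

def build_connect(host, port):
    """CONNECT takes 'host:port' as its target: no scheme, no path."""
    target = f"{host}:{port}"
    return (f"CONNECT {target} HTTP/1.1\r\n"
            f"Host: {target}\r\n"
            "\r\n").encode("ascii")

def parse_status(reply):
    """Return the status code from the proxy's reply header."""
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1])

def establish_tunnel(sock, host, port):
    """Send CONNECT on a socket already connected to the proxy."""
    sock.sendall(build_connect(host, port))
    reply = b""
    # Read one byte at a time so nothing past the blank line is consumed:
    # everything after it belongs to the tunnel, not to the proxy.
    while not reply.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk or len(reply) >= MAX_REPLY:
            raise ConnectionError("proxy closed or sent an oversized reply")
        reply += chunk
    status = parse_status(reply)
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return status

def https_get_via_proxy(proxy_addr, host, port, path):
    """Tunnel through the proxy, then do TLS with the origin server."""
    raw = socket.create_connection(proxy_addr, timeout=10)
    establish_tunnel(raw, host, port)
    # The certificate is checked against the origin host, not the proxy,
    # which is what makes the connection end-to-end.
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
                    "Connection: close\r\n\r\n".encode("ascii"))
        return tls.recv(4096)
```

The path (`/server/info` in the thread) goes in the request sent inside the tunnel, so the proxy sees only the host and port.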

