httpd-users mailing list archives

From Hendrik Schmieder <>
Subject Re: [users@httpd] HTTPS over mod_proxy
Date Mon, 18 Oct 2010 12:29:48 GMT
Rainer Jung wrote:
> On 18.10.2010 11:17, Hendrik Schmieder wrote:
>> Joost de Heer wrote:
>>> On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
>>>> Hello,
>>>> with http over a proxy (like Apache mod_proxy) I send something like
>>>> <request>
>>>> GET HTTP/1.1
>>>> Content-Length: 0
>>>> Host:
>>>> Connection: Keep-Alive
>>>> Accept-Encoding: identity, *;q=0
>>>> </request>
>>>> But I'm not sure what to send in case of HTTPS over proxy.
>>>> The same or should I replace 'http' by 'https' ?
>>> No, you use the CONNECT method.
>> Maybe I was not clear enough.
>> I send the lines between
>> <request> and </request>
>> to the proxy.
> You are talking about a forward proxy. There are two ways you can do
> https using a forward proxy.
> Either you want end-to-end security. Then the proxy simply provides a
> tunnel to the back-end server and browser and back-end directly
> communicate over https (ssl handshake etc.). In order to make this work,
> the client/browser sends a special request to the proxy, indicating to
> which server and port it wants the proxy to open the tunnel. The HTTP
> method used here is named "CONNECT". Apache supports it, but it is off
> by default.
> Or you actually want to talk http to the proxy and the proxy should talk
> https to the back-end. This mode is not supported by "normal" clients
> like e.g. browsers. As soon as you configure an https proxy for them,
> they will use the CONNECT method. If you have full control over the
> client you can nevertheless use this method. Note that it obviously doesn't
> provide end-to-end security. Apache does support this mode as well. And
> yes, that is the mode that works like you suggested, using "https" as
> the scheme in the URL provided in the first request line.
> If you want to use either of the two methods, you should make sure you
> are using Apache 2.2.
> Regards,
> Rainer

I'm talking about Apache 2.2 and end-to-end security.
I tried to understand RFC 2616, but failed for CONNECT.

This specification reserves the method name CONNECT for use with a proxy 
that can dynamically switch to being a
tunnel (e.g. SSL tunneling [44]).

[44] Luotonen, A., “Tunneling TCP based protocols through Web proxy 
servers,” Work in Progress.

So should I send

Content-Length: 0
Connection: Keep-Alive
Accept-Encoding: identity, *;q=0

best regards
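
The CONNECT exchange this thread discusses, as an added example that is not part of the original messages: the client sends `CONNECT host:port` to the forward proxy, waits for a 2xx status, and only then starts the TLS handshake with the origin server on the same connection. The function names and the `www.example.com` target are hypothetical.

```python
import socket
import ssl


def build_connect_request(host: str, port: int = 443) -> bytes:
    """Bytes a client sends to a forward proxy to request a tunnel to host:port."""
    if not host or any(c <= " " or c == "\x7f" for c in host) or not 0 < port < 65536:
        raise ValueError("invalid CONNECT target")  # blocks CR/LF header injection
    target = f"{host}:{port}"
    # CONNECT takes authority-form (host:port), not an http:// or https:// URL,
    # and carries no body.
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def read_connect_status(sock: socket.socket, limit: int = 8192) -> int:
    """Read the proxy's response header block and return its status code."""
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        # One byte at a time, so nothing after the header block is consumed.
        byte = sock.recv(1)
        if not byte or len(buf) >= limit:
            raise ConnectionError("no complete CONNECT response from proxy")
        buf += byte
    fields = buf.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(fields) < 2 or not fields[0].startswith(b"HTTP/") or not fields[1].isdigit():
        raise ValueError("malformed status line from proxy")
    return int(fields[1])


def open_tls_via_proxy(proxy_host: str, proxy_port: int, host: str, port: int = 443):
    """Open a tunnel through the proxy, then do TLS with the origin server."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=10)
    try:
        sock.sendall(build_connect_request(host, port))
        status = read_connect_status(sock)
        if not 200 <= status < 300:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        # The handshake passes through the tunnel, so the certificate is checked
        # against the origin's name (host), not the proxy's.
        return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
```
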

