httpd-users mailing list archives

From "Sittampalam, Nagu" <Nagu.Sittampa...@southampton.gov.uk>
Subject RE: [users@httpd] Proxy HTTPS tunneling
Date Tue, 11 Feb 2014 16:29:47 GMT
It is a forward proxy we are trying to set up now, because reverse proxy does not work for our
backend application, which is on IIS and requires client certificate information to be passed
to the backend. Can you see why the forward proxy configuration is not working?

Nagu Sittampalam | Security Team Leader, IT Solutions Division | Southampton Strategic Services
Partnership | Landline: 02380 833012 | Fax: 02380 832973 | e-mail Nagu.Sittampalam@southampton.gov.uk
| e-mail Nagu.Sittampalam@capita.co.uk | post
Capita ITS, 1st Floor, One Guildhall Square, Above Bar, Southampton, SO14 7FP
This email and any files transmitted with it are confidential, and may be subject to legal
privilege, and are intended solely for the use of the individual or entity to whom they are
addressed.
If you have received this email in error or think you may have done so, you may not peruse,
use, disseminate, distribute or copy this message. Please notify the sender immediately and
delete the original e-mail from your system.

From: Yehuda Katz [mailto:yehuda@ymkatz.net]
Sent: 11 February 2014 16:25
To: users@httpd.apache.org
Subject: Re: [users@httpd] Proxy HTTPS tunneling

Are you trying to set up a Forward Proxy or a Reverse Proxy (explanation: http://www.jscape.com/blog/bid/87783/Forward-Proxy-vs-Reverse-Proxy)?

Your configuration looks like a forward proxy but your email implies that you really want
a reverse proxy.

See this part of the HTTPD manual for more about reverse proxy setup: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#forwardreverse
A reverse proxy is activated using the ProxyPass <http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass>
directive or the [P] flag to the RewriteRule <http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule>
directive. It is not necessary to turn ProxyRequests <http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyrequests>
on in order to configure a reverse proxy.

- Y

On Tue, Feb 11, 2014 at 7:51 AM, Sittampalam, Nagu <Nagu.Sittampalam@southampton.gov.uk>
wrote:
Hello

We are trying to set up HTTPS tunnelling to a backend server through an Apache proxy, but we
are finding the client connects but Apache does not send the traffic through to the backend server.

The config we have on our Apache proxy virtual host is

<VirtualHost 172.19.1.136:443>

DocumentRoot "/usr/local/apache2221/htdocs/ibcm/"
ServerName test.testdom.local
ErrorLog logs/ibcm
ServerAdmin webmaster@testdom.local
ProxyRequests On
AllowConnect 443
SSLEngine on
SSLHonorCipherOrder On
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile "/etc/ssl/crt/ibcm.crt"

SSLCertificateKeyFile "/etc/ssl/crt/testdom.key"

SSLCertificateChainFile "/etc/ssl/crt/CA-DOM.crt"

<proxy *>
   Order deny,allow
   Deny from all
</proxy>

<ProxyMatch (webssl.testdom.com|192.168.50.100)>
   Order deny,allow
   Allow from all
</ProxyMatch>
</VirtualHost>

Does anybody know what we are not doing correctly? Also, we found Apache would not start without
us putting in the root certificate. We thought it would not need any certificate for tunnelling,
so we wonder if we have missed something.




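
Added example (not part of the thread and not httpd's own code): a small Python check that classifies a 2.2-style vhost the way the quoted manual text does, forward when ProxyRequests is On and reverse when ProxyPass or a RewriteRule [P] flag is present, and reports three conditions that can be read off the posted configuration. audit_vhost and its finding labels are names made up for this example, backend.example is a placeholder, and SAMPLE is the posted vhost trimmed to the relevant directives.

```python
import re

# Vhost from the message above, trimmed to the proxy/TLS directives (sample input).
SAMPLE = """<VirtualHost 172.19.1.136:443>
ProxyRequests On
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
<proxy *>
   Order deny,allow
   Deny from all
</proxy>
<ProxyMatch (webssl.testdom.com|192.168.50.100)>
   Order deny,allow
   Allow from all
</ProxyMatch>
</VirtualHost>"""

def audit_vhost(conf):
    """Return (mode, findings); a default deny is 'Deny from all' directly in <Proxy *>."""
    stack, seen, default_deny = [], {}, False
    for raw in conf.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack = stack[:-1]                # leave the current section
        elif line.startswith("<"):
            stack.append(line.strip("<>").lower())
        else:
            name, _, args = line.partition(" ")
            seen.setdefault(name.lower(), []).append(args)
            if stack[-1:] == ["proxy *"] and line.lower() == "deny from all":
                default_deny = True
    on = lambda d: any(a.lower() == "on" for a in seen.get(d, []))
    forward = on("proxyrequests")                      # ProxyRequests On
    reverse = "proxypass" in seen or any(              # ProxyPass or RewriteRule [P]
        re.search(r"\[[^\]]*\bP\b[^\]]*\]$", a) for a in seen.get("rewriterule", []))
    mode = "+".join(m for m, hit in (("forward", forward), ("reverse", reverse)) if hit) or "none"
    findings = []
    if forward and not default_deny:
        findings.append("open-proxy")       # forward proxy with no default deny
    if forward and on("sslengine"):
        findings.append("tls-listener")     # CONNECT must arrive inside TLS to the proxy
    protos = " ".join(seen.get("sslprotocol", [])).lower().split()
    if any(p.lstrip("+") in ("sslv2", "sslv3") for p in protos):
        findings.append("weak-protocol")    # SSLv2/SSLv3 explicitly enabled
    return mode, findings

if __name__ == "__main__": print(audit_vhost(SAMPLE))
```

The check only reads explicit directives; it does not resolve Include files, inherited server-level settings, or 2.4-style Require rules.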


