httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] Forward Proxy on behalf of the client instead of as a tunnel
Date Tue, 28 Feb 2017 18:05:26 GMT
A solution using a reverse proxy does not require any control over the proxied services, but you'll
need to enumerate them all in your proxy configuration. The proxy will discriminate requests by
hostname and port and forward them to the specified services. This will give you additional control
and security at the cost of management overhead.

If you cannot or do not wish to enumerate all your target services, it looks like you can use the "P" option
of mod_rewrite: https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_p . I do not have
much experience with it, but it might work.
-- 

With Best Regards,
Marat Khalili

On February 28, 2017 6:39:38 PM GMT+03:00, Daniel Frank <danthehitman@gmail.com> wrote:
>I see how my original question made it sound like a single service.  I was
>trying to keep the scenario as simple as possible and probably
>oversimplified it.  The reality is that the endpoint we will be connecting to
>will be many appliances at many different IPs.
>
>Regarding using a reverse proxy, even if it were one service I don't see how
>the reverse proxy would work since we don't control that service or where it
>is running.  Maybe I am misunderstanding how the reverse proxy works as
>well.
>
>Thanks for the response.  Regarding the original question, is what I am
>asking possible?
>
>-Dan
>
>On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili <mkh@rqc.ru> wrote:
>
>> Why are you calling it _forward_ proxy if it's only going to connect to
>> one service? Your problem can easily be solved with _reverse_ proxy.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 28/02/17 02:16, Daniel Frank wrote:
>>
>> All,
>>
>> I am trying to set Apache up as a forward proxy to help solve an issue
>> that we have where an HTTP Client in our application does not support TLS
>> 1.2 but an API that we need to consume only supports TLS 1.2.  What I am
>> attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but
>> allow my internal client to talk to the proxy over HTTP.
>>
>> I had it in my head that this was what a forward proxy was going to give
>> me so after having set up a forward proxy and configuring my application to
>> use it I was surprised to see that I was getting exactly the same behavior
>> that I was getting when I had no proxy configured (failure of my internal
>> client to speak TLS 1.2).
>>
>> So my question is: can Apache be configured as a FORWARD proxy to speak
>> HTTP with the caller but HTTPS to the callee?
>>
>> I have spent a lot of time searching and I did check the mailing list
>> archives but it's entirely possible that I just don't even know what to
>> search for to get a good answer so if this is a dumb question I sincerely
>> apologize for wasting the group's time.
>>
>> Thanks in advance for any help.
>>
>> -Dan
>>
>>
>>
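
The two approaches suggested in the reply at the top of this message, sketched as an httpd 2.4 configuration in which the client speaks plain HTTP to Apache and Apache speaks TLS 1.2 to the backend. This is an added example, not configuration posted by anyone in the thread. All hostnames, the listen address, the CA file path and the `/to/<host>/` URL scheme are constructed placeholders; the second virtual host restricts `[P]` targets with an allowlist so that it cannot be used to reach arbitrary hosts.

```apache
# Added example: every hostname, address and path below is a placeholder.
# Needs mod_proxy, mod_proxy_http, mod_ssl and (second vhost) mod_rewrite.

# The client-to-proxy hop is cleartext HTTP, so bind it to loopback
# or to an internal-only interface.
Listen 127.0.0.1:8080

# Forward-proxy mode stays off; only the mappings below are served.
ProxyRequests Off

# Variant 1: reverse proxy, one enumerated backend per virtual host.
<VirtualHost 127.0.0.1:8080>
    ServerName appliance-a.proxy.internal.example

    SSLProxyEngine On
    SSLProxyProtocol TLSv1.2
    # Verify the backend certificate instead of trusting any peer.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/conf/appliance-ca.pem
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On

    ProxyPass        / https://appliance-a.appliances.example.net/
    ProxyPassReverse / https://appliance-a.appliances.example.net/
</VirtualHost>

# Variant 2: mod_rewrite [P], backend taken from the request path.
<VirtualHost 127.0.0.1:8080>
    ServerName any-appliance.proxy.internal.example

    SSLProxyEngine On
    SSLProxyProtocol TLSv1.2
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/httpd/conf/appliance-ca.pem
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On

    RewriteEngine On
    # Constructed URL scheme: /to/<appliance-host>/<path>
    # Anything that does not name an allowlisted host is refused with 403.
    RewriteCond %{REQUEST_URI} !^/to/[a-z0-9-]+\.appliances\.example\.net/
    RewriteRule ^ - [F]
    # Allowlisted hosts are proxied over HTTPS; the query string is kept.
    RewriteRule ^/to/([a-z0-9-]+\.appliances\.example\.net)/(.*)$ https://$1/$2 [P,L]
</VirtualHost>
```

With either variant the internal client is configured with the Apache URL as its API base URL rather than as an HTTP proxy setting.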
