httpd-users mailing list archives

From Daniel Frank <danthehit...@gmail.com>
Subject Re: [users@httpd] Forward Proxy on behalf of the client instead of as a tunnel
Date Tue, 28 Feb 2017 23:02:48 GMT
Marat,

Thank you again for your response.  You are correct, I cannot enumerate all
of the targets because we do not know about any of them and they could
potentially be any IP or URI reachable by the system.

I spent some time looking at the P option for mod_rewrite but I got the
impression that it would only work in the case of the reverse proxy
situation.  I was not able to get it to work but I wanted to make sure you
thought there was potential for that to help with my forward proxy issue
before I spent a lot more time on it.

-Dan

On Tue, Feb 28, 2017 at 11:05 AM, Marat Khalili <mkh@rqc.ru> wrote:

> Solution using reverse proxy does not require any control over proxied
> services, but you'll need to enumerate them all in your proxy
> configuration. Proxy will discriminate requests by hostname and port and
> forward them to specified services. This will give you additional control
> and security at the cost of management overhead.
>
> If you cannot or do not wish to enumerate all your target services, it looks
> like you can use the "P" option of mod_rewrite:
> https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_p . I do not have
> much experience with it, but it might work.
> --
>
> With Best Regards,
> Marat Khalili
>
> On February 28, 2017 6:39:38 PM GMT+03:00, Daniel Frank <
> danthehitman@gmail.com> wrote:
>>
>> I see how my original question made it sound like a single service.  I
>> was trying to keep the scenario as simple as possible and probably
>> oversimplified it.  The reality is that the endpoint we will be connecting to
>> will be many appliances at many different IPs.
>>
>> Regarding using a reverse proxy, even if it were one service I don't see
>> how the reverse proxy would work since we don't control that service or
>> where it is running.  Maybe I am misunderstanding how the reverse proxy
>> works as well.
>>
>> Thanks for the response.  Regarding the original question, is what I am
>> asking possible?
>>
>> -Dan
>>
>> On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili <mkh@rqc.ru> wrote:
>>
>>> Why are you calling it _forward_ proxy if it's only going to connect to
>>> one service? Your problem can easily be solved with _reverse_ proxy.
>>>
>>> --
>>>
>>> With Best Regards,
>>> Marat Khalili
>>>
>>> On 28/02/17 02:16, Daniel Frank wrote:
>>>
>>> All,
>>>
>>> I am trying to set Apache up as a forward proxy to help solve an issue
>>> that we have where an HTTP Client in our application does not support TLS
>>> 1.2 but an API that we need to consume only supports TLS 1.2.  What I am
>>> attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but
>>> allow my internal client to talk to the proxy over HTTP.
>>>
>>> I had it in my head that this was what a forward proxy was going to give
>>> me so after having set up a forward proxy and configuring my application to
>>> use it I was surprised to see that I was getting exactly the same behavior
>>> that I was getting when I had no proxy configured (failure of my internal
>>> client to speak TLS 1.2).
>>>
>>> So my question is: can Apache be configured as a FORWARD proxy to speak
>>> HTTP with the caller but HTTPS to the callee?
>>>
>>> I have spent a lot of time searching and I did check the mailing list
>>> archives but it's entirely possible that I just don't even know what to
>>> search for to get a good answer so if this is a dumb question I sincerely
>>> apologize for wasting the group's time.
>>>
>>> Thanks in advance for any help.
>>>
>>> -Dan
>>>
>>>
>>>
>>
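
An added illustration, not part of the thread and not Apache configuration: the behaviour asked about in the original question, where the client sends a plain-HTTP proxy request (absolute-form `http://` target) and the proxy itself opens the TLS 1.2 connection to the callee, written as a Python proxy handler. The names `UpgradeProxy`, `upstream_target` and `tls12_context`, the loopback listener on port 8080, the port 80 to 443 mapping and the GET-only handling are assumptions of this example.

```python
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Headers that apply to one connection only and must not be relayed.
HOP_BY_HOP = {"connection", "proxy-connection", "keep-alive", "te", "trailer",
              "transfer-encoding", "upgrade", "proxy-authorization", "host"}

def tls12_context():
    """Client-side TLS context: certificate and hostname checks on, TLS 1.2+."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def upstream_target(request_target):
    """Map an absolute-form http:// target to (host, port, path) for HTTPS."""
    u = urlsplit(request_target)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("expected absolute-form http:// request target")
    port = 443 if u.port in (None, 80) else u.port  # assumption: 80 maps to 443
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    return u.hostname, port, path

class UpgradeProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        try:
            host, port, path = upstream_target(self.path)
        except ValueError as exc:
            return self.send_error(400, str(exc))
        fwd = {k: v for k, v in self.headers.items() if k.lower() not in HOP_BY_HOP}
        conn = http.client.HTTPSConnection(host, port, context=tls12_context(), timeout=10)
        try:
            conn.request("GET", path, headers=fwd)
            resp = conn.getresponse()
            body = resp.read()
        except (OSError, http.client.HTTPException) as exc:
            return self.send_error(502, "upstream failure: %s" % type(exc).__name__)
        finally:
            conn.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP | {"content-length"}:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), UpgradeProxy).serve_forever()  # loopback only
```

The client has to request `http://` URLs through the proxy for this to apply; the listener is bound to loopback because a proxy that will fetch any host on request should not be reachable by other machines.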
