From: Daniel Frank
To: users@httpd.apache.org
Date: Tue, 28 Feb 2017 16:02:48 -0700
Subject: Re: [users@httpd] Forward Proxy on behalf of the client instead of as a tunnel

Marat,

Thank you again for your response. You are correct, I cannot enumerate all of the targets because we do not know about any of them and they could potentially be any IP or URI reachable by the system.

I spent some time looking at the P option for mod_rewrite but I got the impression that it would only work in the case of the reverse proxy situation. I was not able to get it to work but I wanted to make sure you thought there was potential for that to help with my forward proxy issue before I spent a lot more time on it.

-Dan

On Tue, Feb 28, 2017 at 11:05 AM, Marat Khalili wrote:
> Solution using reverse proxy does not require any control over proxied services, but you'll need to enumerate them all in your proxy configuration. Proxy will discriminate requests by hostname and port and forward them to specified services. This will give you additional control and security at the cost of management overhead.
>
> If you cannot or wish not to enumerate all your target services, looks like you can use "P" option of mod_rewrite: https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_p . I do not have much experience with it, but it might work.
> --
>
> With Best Regards,
> Marat Khalili
>
> On February 28, 2017 6:39:38 PM GMT+03:00, Daniel Frank <danthehitman@gmail.com> wrote:
>>
>> I see how my original question made it sound like a single service. I was trying to keep the scenario as simple as possible and probably oversimplified it. The reality is that the endpoint we will be connecting to will be many appliances at many different IPs.
>>
>> Regarding using a reverse proxy, even if it were one service I don't see how the reverse proxy would work since we don't control that service or where it is running. Maybe I am misunderstanding how the reverse proxy works as well.
>>
>> Thanks for the response. Regarding the original question, is what I am asking possible?
>>
>> -Dan
>>
>> On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili wrote:
>>
>>> Why are you calling it _forward_ proxy if it's only going to connect to one service? Your problem can easily be solved with _reverse_ proxy.
>>>
>>> --
>>>
>>> With Best Regards,
>>> Marat Khalili
>>>
>>> On 28/02/17 02:16, Daniel Frank wrote:
>>>
>>> All,
>>>
>>> I am trying to set Apache up as a forward proxy to help solve an issue that we have where an HTTP client in our application does not support TLS 1.2 but an API that we need to consume only supports TLS 1.2. What I am attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but allow my internal client to talk to the proxy over HTTP.
>>>
>>> I had it in my head that this was what a forward proxy was going to give me, so after having set up a forward proxy and configuring my application to use it I was surprised to see that I was getting exactly the same behavior that I was getting when I had no proxy configured (failure of my internal client to speak TLS 1.2).
>>>
>>> So my question is: can Apache be configured as a FORWARD proxy to speak HTTP with the caller but HTTPS to the callee?
>>>
>>> I have spent a lot of time searching and I did check the mailing list archives, but it's entirely possible that I just don't even know what to search for to get a good answer, so if this is a dumb question I sincerely apologize for wasting the group's time.
>>>
>>> Thanks in advance for any help.
>>>
>>> -Dan
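As an added example, not from the thread and not something Marat or Dan posted, here is one way to configure httpd 2.4 for what is being asked: accept plain HTTP from the internal client, re-issue each request over TLS 1.2, and keep the result from becoming an open relay. The listen port, the client network, the CA bundle path, and the assumption that mod_rewrite in virtual-host context matches the full absolute URI of a forward-proxy request when ProxyRequests is On are mine, not the thread's.

```apache
# Added example (not from the thread). httpd 2.4 forward proxy that takes
# plain HTTP from an internal client and speaks TLS 1.2 to the real target.
# Assumptions: proxy listens on 8080; the only legitimate client network is
# 10.0.0.0/8; upstream CAs live in /etc/ssl/certs/ca-bundle.crt.
Listen 8080
<VirtualHost *:8080>
    ServerName proxy.internal.example

    # Accept absolute-URI (forward proxy) requests ...
    ProxyRequests On
    # ... but only from the internal client. Anything reachable by this host
    # is now reachable through it, so the client allow-list is the control.
    <Proxy "*">
        Require ip 10.0.0.0/8
    </Proxy>

    # Outbound TLS. The client never sees the TLS session, so the proxy must
    # do the certificate and hostname checks the client would otherwise do.
    SSLProxyEngine on
    SSLProxyProtocol TLSv1.2
    SSLProxyVerify require
    SSLProxyVerifyDepth 3
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile /etc/ssl/certs/ca-bundle.crt

    # Upgrade the scheme of every forward-proxy request. Assumption: with
    # ProxyRequests On, the rule sees "http://host/path" as the URI; [P] hands
    # the rewritten https:// URL to mod_proxy as a proxied request, so no
    # CONNECT tunnel is involved and the client never has to speak TLS.
    RewriteEngine On
    RewriteRule ^http://(.*)$ https://$1 [P,L]

    # Keep proxy and TLS failures visible: a bad upstream cert shows up here,
    # not at the client.
    LogLevel proxy:info ssl:warn
    ErrorLog /var/log/httpd/tls-proxy_error.log
    CustomLog /var/log/httpd/tls-proxy_access.log combined
</VirtualHost>
```

The internal client must be pointed at http://target/... through this proxy; if it is configured with https:// it will send CONNECT and get exactly the tunnel behaviour the thread describes, with its own TLS stack still on the wire. The client-to-proxy leg is cleartext, so keep it on loopback or a trusted segment.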