Posted to users@httpd.apache.org by Rajesh Cherukuri <ra...@gmail.com> on 2018/03/13 18:35:31 UTC

[users@httpd] Apache Proxy https

Hi,
Can someone help me with this? I am trying to configure Apache as a forward
proxy so that a client can connect to an HTTPS URL. Below is my
configuration. I get a 403 when connecting to HTTPS URLs; I can connect
to an HTTP URL without any issues if I update the vhost below with
<Proxy "http://example.com">. My Apache version is 2.4.

Vhost configuration

Listen xxx.xx.xxx.x:8082

<VirtualHost xxx.xx.xxx.x:8082>
    ServerName testnew1.com
    ProxyRequests On
    ProxyVia On
    SSLProxyEngine On

    <Proxy "*">
        Require all denied
    </Proxy>
    <Proxy "https://example.com">
        ProxySet connectiontimeout=5 timeout=30
        Require all granted
    </Proxy>
</VirtualHost>






error log

[Tue Mar 13 14:33:10.305463 2018] [ssl:debug] [pid 28530]
ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost testnew1.com:80,
skipping SSL setup
[Tue Mar 13 14:33:10.437213 2018] [ssl:debug] [pid 28530]
ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost testnew1.com:80,
skipping SSL setup
[Tue Mar 13 14:33:10.479295 2018] [proxy:debug] [pid 28536]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.479327 2018] [proxy:debug] [pid 28536]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.479394 2018] [proxy:debug] [pid 28536]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28536 for (example.com)
[Tue Mar 13 14:33:10.479428 2018] [proxy:debug] [pid 28536]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.479438 2018] [proxy:debug] [pid 28536]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.479477 2018] [proxy:debug] [pid 28536]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28536 for (*)
[Tue Mar 13 14:33:10.493164 2018] [proxy:debug] [pid 28537]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.493195 2018] [proxy:debug] [pid 28537]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.493263 2018] [proxy:debug] [pid 28537]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28537 for (example.com)
[Tue Mar 13 14:33:10.493298 2018] [proxy:debug] [pid 28537]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.493309 2018] [proxy:debug] [pid 28537]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.493351 2018] [proxy:debug] [pid 28537]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28537 for (*)
[Tue Mar 13 14:33:10.496458 2018] [proxy:debug] [pid 28538]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.496488 2018] [proxy:debug] [pid 28538]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.496556 2018] [proxy:debug] [pid 28538]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28538 for (example.com)
[Tue Mar 13 14:33:10.496590 2018] [proxy:debug] [pid 28538]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.496601 2018] [proxy:debug] [pid 28538]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.496643 2018] [proxy:debug] [pid 28538]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28538 for (*)
[Tue Mar 13 14:33:10.500193 2018] [proxy:debug] [pid 28539]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.500226 2018] [proxy:debug] [pid 28539]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.500296 2018] [proxy:debug] [pid 28539]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28539 for (example.com)
[Tue Mar 13 14:33:10.500333 2018] [proxy:debug] [pid 28539]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.500344 2018] [proxy:debug] [pid 28539]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.500400 2018] [proxy:debug] [pid 28539]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28539 for (*)
[Tue Mar 13 14:33:10.504005 2018] [proxy:debug] [pid 28535]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.504035 2018] [proxy:debug] [pid 28535]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.504105 2018] [proxy:debug] [pid 28535]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28535 for (example.com)
[Tue Mar 13 14:33:10.504141 2018] [proxy:debug] [pid 28535]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.504152 2018] [proxy:debug] [pid 28535]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.504191 2018] [proxy:debug] [pid 28535]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28535 for (*)
[Tue Mar 13 14:33:24.883644 2018] [core:debug] [pid 28536] vhost.c(1170):
[client 172.16.135.4:57782] AH02417: Replacing host header 'example.com:443'
with host 'example.com:443' given in the request uri
[Tue Mar 13 14:33:24.884073 2018] [authz_core:debug] [pid 28536]
mod_authz_core.c(809): [client 172.16.135.4:57782] AH01626: authorization
result of Require all denied: denied
[Tue Mar 13 14:33:24.884090 2018] [authz_core:debug] [pid 28536]
mod_authz_core.c(809): [client 172.16.135.4:57782] AH01626: authorization
result of <RequireAny>: denied
[Tue Mar 13 14:33:24.884099 2018] [authz_core:error] [pid 28536] [client
172.16.135.4:57782] AH01630: client denied by server configuration: proxy:
example.com:443




curl test

* About to connect() to proxy xxx.xx.xxx.x port 8082 (#0)
*   Trying xxx.xx.xxx.x..
* Connected to xxx.xx.xxx.x (xxx.xx.xxx.x) port 8082 (#0)
* Establish HTTP proxy tunnel to example.com:443
> CONNECT example.com:443 HTTP/1.1
> Host: example.com:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< Date: Tue, 13 Mar 2018 14:51:50 GMT
Date: Tue, 13 Mar 2018 14:51:50 GMT
< Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
< Content-Length: 216
Content-Length: 216
< Content-Type: text/html; charset=iso-8859-1
Content-Type: text/html; charset=iso-8859-1
<

* Received HTTP code 403 from proxy after CONNECT
* Connection #0 to host xxx.xx.xxx.x left intact
curl: (56) Received HTTP code 403 from proxy after CONNECT

Re: [users@httpd] Apache Proxy https

Posted by Rajesh Cherukuri <ra...@gmail.com>.
Yes, the RequireAny works for the list, but I wanted to understand if we
can do both URI and host for a single URL, like Require expr %{HTTP_HOST}
%{REQUEST_URI}, for example "https://www.hp.com/us/en/hp-news", to allow
only a specific part of a website.

Re: [users@httpd] Apache Proxy https

Posted by Eric Covener <co...@gmail.com>.
On Wed, Mar 14, 2018 at 9:15 AM, Rajesh Cherukuri <ra...@gmail.com> wrote:
> Eric,
>
> Thanks for the details. However, I have a list of URLs that need to be
> allowed; I assume we need to use RequireAny, is that correct? Also, I have
> a few URLs like https://www.hp.com/us/en/hp-news; can I add the URI
> within Require expr, or do I need to use ProxyMatch?


The requireall was only to make sure that the example showed limiting
who can connect also.  You could nest a requireany inside with a list
of target hosts.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache Proxy https

Posted by Rajesh Cherukuri <ra...@gmail.com>.
Eric,

Thanks for the details. However, I have a list of URLs that need to be
allowed; I assume we need to use RequireAny, is that correct? Also, I have
a few URLs like https://www.hp.com/us/en/hp-news; can I add the URI
within Require expr, or do I need to use ProxyMatch?

Re: [users@httpd] Apache Proxy https

Posted by Eric Covener <co...@gmail.com>.
> <Proxy "https://example.com">
> ProxySet connectiontimeout=5 timeout=30
> Require all granted
> </Proxy>

AFAICT you cannot match/limit the connectable hosts this way.  Fwd
proxy always uses "*".

I don't see good recipes out there, but this worked in my quick test:

<Proxy *>
  <RequireAll>
     Require host *.mylan.com
     Require expr %{HTTP_HOST} =~ /^example.com:443$/
  </RequireAll>
</Proxy>
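
An added example, not from the thread or the httpd project: the per-URL layout from the question that ended in the 403, next to an allowlist built on the `<Proxy *>` approach above with a nested RequireAny for the target hosts. The listen address, the client subnet and www.example.org are assumed values, and the dots in the regex are escaped here so that only the literal host name matches.

```apache
# Added example. 192.0.2.10, 172.16.135.0/24 and www.example.org are
# assumed values, not taken from a real deployment.
Listen 192.0.2.10:8082

<VirtualHost 192.0.2.10:8082>
    ServerName testnew1.com
    ProxyRequests On
    ProxyVia On

    # Tunnel CONNECT to port 443 only (mod_proxy_connect).
    AllowCONNECT 443

    # Before (from the question): the CONNECT target is authorised as
    # "proxy:example.com:443" (see AH01630 in the log), which the
    # https:// block does not match, so <Proxy "*"> denies it.
    #
    #   <Proxy "*">
    #       Require all denied
    #   </Proxy>
    #   <Proxy "https://example.com">
    #       Require all granted
    #   </Proxy>

    # After: a single <Proxy "*"> block that restricts both sides.
    <Proxy "*">
        <RequireAll>
            # Who may use the proxy (assumed client subnet).
            Require ip 172.16.135.0/24

            # Where they may go. For CONNECT, HTTP_HOST is "host:port",
            # as the AH02417 log line shows. A CONNECT request carries no
            # URL path (it travels inside the TLS tunnel), so a path such
            # as /us/en/hp-news cannot be matched at this point.
            <RequireAny>
                Require expr %{HTTP_HOST} =~ /^example\.com:443$/
                Require expr %{HTTP_HOST} == 'www.example.org:443'
            </RequireAny>
        </RequireAll>
    </Proxy>
</VirtualHost>
```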
