Posted to users@httpd.apache.org by Walter Goulet <wg...@gmail.com> on 2012/05/02 06:06:59 UTC

[users@httpd] [PATCH] Improve docs describing a forward proxy config to enable proxying SSL requests

Hi,

While setting up a forward proxy server in httpd-2.2.16, it wasn't
immediately obvious to me from reading docs that I needed to enable
mod_proxy_connect to enable the forward proxy to handle CONNECT
requests for proxying SSL traffic. Plus, the mod_ssl SSLProxyEngine
directive could easily be confused as a required component to enable a
forward proxy to properly proxy SSL requests.

Here are patches I've prepared for mod_ssl.xml and mod_proxy.xml to
add additional descriptive text to the <ProxyRequest> directive in
mod_proxy.xml and <SSLProxyEngine> directive in mod_ssl.xml. They are
applied to the latest versions of the docs in trunk.

Thanks,
Walter

wgoulet@ubuntu:~/apachepatch$ cat mod_ssl.xml.patch
--- mod_ssl.xml.trunk    2012-05-01 20:39:23.704643002 -0700
+++ mod_ssl.xml    2012-05-01 20:39:01.632624877 -0700
@@ -1736,7 +1736,7 @@
 is usually used inside a <directive module="core"
 type="section">VirtualHost</directive> section to enable SSL/TLS for proxy
 usage in a particular virtual host. By default the SSL/TLS Protocol Engine is
-disabled for proxy image both for the main server and all configured
virtual hosts.</p>
+disabled for proxy image both for the main server and all configured
virtual hosts. Note that the SSLProxyEngine directive should not, in
general, be included in a virtual host that will be acting as a
forward proxy (using <Proxy> or <ProxyRequest> directives.
SSLProxyEngine is not required to enable a forward proxy server to
proxy SSL/TLS requests.</p>
 <example><title>Example</title>
 <highlight language="config">
 &lt;VirtualHost _default_:443&gt;
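
Review bot: The sentence added to the SSLProxyEngine description never closes its parenthesis ("(using <Proxy> or <ProxyRequest> directives.") and writes the directive names as raw angle-bracket text, which an XML parser will read as unknown elements rather than as text. The context lines of the mod_proxy.xml patch show the directive is spelled ProxyRequests and how it is marked up: <directive module="mod_proxy">ProxyRequests</directive>. Suggest using that markup here, the type="section" form already used for VirtualHost in this hunk's context for Proxy, and closing the parenthesis. The changed lines also arrived wrapped by the mail client (the continuation lines carry no leading +, - or space), so this hunk will not apply as posted; sending the patch as an attachment avoids that.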

wgoulet@ubuntu:~/apachepatch$ cat mod_proxy.xml.patch
--- mod_proxy.xml.trunk    2012-05-01 20:38:38.448808512 -0700
+++ mod_proxy.xml    2012-05-01 20:42:01.296343935 -0700
@@ -562,6 +562,9 @@
     need also <module>mod_proxy_http</module> or <module>mod_proxy_ftp</module>
     (or both) present in the server.</p>

+    <p>In order to get the functionality of proxying HTTPS sites, you
+    need <module>mod_proxy_connect</module> enabled in the server.</p>
+
     <note type="warning"><title>Warning</title>
       <p>Do not enable proxying with <directive
       module="mod_proxy">ProxyRequests</directive> until you have <a
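
Review bot: In the new paragraph, "proxying HTTPS sites" does not say which proxy mode is meant, and a reader can take it to cover a reverse proxy talking to an HTTPS backend, which is the SSLProxyEngine case the mod_ssl.xml change is trying to separate out. Suggest wording it in terms of the forward proxy and the CONNECT method, for example "For a forward proxy to handle CONNECT requests (used to tunnel SSL/TLS traffic), <module>mod_proxy_connect</module> must also be present in the server", which also matches the phrasing of the preceding paragraph about mod_proxy_http and mod_proxy_ftp.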
wgoulet@ubuntu:~/apachepatch$
