Posted to modperl@perl.apache.org by Ilia Rassadzin <il...@yahoo.com> on 2003/08/11 23:30:33 UTC

Apache 2.0, mod_perl filter question

Hello mod_perl,

I have some problems with filtering HTTPS traffic.
I modified for my needs FilterSnoop module from Stas
Bekman filter tutorial. It perfectly sees HTTP data,
but not HTTPS.
Does anyone have any suggestions(ideas) about how to
implement a filter which will see HTTPS?

Thanks in advance
Ilia



Re: Apache 2.0, mod_perl filter question

Posted by Ilia Rassadzin <il...@yahoo.com>.
Hello,

I am trying to use as a proxy Apache 2.0 which
includes mod_proxy and mod_ssl.
I am trying to use mod_perl for parsing/changing
decrypted plain text HTML data passed over SSL.
Maybe there are other ways to do this, let me know.

The script shows that it is theoretically possible to
parse/modify HTML passed over SSL in case of GET
(working on POST at this time) with a given setup:
SSL-unaware browser <-> mod_proxy+mod_ssl+mod_perl <->
SSL server

This question should probably be like 'How to set up
Apache + mod_ssl + mod_proxy + mod_perl to make
filtering of plain HTML passed over SSL possible?'

minimal setup:
<IfModule mod_proxy.c>

PerlModule MyApache::FilterSnoop
<Proxy *>

PerlOutputFilterHandler MyApache::FilterSnoop::connection
</Proxy>
</IfModule>

<VirtualHost _default_:443>

SSLEngine on
SSLProxyEngine on
SetHandler modperl

PerlOutputFilterHandler MyApache::FilterSnoop::connection
AllowCONNECT 80 443 563 1200 1300
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


--- Stas Bekman <st...@stason.org> wrote:
> Ilia Rassadzin wrote:
> > Hello,
> > 
> > 
> > I am trying to filter DECRYPTED, PLAIN TEXT data. I
> > attached my two configuration files. If more
> > information is needed I can send my logs.
> > Ideally I want to make a setup where
> > encryption/decryption is done twice in order to
> > filter DECRYPTED, PLAIN TEXT data (correct me if I am
> > wrong)
> > Like SSL-enabled browser <-> Proxy (SSL, Apache) <->
> > Proxy (non SSL, Apache, here goes filtering) <->
> > another Proxy (SSL, Apache) <-> Server (SSL)
> 
> So you try to use mod_perl 2.0 as a proxy, which
> decrypts the stream, does something to it, encrypts
> it back and sends it further? I'm not sure whether
> this should work, aren't you supposed to somehow
> reconstruct the keys in order for this to work?
> 
> What would be the minimal setup to set up a test
> environment?
> 
> > At this time I made a little Perl script
> > and it works for GET, having some troubles with POST,
> > so if you are aware of this problem SSL + proxy +
> > POST, please let me know (sorry for offtopic)
> >  
> > #!/usr/bin/perl -w
> >  
> > use URI::URL;
> > use LWP::UserAgent;
> > use HTTP::Request;
> > use HTTP::Request::Common;
> > use HTTP::Request::Form;
> > use HTML::TreeBuilder 3.0;
> > use HTTP::Cookies;
> > 
> > my $ua = LWP::UserAgent->new;
> > $ua->proxy('https','https://localhost');
> > my $url = url 'https://some.server.com:1200/';
> > my $cookie_jar = HTTP::Cookies->new();
> > my $res = $ua->request(GET $url);
> > my $tree = HTML::TreeBuilder->new;
> > $tree->parse($res->content);
> > $tree->eof();
> >  
> > my @forms = $tree->find_by_tag_name('FORM');
> > my $f = HTTP::Request::Form->new($forms[0], $url);
> > $f->field("nm", "user");
> > $f->field("pwd", "password");
> > my $response = $ua->request($f->press("submit"));
> > $cookie_jar->extract_cookies($response);
> > $cookie_jar->save();
> > print $response->content if $response->is_success;
> >  
> > i.e., non-SSL browser <-> proxy + mod_ssl + mod_perl
> > filter <-> server works for me for GET
> > 
> > If I do the same with IE, i.e. Tools->Internet
> > Options->Connections->Lan Settings->use a proxy server
> >  
> > and put here the address of my Apache server, I am getting
> > 403 Forbidden.
> > I cannot explain this.
> > Any help, ideas, etc are highly appreciated.
> 
> I'm not sure how this script helps to understand
> your problem with filtering. 
> Neither a huge config file, most of it irrelevant to
> the problem.
> 
> What we need is a set of short script/handlers and a
> minimal config file with 
> which we can reproduce the problem.
> 
> Ideally, if you can submit patches to our test suite
> to accomplish this setup that would be the simplest.
> All we will have to do is to make it work.
> 


-- 
Reporting bugs: http://perl.apache.org/bugs/
Mail list info: http://perl.apache.org/maillist/modperl.html
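
An added example, not part of the original posts: a small Perl audit for logs written in the CustomLog format from the config above. It flags SSLv2, export-grade and NULL-cipher sessions (the posted SSLCipherSuite keeps SSLv2 and EXP in its list) and marks whether a request reached the proxy as a CONNECT tunnel or as an absolute https:// URI. The sample log lines, addresses and finding labels are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines in the thread's CustomLog format:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
my @sample = (
    '[11/Aug/2003:23:30:33 +0000] 192.0.2.10 TLSv1 DHE-RSA-AES256-SHA "GET /index.html HTTP/1.1" 5120',
    '[11/Aug/2003:23:31:02 +0000] 192.0.2.11 SSLv2 EXP-RC4-MD5 "GET /login HTTP/1.0" 812',
    '[11/Aug/2003:23:31:40 +0000] 192.0.2.12 SSLv3 NULL-SHA "POST /login HTTP/1.0" 230',
    '[11/Aug/2003:23:32:15 +0000] 192.0.2.13 SSLv3 RC4-MD5 "CONNECT some.server.com:1200 HTTP/1.0" -',
    '[11/Aug/2003:23:32:48 +0000] 192.0.2.14 SSLv3 RC4-MD5 "GET https://some.server.com:1200/ HTTP/1.0" 2048',
);

# Return the findings for one log line (an empty list means nothing to flag).
sub audit_line {
    my ($line) = @_;
    my ($time, $host, $proto, $cipher, $request, $bytes) =
        $line =~ /^\[([^\]]+)\] (\S+) (\S+) (\S+) "((?:[^"\\]|\\.)*)" (\S+)$/
        or return ('unparseable line');

    my @findings;
    # Protocol and cipher as negotiated by mod_ssl for this request.
    push @findings, 'SSLv2 session'               if $proto eq 'SSLv2';
    push @findings, 'export-grade cipher'         if $cipher =~ /^EXP/;
    push @findings, 'NULL cipher (no encryption)' if $cipher =~ /NULL/;

    # Request form: a CONNECT tunnel carries the client's own SSL session
    # through the proxy, while an absolute https:// URI asks the proxy to
    # open the SSL connection to the origin server itself.
    my ($method, $target) = split ' ', $request;
    if (defined $method && $method eq 'CONNECT') {
        push @findings, 'CONNECT tunnel: proxy relays ciphertext';
    } elsif (defined $target && $target =~ m{^https://}i) {
        push @findings, 'absolute https URI: proxy makes the SSL connection';
    }
    return @findings;
}

for my $line (@sample) {
    my @found  = audit_line($line);
    my ($host) = $line =~ /\] (\S+) /;
    printf "%-12s %s\n", $host, @found ? join('; ', @found) : 'ok';
}
```
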


Re: Apache 2.0, mod_perl filter question

Posted by Stas Bekman <st...@stason.org>.
Ilia Rassadzin wrote:
> Hello,
> 
> 
> I am trying to filter DECRYPTED, PLAIN TEXT data. I
> attached my two configuration files. If more
> information is needed I can send my logs.
> Ideally I want to make a setup where
> encryption/decryption is done twice in order to
> filter DECRYPTED, PLAIN TEXT data (correct me if I am
> wrong)
> Like SSL-enabled browser <-> Proxy (SSL, Apache) <->
> Proxy (non SSL, Apache, here goes filtering) <->
> another Proxy (SSL, Apache) <-> Server (SSL)

So you try to use mod_perl 2.0 as a proxy, which decrypts the stream, does
something to it, encrypts it back and sends it further? I'm not sure whether
this should work, aren't you supposed to somehow reconstruct the keys in order
for this to work?

What would be the minimal setup to set up a test environment?

> At this time I made a little Perl script
> and it works for GET, having some troubles with POST,
> so if you are aware of this problem SSL + proxy +
> POST, please let me know (sorry for offtopic)
>  
> #!/usr/bin/perl -w
>  
> use URI::URL;
> use LWP::UserAgent;
> use HTTP::Request;
> use HTTP::Request::Common;
> use HTTP::Request::Form;
> use HTML::TreeBuilder 3.0;
> use HTTP::Cookies;
> 
> my $ua = LWP::UserAgent->new;
> $ua->proxy('https','https://localhost');
> my $url = url 'https://some.server.com:1200/';
> my $cookie_jar = HTTP::Cookies->new();
> my $res = $ua->request(GET $url);
> my $tree = HTML::TreeBuilder->new;
> $tree->parse($res->content);
> $tree->eof();
>  
> my @forms = $tree->find_by_tag_name('FORM');
> my $f = HTTP::Request::Form->new($forms[0], $url);
> $f->field("nm", "user");
> $f->field("pwd", "password");
> my $response = $ua->request($f->press("submit"));
> $cookie_jar->extract_cookies($response);
> $cookie_jar->save();
> print $response->content if $response->is_success;
>  
> i.e., non-SSL browser <-> proxy + mod_ssl + mod_perl
> filter <-> server works for me for GET
> 
> If I do the same with IE, i.e. Tools->Internet
> Options->Connections->Lan Settings->use a proxy server
>  
> and put here the address of my Apache server, I am getting
> 403 Forbidden.
> I cannot explain this.
> Any help, ideas, etc are highly appreciated.

I'm not sure how this script helps to understand your problem with filtering. 
Neither a huge config file, most of it irrelevant to the problem.

What we need is a set of short script/handlers and a minimal config file with 
which we can reproduce the problem.

Ideally, if you can submit patches to our test suite to accomplish this setup
that would be the simplest. All we will have to do is to make it work.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com





Re: Apache 2.0, mod_perl filter question

Posted by Gedanken <ge...@io.com>.
To the best of my knowledge, the 'proxy' that is used in LWP still cannot
support CONNECT style SSL proxies, meaning it's very hit or miss if it
works - roughly 50/50 for the few hundred proxies I've checked recently.

Try replacing *all* your $UA->proxy lines with

$ENV{HTTPS_PROXY} = "http://localhost:80";

This will work assuming you have Crypt::SSLeay installed (libwww-perl works
with either IO::Socket::SSL or Crypt::SSLeay... but Crypt::SSLeay is the one
that gives you low level proxy stuff.)

Check out the docs on Crypt::SSLeay for more info on using proxies with
LWP, it was an eye opener.

As a side note, you may want to undef $ENV{HTTPS_PROXY} before creating
your agent.  I don't use UserAgent much but I use WWW::Mechanize a ton
(subclass) and it has code to automagically set $ua->proxy if it detects
the ENV is set, which immediately breaks the ENV proxy since they are not
compatible... boo Mechanize =).  I think that code is in Mechanize and not
UserAgent however so you should be safe - but I'm not positive.

The only downsides to this approach:

 - UserAgent will report itself as not being proxied even though it is,
since it's done at a lower level than it's aware of.  For my code, I couldn't
care less.
 - You have to https everything, since I haven't found a way to use the
env-set style https proxy for ssl, but something different for http.  You
can't mix and match the LWP style and the Crypt::SSL style proxies - the
LWP one will clobber whatever goodness is in Crypt::SSLeay's with stuff
that doesn't work.

I have no clue why you are getting 403 errors in a browser...

-- 
gedanken





Re: Apache 2.0, mod_perl filter question

Posted by Ilia Rassadzin <il...@yahoo.com>.
Hello,


I am trying to filter DECRYPTED, PLAIN TEXT data. I
attached my two configuration files. If more
information is needed I can send my logs.
Ideally I want to make a setup where
encryption/decryption is done twice in order to
filter DECRYPTED, PLAIN TEXT data (correct me if I am
wrong)
Like SSL-enabled browser <-> Proxy (SSL, Apache) <->
Proxy (non SSL, Apache, here goes filtering) <->
another Proxy (SSL, Apache) <-> Server (SSL)

At this time I made a little Perl script
and it works for GET, having some troubles with POST,
so if you are aware of this problem SSL + proxy +
POST, please let me know (sorry for offtopic)
 
#!/usr/bin/perl -w

use URI::URL;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Request::Common;
use HTTP::Request::Form;
use HTML::TreeBuilder 3.0;
use HTTP::Cookies;

# Route https:// requests through the local Apache proxy
my $ua = LWP::UserAgent->new;
$ua->proxy('https','https://localhost');
my $url = url 'https://some.server.com:1200/';
my $cookie_jar = HTTP::Cookies->new();

# GET the login page and parse the returned HTML
my $res = $ua->request(GET $url);
my $tree = HTML::TreeBuilder->new;
$tree->parse($res->content);
$tree->eof();

# Fill in the first form on the page and submit it (the POST step)
my @forms = $tree->find_by_tag_name('FORM');
my $f = HTTP::Request::Form->new($forms[0], $url);
$f->field("nm", "user");
$f->field("pwd", "password");
my $response = $ua->request($f->press("submit"));

# Collect cookies from the response and print the body on success
$cookie_jar->extract_cookies($response);
$cookie_jar->save();
print $response->content if $response->is_success;
 
i.e., non-SSL browser <-> proxy + mod_ssl + mod_perl
filter <-> server works for me for GET

If I do the same with IE, i.e. Tools->Internet
Options->Connections->Lan Settings->use a proxy server

and put here the address of my Apache server, I am getting
403 Forbidden.
I cannot explain this.
Any help, ideas, etc are highly appreciated.
 
Thanks,
Ilia


--- Stas Bekman <st...@stason.org> wrote:
> Ilia Rassadzin wrote:
> > Hello mod_perl,
> > 
> > I have some problems with filtering HTTPS traffic.
> > I modified for my needs FilterSnoop module from Stas
> > Bekman filter tutorial. It perfectly sees HTTP data,
> > but not HTTPS.
> > Does anyone have any suggestions(ideas) about how to
> > implement a filter which will see HTTPS?
> > 
> > Thanks in advance
> 
> I need more input from you. Are you trying to filter
> an encrypted data stream?
> 
> mod_perl connection filters happen after the
> incoming data has been decrypted
> and the outgoing data hasn't yet been encrypted.
> 

Re: Apache 2.0, mod_perl filter question

Posted by Stas Bekman <st...@stason.org>.
Ilia Rassadzin wrote:
> Hello mod_perl,
> 
> I have some problems with filtering HTTPS traffic.
> I modified for my needs FilterSnoop module from Stas
> Bekman filter tutorial. It perfectly sees HTTP data,
> but not HTTPS.
> Does anyone have any suggestions(ideas) about how to
> implement a filter which will see HTTPS?
> 
> Thanks in advance

I need more input from you. Are you trying to filter an encrypted data stream?

mod_perl connection filters happen after the incoming data has been decrypted
and the outgoing data hasn't yet been encrypted.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


