Posted to users@httpd.apache.org by Sebastian Reitenbach <it...@rapideye.de> on 2006/05/17 17:23:46 UTC

[users@httpd] mod_proxy and SSL

Hi,

I have an apache listening for SSL connections on port 443 behind a NAT 
firewall in the DMZ. Connections for one virtual host shall be reverse proxied 
to another host in the same DMZ, but it seems that I am unable to get it to 
work, for me it seems I must have missed sth. obvious.

I tried this with mod_proxy:

SSLProxyEngine On
ProxyRequests On
AllowCONNECT 443
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/

then I receive the following error messages at the proxy:
[Wed May 17 17:07:18 2006] [error] SSL Proxy requested for 
webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
[Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for 
10.0.0.2:443 (0.0.0.2)
[Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation 
fault (11)

because of the segmentation fault, I am not sure, whether it shall work that 
way or not, but I doubt it.

with the SSLProxyEngine enabled:
SSLProxyEngine On
ProxyRequests On
AllowCONNECT 443
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/

I have this message in the error_log of the proxy:
[Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet: 
proxy: request failed to 10.10.10.2:443 (10.0.0.2)
[Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
[Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet: 
proxy: request failed to 10.0.0.2:443 (10.0.0.2)

and this in the error_log of the apache behind the proxy:
[Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request 
\x80|\x01\x03\x01
[Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request 
\x80|\x01\x03\x01


with only these in the virtual host of the proxy, it is working, but only 
without HTTPS

ProxyPass / http://10.0.0.2/
ProxyPassReverse / http://10.0.0.2/

Is there any way to access an HTTPS server behind an Apache HTTPS proxy?

kind regards
Sebastian

-- 
Sebastian Reitenbach            Tel.: ++49-(0)3381-8904-451
RapidEye AG                     Fax: ++49-(0)3381-8904-101    
Molkenmarkt 30                  e-mail:reitenbach@rapideye.de     
D-14776 Brandenburg             web:http://www.rapideye.de 


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
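
Added example (not part of the original post): the "Invalid method in request \x80|\x01\x03\x01" entries in the backend's error_log are the first bytes of an SSL ClientHello, so the listener on 10.0.0.2:443 that logged them was parsing plain HTTP rather than terminating SSL. The Python sketch below decodes such a line; the function names are hypothetical and the sample is the logged entry from the post joined onto one line.

```python
import re

# Constructed sample: the backend error_log entry from the post, on one line.
SAMPLE = (r"[Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] "
          r"Invalid method in request \x80|\x01\x03\x01")

_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
_LINE = re.compile(r"\[client ([^\]]+)\] Invalid method in request (.*)$")

def unescape(text):
    """Turn the \\xHH escapes used in the error_log back into raw bytes."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(text):
        out += text[pos:m.start()].encode("latin-1")  # literal chars such as '|'
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)

def classify(data):
    """Classify the first bytes that a plain-HTTP listener logged as a 'method'."""
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # message type 1 (ClientHello), then the offered version (3.x).
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01 and data[3] == 0x03:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return {"kind": "sslv2-compat-client-hello", "length": length,
                "version": (data[3], data[4])}
    # TLS record layer: content type 22 (handshake), major version 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls-handshake-record", "version": (data[1], data[2])}
    return {"kind": "not-tls"}

def diagnose(line):
    """Return the classification plus the client address, or None if no match."""
    m = _LINE.search(line)
    if m is None:
        return None
    client, raw = m.groups()
    result = classify(unescape(raw))
    result["client"] = client
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result of kind "sslv2-compat-client-hello" or "tls-handshake-record" for client 10.0.0.3 (the proxy) shows the proxy did start an SSL handshake and the backend virtual host that answered was not SSL-enabled.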


Re: [users@httpd] mod_proxy and SSL

Posted by Emmanuel E <em...@gmx.net>.
If you're doing a reverse proxy you probably shouldn't have ProxyRequests On

Sebastian Reitenbach wrote:
> Hi,
>
> I have an apache listening for SSL connections on port 443 behind a NAT 
> firewall in the DMZ. Connections for one virtual host shall be reverse proxied 
> to another host in the same DMZ, but it seems that I am unable to get it to 
> work, for me it seems I must have missed sth. obvious.
>
> I tried this with mod_proxy:
>
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> then I receive the following error messages at the proxy:
> [Wed May 17 17:07:18 2006] [error] SSL Proxy requested for 
> webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
> [Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for 
> 10.0.0.2:443 (0.0.0.2)
> [Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation 
> fault (11)
>
> because of the segmentation fault, I am not sure, whether it shall work that 
> way or not, but I doubt it.
>
> with the SSLProxyEngine enabled:
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> I have this message in the error_log of the proxy:
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet: 
> proxy: request failed to 10.10.10.2:443 (10.0.0.2)
> [Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet: 
> proxy: request failed to 10.0.0.2:443 (10.0.0.2)
>
> and this in the error_log of the apache behind the proxy:
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request 
> \x80|\x01\x03\x01
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request 
> \x80|\x01\x03\x01
>
>
> with only these in the virtual host of the proxy, it is working, but only 
> without HTTPS
>
> ProxyPass / http://10.0.0.2/
> ProxyPassReverse / http://10.0.0.2/
>
> Is there any way to access an HTTPS server behind a apache HTTPS proxy?
>
> kind regards
> Sebastian
>
>   



Re: [users@httpd] mod_proxy and SSL

Posted by Krist van Besien <kr...@gmail.com>.
On 5/17/06, Sebastian Reitenbach <it...@rapideye.de> wrote:
> Hi,
>
> I have an apache listening for SSL connections on port 443 behind a NAT
> firewall in the DMZ. Connections for one virtual host shall be reverse proxied
> to another host in the same DMZ, but it seems that I am unable to get it to
> work, for me it seems I must have missed sth. obvious.
>
> I tried this with mod_proxy:
>
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> then I receive the following error messages at the proxy:
> [Wed May 17 17:07:18 2006] [error] SSL Proxy requested for
> webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
> [Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for
> 10.0.0.2:443 (0.0.0.2)
> [Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation
> fault (11)
>
> because of the segmentation fault, I am not sure, whether it shall work that
> way or not, but I doubt it.
>
> with the SSLProxyEngine enabled:
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> I have this message in the error_log of the proxy:
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
> proxy: request failed to 10.10.10.2:443 (10.0.0.2)
> [Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
> proxy: request failed to 10.0.0.2:443 (10.0.0.2)
>
> and this in the error_log of the apache behind the proxy:
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
> \x80|\x01\x03\x01
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
> \x80|\x01\x03\x01
>
>
> with only these in the virtual host of the proxy, it is working, but only
> without HTTPS
>
> ProxyPass / http://10.0.0.2/
> ProxyPassReverse / http://10.0.0.2/
>
> Is there any way to access an HTTPS server behind a apache HTTPS proxy?

Firstly: You don't need
 ProxyRequests On
 AllowCONNECT 443

First this. This is to allow clients to use your server as a _forward_
proxy to HTTPS hosts. Do not put "ProxyRequests On" in your config
file if you are only doing reverse proxying.

Proxying to an HTTPS server is possible (I do this on one of my
systems), but it requires a bit more than just adding SSLProxyEngine
On on most installations. This is because when forwarding requests to
an HTTPS server Apache has to behave as an https _client_. For this it
requires a few files that are usually not present on a stock Apache
install.

This is how I would do it,

SSLProxyEngine On
SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/


You need to create the file /usr/local/apache/conf/cacerts.crt, and
in it you put the (PEM encoded) certificate used to sign the
certificate your 10.0.0.2 server uses. This way apache can complete
the SSL handshake with your server.

For more info read the mod_ssl documentation, specifically the
SSLProxy* directives. The docs are not that obvious, but they do
contain the answers you are looking for.

Krist
-- 
krist.vanbesien@gmail.com
Solothurn, Switzerland
