Posted to users@httpd.apache.org by Sebastian Reitenbach <it...@rapideye.de> on 2006/05/17 17:23:46 UTC
[users@httpd] mod_proxy and SSL
Hi,
I have an apache listening for SSL connections on port 443 behind a NAT
firewall in the DMZ. Connections for one virtual host shall be reverse proxied
to another host in the same DMZ, but it seems that I am unable to get it to
work, for me it seems I must have missed sth. obvious.
I tried this with mod_proxy:
SSLProxyEngine On
ProxyRequests On
AllowCONNECT 443
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/
then I receive the following error messages at the proxy:
[Wed May 17 17:07:18 2006] [error] SSL Proxy requested for
webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
[Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for
10.0.0.2:443 (0.0.0.2)
[Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation
fault (11)
because of the segmentation fault, I am not sure, whether it shall work that
way or not, but I doubt it.
with the SSLProxyEngine enabled:
SSLProxyEngine On
ProxyRequests On
AllowCONNECT 443
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/
I have this message in the error_log of the proxy:
[Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
proxy: request failed to 10.10.10.2:443 (10.0.0.2)
[Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
[Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
proxy: request failed to 10.0.0.2:443 (10.0.0.2)
and this in the error_log of the apache behind the proxy:
[Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
\x80|\x01\x03\x01
[Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
\x80|\x01\x03\x01
with only these in the virtual host of the proxy, it is working, but only
without HTTPS
ProxyPass / http://10.0.0.2/
ProxyPassReverse / http://10.0.0.2/
Is there any way to access an HTTPS server behind an Apache HTTPS proxy?
kind regards
Sebastian
--
Sebastian Reitenbach Tel.: ++49-(0)3381-8904-451
RapidEye AG Fax: ++49-(0)3381-8904-101
Molkenmarkt 30 e-mail:reitenbach@rapideye.de
D-14776 Brandenburg web:http://www.rapideye.de
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_proxy and SSL
Posted by Emmanuel E <em...@gmx.net>.
If you're doing a reverse proxy you probably shouldn't have ProxyRequests On.
Sebastian Reitenbach wrote:
> Hi,
>
> I have an apache listening for SSL connections on port 443 behind a NAT
> firewall in the DMZ. Connections for one virtual host shall be reverse proxied
> to another host in the same DMZ, but it seems that I am unable to get it to
> work, for me it seems I must have missed sth. obvious.
>
> I tried this with mod_proxy:
>
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> then I receive the following error messages at the proxy:
> [Wed May 17 17:07:18 2006] [error] SSL Proxy requested for
> webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
> [Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for
> 10.0.0.2:443 (0.0.0.2)
> [Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation
> fault (11)
>
> because of the segmentation fault, I am not sure, whether it shall work that
> way or not, but I doubt it.
>
> with the SSLProxyEngine enabled:
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> I have this message in the error_log of the proxy:
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
> proxy: request failed to 10.10.10.2:443 (10.0.0.2)
> [Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
> proxy: request failed to 10.0.0.2:443 (10.0.0.2)
>
> and this in the error_log of the apache behind the proxy:
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
> \x80|\x01\x03\x01
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
> \x80|\x01\x03\x01
>
>
> with only these in the virtual host of the proxy, it is working, but only
> without HTTPS
>
> ProxyPass / http://10.0.0.2/
> ProxyPassReverse / http://10.0.0.2/
>
> Is there any way to access an HTTPS server behind a apache HTTPS proxy?
>
> kind regards
> Sebastian
>
>
Re: [users@httpd] mod_proxy and SSL
Posted by Krist van Besien <kr...@gmail.com>.
On 5/17/06, Sebastian Reitenbach <it...@rapideye.de> wrote:
> Hi,
>
> I have an apache listening for SSL connections on port 443 behind a NAT
> firewall in the DMZ. Connections for one virtual host shall be reverse proxied
> to another host in the same DMZ, but it seems that I am unable to get it to
> work, for me it seems I must have missed sth. obvious.
>
> I tried this with mod_proxy:
>
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> then I receive the following error messages at the proxy:
> [Wed May 17 17:07:18 2006] [error] SSL Proxy requested for
> webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
> [Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for
> 10.0.0.2:443 (0.0.0.2)
> [Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation
> fault (11)
>
> because of the segmentation fault, I am not sure, whether it shall work that
> way or not, but I doubt it.
>
> with the SSLProxyEngine enabled:
> SSLProxyEngine On
> ProxyRequests On
> AllowCONNECT 443
> ProxyPass / https://10.0.0.2/
> ProxyPassReverse / https://10.0.0.2/
>
> I have this message in the error_log of the proxy:
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
> proxy: request failed to 10.10.10.2:443 (10.0.0.2)
> [Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
> [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet:
> proxy: request failed to 10.0.0.2:443 (10.0.0.2)
>
> and this in the error_log of the apache behind the proxy:
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
> \x80|\x01\x03\x01
> [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request
> \x80|\x01\x03\x01
>
>
> with only these in the virtual host of the proxy, it is working, but only
> without HTTPS
>
> ProxyPass / http://10.0.0.2/
> ProxyPassReverse / http://10.0.0.2/
>
> Is there any way to access an HTTPS server behind a apache HTTPS proxy?
Firstly: You don't need
ProxyRequests On
AllowCONNECT 443
First this. This is to allow clients to use your server as a _forward_
proxy to HTTPS hosts. Do not put "ProxyRequests On" in your config
file if you are only doing reverse proxying.
Proxying to an HTTPS server is possible (I do this on one of my
systems), but it requires a bit more than just adding SSLProxyEngine
On on most installations. This is because when forwarding requests to
an HTTPS server Apache has to behave as an https _client_. For this it
requires a few files that are usually not present on a stock Apache
install.
This is how I would do it,
SSLProxyEngine On
SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/
You need to create the file /usr/local/apache/conf/cacerts.crt, and
in it you put the (PEM encoded) certificate used to sign the
certificate your 10.0.0.2 server uses. This way apache can complete
the SSL handshake with your server.
For more info read the mod_ssl documentation, specifically the
SSLProxy* directives. The docs are not that obvious, but they do
contain the answers you are looking for.
Krist
--
krist.vanbesien@gmail.com
Solothurn, Switzerland
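
Added example (not part of the original thread and not Apache project code): a small Python check that flags the problems raised in the two replies above in a reverse-proxy config fragment. The finding names and both sample configs are constructed for illustration; the last check goes one step beyond the thread, because mod_ssl's SSLProxyVerify defaults to "none" and supplying a CA file does not by itself make backend certificate verification mandatory.

```python
import re

# Constructed sample: the configuration posted in the original question.
SAMPLE_QUESTION = """\
SSLProxyEngine On
ProxyRequests On
AllowCONNECT 443
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/
"""
# Constructed sample: the configuration suggested in the reply.
SAMPLE_REPLY = """\
SSLProxyEngine On
SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt
ProxyPass / https://10.0.0.2/
ProxyPassReverse / https://10.0.0.2/
"""

def parse_directives(text):
    """Map lowercased directive name -> list of argument strings."""
    found = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0][0] in "#<":   # blank, comment, or <Section> line
            continue
        found.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return found

def lint_reverse_proxy(text):
    """Return finding codes (hypothetical names) for a reverse-proxy fragment."""
    d = parse_directives(text)
    has = lambda name, value: any(a.lower() == value for a in d.get(name, []))
    https_backend = any(re.search(r"\bhttps://", a, re.I) for a in d.get("proxypass", []))
    findings = []
    if d.get("proxypass") and has("proxyrequests", "on"):
        findings.append("FORWARD_PROXY_ENABLED")        # ProxyRequests On is for forward proxying
    if d.get("proxypass") and "allowconnect" in d:
        findings.append("ALLOWCONNECT_UNNEEDED")        # CONNECT is a forward-proxy feature
    if https_backend and not has("sslproxyengine", "on"):
        findings.append("SSLPROXYENGINE_MISSING")       # the "[Hint: SSLProxyEngine]" log error
    if https_backend and "sslproxycacertificatefile" not in d:
        findings.append("NO_BACKEND_CA_FILE")           # nothing to check the backend cert against
    if https_backend and not has("sslproxyverify", "require"):
        findings.append("BACKEND_VERIFY_NOT_REQUIRED")  # SSLProxyVerify defaults to none
    return findings

if __name__ == "__main__":
    for label, cfg in (("question", SAMPLE_QUESTION), ("reply", SAMPLE_REPLY)):
        print(label, lint_reverse_proxy(cfg) or "no findings")
```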