Posted to users@httpd.apache.org by Hendrik Schmieder <he...@jedox.com> on 2010/10/18 11:03:10 UTC

[users@httpd] HTTPS over mod_proxy

Hello,

with http over a proxy (like Apache mod_proxy) I send something like

<request>
GET http://192.168.2.234:7777/server/info HTTP/1.1
Content-Length: 0
Host: 192.168.2.234:7777
Connection: Keep-Alive
Accept-Encoding: identity, *;q=0

</request>

But I'm not sure what to send in case of HTTPS over proxy.

The same or should I replace 'http' by 'https' ?

TIA

   Hendrik


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] HTTPS over mod_proxy

Posted by Rainer Jung <ra...@kippdata.de>.
On 18.10.2010 16:30, Hendrik Schmieder wrote:
> Rainer Jung wrote:
>> Sorry, I meant:
>>
>> CONNECT 192.168.2.234:7777 HTTP/1.1
>>
>> (no path)
>>
>> Regards,
>>
>> Rainer
>>
>
> OK,
>
> I hope I get it now:
>
> I make the following sequence:
>
> <request>
> CONNECT http://192.168.2.234:7777 HTTP/1.1
>
> </request>
>
> wait for response
>
> if response.statuscode == 200 send
>
> <request>
> GET http://192.168.2.234:7777/server/info HTTP/1.1
> Content-Length: 0
> Host: 192.168.2.234:7777
> Connection: Keep-Alive
> Accept-Encoding: identity, *;q=0
>
> </request>

Hmm, after the CONNECT you are supposed to talk whatever protocol 
192.168.2.234 expects on port 7777. So if that is https, no more clear 
text :)

The proxy only forwards the raw packets. You wanted end-to-end security, 
you got it :)

And if the back-end really talks http (no "s"), then it would be

GET /server/info HTTP/1.1

Regards,

Rainer
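
Added example (not part of the original thread): the end-to-end sequence discussed above, in Python. It sends CONNECT with host:port only, waits for a 2xx reply, runs the TLS handshake with the back-end through the tunnel, and then sends an origin-form GET. The function names are illustrative, and the back-end is assumed to speak https on the tunneled port.

```python
import socket
import ssl


def build_connect(host, port):
    """CONNECT takes authority-form only: host:port, no scheme, no path."""
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def read_proxy_status(sock, limit=8192):
    """Read the proxy's reply head up to the blank line; return the status code.

    Reads one byte at a time so nothing belonging to the tunnel is consumed.
    """
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        byte = sock.recv(1)
        if not byte:
            raise ConnectionError("proxy closed the connection during CONNECT")
        head += byte
        if len(head) > limit:
            raise ValueError("proxy reply head too large")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("malformed status line from proxy")
    return int(parts[1])


def open_tunnel(sock, host, port):
    """Ask the proxy for a tunnel; only a 2xx reply turns the socket into a raw pipe."""
    sock.sendall(build_connect(host, port))
    status = read_proxy_status(sock)
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return sock


def build_inner_get(host, port, path):
    """Request sent inside the tunnel: origin-form path, not an absolute URL."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def fetch_https_via_proxy(proxy_addr, host, port, path, ctx=None):
    """CONNECT, then TLS with the back-end through the tunnel, then GET."""
    ctx = ctx or ssl.create_default_context()  # verifies the back-end certificate
    raw = socket.create_connection(proxy_addr, timeout=10)
    try:
        open_tunnel(raw, host, port)
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    with tls:
        # From here on the proxy only relays ciphertext.
        tls.sendall(build_inner_get(host, port, path))
        chunks = []
        while chunk := tls.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)
```

The certificate check happens against the back-end, not the proxy, which is what makes the tunnel end-to-end.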



Re: [users@httpd] HTTPS over mod_proxy

Posted by Hendrik Schmieder <he...@jedox.com>.
Rainer Jung wrote:
> Sorry, I meant:
>
> CONNECT 192.168.2.234:7777 HTTP/1.1
>
> (no path)
>
> Regards,
>
> Rainer
>

OK,

I hope I get it now:

I make the following sequence:

<request>
CONNECT http://192.168.2.234:7777 HTTP/1.1

</request>

wait for response

if response.statuscode == 200 send

<request>
GET http://192.168.2.234:7777/server/info HTTP/1.1
Content-Length: 0
Host: 192.168.2.234:7777
Connection: Keep-Alive
Accept-Encoding: identity, *;q=0

</request>


best regards

   Hendrik




Re: [users@httpd] HTTPS over mod_proxy

Posted by Rainer Jung <ra...@kippdata.de>.
Sorry, I meant:

CONNECT 192.168.2.234:7777 HTTP/1.1

(no path)

Regards,

Rainer



Re: [users@httpd] HTTPS over mod_proxy

Posted by Rainer Jung <ra...@kippdata.de>.
On 18.10.2010 14:29, Hendrik Schmieder wrote:
> Rainer Jung wrote:
>> On 18.10.2010 11:17, Hendrik Schmieder wrote:
>>> Joost de Heer wrote:
>>>> On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
>>>>> Hello,
>>>>>
>>>>> with http over a proxy (like Apache mod_proxy) I send something like
>>>>>
>>>>> <request>
>>>>> GET http://192.168.2.234:7777/server/info HTTP/1.1
>>>>> Content-Length: 0
>>>>> Host: 192.168.2.234:7777
>>>>> Connection: Keep-Alive
>>>>> Accept-Encoding: identity, *;q=0
>>>>>
>>>>> </request>
>>>>>
>>>>> But I'm not sure what to send in case of HTTPS over proxy.
>>>>>
>>>>> The same or should I replace 'http' by 'https' ?
>>>>
>>>> No, you use the CONNECT method.
>>>>
>>>
>>> Maybe I was not clear enough.
>>>
>>> I send the lines between
>>> <request> and </request>
>>> to the proxy.
>>
>> You are talking about a forward proxy. There are two ways you can do
>> https using a forward proxy.
>>
>> Either you want end-to-end security. Then the proxy simply provides a
>> tunnel to the back-end server and browser and back-end directly
>> communicate over https (ssl handshake etc.). In order to make this work,
>> the client/browser sends a special request to the proxy, indicating to
>> which server and port it wants the proxy to open the tunnel. The HTTP
>> method used here is named "CONNECT". Apache supports it, but it is off
>> by default.
>>
>> Or you actually want to talk http to the proxy and the proxy should talk
>> https to the back-end. This mode is not supported by "normal" clients
>> like e.g. browsers. As soon as you configure an https proxy for them,
>> they will use the CONNECT method. If you have full control over the
>> client you can nevertheless use this method. Note that it obviously doesn't
>> provide end-to-end security. Apache does support this mode as well. And
>> yes, that is the mode that works like you suggested, using "https" as
>> the scheme in the URL provided in the first request line.
>>
>> If you want to use either of the two methods, you should make sure you
>> are using Apache 2.2.
>>
>> Regards,
>>
>> Rainer
>>
>
> I'm talking about Apache 2.2 and end-to-end security.
> I tried to understand RFC 2616, but failed for CONNECT.
>
>
> 9.9 CONNECT
> This specification reserves the method name CONNECT for use with a proxy
> that can dynamically switch to being a
> tunnel (e.g. SSL tunneling [44]).
>
> [44] Luotonen, A., “Tunneling TCP based protocols through Web proxy
> servers,” Work in Progress.
>
>
> So should I send
>
> <request>
> CONNECT http://192.168.2.234:7777/server/info HTTP/1.1
> Content-Length: 0
> Host: 192.168.2.234:7777
> Connection: Keep-Alive
> Accept-Encoding: identity, *;q=0
> </request>

Not sure about the final specification for CONNECT, but the citation 
given in RFC 2616 is best approximated by

http://tools.ietf.org/id/draft-luotonen-web-proxy-tunneling-01.txt

In this document - and several other places - a slightly different form 
is being used:

CONNECT 192.168.2.234:7777/server/info HTTP/1.1

Which seems OK, because the proxy doesn't really use http, it simply 
creates a tcp connection. The rest of the HTTP headers should IMHO 
belong to the request for the proxy, not the opaque back-end request 
(e.g. the host header).

See also 
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#allowconnect about 
needed modules and allowing non-default ports for CONNECT.

Regards,

Rainer



Re: [users@httpd] HTTPS over mod_proxy

Posted by Hendrik Schmieder <he...@jedox.com>.
Rainer Jung wrote:
> On 18.10.2010 11:17, Hendrik Schmieder wrote:
>> Joost de Heer wrote:
>>> On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
>>>> Hello,
>>>>
>>>> with http over a proxy (like Apache mod_proxy) I send something like
>>>>
>>>> <request>
>>>> GET http://192.168.2.234:7777/server/info HTTP/1.1
>>>> Content-Length: 0
>>>> Host: 192.168.2.234:7777
>>>> Connection: Keep-Alive
>>>> Accept-Encoding: identity, *;q=0
>>>>
>>>> </request>
>>>>
>>>> But I'm not sure what to send in case of HTTPS over proxy.
>>>>
>>>> The same or should I replace 'http' by 'https' ?
>>>
>>> No, you use the CONNECT method.
>>>
>>
>> Maybe I was not clear enough.
>>
>> I send the lines between
>> <request> and </request>
>> to the proxy.
>
> You are talking about a forward proxy. There are two ways you can do
> https using a forward proxy.
>
> Either you want end-to-end security. Then the proxy simply provides a
> tunnel to the back-end server and browser and back-end directly
> communicate over https (ssl handshake etc.). In order to make this work,
> the client/browser sends a special request to the proxy, indicating to
> which server and port it wants the proxy to open the tunnel. The HTTP
> method used here is named "CONNECT". Apache supports it, but it is off
> by default.
>
> Or you actually want to talk http to the proxy and the proxy should talk
> https to the back-end. This mode is not supported by "normal" clients
> like e.g. browsers. As soon as you configure an https proxy for them,
> they will use the CONNECT method. If you have full control over the
> client you can nevertheless use this method. Note that it obviously doesn't
> provide end-to-end security. Apache does support this mode as well. And
> yes, that is the mode that works like you suggested, using "https" as
> the scheme in the URL provided in the first request line.
>
> If you want to use either of the two methods, you should make sure you
> are using Apache 2.2.
>
> Regards,
>
> Rainer
>

I'm talking about Apache 2.2 and end-to-end security.
I tried to understand RFC 2616, but failed for CONNECT.


9.9 CONNECT
This specification reserves the method name CONNECT for use with a proxy 
that can dynamically switch to being a
tunnel (e.g. SSL tunneling [44]).

[44] Luotonen, A., “Tunneling TCP based protocols through Web proxy 
servers,” Work in Progress.


So should I send

<request>
CONNECT http://192.168.2.234:7777/server/info HTTP/1.1
Content-Length: 0
Host: 192.168.2.234:7777
Connection: Keep-Alive
Accept-Encoding: identity, *;q=0
</request>


best regards

   Hendrik





Re: [users@httpd] HTTPS over mod_proxy

Posted by Rainer Jung <ra...@kippdata.de>.
On 18.10.2010 11:17, Hendrik Schmieder wrote:
> Joost de Heer wrote:
>> On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
>>> Hello,
>>>
>>> with http over a proxy (like Apache mod_proxy) I send something like
>>>
>>> <request>
>>> GET http://192.168.2.234:7777/server/info HTTP/1.1
>>> Content-Length: 0
>>> Host: 192.168.2.234:7777
>>> Connection: Keep-Alive
>>> Accept-Encoding: identity, *;q=0
>>>
>>> </request>
>>>
>>> But I'm not sure what to send in case of HTTPS over proxy.
>>>
>>> The same or should I replace 'http' by 'https' ?
>>
>> No, you use the CONNECT method.
>>
>
> Maybe I was not clear enough.
>
> I send the lines between
> <request> and </request>
> to the proxy.

You are talking about a forward proxy. There are two ways you can do 
https using a forward proxy.

Either you want end-to-end security. Then the proxy simply provides a 
tunnel to the back-end server and browser and back-end directly 
communicate over https (ssl handshake etc.). In order to make this work, 
the client/browser sends a special request to the proxy, indicating to 
which server and port it wants the proxy to open the tunnel. The HTTP 
method used here is named "CONNECT". Apache supports it, but it is off 
by default.

Or you actually want to talk http to the proxy and the proxy should talk 
https to the back-end. This mode is not supported by "normal" clients 
like e.g. browsers. As soon as you configure an https proxy for them, 
they will use the CONNECT method. If you have full control over the 
client you can nevertheless use this method. Note that it obviously doesn't 
provide end-to-end security. Apache does support this mode as well. And 
yes, that is the mode that works like you suggested, using "https" as 
the scheme in the URL provided in the first request line.

If you want to use either of the two methods, you should make sure you 
are using Apache 2.2.

Regards,

Rainer



Re: [users@httpd] Apache mod_jk redundancy

Posted by Tom Evans <te...@googlemail.com>.
On Mon, Oct 18, 2010 at 10:57 AM, Renato Oliveira
<re...@grant.co.uk> wrote:
> Guys,
>
> I thank you for all your help in advance.
>
> I have a bit of problem.
>
> We have a setup which is as follows:
>
>        * Apache + mod_jk setup as a load balancer for 2 jboss servers.
>        * As you can see we have redundancy at the back with two jboss servers.
>        * the other day the Apache + mod_jk went down because of a network card problem
>        * This prompted us to think of redundancy for this front end load balancing server.
>
> How do you guys deal with redundancy for this setup, The Apache + mod_jk?
> What would be the best approach?
> Do you guys have any recommendations that could actually mirror the Apache server and give me some sort of HA failover?
>
> Thank you very much for all your comments, suggestions and help I very much appreciate it.
>
> Thank you
>
> Renato
>

We use a pair of apache servers as reverse proxies, each with a pair
of High Availability IP addresses. If either box goes down, the other
box takes over the HA address. Requests are round-robin routed to the
HA addresses using a pair of routers (and that part of the
configuration is beyond me).

Every (good) OS has an implementation of HA IP addresses. We use
FreeBSD, which offers CARP [1] as a solution.

Cheers

Tom

[1] http://en.wikipedia.org/wiki/Common_Address_Redundancy_Protocol



[users@httpd] Apache mod_jk redundancy

Posted by Renato Oliveira <re...@grant.co.uk>.
Guys,

I thank you for all your help in advance.

I have a bit of problem.

We have a setup which is as follows:

        * Apache + mod_jk setup as a load balancer for 2 jboss servers.
        * As you can see we have redundancy at the back with two jboss servers.
        * the other day the Apache + mod_jk went down because of a network card problem
        * This prompted us to think of redundancy for this front end load balancing server.

How do you guys deal with redundancy for this setup, The Apache + mod_jk?
What would be the best approach?
Do you guys have any recommendations that could actually mirror the Apache server and give me some sort of HA failover?

Thank you very much for all your comments, suggestions and help I very much appreciate it.

Thank you

Renato





Re: [users@httpd] HTTPS over mod_proxy

Posted by Hendrik Schmieder <he...@jedox.com>.
Joost de Heer wrote:
> On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
>> Hello,
>>
>> with http over a proxy (like Apache mod_proxy) I send something like
>>
>> <request>
>> GET http://192.168.2.234:7777/server/info HTTP/1.1
>> Content-Length: 0
>> Host: 192.168.2.234:7777
>> Connection: Keep-Alive
>> Accept-Encoding: identity, *;q=0
>>
>> </request>
>>
>> But I'm not sure what to send in case of HTTPS over proxy.
>>
>> The same or should I replace 'http' by 'https' ?
>
> No, you use the CONNECT method.
>

Maybe I was not clear enough.

I send the lines between
<request> and </request>
to the proxy.

best regards

   Hendrik



Re: [users@httpd] HTTPS over mod_proxy

Posted by Joost de Heer <jo...@sanguis.xs4all.nl>.
On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
> Hello,
>
> with http over a proxy (like Apache mod_proxy) I send something like
>
> <request>
> GET http://192.168.2.234:7777/server/info HTTP/1.1
> Content-Length: 0
> Host: 192.168.2.234:7777
> Connection: Keep-Alive
> Accept-Encoding: identity, *;q=0
>
> </request>
>
> But I'm not sure what to send in case of HTTPS over proxy.
>
> The same or should I replace 'http' by 'https' ?

No, you use the CONNECT method.

Joost
