Posted to users@httpd.apache.org by Nikolaus Rath <Ni...@rath.org> on 2013/09/10 17:23:13 UTC

[users@httpd] Using CONNECT with SSL Proxy

Hello,

I would like to establish a TLS connection to my apache proxy and then
use the CONNECT method. I have configured a virtual host with
"ProxyRequests On" and "SSLProxyEngine On".

Accessing the proxy over TLS works fine, but as soon as I issue the
CONNECT command, the TLS connection breaks down. If I disable the
mod_proxy_connect module, I'm getting a proper error message instead.

Is it possible that the mod_proxy_connect module bypasses the TLS
layer and tries to forward data directly to the client? That's pretty
much the only explanation I can come up with.

Is there any way to get this to work?

I'm using Apache 2.2.

Thanks,
Nikolaus


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Is it alive?

Posted by Mauricio Tavares <ra...@gmail.com>.
On Tue, Sep 17, 2013 at 6:15 PM, Smith, Burton
<Bu...@williams.com> wrote:
> I'm told "there are no firewall issues", but firewall does make the most sense.
>
      Have you tried to connect to it from localhost?

> I'll have to look up the apachectl.  I don't think it is working correctly; it says:
>  * [root@dxnpb2 extra]# /usr/sbin/apachectl status
>  * ELinks: SSL error
>  * [root@dxnpb2 extra]# /usr/sbin/apachectl fullstatus
>  * ELinks: SSL error
>
       That does not look like a firewall issue to me. Maybe missing certs?

> Nothing useful in the logs.  That is another known concern.
>
      You probably could go to your virtual host config and tell
apache to blab nonstop.

> Tcpdump is only showing the ICMP rejects.
>
      Does netstat show it listening to the ports you configured?

> This new configuration is identical to two other machines I am running, but it has several quirks.
>
> ---
> Thanks,
> Burton L. Smith
> w:801-584-6164
> c:801-201-2897
>
> -----Original Message-----
> From: Jim Barchuk [mailto:jb@jbarchuk.com]
> Sent: Tuesday, September 17, 2013 3:14 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Is it alive?
>
> HiHi!
>
>> How do you tell if a server is running apache?
>> * I can see processes running.
>> * I can't surf to it - website is online but isn't responding to connection attempts.
>
> apachectl status will tell you if it's running. apachectl fullstatus will give more details and info about current connections.
>
> The logs will tell you about attempted/successful/failed connections (for requests that reach the server.)
>
> If there's no log info then that means no connections were attempted and as was suggested a firewall (router or software) may have blocked it.
>
> It's even possible to configure the server such that it's running but told to not respond to any requests.
>
> ping www.domain should produce a response, again though as long as nothing blocks it and the server is not configured to ignore them.
>
> tcpdump can show if traffic is at least attempting to knock on the server's door.
>
> Did it -used- to work, but now it fails, or is this a new install/config?
>
> Have a :) day!
>
> jb
>
> --
> Jim Barchuk
> jb@jbarchuk.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



Re: [users@httpd] Is it alive?

Posted by Peter Kühnlein <pe...@function2form.net>.
On 18.09.2013 00:15, Smith, Burton wrote:
> I'm told "there are no firewall issues", but firewall does make the most sense.
>
> I'll have to look up the apachectl.  I don't think it is working correctly; it says:
>   * [root@dxnpb2 extra]# /usr/sbin/apachectl status
>   * ELinks: SSL error
>   * [root@dxnpb2 extra]# /usr/sbin/apachectl fullstatus
>   * ELinks: SSL error
>
> Nothing useful in the logs.  That is another known concern.
If you've got nmap installed, you might as well try

nmap (subnet or ip-address)

e.g., I use
nmap 192.168.2.* to check all machines on that local subnet

-- 

http://function2form.net
http://peter-kuehnlein.net

"As Yasuda Ukyo said about offering the last wine cup, only the end of things is important. One's whole life should be like this."
(Hagakure)


Re: [users@httpd] Is it alive?

Posted by Vincenzo D'Amore <v....@gmail.com>.
If you try:

# netstat -nltp

you should see all listening sockets and related processes.
So you should see whether apache is listening and where it is listening.

If you see something like this:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      984/apache2

or this:

tcp6       0      0 :::80                   :::*                    LISTEN      984/apache2

apache is listening on localhost too. So you could try something easy like:

# curl localhost

and see if you actually have a firewall problem.






2013/9/18 Peter Kühnlein <pe...@function2form.net>

>  On 18.09.2013 00:15, Smith, Burton wrote:
>
> I'm told "there are no firewall issues", but firewall does make the most sense.
>
> I'll have to look up the apachectl.  I don't think it is working correctly; it says:
>  * [root@dxnpb2 extra]# /usr/sbin/apachectl status
>  * ELinks: SSL error
>  * [root@dxnpb2 extra]# /usr/sbin/apachectl fullstatus
>  * ELinks: SSL error
>
> Nothing useful in the logs.  That is another known concern.
>
> Tcpdump is only showing the ICMP rejects.
>
> This new configuration is identical to two other machines I am running, but it has several quirks.
>
>  ps ax | grep http
>
> what does that tell?
>
> --
> http://function2form.net
> http://peter-kuehnlein.net
>
> "As Yasuda Ukyo said about offering the last wine cup, only the end of things is important. One's whole life should be like this."
> (Hagakure)
>
>


-- 
Vincenzo D'Amore
email: v.damore@gmail.com
skype: free.dev
mobile: +39 349 8513251
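
Added example, not part of the original post: the netstat check described above as a small shell function that classifies how a port is bound, which tells you whether `curl localhost` is a meaningful test. The function name `classify_listen` and the sample lines other than the two shown in the post are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify how a port is bound, using the
# "Local Address" column of `netstat -nlt` / `netstat -nltp` output on stdin.

# classify_listen PORT
# Prints: wildcard | loopback-only | specific-address | not-listening
classify_listen() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, parts, ":")          # port is the last ":" field
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::")        wild = 1
            else if (addr ~ /^127\./ || addr == "::1")    loop = 1
            else                                          other = 1
        }
        END {
            if (wild)       print "wildcard"          # localhost and all interfaces
            else if (other) print "specific-address"  # test that address, not localhost
            else if (loop)  print "loopback-only"     # remote clients can never connect
            else            print "not-listening"     # nothing bound to this port
        }'
}

# Constructed sample input: the first two lines match the post, the rest are made up.
SAMPLE_WILDCARD='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      984/apache2
tcp6       0      0 :::80                   :::*                    LISTEN      984/apache2'
SAMPLE_LOOPBACK='tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      984/apache2'
SAMPLE_SPECIFIC='tcp        0      0 192.0.2.10:443          0.0.0.0:*               LISTEN      984/apache2'

for port in 80 443; do
    printf 'wildcard sample, port %s: %s\n' "$port" \
        "$(printf '%s\n' "$SAMPLE_WILDCARD" | classify_listen "$port")"
done
printf 'loopback sample, port 443: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOOPBACK" | classify_listen 443)"
printf 'specific sample, port 443: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SPECIFIC" | classify_listen 443)"
```

On a live host, feed it real output with `netstat -nlt | classify_listen 80`; a `loopback-only` result means no firewall change will help and the `Listen` directive is the thing to check.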

Re: [users@httpd] Is it alive?

Posted by Peter Kühnlein <pe...@function2form.net>.
On 18.09.2013 00:15, Smith, Burton wrote:
> I'm told "there are no firewall issues", but firewall does make the most sense.
>
> I'll have to look up the apachectl.  I don't think it is working correctly; it says:
>   * [root@dxnpb2 extra]# /usr/sbin/apachectl status
>   * ELinks: SSL error
>   * [root@dxnpb2 extra]# /usr/sbin/apachectl fullstatus
>   * ELinks: SSL error
>
> Nothing useful in the logs.  That is another known concern.
>
> Tcpdump is only showing the ICMP rejects.
>
> This new configuration is identical to two other machines I am running, but it has several quirks.
ps ax | grep http

what does that tell?

-- 

http://function2form.net
http://peter-kuehnlein.net

"As Yasuda Ukyo said about offering the last wine cup, only the end of things is important. One's whole life should be like this."
(Hagakure)


RE: [users@httpd] Is it alive?

Posted by "Smith, Burton" <Bu...@Williams.com>.
I'm told "there are no firewall issues", but firewall does make the most sense.

I'll have to look up the apachectl.  I don't think it is working correctly; it says:
 * [root@dxnpb2 extra]# /usr/sbin/apachectl status
 * ELinks: SSL error
 * [root@dxnpb2 extra]# /usr/sbin/apachectl fullstatus
 * ELinks: SSL error

Nothing useful in the logs.  That is another known concern.

Tcpdump is only showing the ICMP rejects.

This new configuration is identical to two other machines I am running, but it has several quirks.

---
Thanks,
Burton L. Smith
w:801-584-6164
c:801-201-2897

-----Original Message-----
From: Jim Barchuk [mailto:jb@jbarchuk.com] 
Sent: Tuesday, September 17, 2013 3:14 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Is it alive?

HiHi!

> How do you tell if a server is running apache?
> * I can see processes running.
> * I can't surf to it - website is online but isn't responding to connection attempts.

apachectl status will tell you if it's running. apachectl fullstatus will give more details and info about current connections.

The logs will tell you about attempted/successful/failed connections (for requests that reach the server.)

If there's no log info then that means no connections were attempted and as was suggested a firewall (router or software) may have blocked it.

It's even possible to configure the server such that it's running but told to not respond to any requests.

ping www.domain should produce a response, again though as long as nothing blocks it and the server is not configured to ignore them.

tcpdump can show if traffic is at least attempting to knock on the server's door.

Did it -used- to work, but now it fails, or is this a new install/config?

Have a :) day!

jb

--
Jim Barchuk
jb@jbarchuk.com



Re: [users@httpd] Is it alive?

Posted by Jim Barchuk <jb...@jbarchuk.com>.
HiHi!

> How do you tell if a server is running apache?
> * I can see processes running.
> * I can't surf to it - website is online but isn't responding to connection attempts.

apachectl status will tell you if it's running. apachectl fullstatus will 
give more details and info about current connections.

The logs will tell you about attempted/successful/failed connections (for 
requests that reach the server.)

If there's no log info then that means no connections were attempted and 
as was suggested a firewall (router or software) may have blocked it.

It's even possible to configure the server such that it's running but told 
to not respond to any requests.

ping www.domain should produce a response, again though as long as nothing 
blocks it and the server is not configured to ignore them.

tcpdump can show if traffic is at least attempting to knock on the 
server's door.

Did it -used- to work, but now it fails, or is this a new install/config?

Have a :) day!

jb

-- 
Jim Barchuk
jb@jbarchuk.com



Re: [users@httpd] Is it alive?

Posted by Lester Caine <le...@lsces.co.uk>.
Smith, Burton wrote:
> How do you tell if a server is running apache?
>   * I can see processes running.
>   * I can't surf to it - website is online but isn't responding to connection attempts.

Firewall?
Is it working as localhost on the machine?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk



[users@httpd] Is it alive?

Posted by "Smith, Burton" <Bu...@Williams.com>.
How do you tell if a server is running apache?
 * I can see processes running.
 * I can't surf to it - website is online but isn't responding to connection attempts.

---
Thanks,
Burton L. Smith
w:801-584-6164
c:801-201-2897



Re: [users@httpd] Using CONNECT with SSL Proxy

Posted by Nikolaus Rath <Ni...@rath.org>.
Hi Eric,

Do you have a link? I'm not able to find it on
https://issues.apache.org/bugzilla/ (tried searching for
mod_proxy_connect, proxy + connect + ssl, proxy + connect + tls, proxy +
connect).


Thanks!
-Nikolaus


On 09/10/2013 08:27 AM, Eric Covener wrote:
> please search bugzilla, there is a long-standing issue.
> 
> On Tue, Sep 10, 2013 at 11:23 AM, Nikolaus Rath <Ni...@rath.org> wrote:
>> Hello,
>>
>> I would like to establish a TLS connection to my apache proxy and then
>> use the CONNECT method. I have configured a virtual host with
>> "ProxyRequests On" and "SSLProxyEngine On".
>>
>> Accessing the proxy over TLS works fine, but as soon as I issue the
>> CONNECT command, the TLS connection breaks down. If I disable the
>> mod_proxy_connect module, I'm getting a proper error message instead.
>>
>> Is it possible that the mod_proxy_connect module bypasses the TLS
>> layer and tries to forward data directly to the client? That's pretty
>> much the only explanation I can come up with.
>>
>> Is there any way to get this to work?
>>
>> I'm using Apache 2.2.
>>
>> Thanks,
>> Nikolaus
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
> 
> 
> 




Re: [users@httpd] Using CONNECT with SSL Proxy

Posted by Eric Covener <co...@gmail.com>.
please search bugzilla, there is a long-standing issue.

On Tue, Sep 10, 2013 at 11:23 AM, Nikolaus Rath <Ni...@rath.org> wrote:
> Hello,
>
> I would like to establish a TLS connection to my apache proxy and then
> use the CONNECT method. I have configured a virtual host with
> "ProxyRequests On" and "SSLProxyEngine On".
>
> Accessing the proxy over TLS works fine, but as soon as I issue the
> CONNECT command, the TLS connection breaks down. If I disable the
> mod_proxy_connect module, I'm getting a proper error message instead.
>
> Is it possible that the mod_proxy_connect module bypasses the TLS
> layer and tries to forward data directly to the client? That's pretty
> much the only explanation I can come up with.
>
> Is there any way to get this to work?
>
> I'm using Apache 2.2.
>
> Thanks,
> Nikolaus
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



-- 
Eric Covener
covener@gmail.com
