Posted to users@httpd.apache.org by frank rittinger <fr...@virtual-identity.com> on 2006/12/14 11:56:40 UTC

[users@httpd] Problem using apache as a reverse proxy for https

Hello list,

I'm trying to get apache2 working as a reverse proxy. 

Regular HTTP requests just work fine, but I can't get it working for
HTTPS requests.

On startup of apache, I get the following error in the logs:
You configured HTTP(80) on the standard HTTPS(443) port!

Although, I just want to pass on the requests, do I still have to set up
SSL support properly? 

I have such a vhosts definition:

<VirtualHost 10.1.2.45:443>
      SSLProxyEngine on
      ProxyRequests Off
      ProxyPreserveHost On
      ProxyPass / https://10.1.2.27:443/
      ProxyPassReverse / https://10.1.2.27:443/
      ServerName test.com:443
</VirtualHost>

Apache 2.0.x on SuSE Linux 9.3. With modules proxy, ssl, proxy_connect,
proxy_http.

I searched the web for a while now and can't find any relevant answers.

Am I missing something, or does it just not work?

Thanks in advance,

Frank Rittinger

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Problem using apache as a reverse proxy for https

Posted by Joshua Slive <jo...@slive.ca>.
On 12/15/06, frank rittinger <fr...@virtual-identity.com> wrote:
>
> > -----Original Message-----
> > From: jslive@gmail.com [mailto:jslive@gmail.com] On Behalf Of
> > >
> >
> > If you don't want the proxy decrypting the traffic, then you
> > don't want an HTTP proxy, you want a port-forwarder.  Just
> > tell your OS or firewall to forward port 443 on to the
> > back-end server.  But remember that a certificate is
> > associated with a particular hostname, so you'll need to be
> > careful to get that right.
>
> I think that port forwarding will not work, based on domain names (I have multiple domains pointing to the same IP address).
>
> I guess, I have to use properly configured certificates and decrypt/encrypt at the proxy...

Well, in general you can't have multiple names on the same IP address
when vhosting SSL anyway, since there is no way for the correct
certificate to be negotiated.  So unless you are doing something very
special, you're going to need to rethink the whole strategy.

Joshua.



RE: [users@httpd] Problem using apache as a reverse proxy for https

Posted by frank rittinger <fr...@virtual-identity.com>.
> -----Original Message-----
> From: jslive@gmail.com [mailto:jslive@gmail.com] On Behalf Of
> >
> 
> If you don't want the proxy decrypting the traffic, then you 
> don't want an HTTP proxy, you want a port-forwarder.  Just 
> tell your OS or firewall to forward port 443 on to the 
> back-end server.  But remember that a certificate is 
> associated with a particular hostname, so you'll need to be 
> careful to get that right.

I think that port forwarding will not work, based on domain names (I have multiple domains pointing to the same IP address).

I guess, I have to use properly configured certificates and decrypt/encrypt at the proxy...

Thanks a lot,

Frank



Re: [users@httpd] Problem using apache as a reverse proxy for https

Posted by Joshua Slive <jo...@slive.ca>.
On 12/14/06, frank rittinger <fr...@virtual-identity.com> wrote:
> Thanks for the answer,
>
> As far as I understand it, this would mean that the client talks to my proxy with one certificate and then the proxy decrypts and encrypts the request and uses the original server's certificate to communicate with the original server, i.e.
>
> Client ----- cert A ---> Proxy ----> cert B ----> Server
>
> What I would like is:
>
> Client ----- cert B ---> Proxy ----> cert B ----> Server
>
> Without the Proxy "reading" the request, simply passing it on.
>
> Is this possible at all?
>
> I have to put the proxy in the middle without changing certificates.

This goes a little beyond my level of expertise, but...

If you don't want the proxy decrypting the traffic, then you don't
want an HTTP proxy, you want a port-forwarder.  Just tell your OS or
firewall to forward port 443 on to the back-end server.  But remember
that a certificate is associated with a particular hostname, so you'll
need to be careful to get that right.

(In the case of a forward-proxy, there is actually a specific provision
for this in the form of the CONNECT method.  But that won't work in a
reverse-proxy situation.)

Joshua.



RE: [users@httpd] Problem using apache as a reverse proxy for https

Posted by frank rittinger <fr...@virtual-identity.com>.
Thanks for the answer,

As far as I understand it, this would mean that the client talks to my proxy with one certificate and then the proxy decrypts and encrypts the request and uses the original server's certificate to communicate with the original server, i.e.

Client ----- cert A ---> Proxy ----> cert B ----> Server

What I would like is:

Client ----- cert B ---> Proxy ----> cert B ----> Server

Without the Proxy "reading" the request, simply passing it on.

Is this possible at all?

I have to put the proxy in the middle without changing certificates.

Cheers, Frank

> -----Original Message-----
> From: jslive@gmail.com [mailto:jslive@gmail.com] On Behalf Of Joshua Slive
> Sent: Thursday, 14 December 2006 16:01
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Problem using apache as a reverse proxy for https
>
> On 12/14/06, frank rittinger <fr...@virtual-identity.com> wrote:
> > Hello list,
> >
> > I'm trying to get apache2 working as a reverse proxy.
> >
> > Regular HTTP requests just work fine, but I can't get it working for
> > HTTPS requests.
> >
> > On startup of apache, I get the following error in the logs:
> > You configured HTTP(80) on the standard HTTPS(443) port!
> >
> > Although, I just want to pass on the requests, do I still have to set
> > up SSL support properly?
> >
> > I have such a vhosts definition:
> >
> > <VirtualHost 10.1.2.45:443>
> >       SSLProxyEngine on
> >         ProxyRequests Off
> >       ProxyPreserveHost On
> >       ProxyPass / https://10.1.2.27:443/
> >       ProxyPassReverse / https://10.1.2.27:443/
> >       ServerName test.com:443
> > </VirtualHost>
> >
> > Apache 2.0.x on SuSE Linux 9.3. With modules proxy, ssl, 
> > proxy_connect, proxy_http.
> 
> You configured SSL for the proxy->backend connection, but you 
> haven't configured SSL for the client->proxy connection.  You 
> would need at least SSLEngine On in the vhost (and perhaps a 
> bunch of other stuff for certificates, etc, depending on the config).
> 



Re: [users@httpd] Problem using apache as a reverse proxy for https

Posted by Joshua Slive <jo...@slive.ca>.
On 12/14/06, frank rittinger <fr...@virtual-identity.com> wrote:
> Hello list,
>
> I'm trying to get apache2 working as a reverse proxy.
>
> Regular HTTP requests just work fine, but I can't get it working for
> HTTPS requests.
>
> On startup of apache, I get the following error in the logs:
> You configured HTTP(80) on the standard HTTPS(443) port!
>
> Although, I just want to pass on the requests, do I still have to set up
> SSL support properly?
>
> I have such a vhosts definition:
>
> <VirtualHost 10.1.2.45:443>
>       SSLProxyEngine on
>         ProxyRequests Off
>       ProxyPreserveHost On
>       ProxyPass / https://10.1.2.27:443/
>       ProxyPassReverse / https://10.1.2.27:443/
>       ServerName test.com:443
> </VirtualHost>
>
> Apache 2.0.x on SuSE Linux 9.3. With modules proxy, ssl, proxy_connect,
> proxy_http.

You configured SSL for the proxy->backend connection, but you haven't
configured SSL for the client->proxy connection.  You would need at
least SSLEngine On in the vhost (and perhaps a bunch of other stuff
for certificates, etc, depending on the config).

Joshua.
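
The fix described in the reply above, written out as an added example (not part of the original thread and not either poster's configuration): the vhost from the first post with TLS enabled on the client->proxy leg as well as the proxy->backend leg. The certificate, key and CA file paths are placeholders, and the SSLProxyVerify lines are an added assumption that the backend certificate chains to a CA bundle you hold.

```apache
<VirtualHost 10.1.2.45:443>
    ServerName test.com:443

    # Client -> proxy leg: terminate TLS here. Without SSLEngine on, httpd
    # speaks plain HTTP on port 443, which is what the startup message
    # "You configured HTTP(80) on the standard HTTPS(443) port!" reports.
    SSLEngine on
    # Placeholder paths (assumptions). Because the proxy is the TLS endpoint
    # the client sees, this certificate must be valid for the name clients
    # connect to (test.com), and its private key must live on the proxy.
    SSLCertificateFile    /path/to/test.com.crt
    SSLCertificateKeyFile /path/to/test.com.key

    # Proxy -> backend leg: re-encrypt towards the origin server.
    SSLProxyEngine on
    # Added assumption: verify the backend certificate against a CA bundle
    # instead of accepting whatever certificate the backend presents.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /path/to/backend-ca.crt

    # Reverse proxy only; keep forward proxying disabled.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / https://10.1.2.27:443/
    ProxyPassReverse / https://10.1.2.27:443/
</VirtualHost>
```

With this layout the proxy decrypts and re-encrypts every request (the "cert A / cert B" picture in the thread), so request contents are visible on the proxy host and its key material needs the same protection as the backend's.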
