Posted to modperl@perl.apache.org by Mark Moseley <mo...@gmail.com> on 2005/09/16 02:05:34 UTC

Masquerading requests as HTTPS

Greetings. I've been scouring the list and the net for a solution for this 
but my apologies in advance if I didn't get the search terms right and 
missed a RTFM answer.

I work for a web hosting company and we recently purchased a pair of BigIPs. 
These have the ability to terminate SSL connections and then send regular 
HTTP to the backend servers (running Apache 1.3.29/mod_perl 1.29 and making 
heavy use of transhandlers).

My question for the list is this:
Is there any mod_perl-ish way to pretend that a request is coming through SSL? 
The main issue I'm facing is that I've got a couple hundred thousand users, 
many using mod_rewrite in .htaccess files (and a potentially very very large 
number and out of my control so modifying them is not an option). Since the 
BigIP is retransmitting the request as HTTP, the scheme that the backend 
server is using is 'http', not 'https'. So if a redirect is generated via 
mod_rewrite, it's redirecting to http://the/url/etc, not https://the/url/etc. 
Presumably people doing redirects via PHP would have the same issue. However 
the URL scheme looks to be somewhat inaccessible from $r and if I parse it 
with Apache::URI and use the scheme method there, I don't know of a $r 
method to set the URI to the modified URI object.

I've tried setting $ENV{ HTTPS } to 'on', but that didn't help.

Anybody know of a method I might be missing that would help me out? 
Basically what I'm trying to accomplish is if I see a request coming in on 
port 443, I want to set $r->method( "https" ) -- and I know there's no 
method called this, but for explanation sake ;)

Thanks!

Re: Masquerading requests as HTTPS

Posted by Mark Moseley <mo...@gmail.com>.
On 9/16/05, Torsten Foertsch <to...@gmx.net> wrote:
> 
> Maybe it is sufficient to set $r->subprocess_env(HTTPS=>'on') in a
> PostReadRequest handler. Maybe even PerlSetEnv outside any <Location> or
> <Directory> might help. This will also set environment variables very 
> early.
> $ENV{HTTPS} is not good.
> 

Ah, I'd neglected to mention that I was using subprocess_env as well in the 
same spot. I just tried PerlSetEnv in the VirtualHost on the backend server 
handling port 443 (as well as regular SetEnv for good measure) but same 
story.

It's definitely getting set too, since I tacked the HTTPS env var onto the 
redirected URL in mod_rewrite and ?on dutifully shows up.

So before the transhandling phase, is there any way to take the URL, futz 
with it via Apache::URI, and then reinject that as the URL the subsequent 
phases will see (assuming it's not just updating the URL in modperl alone 
and that C-based modules can see the change as well, e.g. mod_rewrite)?

Re: Masquerading requests as HTTPS

Posted by Torsten Foertsch <to...@gmx.net>.
On Friday 16 September 2005 02:05, Mark Moseley wrote:
> Greetings. I've been scouring the list and the net for a solution for this
> but my apologies in advance if I didn't get the search terms right and
> missed a RTFM answer.
>
> I work for a web hosting company and we recently purchased a pair of
> BigIPs. These have the ability to terminate SSL connections and then send
> regular HTTP to the backend servers (running Apache 1.3.29/mod_perl 1.29
> and making heavy use of transhandlers).
>
> My question for the list is this:
> Is there any mod_perl-ish way to pretend that a request is coming through SSL?
> The main issue I'm facing is that I've got a couple hundred thousand
> users, many using mod_rewrite in .htaccess files (and a potentially very
> very large number and out of my control so modifying them is not an
> option). Since the BigIP is retransmitting the request as HTTP, the scheme
> that the backend server is using is 'http', not 'https'. So if a redirect
> is generated via mod_rewrite, it's redirecting to http://the/url/etc, not
> https://the/url/etc. Presumably people doing redirects via PHP would have
> the same issue. However the URL scheme looks to be somewhat inaccessible
> from $r and if I parse it with Apache::URI and use the scheme method there,
> I don't know of a $r method to set the URI to the modified URI object.
>
> I've tried setting $ENV{ HTTPS } to 'on', but that didn't help.
>
> Anybody know of a method I might be missing that would help me out?
> Basically what I'm trying to accomplish is if I see a request coming in on
> port 443, I want to set $r->method( "https" ) -- and I know there's no
> method called this, but for explanation sake ;)

Maybe it is sufficient to set $r->subprocess_env(HTTPS=>'on') in a 
PostReadRequest handler. Maybe even PerlSetEnv outside any <Location> or 
<Directory> might help. This will also set environment variables very early. 
$ENV{HTTPS} is not good.

Torsten

Re: Masquerading requests as HTTPS

Posted by Mark Moseley <mo...@gmail.com>.
On 9/16/05, Carl Johnstone <mo...@fadetoblack.demon.co.uk> wrote:
> 
> Can add my voice to the "BigIP should do this" school of thought. If it's
> effectively converting HTTPS into HTTP requests for you, then I would 
> expect
> it should be able to rewrite redirects automatically for you too. Same way
> that apache does it in mod_proxy.
> 
> However can I also point out that even if you catch redirects, you've 
> still
> potentially got broken HTML etc etc to "fix".
> 

That would be cool if it did, but I haven't seen or read about a feature in 
it that does that. Even if it did, it might also incorrectly change 
redirected URLs, i.e. where the user is explicitly redirecting to a non-SSL 
absolute URL in the same domain, as opposed to my issue where something like 
mod_rewrite is generating the full URL from part of a URL, e.g.

RewriteRule test1.htm /test2.htm [R,L]

Re: Masquerading requests as HTTPS

Posted by Carl Johnstone <mo...@fadetoblack.demon.co.uk>.
Can add my voice to the "BigIP should do this" school of thought. If it's 
effectively converting HTTPS into HTTP requests for you, then I would expect 
it should be able to rewrite redirects automatically for you too. Same way 
that apache does it in mod_proxy.

However can I also point out that even if you catch redirects, you've still 
potentially got broken HTML etc etc to "fix".

Carl


Re: Masquerading requests as HTTPS

Posted by Mark Moseley <mo...@gmail.com>.
On 9/16/05, Jeff <mo...@aquabolt.com> wrote:
> 
> In your BigIPs Apache httpd.conf you might try:
> 
> # bounce to https only
> <VirtualHost *>
> ServerName www.mywebsite.com
> Redirect permanent / https://www.mywebsite.com/
> </VirtualHost>
> 
> Which tells your client browsers to use HTTPS for all requests for the
> relevant website.
> 

Unfortunately, it doesn't have any configuration options like that. It's 
basically a really fancy Layer 7-aware switch. It's got some neat things 
like being able to use TCL to goof with the request, but it doesn't offer 
much in the way of Apache-like configuration.

We also totally rely on transhandling to direct all Apache requests, so we 
don't have separate vhosts for each user, since it's a shared architecture 
and 200k+ vhosts would take some time to load ;)

Re: Masquerading requests as HTTPS

Posted by Jeff <mo...@aquabolt.com>.
> 
> Wouldn't it be better to parse responses on BigIPs and replace 'http'
> with 'https' if redirect is detected? I have no idea how to do this, though.
> 

In your BigIPs Apache httpd.conf you might try:

# bounce to https only
<VirtualHost *>
   ServerName  www.mywebsite.com
   Redirect    permanent / https://www.mywebsite.com/
</VirtualHost>

Which tells your client browsers to use HTTPS for all requests for the 
relevant website.

Regards
Jeff

Re: Masquerading requests as HTTPS

Posted by Mark Moseley <mo...@gmail.com>.
Damyan Ivanov wrote: 

> Wouldn't it be better to parse responses on BigIPs and replace 'http'
> with 'https' if redirect is detected? I have no idea how to do this, 
> though.
> 
> 
The BigIP has some TCL functions available during the response, but I'm 
assuming that any regexing I do there would be not enough, and I can think 
of scenarios where the user had redirected explicitly to http:// and I'd be 
rewriting it when I shouldn't be. Plus there's also the matter of 
dynamically created URLs embedded in the body, created by 
perl/php/python/etc that were using the same scheme as the incoming URL.

However, it's definitely something to look further into.
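
The response-side rewrite discussed in this exchange (and the mod_proxy comparison made elsewhere in the thread), modelled as an added example; it is not code from the thread, from the BigIP, or from mod_proxy. The function name `fix_redirect`, the `SAMPLES` list and the `example.com` hosts are constructed for illustration. It rewrites a `Location` header only when the client connected over TLS and the redirect points at the same host on plain HTTP, and the last sample shows the ambiguity raised above: an explicit same-host `http://` redirect is indistinguishable from a generated one.

```python
from urllib.parse import urlsplit, urlunsplit


def fix_redirect(location, request_host, client_used_tls):
    """Return the Location value a TLS-terminating proxy would send back.

    location        -- Location header produced by the plain-HTTP backend
    request_host    -- Host header of the client request (may carry a port)
    client_used_tls -- True if the client-facing connection was HTTPS
    """
    if not location or not client_used_tls:
        return location                      # nothing to protect
    parts = urlsplit(location)
    if parts.scheme != "http":
        return location                      # relative, already https, or other scheme
    try:
        port = parts.port
    except ValueError:
        return location                      # malformed port: leave untouched
    if port not in (None, 80) or parts.username is not None:
        return location                      # non-default port or userinfo: not ours
    wanted = urlsplit("//" + request_host).hostname
    if not parts.hostname or parts.hostname != wanted:
        return location                      # redirect to a different host
    # Drop an explicit ":80" so the https URL uses its own default port.
    netloc = parts.netloc.rsplit(":", 1)[0] if port is not None else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed sample Location headers for a request to www.example.com over TLS.
SAMPLES = [
    "http://www.example.com/test2.htm",     # built by the backend from "/test2.htm"
    "/test2.htm",                           # relative: browser keeps https itself
    "http://other.example.net/landing",     # different host: left alone
    "http://www.example.com:8080/admin",    # different port: left alone
    "http://www.example.com/plain-only/",   # explicit same-host http: rewritten too
]


def demo():
    """Map each constructed sample to the header the client would receive."""
    return [(loc, fix_redirect(loc, "www.example.com", True)) for loc in SAMPLES]


if __name__ == "__main__":
    for before, after in demo():
        print(f"{before:40} -> {after}")
```
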

Re: Masquerading requests as HTTPS

Posted by Damyan Ivanov <di...@creditreform.bg>.
Mark Moseley wrote:
> Howdy. Actually, I don't need any actual SSL functionality. All I need
> to do is to trick everything from the transhandler phase downwards that
> the URL's scheme is 'https' so that redirects have https://, not
> http://, since anyone doing a mod_rewrite or scripted redirect whilst in
> SSL would get shunted back to HTTP otherwise -- and no doubt harass our
> customer support ;)

Wouldn't it be better to parse responses on BigIPs and replace 'http'
with 'https' if redirect is detected? I have no idea how to do this, though.


dam
--
Damyan Ivanov          0x9725F63B          Creditreform Bulgaria
divanov@creditreform.bg              http://www.creditreform.bg/
phone: +359(2)928-2611, 929-3993            fax: +359(2)920-0994
mob. +359(88)856-6067  ICQ 3028500  dam@jabber.minus273.org/Gaim

Re: Masquerading requests as HTTPS

Posted by Mark Moseley <mo...@gmail.com>.
Howdy. Actually, I don't need any actual SSL functionality. All I need to do 
is to trick everything from the transhandler phase downwards that the URL's 
scheme is 'https' so that redirects have https://, not http://, since anyone 
doing a mod_rewrite or scripted redirect whilst in SSL would get shunted 
back to HTTP otherwise -- and no doubt harass our customer support ;)

So nothing fancy and encrypted, since I'm doing the SSL offloading on the 
BigIP (which is sweet). I want to keep the session between the bigIP and the 
backend server in regular HTTP.

RE: Masquerading requests as HTTPS

Posted by Badai Aqrandista <ba...@hotmail.com>.
Hi Mark,

From my limited knowledge, SSL handshake is processed prior to doing the HTTP 
request-response. Therefore, when apache or mod_perl accepts HTTPS requests, 
it can't redirect it over HTTPS unless you create another HTTPS request with 
LWP or WWW::Mechanize, for example.

But if you want to connect to a backend server, why do you need a secure 
connection anyway?

However, others probably know better...

---
Badai Aqrandista
Cheepy (?)

>From: Mark Moseley <mo...@gmail.com>
>Reply-To: moseleymark@gmail.com
>To: modperl@perl.apache.org
>Subject: Masquerading requests as HTTPS
>Date: Thu, 15 Sep 2005 17:05:34 -0700
>
>Greetings. I've been scouring the list and the net for a solution for this
>but my apologies in advance if I didn't get the search terms right and
>missed a RTFM answer.
>
>I work for a web hosting company and we recently purchased a pair of 
>BigIPs.
>These have the ability to terminate SSL connections and then send regular
>HTTP to the backend servers (running Apache 1.3.29/mod_perl 1.29 and making
>heavy use of transhandlers).
>
>My question for the list is this:
>Is there any mod_perl-ish way to pretend that a request is coming through SSL?
>The main issue I'm facing is that I've got a couple hundred thousand 
>users,
>many using mod_rewrite in .htaccess files (and a potentially very very 
>large
>number and out of my control so modifying them is not an option). Since the
>BigIP is retransmitting the request as HTTP, the scheme that the backend
>server is using is 'http', not 'https'. So if a redirect is generated via
>mod_rewrite, it's redirecting to http://the/url/etc, not 
>https://the/url/etc.
>Presumably people doing redirects via PHP would have the same issue. 
>However
>the URL scheme looks to be somewhat inaccessible from $r and if I parse it
>with Apache::URI and use the scheme method there, I don't know of a $r
>method to set the URI to the modified URI object.
>
>I've tried setting $ENV{ HTTPS } to 'on', but that didn't help.
>
>Anybody know of a method I might be missing that would help me out?
>Basically what I'm trying to accomplish is if I see a request coming in on
>port 443, I want to set $r->method( "https" ) -- and I know there's no
>method called this, but for explanation sake ;)
>
>Thanks!
