Posted to users@httpd.apache.org by John Oliver <jo...@john-oliver.net> on 2009/04/08 19:37:44 UTC

[users@httpd] "tee" SSL traffic?

Is it possible for an instance of httpd to basically copy all traffic it
receives to another instance of httpd on another host?

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] "tee" SSL traffic?

Posted by André Warnier <aw...@ice-sa.com>.
Eric Covener wrote:
> On Wed, Apr 8, 2009 at 6:19 PM, Eric Covener <co...@gmail.com> wrote:
>> Seems like a simple proxy reverse proxy might be sufficient
> 
> One too many proxies!
> 
What do you do with the responses from both servers though ?




Re: [users@httpd] "tee" SSL traffic?

Posted by Eric Covener <co...@gmail.com>.
On Wed, Apr 8, 2009 at 6:19 PM, Eric Covener <co...@gmail.com> wrote:
> Seems like a simple proxy reverse proxy might be sufficient

One too many proxies!

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] "tee" SSL traffic?

Posted by Eric Covener <co...@gmail.com>.
On Wed, Apr 8, 2009 at 6:09 PM, André Warnier <aw...@ice-sa.com> wrote:
> John Oliver wrote:
>>
>> On Wed, Apr 08, 2009 at 04:16:32PM -0400, Eric Covener wrote:
>>>
>>> On Wed, Apr 8, 2009 at 1:37 PM, John Oliver <jo...@john-oliver.net>
>>> wrote:
>>>>
>>>> Is it possible for an instance of httpd to basically copy all traffic it
>>>> receives to another instance of httpd on another host?
>>>
>>> No -- You want something much lower-level, like a TCP tunnel or a load
>>> balancer. Apache will always decrypt/re-encrypt if you put it between
>>> a client and an SSL origin server.
>>
>> It would actually be quite OK for httpd to decrypt the traffic first,
>> since it'll be sent to one other host, on a local segment, re-encrypted
>> by a private keypair.
>>
> Continuing on the above, I don't know of any way that you could achieve what
> you want using only standard Apache config or modules.
> It is after all quite unusual as a requirement.

Seems like a simple proxy reverse proxy might be sufficient


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] "tee" SSL traffic?

Posted by André Warnier <aw...@ice-sa.com>.
John Oliver wrote:
> On Wed, Apr 08, 2009 at 04:16:32PM -0400, Eric Covener wrote:
>> On Wed, Apr 8, 2009 at 1:37 PM, John Oliver <jo...@john-oliver.net> wrote:
>>> Is it possible for an instance of httpd to basically copy all traffic it
>>> receives to another instance of httpd on another host?
>> No -- You want something much lower-level, like a TCP tunnel or a load
>> balancer. Apache will always decrypt/re-encrypt if you put it between
>> a client and an SSL origin server.
> 
> It would actually be quite OK for httpd to decrypt the traffic first,
> since it'll be sent to one other host, on a local segment, re-encrypted
> by a private keypair.
> 
Continuing on the above, I don't know of any way that you could achieve 
what you want using only standard Apache config or modules.
It is after all quite unusual as a requirement.

It is relatively easy to achieve this with mod_perl though.
One of the issues you are facing is that the request to the second host 
is going to return an answer (also, just like the "main" one). So you 
have to read this answer and deal with it somehow at the httpd level, 
you can't just return it to the browser or it will get confused getting 
two times an answer to a single request.

Schematically :
implement a request filter, that will capture the request at the same 
time as letting it through transparently to whatever its original 
destination is.
When the request is entirely captured, the filter forwards this request 
to the second server (not necessarily via HTTPS), gets the answer and 
saves it somewhere.  You may have a practical problem if the requests or 
responses are very large. It may also get more complicated if the 
requests/responses include some kind of "state", like cookies.
With mod_perl and the LWP module, it is quite doable.




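An added example, not code from this thread or from the httpd project: the filter sketched above, written in Python rather than mod_perl since the sketch itself is language-neutral. It buffers one complete request, lets it through to the primary, sends an identical copy to a second host, and keeps that second answer out of the response the client sees, which is the problem raised earlier in the thread. The host names, ports and the sample request are constructed assumptions.

```python
"""Mirror ("tee") one HTTP request to a shadow backend and return only the
primary's answer.

Added example, not code from this thread or from the httpd project. It stands in
for the mod_perl filter sketched in the thread: buffer the whole request, let it
through to the primary, send an identical copy to the second host, and keep that
second answer out of the client-facing response. Host names, ports and the sample
request are assumptions constructed for the example.
"""
from __future__ import annotations

import http.client
import logging
import threading
from dataclasses import dataclass
from typing import Callable

log = logging.getLogger("tee")

# Hop-by-hop headers describe one connection and must not be replayed on a new one.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]
    body: bytes = b""


@dataclass
class Response:
    status: int
    headers: dict[str, str]
    body: bytes


Sender = Callable[[Request], Response]


def header(headers: dict[str, str], name: str, default: str = "") -> str:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return default


def parse_request(raw: bytes) -> Request:
    """Parse one complete HTTP/1.1 request with a Content-Length body.

    Raises ValueError when bytes are missing: the copy is only forwarded once the
    request is entirely captured, otherwise the shadow would see a truncated body.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()  # a repeated header name overwrites
    length = int(header(headers, "Content-Length", "0"))
    if len(rest) < length:
        raise ValueError(f"incomplete body: have {len(rest)} of {length} bytes")
    return Request(method, path, headers, rest[:length])


def forwardable_headers(headers: dict[str, str], body: bytes) -> dict[str, str]:
    """Drop hop-by-hop headers and pin Content-Length to the buffered body so each
    backend receives the same complete request (no chunked re-framing surprises)."""
    out = {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}
    out["Content-Length"] = str(len(body))
    return out


def http_sender(host: str, port: int, timeout: float = 5.0) -> Sender:
    """Sender that delivers a request over plain HTTP to host:port (assumed to be
    the trusted local segment the poster describes; use HTTPSConnection otherwise)."""
    def send(req: Request) -> Response:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(req.method, req.path, body=req.body,
                         headers=forwardable_headers(req.headers, req.body))
            resp = conn.getresponse()
            return Response(resp.status, dict(resp.getheaders()), resp.read())
        finally:
            conn.close()
    return send


def tee_request(req: Request, primary: Sender, shadow: Sender,
                shadow_log: list[Response] | None = None,
                shadow_timeout: float = 2.0) -> Response:
    """Send req to both backends concurrently; return only the primary's response.

    The shadow's answer is appended to shadow_log (or dropped). A shadow error or
    timeout is logged, never propagated, so the second host cannot break the
    primary path or delay it beyond shadow_timeout.
    """
    got: list[Response] = []

    def run_shadow() -> None:
        try:
            got.append(shadow(req))
        except Exception as exc:  # best-effort mirror: swallow, but record
            log.warning("shadow backend failed: %s", exc)

    worker = threading.Thread(target=run_shadow, daemon=True)
    worker.start()
    primary_resp = primary(req)
    worker.join(shadow_timeout)
    if worker.is_alive():
        log.warning("shadow backend did not answer within %.1fs", shadow_timeout)
    elif got and shadow_log is not None:
        shadow_log.append(got[0])
    return primary_resp


# Constructed sample request, as the filter would see it after httpd has removed TLS.
SAMPLE_RAW = (b"POST /ingest HTTP/1.1\r\nHost: collector.example\r\n"
              b"Connection: keep-alive\r\nContent-Type: application/json\r\n"
              b"Content-Length: 17\r\n\r\n{\"event\": \"ping\"}")
```

In practice the primary Sender would be httpd's own proxy path to Tomcat (or mod_proxy pointed at this as a local hop) and http_sender("shadow-vm", 8080) the second VM. Two caveats follow from the design: the shadow receives the decrypted request verbatim, cookies and credentials included, so it must be trusted exactly as much as the primary; and the shadow's response is recorded only, never merged, so a 500 from the second VM shows up in shadow_log but is invisible to the client.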


Re: [users@httpd] "tee" SSL traffic?

Posted by John Oliver <jo...@john-oliver.net>.
On Wed, Apr 08, 2009 at 04:16:32PM -0400, Eric Covener wrote:
> On Wed, Apr 8, 2009 at 1:37 PM, John Oliver <jo...@john-oliver.net> wrote:
> > Is it possible for an instance of httpd to basically copy all traffic it
> > receives to another instance of httpd on another host?
> 
> No -- You want something much lower-level, like a TCP tunnel or a load
> balancer. Apache will always decrypt/re-encrypt if you put it between
> a client and an SSL origin server.

It would actually be quite OK for httpd to decrypt the traffic first,
since it'll be sent to one other host, on a local segment, re-encrypted
by a private keypair.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************



Re: [users@httpd] "tee" SSL traffic?

Posted by Eric Covener <co...@gmail.com>.
On Wed, Apr 8, 2009 at 1:37 PM, John Oliver <jo...@john-oliver.net> wrote:
> Is it possible for an instance of httpd to basically copy all traffic it
> receives to another instance of httpd on another host?

No -- You want something much lower-level, like a TCP tunnel or a load
balancer. Apache will always decrypt/re-encrypt if you put it between
a client and an SSL origin server.

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] "tee" SSL traffic?

Posted by John Oliver <jo...@john-oliver.net>.
On Wed, Apr 08, 2009 at 07:56:39PM +0200, André Warnier wrote:
> Ok, part of my answer below is because I missed the subject of your 
> post. It still does not seem to make much sense however, so explain a 
> bit more.
> 
> André Warnier wrote:
> >John Oliver wrote:
> >>Is it possible for an instance of httpd to basically copy all traffic it
> >>receives to another instance of httpd on another host?
> >>
> >As put, the question just deserves a "yes".

Har-dee-har... :-)

> >I'll be nice though :
> >That's certainly possible, most of the time. But why would you want to 
> >do that, rather than just direct the traffic to the other host in the 
> >first place ? I mean, on the face of it, it would just add overhead.
> >
> >If you want finer answers, you'll have to provide a bit more detail, 
> >such as
> >- is this httpd an Apache httpd, which one, which platform ?
> >- what are you trying to achieve, and maybe why ?
> >- is there something that prevents requests going to the other host 
> >directly ?

httpd-2.2.3-11.el5_2.4 on RHEL5

I'm afraid that going into "why" is going to not be relevant to the
answer, and will probably evoke a lot of, "Well, that's just silly!",
but...

I'm dealing with a Java web application that accepts data from one
source, formats it, and sends it off to a destination.  The app is
hardcoded to send to one destination... yes, that sucks, but that's the
way it is, and nobody has time to untangle it.  The source is going to
send data to one IP.  Yes, they could send to 2, but they won't, I don't
know why, and it would take weeks to go through US government bureaucracy
to find out why with little hope of changing that.  But, we want to make
the formatted data available to two different messaging buses.  So, we
would like one instance of httpd to not only proxy the traffic in to
Tomcat, but also "copy" it off to a second VM that runs another instance
of the app, which will format the data and send it off to a second
messaging bus.

I know folks are going to be screaming that this is all wrong, the app
sucks, the *real* answer is to do X Y or Z... but we have a deadline,
and I was hoping to do this in httpd rather than have one of the
developers cobble up the code to do this at the application layer.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************



Re: [users@httpd] "tee" SSL traffic?

Posted by André Warnier <aw...@ice-sa.com>.
Ok, part of my answer below is because I missed the subject of your 
post. It still does not seem to make much sense however, so explain a 
bit more.

André Warnier wrote:
> John Oliver wrote:
>> Is it possible for an instance of httpd to basically copy all traffic it
>> receives to another instance of httpd on another host?
>>
> As put, the question just deserves a "yes".
> 
> I'll be nice though :
> That's certainly possible, most of the time. But why would you want to 
> do that, rather than just direct the traffic to the other host in the 
> first place ? I mean, on the face of it, it would just add overhead.
> 
> If you want finer answers, you'll have to provide a bit more detail, 
> such as
> - is this httpd an Apache httpd, which one, which platform ?
> - what are you trying to achieve, and maybe why ?
> - is there something that prevents requests going to the other host 
> directly ?
> 




Re: [users@httpd] "tee" SSL traffic?

Posted by André Warnier <aw...@ice-sa.com>.
John Oliver wrote:
> Is it possible for an instance of httpd to basically copy all traffic it
> receives to another instance of httpd on another host?
> 
As put, the question just deserves a "yes".

I'll be nice though :
That's certainly possible, most of the time. But why would you want to 
do that, rather than just direct the traffic to the other host in the 
first place ? I mean, on the face of it, it would just add overhead.

If you want finer answers, you'll have to provide a bit more detail, 
such as
- is this httpd an Apache httpd, which one, which platform ?
- what are you trying to achieve, and maybe why ?
- is there something that prevents requests going to the other host 
directly ?
