Posted to users@httpd.apache.org by Tom Browder <to...@gmail.com> on 2022/02/21 16:11:16 UTC

[users@httpd] Re: Reverse proxy for TLS connections

On Sun, Feb 20, 2022 at 06:30 Tom Browder <to...@gmail.com> wrote:

> I am trying to integrate some Raku (formerly Perl 6) code to handle post
> TLS inputs (decrypted data) to one of my websites. How can I get access to
> the decrypted input via a reverse proxy?


I think I see that can be done using RewriteCond and friends somehow.

Any examples around?

-Tom

Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Tom Browder <to...@gmail.com>.
On Wed, Feb 23, 2022 at 16:04 Eric Covener <co...@gmail.com> wrote:
...

> It could be, the full unredacted error_log entries might have more details.
> I would test with curl/wget on the proxy and make sure the backend is
> reachable. If curl/wget don't work, the proxy server isn't going to
> work.


SOLVED

The reverse proxy setup was fine. My problem was my Raku listener program
on the backend was tied to localhost instead of the public IP address.
(Solved by Geoffrey Broadwell on IRC #cro.)

Now I need the reverse proxy to handle multiple virtual hosts on the same
IP using SNI.

I'll attempt that in another email.

Thank you very much, Eric.

Cheers!

-Tom
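
The bind-address mismatch described in the message above can be checked from the output of `ss -ltn` on the backend host. This is an added example, not code from the thread; the function name `listener_covers`, the sample `ss` output, and the address 203.0.113.10 (standing in for the public IP the site name resolves to) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ss -ltn` output on stdin and
# reports whether a listener on <port> accepts connections addressed to
# <target_ip>, i.e. the address the ProxyPass hostname resolves to.
# Prints: covered | no-listener | not-covered:<bound addresses>
listener_covers() {
    awk -v target="$1" -v port="$2" '
        $1 == "LISTEN" {
            addr = $4
            p = addr; sub(/.*:/, "", p)       # port is the text after the last colon
            if (p != port) next
            sub(/:[0-9]+$/, "", addr)         # drop ":port"
            sub(/%.*$/, "", addr)             # drop an interface scope such as %lo
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
            v6 = (target ~ /:/)
            if (addr == target || addr == "*" ||
                (!v6 && addr == "0.0.0.0") || (v6 && addr == "::"))
                hit = 1
            bound = bound (bound != "" ? "," : "") addr
        }
        END {
            if (hit)              print "covered"
            else if (bound != "") print "not-covered:" bound
            else                  print "no-listener"
        }'
}

# Constructed sample: the backend is bound to loopback only, while httpd
# listens on every address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128        127.0.0.1:10000     0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      511             [::]:443          [::]:*'

# Proxying to the public name: nothing answers on that address (AH00957).
printf '%s\n' "$SAMPLE_SS" | listener_covers 203.0.113.10 10000
# Proxying to loopback instead reaches the same listener.
printf '%s\n' "$SAMPLE_SS" | listener_covers 127.0.0.1 10000
```

On a live host, pipe `ss -ltn` into the function. A backend bound to the public address serves the decrypted traffic in plaintext on port 10000 to anything that can reach it, so when httpd and the backend share a host, a loopback ProxyPass target or a firewall rule for that port keeps it internal.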

Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Eric Covener <co...@gmail.com>.
On Wed, Feb 23, 2022 at 5:01 PM Tom Browder <to...@gmail.com> wrote:
>
> On Wed, Feb 23, 2022 at 06:03 Tom Browder <to...@gmail.com> wrote:
> …
>>
>> I seem to be making some progress. I can get an A from SSL Labs, but I'm getting a 503 response when I try to go to the website directly (https://gbumc.church).
>
>
> I turned on DumpIO input and output and see the following pairs of errors for any attempt to access the proxied site:
>
>     … AH00957: http: attempt to connect to  …:10000 (gbumc.church) failed
>     … AH01114: HTTP: failed to make connection to backend: gbumc.church
>
> Could that be a firewall issue for port 10000 even though it’s an internal use?

It could be, the full unredacted error_log entries might have more details.
I would test with curl/wget on the proxy and make sure the backend is
reachable. If curl/wget don't work, the proxy server isn't going to
work.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Tom Browder <to...@gmail.com>.
On Wed, Feb 23, 2022 at 06:03 Tom Browder <to...@gmail.com> wrote:
…

> I seem to be making some progress. I can get an A from SSL Labs, but I'm
> getting a 503 response when I try to go to the website directly
> (https://gbumc.church).
>

I turned on DumpIO input and output and see the following pairs of errors for
any attempt to access the proxied site:

    … AH00957: http: attempt to connect to  …:10000 (gbumc.church) failed
    … AH01114: HTTP: failed to make connection to backend: gbumc.church

Could that be a firewall issue for port 10000 even though it’s an internal
use?

-Tom

Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Tom Browder <to...@gmail.com>.
On Tue, Feb 22, 2022 at 12:16 Tom Browder <to...@gmail.com> wrote:

> On Tue, Feb 22, 2022 at 11:59 Eric Covener <co...@gmail.com> wrote:
> ...
>
>> The server decrypts incoming requests the same way regardless of how
>> it will later handle the request (static file, CGI, proxy).
>
>
> Okay, thanks. I'll head in that direction and see if I can get it all to
> work.
>

I seem to be making some progress. I can get an A from SSL Labs, but I'm
getting a 503 response when I try to go to the website directly
(https://gbumc.church).

I'm presently using the following proxy lines for the site:

    ProxyPass "/" "http://gbumc.church:10000/"
    ProxyPassReverse "/" "http://gbumc.church:10000/"

Is there any problem with that syntax? If not I assume the problem is with
the code on the backend.

Thanks.

-Tom

Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Tom Browder <to...@gmail.com>.
On Tue, Feb 22, 2022 at 11:59 Eric Covener <co...@gmail.com> wrote:
...

> The server decrypts incoming requests the same way regardless of how
> it will later handle the request (static file, CGI, proxy).


Okay, thanks. I'll head in that direction and see if I can get it all to
work.

Thank you very much, Eric, for your patience and help.

-Tom

Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Eric Covener <co...@gmail.com>.
On Tue, Feb 22, 2022 at 12:43 PM Tom Browder <to...@gmail.com> wrote:
>
> On Tue, Feb 22, 2022 at 09:50 Eric Covener <co...@gmail.com> wrote:
>>
>> On Tue, Feb 22, 2022 at 10:44 AM Tom Browder <to...@gmail.com> wrote:
>> >
>> > On Mon, Feb 21, 2022 at 13:34 Tom Browder <to...@gmail.com> wrote:
>> >>
>> >> On Mon, Feb 21, 2022 at 10:16 Eric Covener <co...@gmail.com> wrote:
>> >
>> >
>> > Let me try to rephrase the situation and question:
>> >
>> > If I use a reverse proxy as in the basic example in the docs, does that handle https traffic also? Or do the "http://www.example.com" lines have to be written as "https://www.example.com"?
>>
>> That argument affects whether the request sent from the proxy to the
>> backend uses HTTPS.
>> It's independent of the connection between the client and the proxy
>> server. If the client connection used HTTPS, its data is decrypted prior
>> to any module (other than mod_ssl) seeing any of the data.
>
>
> I neglected to say those lines were inside a virtual host with SSL on. So how does that affect the same situation?

It means the frontend connection will use SSL.

The server decrypts incoming requests the same way regardless of how
it will later handle the request (static file, CGI, proxy).



Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Tom Browder <to...@gmail.com>.
On Tue, Feb 22, 2022 at 09:50 Eric Covener <co...@gmail.com> wrote:

> On Tue, Feb 22, 2022 at 10:44 AM Tom Browder <to...@gmail.com>
> wrote:
> >
> > On Mon, Feb 21, 2022 at 13:34 Tom Browder <to...@gmail.com> wrote:
> >>
> >> On Mon, Feb 21, 2022 at 10:16 Eric Covener <co...@gmail.com> wrote:
> >
> >
> > Let me try to rephrase the situation and question:
> >
> > If I use a reverse proxy as in the basic example in the docs, does that
> > handle https traffic also? Or do the "http://www.example.com" lines
> > have to be written as "https://www.example.com"?
>
> That argument affects whether the request sent from the proxy to the
> backend uses HTTPS.
> It's independent of the connection between the client and the proxy
> server. If the client connection used HTTPS, its data is decrypted prior
> to any module (other than mod_ssl) seeing any of the data.


I neglected to say those lines were inside a virtual host with SSL on. So
how does that affect the same situation?

-Tom

Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Eric Covener <co...@gmail.com>.
On Tue, Feb 22, 2022 at 10:44 AM Tom Browder <to...@gmail.com> wrote:
>
> On Mon, Feb 21, 2022 at 13:34 Tom Browder <to...@gmail.com> wrote:
>>
>> On Mon, Feb 21, 2022 at 10:16 Eric Covener <co...@gmail.com> wrote:
>
>
> Let me try to rephrase the situation and question:
>
> If I use a reverse proxy as in the basic example in the docs, does that handle https traffic also? Or do the "http://www.example.com" lines have to be written as "https://www.example.com"?

That argument affects whether the request sent from the proxy to the
backend uses HTTPS.
It's independent of the connection between the client and the proxy
server. If the client connection used HTTPS, its data is decrypted prior
to any module (other than mod_ssl) seeing any of the data.



Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Tom Browder <to...@gmail.com>.
On Mon, Feb 21, 2022 at 13:34 Tom Browder <to...@gmail.com> wrote:

> On Mon, Feb 21, 2022 at 10:16 Eric Covener <co...@gmail.com> wrote:


Let me try to rephrase the situation and question:

If I use a reverse proxy as in the basic example in the docs, does that
handle https traffic also? Or do the "http://www.example.com" lines
have to be written as "https://www.example.com"?

Thanks.

-Tom

Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Tom Browder <to...@gmail.com>.
On Mon, Feb 21, 2022 at 10:16 Eric Covener <co...@gmail.com> wrote:
...
> > I think I see that can be done using RewriteCond and friends somehow.
>
> It is not clear what you're asking about. Can you describe the
> topology in more detail and clarify what "input" (a header? a request
> body?) you need and where if anywhere your code runs today.

I am trying to get all TLS traffic to one virtual host decrypted prior
to hand off to the reverse proxy chosen port and have responses
re-encrypted. If I can do that, I can have a Raku program listening
on that port and reply to inputs.

I think I've found a solution here:
<https://seeq.atlassian.net/wiki/spaces/KB/pages/116188360/Apache+Reverse+Proxy+for+HTTPS+on+Ubuntu>

Best regards,

-Tom



Re: [users@httpd] Re: Reverse proxy for TLS connections

Posted by Eric Covener <co...@gmail.com>.
On Mon, Feb 21, 2022 at 11:11 AM Tom Browder <to...@gmail.com> wrote:
>
> On Sun, Feb 20, 2022 at 06:30 Tom Browder <to...@gmail.com> wrote:
>>
>> I am trying to integrate some Raku (formerly Perl 6) code to handle post TLS inputs (decrypted data) to one of my websites. How can I get access to the decrypted input via a reverse proxy?
>
>
> I think I see that can be done using RewriteCond and friends somehow.

It is not clear what you're asking about. Can you describe the
topology in more detail and clarify what "input" (a header? a request
body?) you need and where if anywhere your code runs today.
