You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by James Ellis <el...@hotmail.com> on 2008/03/18 18:38:36 UTC

[users@httpd] Reverse Proxy HTTPS

I am trying to get a reverse proxy working for the following architecture:
Browser -->  HTTPS --> ServerA --> HTTPS --> Server B
I can get a half-a$$ solution working like this:
 
<VirtualHost _default_:443>SSLProxyEngine onSSLEngine onSSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.crt"SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key"ProxyPass /clustertest   https://XXX.XXX.X.XXX:444/clustertest</VirtualHost>                  
                
...but this isn't exactly how I want it.  It's taking the certificate from ServerA and encrypting request, but then creating a new SSL session to talk to ServerB.  
 
I would like to be able to take the certificate from ServerB, encrypt the request and have ServerA just "pass on" the whole encrypted request to ServerB.
 
Is this possible?
 
I followed the instructions in this link:  http://mail-archives.apache.org/mod_mbox/httpd-users/200605.mbox/%3C6ed6382b0605180048k4db72569gfee97d6ecd87cf9f@mail.gmail.com%3E
...but to no avail.  I keep getting the "Invalid method in request \x16\x03\x01" error which makes me think that ServerA is saying "why isn't this request encrypted...this must be an error".

Re: [users@httpd] Reverse Proxy HTTPS

Posted by Joshua Slive <jo...@slive.ca>.

On Tue, Mar 18, 2008 at 2:54 PM, James Ellis <el...@hotmail.com> wrote:
>
>  Joshua,
>
>  Thank you for your feedback.
>
>
>  > You can do simple port-forwarding (not HTTP proxying) to pass along
> > the encrypted stream, but then you have to do it for the whole server,
> > not just the /clustertest path.
>
>  Could you tell me which modules in Apache I'd use for port forwarding?

You wouldn't do that in apache. Your firewall or OS most likely has
simple tools to forward ports.

But be careful here as well: your client must believe it is talking to
serverB in order to use the right certificate, even if the connection
goes through serverA.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

RE: [users@httpd] Reverse Proxy HTTPS

Posted by James Ellis <el...@hotmail.com>.

Joshua,
 
Thank you for your feedback. 
 
> You can do simple port-forwarding (not HTTP proxying) to pass along> the encrypted stream, but then you have to do it for the whole server,> not just the /clustertest path.
Could you tell me which modules in Apache I'd use for port forwarding?Thanks,Jim
 
 
 
> Date: Tue, 18 Mar 2008 14:41:28 -0400> From: joshua@slive.ca> To: users@httpd.apache.org> Subject: Re: [users@httpd] Reverse Proxy HTTPS> > On Tue, Mar 18, 2008 at 1:38 PM, James Ellis <el...@hotmail.com> wrote:> >> > I am trying to get a reverse proxy working for the following architecture:> >> > Browser --> HTTPS --> ServerA --> HTTPS --> Server B> >> > I can get a half-a$$ solution working like this:> >> > <VirtualHost _default_:443>> > SSLProxyEngine on> > SSLEngine on> > SSLCertificateFile "C:/Program Files/Apache Software> > Foundation/Apache2.2/conf/server.crt"> > SSLCertificateKeyFile "C:/Program Files/Apache Software> > Foundation/Apache2.2/conf/server.key"> > ProxyPass /clustertest https://XXX.XXX.X.XXX:444/clustertest> > </VirtualHost>> >> > ...but this isn't exactly how I want it. It's taking the certificate from> > ServerA and encrypting request, but then creating a new SSL session to talk> > to ServerB.> >> > I would like to be able to take the certificate from ServerB, encrypt the> > request and have ServerA just "pass on" the whole encrypted request to> > ServerB.> >> > Is this possible?> > What you want can't work because the path information is inside the> encrypted request and that will only be available to ServerA if it> decrypts the request.> > You can do simple port-forwarding (not HTTP proxying) to pass along> the encrypted stream, but then you have to do it for the whole server,> not just the /clustertest path.> > Joshua.> > ---------------------------------------------------------------------> The official User-To-User support forum of the Apache HTTP Server Project.> See <URL:http://httpd.apache.org/userslist.html> for more info.> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org> " from the digest: users-digest-unsubscribe@httpd.apache.org> For additional commands, e-mail: users-help@httpd.apache.org>

Re: [users@httpd] Reverse Proxy HTTPS

Posted by Joshua Slive <jo...@slive.ca>.

On Tue, Mar 18, 2008 at 1:38 PM, James Ellis <el...@hotmail.com> wrote:
>
>  I am trying to get a reverse proxy working for the following architecture:
>
> Browser -->  HTTPS --> ServerA --> HTTPS --> Server B
>
> I can get a half-a$$ solution working like this:
>
>  <VirtualHost _default_:443>
> SSLProxyEngine on
> SSLEngine on
> SSLCertificateFile "C:/Program Files/Apache Software
> Foundation/Apache2.2/conf/server.crt"
> SSLCertificateKeyFile "C:/Program Files/Apache Software
> Foundation/Apache2.2/conf/server.key"
> ProxyPass /clustertest   https://XXX.XXX.X.XXX:444/clustertest
> </VirtualHost>
>
>  ...but this isn't exactly how I want it.  It's taking the certificate from
> ServerA and encrypting request, but then creating a new SSL session to talk
> to ServerB.
>
>  I would like to be able to take the certificate from ServerB, encrypt the
> request and have ServerA just "pass on" the whole encrypted request to
> ServerB.
>
>  Is this possible?

What you want can't work because the path information is inside the
encrypted request and that will only be available to ServerA if it
decrypts the request.

You can do simple port-forwarding (not HTTP proxying) to pass along
the encrypted stream, but then you have to do it for the whole server,
not just the /clustertest path.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org