You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Daniel Frank <da...@gmail.com> on 2017/02/27 23:16:48 UTC
[users@httpd] Forward Proxy on behalf of the client instead of as a tunnel
All,
I am trying to set Apache up as a forward proxy to help solve an issue that
we have where an HTTP Client in our application does not support TLS 1.2
but an API that we need to consume only supports TLS 1.2. What I am
attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but
allow my internal client to talk to the proxy over HTTP.
I had it in my head that this was what a forward proxy was going to give me
so after having set up a forward proxy and configuring my application to
use it I was surprised to see that I was getting exactly the same behavior
that I was getting when I had no proxy configured (failure of my internal
client to speak TLS 1.2).
So my question is; can Apache be configured as a FORWARD proxy to speak
HTTP with the caller but HTTPS to the callee?
I have spent a lot of time searching and I did check the mailing list
archives but it's entirely possible that I just dont even know what to
search for to get a good answer so if this is a dumb question I sincerely
apologize for wasting the groups time.
Thanks in advance for any help.
-Dan
Re: [users@httpd] Forward Proxy on behalf of the client instead of as a tunnel
Posted by Marat Khalili <mk...@rqc.ru>.
> I spent some time looking at the P option for mod_rewrite but I got the impression that it would only work in the case of the reverse proxy situation. I was not able to get it to work but I wanted to make sure you thought there was potential for that to help with my forward proxy issue before I spent a lot more time on it.
I think it's a matter of definitions: I'd call it forward proxy already if client decides what services to connect to, and proxy server is specified on it as, well, proxy. In any case, it does not matter much how you call it.
In your case you'll need rather simple rewrite rule that changes URLs of all requests from http to https, with P option, and that's all. It is hard to say more without doing experiments.
--
With Best Regards,
Marat Khalili
Re: [users@httpd] Forward Proxy on behalf of the client instead of as
a tunnel
Posted by Daniel Frank <da...@gmail.com>.
Marat,
Thank you again for your response. You are correct, I cannot enumerate all
of the targets because we do not know about any of them and they could
potentially be any IP or URI reachable by the system.
I spent some time looking at the P option for mod_rewrite but I got the
impression that it would only work in the case of the reverse proxy
situation. I was not able to get it to work but I wanted to make sure you
thought there was potential for that to help with my forward proxy issue
before I spent a lot more time on it.
-Dan
On Tue, Feb 28, 2017 at 11:05 AM, Marat Khalili <mk...@rqc.ru> wrote:
> Solution using reverse proxy does not require any control over proxied
> services, but you'll need to enumerate them all in your proxy
> configuration. Proxy will discriminate requests by hostname and port and
> forward them to specified services. This will give you additional control
> and security at the cost of management overhead.
>
> If you cannot or wish not enumerate all your target services, looks like
> you can use "P" option of mod_rewrite: https://httpd.apache.org/docs/
> 2.4/rewrite/flags.html#flag_p . I do not have much experience with it,
> but it might work.
> --
>
> With Best Regards,
> Marat Khalili
>
> On February 28, 2017 6:39:38 PM GMT+03:00, Daniel Frank <
> danthehitman@gmail.com> wrote:
>>
>> I see how my original question made it sound like a single service. I
>> was trying to keep the scenario as simple as possible and probably over
>> simplified it. The reality is that the endpoint we will be connecting to
>> will be many appliances at many different IPs.
>>
>> Regarding using a reverse proxy, even if it were one service I dont see
>> how the reverse proxy would work since we dont control that service or
>> where it is running. Maybe I am misunderstanding how the reverse proxy
>> works as well.
>>
>> Thanks for the response. Regarding the original question, is what I am
>> asking possible?
>>
>> -Dan
>>
>> On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili <mk...@rqc.ru> wrote:
>>
>>> Why are you calling it _forward_ proxy if it's only going to connect to
>>> one service? Your problem can easily be solved with _reverse_ proxy.
>>>
>>> --
>>>
>>> With Best Regards,
>>> Marat Khalili
>>>
>>> On 28/02/17 02:16, Daniel Frank wrote:
>>>
>>> All,
>>>
>>> I am trying to set Apache up as a forward proxy to help solve an issue
>>> that we have where an HTTP Client in our application does not support TLS
>>> 1.2 but an API that we need to consume only supports TLS 1.2. What I am
>>> attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but
>>> allow my internal client to talk to the proxy over HTTP.
>>>
>>> I had it in my head that this was what a forward proxy was going to give
>>> me so after having set up a forward proxy and configuring my application to
>>> use it I was surprised to see that I was getting exactly the same behavior
>>> that I was getting when I had no proxy configured (failure of my internal
>>> client to speak TLS 1.2).
>>>
>>> So my question is; can Apache be configured as a FORWARD proxy to speak
>>> HTTP with the caller but HTTPS to the callee?
>>>
>>> I have spent a lot of time searching and I did check the mailing list
>>> archives but it's entirely possible that I just dont even know what to
>>> search for to get a good answer so if this is a dumb question I sincerely
>>> apologize for wasting the groups time.
>>>
>>> Thanks in advance for any help.
>>>
>>> -Dan
>>>
>>>
>>>
>>
Re: [users@httpd] Forward Proxy on behalf of the client instead of as a tunnel
Posted by Marat Khalili <mk...@rqc.ru>.
Solution using reverse proxy does not require any control over proxied services, but you'll need to enumerate them all in your proxy configuration. Proxy will discriminate requests by hostname and port and forward them to specified services. This will give you additional control and security at the cost of management overhead.
If you cannot or wish not enumerate all your target services, looks like you can use "P" option of mod_rewrite: https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_p . I do not have much experience with it, but it might work.
--
With Best Regards,
Marat Khalili
On February 28, 2017 6:39:38 PM GMT+03:00, Daniel Frank <da...@gmail.com> wrote:
>I see how my original question made it sound like a single service. I
>was
>trying to keep the scenario as simple as possible and probably over
>simplified it. The reality is that the endpoint we will be connecting
>to
>will be many appliances at many different IPs.
>
>Regarding using a reverse proxy, even if it were one service I dont see
>how
>the reverse proxy would work since we dont control that service or
>where it
>is running. Maybe I am misunderstanding how the reverse proxy works as
>well.
>
>Thanks for the response. Regarding the original question, is what I am
>asking possible?
>
>-Dan
>
>On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili <mk...@rqc.ru> wrote:
>
>> Why are you calling it _forward_ proxy if it's only going to connect
>to
>> one service? Your problem can easily be solved with _reverse_ proxy.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 28/02/17 02:16, Daniel Frank wrote:
>>
>> All,
>>
>> I am trying to set Apache up as a forward proxy to help solve an
>issue
>> that we have where an HTTP Client in our application does not support
>TLS
>> 1.2 but an API that we need to consume only supports TLS 1.2. What I
>am
>> attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target
>API but
>> allow my internal client to talk to the proxy over HTTP.
>>
>> I had it in my head that this was what a forward proxy was going to
>give
>> me so after having set up a forward proxy and configuring my
>application to
>> use it I was surprised to see that I was getting exactly the same
>behavior
>> that I was getting when I had no proxy configured (failure of my
>internal
>> client to speak TLS 1.2).
>>
>> So my question is; can Apache be configured as a FORWARD proxy to
>speak
>> HTTP with the caller but HTTPS to the callee?
>>
>> I have spent a lot of time searching and I did check the mailing list
>> archives but it's entirely possible that I just dont even know what
>to
>> search for to get a good answer so if this is a dumb question I
>sincerely
>> apologize for wasting the groups time.
>>
>> Thanks in advance for any help.
>>
>> -Dan
>>
>>
>>
Re: [users@httpd] Forward Proxy on behalf of the client instead of as
a tunnel
Posted by Daniel Frank <da...@gmail.com>.
I see how my original question made it sound like a single service. I was
trying to keep the scenario as simple as possible and probably over
simplified it. The reality is that the endpoint we will be connecting to
will be many appliances at many different IPs.
Regarding using a reverse proxy, even if it were one service I dont see how
the reverse proxy would work since we dont control that service or where it
is running. Maybe I am misunderstanding how the reverse proxy works as
well.
Thanks for the response. Regarding the original question, is what I am
asking possible?
-Dan
On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili <mk...@rqc.ru> wrote:
> Why are you calling it _forward_ proxy if it's only going to connect to
> one service? Your problem can easily be solved with _reverse_ proxy.
>
> --
>
> With Best Regards,
> Marat Khalili
>
> On 28/02/17 02:16, Daniel Frank wrote:
>
> All,
>
> I am trying to set Apache up as a forward proxy to help solve an issue
> that we have where an HTTP Client in our application does not support TLS
> 1.2 but an API that we need to consume only supports TLS 1.2. What I am
> attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but
> allow my internal client to talk to the proxy over HTTP.
>
> I had it in my head that this was what a forward proxy was going to give
> me so after having set up a forward proxy and configuring my application to
> use it I was surprised to see that I was getting exactly the same behavior
> that I was getting when I had no proxy configured (failure of my internal
> client to speak TLS 1.2).
>
> So my question is; can Apache be configured as a FORWARD proxy to speak
> HTTP with the caller but HTTPS to the callee?
>
> I have spent a lot of time searching and I did check the mailing list
> archives but it's entirely possible that I just dont even know what to
> search for to get a good answer so if this is a dumb question I sincerely
> apologize for wasting the groups time.
>
> Thanks in advance for any help.
>
> -Dan
>
>
>
Re: [users@httpd] Forward Proxy on behalf of the client instead of as
a tunnel
Posted by Daniel Frank <da...@gmail.com>.
I see how my original question made it sound like a single service. I was
trying to keep the scenario as simple as possible and probably over
simplified it. The reality is that the endpoint we will be connecting to
will be many appliances at many different IPs.
Regarding using a reverse proxy, even if it were one service I dont see how
the reverse proxy would work since we dont control that service or where it
is running. Maybe I am misunderstanding how the reverse proxy works as
well.
Thanks for the response. Regarding the original question, is what I am
asking possible?
-Dan
On Tue, Feb 28, 2017 at 8:09 AM, Daniel Frank <da...@comcast.net>
wrote:
> I see how my original question made it sound like a single service. I was
> trying to keep the scenario as simple as possible and probably over
> simplified it. The reality is that the endpoint we will be connecting to
> will be many appliances at many different IPs.
>
> Regarding using a reverse proxy, even if it were one service I dont see
> how the reverse proxy would work since we dont control that service or
> where it is running. Maybe I am misunderstanding how the reverse proxy
> works as well.
>
> Thanks for the response. Regarding the original question, is what I am
> asking possible?
>
> -Dan
>
> On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili <mk...@rqc.ru> wrote:
>
>> Why are you calling it _forward_ proxy if it's only going to connect to
>> one service? Your problem can easily be solved with _reverse_ proxy.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 28/02/17 02:16, Daniel Frank wrote:
>>
>> All,
>>
>> I am trying to set Apache up as a forward proxy to help solve an issue
>> that we have where an HTTP Client in our application does not support TLS
>> 1.2 but an API that we need to consume only supports TLS 1.2. What I am
>> attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but
>> allow my internal client to talk to the proxy over HTTP.
>>
>> I had it in my head that this was what a forward proxy was going to give
>> me so after having set up a forward proxy and configuring my application to
>> use it I was surprised to see that I was getting exactly the same behavior
>> that I was getting when I had no proxy configured (failure of my internal
>> client to speak TLS 1.2).
>>
>> So my question is; can Apache be configured as a FORWARD proxy to speak
>> HTTP with the caller but HTTPS to the callee?
>>
>> I have spent a lot of time searching and I did check the mailing list
>> archives but it's entirely possible that I just dont even know what to
>> search for to get a good answer so if this is a dumb question I sincerely
>> apologize for wasting the groups time.
>>
>> Thanks in advance for any help.
>>
>> -Dan
>>
>>
>>
>
Re: [users@httpd] Forward Proxy on behalf of the client instead of as
a tunnel
Posted by Marat Khalili <mk...@rqc.ru>.
Why are you calling it _forward_ proxy if it's only going to connect to
one service? Your problem can easily be solved with _reverse_ proxy.
--
With Best Regards,
Marat Khalili
On 28/02/17 02:16, Daniel Frank wrote:
> All,
>
> I am trying to set Apache up as a forward proxy to help solve an issue
> that we have where an HTTP Client in our application does not support
> TLS 1.2 but an API that we need to consume only supports TLS 1.2.
> What I am attempting to do is use Apache to talk HTTPS/TLS 1.2 to the
> target API but allow my internal client to talk to the proxy over HTTP.
>
> I had it in my head that this was what a forward proxy was going to
> give me so after having set up a forward proxy and configuring my
> application to use it I was surprised to see that I was getting
> exactly the same behavior that I was getting when I had no proxy
> configured (failure of my internal client to speak TLS 1.2).
>
> So my question is; can Apache be configured as a FORWARD proxy to
> speak HTTP with the caller but HTTPS to the callee?
>
> I have spent a lot of time searching and I did check the mailing list
> archives but it's entirely possible that I just dont even know what to
> search for to get a good answer so if this is a dumb question I
> sincerely apologize for wasting the groups time.
>
> Thanks in advance for any help.
>
> -Dan