Posted to users@httpd.apache.org by mortee <mo...@kavemalna.hu> on 2011/09/08 11:41:46 UTC

[users@httpd] Re: mod_proxy SSL forward proxy

Hello,

Is there a way to enable both SSLEngine and plain HTTP forward proxying 
on the same port / virtual host?

To be specific, I want my Apache to serve usual HTTPS on port 443, but
also act as a proxy server using the ProxyRequests directive on the same
port. That's because I don't have another IP address so I have to use
the same, and I want to use my server for CONNECT tunneling, which is
restricted to port 443 by the corporate firewall.

thx
mortee

On 08/24/2011 14:56, Bill Moseley wrote:
> On Wed, Aug 24, 2011 at 2:14 PM, Björn Zettergren
> <bjorn.zettergren@basefarm.se <ma...@basefarm.se>> wrote:
>
>     Hi Bill,
>
>     I tried your config and I can recreate your problem. But as Eric
>     just said in another mail, your browser is not using https to speak
>     to https proxy. And I verified that wget speaks http when you point
>     out the "https_proxy" environment variable.
>
>
>
> Ah, ok.  I saw the CONNECT in a wireshark trace and just assumed I
> needed SSL enabled.   Turning off SSLEngine and all works as expected.
>
> Thanks,


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: mod_proxy SSL forward proxy

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/21/2011 5:32 PM, mortee wrote:
> 
> Any ideas about this topic?
> 
> On 09/08/2011 11:41, mortee wrote:
>>
>> Hello,
>>
>> Is there a way to enable both SSLEngine and plain HTTP forward proxying
>> on the same port / virtual host?
>>
>> To be specific, I want my Apache to serve usual HTTPS on port 443, but
>> also act as a proxy server using the ProxyRequests directive on the same
>> port. That's because I don't have another IP address so I have to use
>> the same, and I want to use my server for CONNECT tunneling, which is
>> restricted to port 443 by the corporate firewall.

You can only connect to a given port as plain http or as ssl/tls https.

You can enable upgrade on the plain http connection; no (or very few)
browsers support this semantic (rfc2817).

You can CONNECT once you've established any of these connections to
either crypted or unencrypted backends.  You can proxy requests to http,
https, or even ftp servers once you established any of these connections.

So set up 443 as a crypted proxy, end of story.
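
Added example, not part of the original thread or of httpd: the plain-http versus ssl/tls distinction discussed above is visible in the first bytes a client sends, so a capture of port 443 can be checked for clients that speak cleartext CONNECT to a TLS listener. The function names and sample bytes are constructed for illustration.

```python
# Added example (not from the thread): tell a TLS ClientHello from a cleartext
# HTTP request by the first bytes a client sends. All sample bytes are constructed.
METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS",
           b"TRACE", b"PATCH", b"CONNECT")

def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'http', 'http-connect', 'incomplete' or 'unknown'."""
    if data[:1] == b"\x16":
        # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length;
        # the sixth byte is the handshake message type, 0x01 for ClientHello.
        if len(data) < 6:
            return "incomplete"
        return "tls" if data[1] == 0x03 and data[5] == 0x01 else "unknown"
    line, crlf, _ = data.partition(b"\r\n")
    if not crlf:
        # No full request line yet: keep waiting only if it can still become one.
        could_be = any((m + b" ").startswith(data[:len(m) + 1]) for m in METHODS)
        return "incomplete" if could_be else "unknown"
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith(b"HTTP/"):
        return "unknown"
    return "http-connect" if parts[0] == b"CONNECT" else "http"

def cleartext_on_tls_port(first_bytes_by_client: dict) -> list:
    """Names of clients whose first bytes on a TLS port were cleartext HTTP."""
    return [name for name, data in first_bytes_by_client.items()
            if classify_first_bytes(data) in ("http", "http-connect")]

# Constructed first bytes as they might appear in a capture of port 443.
SAMPLES = {
    "browser-https": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03",
    "client-using-https_proxy": b"CONNECT example.org:443 HTTP/1.1\r\n"
                                b"Host: example.org:443\r\n\r\n",
    "plain-get": b"GET http://example.org/ HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "partial": b"CONN",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:26} {classify_first_bytes(data)}")
    print("cleartext on TLS port:", cleartext_on_tls_port(SAMPLES))
```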




Re: [users@httpd] Antw.: [users@httpd] Re: mod_proxy SSL forward proxy

Posted by Tom Evans <te...@googlemail.com>.
On Fri, Sep 23, 2011 at 6:40 AM,  <Ro...@swisscom.com> wrote:
> On 09/22/2011 02:12, Eric Covener wrote:
>> On Wed, Sep 21, 2011 at 6:32 PM, mortee<mo...@kavemalna.hu>  wrote:
>>>
>>> Any ideas about this topic?
>>
>> Can't do it.
>
> Why is it sooo really impossible? It can recognise a plain HTTP request
> attempt on the SSL port, and it can return a reasonable error message.
> Then what's the main reason it can't just handle the request?
>

Patches welcome.



[users@httpd] Antw.: [users@httpd] Re: mod_proxy SSL forward proxy

Posted by Ro...@swisscom.com.

Sent from my HTC

----- Reply message -----
From: "mortee" <mo...@kavemalna.hu>
To: "users@httpd.apache.org" <us...@httpd.apache.org>
Subject: [users@httpd] Re: mod_proxy SSL forward proxy
Date: Fri, Sep 23, 2011 05:02



On 09/22/2011 02:12, Eric Covener wrote:
> On Wed, Sep 21, 2011 at 6:32 PM, mortee<mo...@kavemalna.hu>  wrote:
>>
>> Any ideas about this topic?
>
> Can't do it.

Why is it sooo really impossible? It can recognise a plain HTTP request
attempt on the SSL port, and it can return a reasonable error message.
Then what's the main reason it can't just handle the request?




Re: [users@httpd] Re: mod_proxy SSL forward proxy

Posted by Eric Covener <co...@gmail.com>.
Nobody has spent their time implementing such a thing, so you cannot do it.

On Sep 22, 2011 11:02 PM, "mortee" <mo...@kavemalna.hu> wrote:
>
> On 09/22/2011 02:12, Eric Covener wrote:
>>
>> On Wed, Sep 21, 2011 at 6:32 PM, mortee<mo...@kavemalna.hu> wrote:
>>>
>>>
>>> Any ideas about this topic?
>>
>>
>> Can't do it.
>
>
> Why is it sooo really impossible? It can recognise a plain HTTP request
> attempt on the SSL port, and it can return a reasonable error message. Then
> what's the main reason it can't just handle the request?

[users@httpd] Re: mod_proxy SSL forward proxy

Posted by mortee <mo...@kavemalna.hu>.
On 09/22/2011 02:12, Eric Covener wrote:
> On Wed, Sep 21, 2011 at 6:32 PM, mortee<mo...@kavemalna.hu>  wrote:
>>
>> Any ideas about this topic?
>
> Can't do it.

Why is it sooo really impossible? It can recognise a plain HTTP request 
attempt on the SSL port, and it can return a reasonable error message. 
Then what's the main reason it can't just handle the request?




Re: [users@httpd] Re: mod_proxy SSL forward proxy

Posted by Eric Covener <co...@gmail.com>.
On Wed, Sep 21, 2011 at 6:32 PM, mortee <mo...@kavemalna.hu> wrote:
>
> Any ideas about this topic?

Can't do it.



[users@httpd] Re: mod_proxy SSL forward proxy

Posted by mortee <mo...@kavemalna.hu>.
Any ideas about this topic?

On 09/08/2011 11:41, mortee wrote:
>
> Hello,
>
> Is there a way to enable both SSLEngine and plain HTTP forward proxying
> on the same port / virtual host?
>
> To be specific, I want my Apache to serve usual HTTPS on port 443, but
> also act as a proxy server using the ProxyRequests directive on the same
> port. That's because I don't have another IP address so I have to use
> the same, and I want to use my server for CONNECT tunneling, which is
> restricted to port 443 by the corporate firewall.
>
> thx
> mortee
>
> On 08/24/2011 14:56, Bill Moseley wrote:
>> On Wed, Aug 24, 2011 at 2:14 PM, Björn Zettergren
>> <bjorn.zettergren@basefarm.se <ma...@basefarm.se>>
>> wrote:
>>
>> Hi Bill,
>>
>> I tried your config and I can recreate your problem. But as Eric
>> just said in another mail, your browser is not using https to speak
>> to https proxy. And I verified that wget speaks http when you point
>> out the "https_proxy" environment variable.
>>
>>
>>
>> Ah, ok. I saw the CONNECT in a wireshark trace and just assumed I
>> needed SSL enabled. Turning off SSLEngine and all works as expected.
>>
>> Thanks,


