Posted to users@httpd.apache.org by Stephen Hu <ti...@gmail.com> on 2008/04/24 17:14:47 UTC
[users@httpd] How to encrypt traffic between client and apache proxy server
Hi,
I was trying to set up a forward proxy solution with apache, but via
port 443 (SSL) rather than just via 80. So I hope it should work as in the
following diagram:
Client(IP1:Random) (IP2:443)Apache(IP2:Random) (IP3:443)Web Server
1 |--------SSL Hand Shake-----(443)|
2 |-CONNECT IP3:443 HTTP/1.1->(443)|
3 |----TCP hand shake---(443)|
4 |<-HTTP/1.0 200 Established-(443)|
6 |----------------------SSL Hand Shake------------------(443)|
7 |------GET / HTTP/1.1------>(443)|----GET / HTTP/1.1-->(443)|
8 |<------------HTML----------(443)|<---------HTML-------(443)|
So I configured my apache server like this:
<VirtualHost _default_:443>
ProxyRequests On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>
I did the following test. It looks like apache works: after the SSL
handshake, I sent "CONNECT IP3:443 HTTP/1.1" to the apache proxy (encrypted), apache
decrypted the CONNECT instruction correctly, tried to connect to IP3 and
returned "HTTP/1.0 200 Connection Established..", BUT the only problem is that
apache returned the HTTP/1.0 200 in PLAIN TEXT, so my client doesn't
understand it and stops. Here is the test log:
1. Connect to proxy:
openssl s_client -connect IP2:443 -state -debug
SSL handshake has read 1361 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: FC2A51765458493165B386D05A1DAF2CEAE4C762078D534ADD862E1802381486
Session-ID-ctx:
Master-Key: 695B9E094F07F7ECD0B73EC8E0FC0A441B8A96C41CE2B85E771C85DC5AADC5BBB41F1DDA7F387D62B0C808A6411BFDB6
Key-Arg : None
Krb5 Principal: None
Start Time: 1209048482
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
2. I sent CONNECT instruction:
CONNECT 209.47.41.27:443 HTTP/1.1
Host: www.testhost.com
SSL3 alert write:fatal:protocol version
32713:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:
SSL3 alert write:warning:close notify
I traced on the proxy server; actually, it returned "HTTP/1.0 200
Connection Established.." in PLAIN TEXT, and that caused this problem.
Very Best Regards!
Stephen
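The failure described in this post can be reproduced at the byte level without running a proxy at all. The following Python is an added example, not code from the thread or from httpd: it reads the first five bytes of whatever the proxy sends back after CONNECT the way OpenSSL's record layer does, which makes the "wrong version number" alert obvious: "HTTP/" parsed as a TLS record header yields content type 0x48 ('H') and protocol version 0x5454 ('TT'). A reply that came back through the TLS session would instead start with a real record header (type 23, version 3.x), and only after decryption would the client see and parse the "200 Connection Established" status line. The two sample replies, the `build_connect_request` helper and its `Host: host:port` header form are constructed for the example and are not from the original post.

```python
import struct

# TLS record-layer content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def build_connect_request(host: str, port: int) -> bytes:
    """Request line the client writes inside the TLS session to the proxy (step 2
    of the diagram). Host header form is this example's choice, not the thread's."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def classify_proxy_reply(raw: bytes) -> dict:
    """Interpret the first bytes the proxy returns after CONNECT the way the client's
    TLS record layer must: 1 byte content type, 2 bytes version, 2 bytes length.

    A proxy that writes "HTTP/1.0 200 ..." straight to the socket, bypassing its own
    TLS output filter, yields content type 0x48 ('H') and version 0x5454 ('TT'),
    which OpenSSL reports as SSL3_GET_RECORD:wrong version number.
    """
    if len(raw) < 5:
        return {"kind": "short", "bytes": len(raw)}
    content_type, major, minor, length = struct.unpack("!BBBH", raw[:5])
    if content_type in TLS_CONTENT_TYPES and major == 3:
        return {
            "kind": "tls_record",
            "content_type": TLS_CONTENT_TYPES[content_type],
            "version": f"{major}.{minor}",
            "length": length,
        }
    if raw.startswith(b"HTTP/"):
        status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {
            "kind": "plaintext_http",
            "status_line": status_line,
            "record_type_seen": content_type,
            "version_seen": (major << 8) | minor,
        }
    return {"kind": "unknown", "record_type_seen": content_type}


def parse_connect_response(decrypted: bytes) -> tuple:
    """Parse the CONNECT status line the client should see once the proxy's answer
    has been decrypted (step 4). Returns (status_code, reason) or raises ValueError."""
    head, sep, _ = decrypted.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete CONNECT response")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def explain(raw: bytes) -> str:
    """Human-readable verdict for a captured reply."""
    info = classify_proxy_reply(raw)
    if info["kind"] == "tls_record":
        return (f"OK: TLS {info['content_type']} record, version {info['version']}, "
                f"{info['length']} bytes of ciphertext follow")
    if info["kind"] == "plaintext_http":
        return (f"BROKEN: proxy answered {info['status_line']!r} outside the TLS session; "
                f"the record layer saw type 0x{info['record_type_seen']:02x} and "
                f"version 0x{info['version_seen']:04x} -> 'wrong version number'")
    return f"unrecognised reply: {info}"


# Constructed sample: what the broken proxy in the thread wrote to the raw socket.
PLAINTEXT_REPLY = b"HTTP/1.0 200 Connection Established\r\n\r\n"
# Constructed sample: a TLS 1.0 application_data record header followed by 32 bytes
# standing in for ciphertext, i.e. the on-wire shape of a correctly layered reply.
TLS_REPLY = b"\x17\x03\x01\x00\x20" + bytes(32)

if __name__ == "__main__":
    print(build_connect_request("209.47.41.27", 443).decode("ascii"))
    print(explain(PLAINTEXT_REPLY))
    print(explain(TLS_REPLY))
    print(parse_connect_response(PLAINTEXT_REPLY))
```

The classifier is the check to run against a packet capture of the proxy's side of the socket: if the bytes following the client's CONNECT record are a TLS record, the proxy's response went through its TLS filter; if they start with "HTTP/", the response was written to the socket unencrypted and the client's record layer will abort exactly as shown in the s_client log above.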
RE: [users@httpd] How to encrypt traffic between client and apache proxy server
Posted by Stephen Hu <ti...@gmail.com>.
Thank you so much Emmanuel. I applied the patch. Everything is working well now.
Perfect!
Very Best Regards!
Stephen
From: Emmanuel E [mailto:emmanuel.e@gmx.net]
Sent: April 24, 2008 1:15 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] How to encrypt traffic between client and apache proxy server
check out https://issues.apache.org/bugzilla/show_bug.cgi?id=29744
and use the patch available there.
It's a pity that this patch still won't make it into the main tree...
----- Original Message -----
From: Stephen Hu <ma...@gmail.com>
To: users@httpd.apache.org
Sent: Thursday, April 24, 2008 8:44 PM
Subject: [users@httpd] How to encrypt traffic between client and apache proxy server
Re: [users@httpd] How to encrypt traffic between client and apache proxy server
Posted by Emmanuel E <em...@gmx.net>.
check out https://issues.apache.org/bugzilla/show_bug.cgi?id=29744
and use the patch available there.
It's a pity that this patch still won't make it into the main tree...
----- Original Message -----
From: Stephen Hu
To: users@httpd.apache.org
Sent: Thursday, April 24, 2008 8:44 PM
Subject: [users@httpd] How to encrypt traffic between client and apache proxy server