Posted to users@httpd.apache.org by Eric Covener <co...@gmail.com> on 2009/08/23 18:47:57 UTC

Re: [users@httpd] (internal app) --http-->apache---https--->(external app)

On Sun, Aug 23, 2009 at 12:04 PM, pe uni<pe...@yahoo.com> wrote:
> Hi,
> I have a scenario to configure apache to handle
> (internal app)--http-->apache---https--->(external app)
>
> My internal app cannot handle SSL and can only handle HTTP connections.
>
> How do I set up apache to handle such a scenario?
> I tried creating a virtual host listening on port 10001 and then used the rewrite rule to change the url to https. This works on a browser but fails on my application as it cannot handle the HTTPS traffic.

You need to proxy, via mod_rewrite with the "P" flag or ProxyPass.

I assume your "my application" in the final sentence refers to the
internal app, not the external app -- otherwise it's a lost cause.


-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] downstream server wanted client certificate but none are configured

Posted by Eric Covener <co...@gmail.com>.
On Mon, Aug 24, 2009 at 7:47 PM, pe uni<pe...@yahoo.com> wrote:
> I see the following message in the error_log
>
> Proxy client certificate callback: downstream server wanted client certificate but none are configured
>
> I have the following directives in my proxy virtual host...
> ---------------------------
> SSLProxyCACertificateFile /etc/httpd/ssl/CA/CA-bundle.crt
> SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
> SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
> SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client.p12
> SSLProxyCACertificatePath /etc/httpd/ssl/CA
> -------------------------
> For some reason apache is unable to pick up the client certificate and send it to the server.
> Please advise.
> Regards,
> Pe
>

Is PKCS12 legit there?  Example has a pem-formatted file -- try splitting yours?


-- 
Eric Covener
covener@gmail.com



[users@httpd] downstream server wanted client certificate but none are configured

Posted by pe uni <pe...@yahoo.com>.
I see the following message in the error_log

Proxy client certificate callback: downstream server wanted client certificate but none are configured

I have the following directives in my proxy virtual host...
---------------------------
SSLProxyCACertificateFile /etc/httpd/ssl/CA/CA-bundle.crt
SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client.p12
SSLProxyCACertificatePath /etc/httpd/ssl/CA
-------------------------
For some reason apache is unable to pick up the client certificate and send it to the server.
Please advise.
Regards,
Pe



      



Re: [users@httpd] (internal app) --http-->apache---https--->(external app)

Posted by pe uni <pe...@yahoo.com>.
Hi Eric,
I tried the hint - SSLProxyEngine On. The https connection works with websites/applications that don't require a certificate.
For websites/applications that require a certificate, it fails. Please verify whether the config below makes sense.
I included the following SSL directives in the virtual host on that port.
<VirtualHost my_ipaddr:44444>
    ---
    SSLProxyEngine On
    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
    SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
    SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client-cert.p12
    --
</VirtualHost>
------------------------------
[Mon Aug 24 10:31:11 2009] [debug] ssl_engine_kernel.c(1765): OpenSSL: Read: SSLv3 read finished A
[Mon Aug 24 10:31:11 2009] [debug] ssl_engine_kernel.c(1784): OpenSSL: Exit: failed in SSLv3 read finished A
[Mon Aug 24 10:31:11 2009] [info] [client ip_addr1] SSL library error 1 reading data
[Mon Aug 24 10:31:11 2009] [info] SSL Library Error: 336151568 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mon Aug 24 10:31:11 2009] [info] SSL Library Error: 336150757 error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
[Mon Aug 24 10:31:11 2009] [error] [client ip_addr2] (20014)Internal error: proxy: error reading status line from remote server webapplication_server 
[Mon Aug 24 10:31:11 2009] [debug] mod_proxy_http.c(1466): [client 199.130.193.102] proxy: NOT Closing connection to client although reading from backend server webapplication_server failed.
-----------------------------


--- On Sun, 8/23/09, Eric Covener <co...@gmail.com> wrote:

> From: Eric Covener <co...@gmail.com>
> Subject: Re: [users@httpd] (internal app) --http-->apache---https--->(external  app)
> To: users@httpd.apache.org
> Date: Sunday, August 23, 2009, 9:17 PM
> > [Sun Aug 23 12:24:39 2009]
> [error] [client 73.155.40.73] SSL Proxy requested for
> my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]
> 
> Tried the hint?
> 
> -- 
> Eric Covener
> covener@gmail.com
> 


Re: [users@httpd] (internal app) --http-->apache---https--->(external app)

Posted by Eric Covener <co...@gmail.com>.
> [Sun Aug 23 12:24:39 2009] [error] [client 73.155.40.73] SSL Proxy requested for my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]

Tried the hint?

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] (internal app) --http-->apache---https--->(external app)

Posted by Krist van Besien <kr...@gmail.com>.
On Sun, Aug 23, 2009 at 8:30 PM, pe uni<pe...@yahoo.com> wrote:
> Hi Eric, below is the excerpt from the apache log
> ------------------------------
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(1507): [client interapp_ipaddr] proxy: *: found reverse proxy worker for https://www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy.c(966): Running scheme https handler (attempt 0)
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(1960): proxy: HTTP: serving URL https://www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2044): proxy: HTTPS: has acquired connection for (*)
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2102): proxy: connecting https://www.techmed.com/VENDOR/vendor.asmx to www.techmed.com:443
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2195): proxy: connected /VENDOR/vendor.asmx to www.techmed.com:443
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2347): proxy: HTTPS: fam 2 socket created to connect to *
> [Sun Aug 23 12:24:39 2009] [error] [client 73.155.40.73] SSL Proxy requested for my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]
> [Sun Aug 23 12:24:39 2009] [error] proxy: HTTPS: failed to enable ssl support for 73.155.40.73:443 (www.techmed.com)
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2062): proxy: HTTPS: has released connection for (*)
> --------------------------------------------------



When proxying http to https you need to configure apache as an ssl
_client_. Apache will not function as an SSL client out of the box.

This question comes up regularly, and this is what I answered last
time it came up:

You need to add the following to your config.

# turn on SSL proxying.
SSLProxyEngine On

# to tell Apache where to find CA certificates to check remote server
# certificates with:
# (You can choose yourself where you put these certificates)
SSLProxyCACertificatePath /path/to/ca/certificates

Then in this path you need to put the CA certificate(s) used to sign
the certificate(s) used by the server(s) you communicate with. If you
want to talk to a server that uses a "self signed" certificate you
will need to put it in this dir too.

Once you've done that you need to run "c_rehash" in that directory.
c_rehash is part of a standard openssl distribution. c_rehash creates
hashed aliases in this dir. Apache needs these.

In order to test if everything is there you can do the following:

openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443

if the connection succeeds just try to do a
GET /abc/

and see if you get something. If this test is successful apache should work too.

You can now add the RewriteRule or Proxy statements to forward the
connections to your https server.

Krist

-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
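As an added example (not code from the thread or from the httpd project), a POSIX shell script that carries out Eric's suggestion to split the PKCS#12 file into PEM, Krist's c_rehash and openssl s_client checks, and a static lint for the three misconfigurations visible in this thread. The file paths are assumptions modelled on the poster's layout; `probe_backend` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths are assumptions that
# follow the poster's layout; adjust them to your own installation.
CA_DIR=/etc/httpd/ssl/CA                     # SSLProxyCACertificatePath
P12=/etc/httpd/ssl/clientcerts/client.p12    # what the poster configured
PEM=/etc/httpd/ssl/clientcerts/client.pem    # what mod_ssl actually wants

# 1. SSLProxyMachineCertificateFile takes PEM: the client certificate
#    followed by its *unencrypted* private key in one file (mod_ssl has
#    no passphrase support here). Both openssl calls prompt for the
#    PKCS#12 import password.
p12_to_pem() {  # p12 pem
  openssl pkcs12 -in "$1" -clcerts -nokeys >"$2" &&
  openssl pkcs12 -in "$1" -nocerts -nodes >>"$2" &&
  chmod 600 "$2"   # the key is now in the clear; keep the file private
}

# 2. A directory given to SSLProxyCACertificatePath is only usable once
#    the hash-named symlinks exist (c_rehash, or "openssl rehash").
rehash_ca_dir() { c_rehash "$1"; }

# 3. The same probe Krist suggests, extended to present the client cert,
#    so a handshake failure shows up here before it shows up in error_log.
probe_backend() {  # host port
  printf 'GET /abc/ HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" |
    openssl s_client -CApath "$CA_DIR" -cert "$PEM" -key "$PEM" \
      -connect "$1:$2" -ign_eof
}

# Static lint for the three mistakes seen in this thread. Reads a vhost
# config on stdin, prints one line per finding, returns 0 when clean.
lint_proxy_vhost() {
  cfg=$(cat); rc=0
  has() { printf '%s\n' "$cfg" | grep -Eqi "^[[:space:]]*$1"; }
  if has '(ProxyPass|RewriteRule)[^#]*https://' && ! has 'SSLProxyEngine[[:space:]]+On'; then
    echo "proxies to https:// but SSLProxyEngine is not On"; rc=1
  fi
  if has 'SSLProxyMachineCertificateFile[^#]*\.(p12|pfx)'; then
    echo "SSLProxyMachineCertificateFile must be PEM (cert + key), not PKCS#12"; rc=1
  fi
  if has 'SSLProxyMachineCertificateFile' && ! has 'SSLProxyCACertificate(File|Path)'; then
    echo "no SSLProxyCACertificateFile/Path: backend cannot be verified (pair with SSLProxyVerify require)"; rc=1
  fi
  return $rc
}
```

Run the lint as `lint_proxy_vhost < /etc/httpd/conf.d/proxy.conf` (assumed path) and, once the PEM and CA directory are in place, `probe_backend www.techmed.com 443` to reproduce the handshake outside httpd.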



Re: [users@httpd] (internal app) --http-->apache---https--->(external app)

Posted by pe uni <pe...@yahoo.com>.
Hi Eric, below is the excerpt from the apache log
------------------------------
[Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //www.techmed.com/VENDOR/vendor.asmx
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(1507): [client interapp_ipaddr] proxy: *: found reverse proxy worker for https://www.techmed.com/VENDOR/vendor.asmx
[Sun Aug 23 12:24:39 2009] [debug] mod_proxy.c(966): Running scheme https handler (attempt 0)
[Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(1960): proxy: HTTP: serving URL https://www.techmed.com/VENDOR/vendor.asmx
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2044): proxy: HTTPS: has acquired connection for (*)
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2102): proxy: connecting https://www.techmed.com/VENDOR/vendor.asmx to www.techmed.com:443
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2195): proxy: connected /VENDOR/vendor.asmx to www.techmed.com:443
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2347): proxy: HTTPS: fam 2 socket created to connect to *
[Sun Aug 23 12:24:39 2009] [error] [client 73.155.40.73] SSL Proxy requested for my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]
[Sun Aug 23 12:24:39 2009] [error] proxy: HTTPS: failed to enable ssl support for 73.155.40.73:443 (www.techmed.com)
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2062): proxy: HTTPS: has released connection for (*)
--------------------------------------------------


--- On Sun, 8/23/09, pe uni <pe...@yahoo.com> wrote:

> From: pe uni <pe...@yahoo.com>
> Subject: Re: [users@httpd] (internal app) --http-->apache---https--->(external  app)
> To: users@httpd.apache.org
> Date: Sunday, August 23, 2009, 2:22 PM
> Hi Eric, thanks for the reply.
> "my application" is the internal application.
> I tried the rewrite rule with P option, still doesn't
> work.
> 
> Internal application has the target URL set as
> www.techmed.com/VENDOR/vendor.asmx with port 80  and is
> configured to use 
> my_proxy_server : 44444 as the proxy
> 
> Goal is --- (my internal appln) ----http--->apache
> ---https with client
> certs---->(www.techmed.com/VENDOR/vendor.asmx)
> 
> Here is my httpd.conf...   apache logs show
> error "proxy: HTTPS: failed to enable ssl support for
> my_ipaddr:443"
> --------------------------------------
> <VirtualHost my_ipaddr:44444>
>    ServerName my_proxy_server
>    Options +FollowSymlinks
>    ProxyRequests off
> 
>    RewriteEngine On
>    RewriteLogLevel 9
>    RewriteLog
> /etc/httpd/logs/rewrite_80_log
>    RewriteRule ^/(.*)$
> https://%{HTTP_HOST}%{REQUEST_URI} [P,L]
> </VirtualHost>
> 
> <VirtualHost my_ipaddr:443>
>     ServerName  my_proxy_server
>     ServerAlias my_proxy_server
>     LogLevel debug
>     ProxyRequests Off
>     CustomLog /etc/httpd/logs/access_log common
>     ErrorLog  "|/usr/sbin/rotatelogs
> /etc/httpd/logs/error_log 86400 common"
>     TransferLog /etc/httpd/logs/ssl_access_log
> 
>     SSLEngine On
>     SSLCertificateFile
> /etc/httpd/ssl/servercerts/server.CRT
>     SSLCertificateKeyFile
> /etc/httpd/ssl/servercerts/server.KEY
>     SSLProxyMachineCertificateFile
> /etc/httpd/ssl/clientcerts/client-cert.p12
> 
>     Proxypass    /VENDOR https://www.techmed.com/VENDOR/vendor.asmx   
> ProxypassReverse /VENDOR https://www.techmed.com/VENDOR/vendor.asmx
> </VirtualHost>
> ---------------------------------------
> Thanks,
> Pe
> 


Re: [users@httpd] (internal app) --http-->apache---https--->(external app)

Posted by pe uni <pe...@yahoo.com>.
Hi Eric, thanks for the reply.
"my application" is the internal application.
I tried the rewrite rule with P option, still doesn't work.

Internal application has the target URL set as www.techmed.com/VENDOR/vendor.asmx with port 80 and is configured to use my_proxy_server:44444 as the proxy.

Goal is --- (my internal appln) ----http--->apache ---https with client certs---->(www.techmed.com/VENDOR/vendor.asmx)

Here is my httpd.conf...   apache logs show error "proxy: HTTPS: failed to enable ssl support for my_ipaddr:443"
--------------------------------------
<VirtualHost my_ipaddr:44444>
   ServerName my_proxy_server
   Options +FollowSymlinks
   ProxyRequests off

   RewriteEngine On
   RewriteLogLevel 9
   RewriteLog /etc/httpd/logs/rewrite_80_log
   RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [P,L]
</VirtualHost>

<VirtualHost my_ipaddr:443>
    ServerName  my_proxy_server
    ServerAlias my_proxy_server
    LogLevel debug
    ProxyRequests Off
    CustomLog /etc/httpd/logs/access_log common
    ErrorLog  "|/usr/sbin/rotatelogs /etc/httpd/logs/error_log 86400 common"
    TransferLog /etc/httpd/logs/ssl_access_log

    SSLEngine On
    SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
    SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
    SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client-cert.p12

    ProxyPass        /VENDOR https://www.techmed.com/VENDOR/vendor.asmx
    ProxyPassReverse /VENDOR https://www.techmed.com/VENDOR/vendor.asmx
</VirtualHost>
---------------------------------------
Thanks,
Pe
