http to https forward

http to https forward

on 24.07.2002 21:06:43 by David Iungerich

I need to implement Apache as an https to http forwarder. I believe I need
to use ProxyPass or Redirect, but am having difficulty figuring out the
correct configuration.
My scenario is as follows:

I have an appserver that needs to POST http requests to another company's
appserver. Unfortunately, the particular product we are using has issues
being able to send https, and the other company requires it. They have
issued us certificates to talk to them. I need to be able to send http POST
requests to an Apache webserver, have it encrypt the request with the other
company's cert, and then pass the POST onto that company's server via https.
No browser involved. Eventually, I will need to do the same thing in
reverse, but initially I just need to be able to send in this direction.
Can you tell me what all specific entries are needed in the conf file to
implement this? Again, our server http to Apache, then encrypt using cert we
were given, and Apache to other company's server via https.

Apache Version is currently 1.3.23 - will update for security issues once we
can implement this scenario.
Running on Suse Linux 8.0

Thanks,
David

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: http to https forward

on 24.07.2002 22:29:17 by Michael Pacey

Quoting David Iungerich:

> I need to implement Apache as an https to http forwarder. I believe I
> need to use ProxyPass or Redirect, but am having difficulty figuring out
> the correct configuration.


Just to clarify, I think you mean http to https forwarder, as in your subject;
Apache forwards https to http without any problems.

But for http to https, your problem isn't configuration; Apache+mod_ssl doesn't
have the code for initiation of HTTPS connections. I've looked!

Everybody told me it wouldn't work, I didn't believe them, I couldn't make it
work, I read the code, it's not there!

The only product I know of that might be able to do this is IBM EdgeServer, and
possibly Netscape. Have to say I don't like EdgeServer and I have no experience
of Netscape.

Is there no-one around who'd like to code this? There are quite a few people who
want to use Apache to initiate HTTPS connections. I don't have the time / coding
skills.
--
Web: http://sydb.dyndns.org
ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)

Re: http to https forward

on 24.07.2002 22:49:14 by Daniel Lopez

> Quoting David Iungerich:
>
> > I need to implement Apache as an https to http forwarder. I believe I
> > need to use ProxyPass or Redirect, but am having difficulty figuring out
> > the correct configuration.
>
>
> Just to clarify, I think you mean http to https forwarder, as in your subject;
> Apache forwards https to http without any problems.
>
> But for http to https, your problem isn't configuration; Apache+mod_ssl doesn't
> have the code for initiation of HTTPS connections. I've looked!
>
> Everybody told me it wouldn't work, I didn't believe them, I couldn't make it
> work, I read the code, it's not there!
>
> The only product I know of that might be able to do this is IBM EdgeServer, and
> possibly Netscape. Have to say I don't like EdgeServer and I have no experience
> of Netscape.
>
> Is there no-one around who'd like to code this? There are quite a few people who
> want to use Apache to initiate HTTPS connections. I don't have the time / coding
> skills.

Um, no, you can already do it

SSLProxyEngine on
ProxyPass / https://some.other.host

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/





RE: http to https forward

on 24.07.2002 22:52:51 by David Iungerich

yes, that is correct. I meant http to https. So, there is no way to do
this with existing mods? I have to use something else? Java or Python
program? Anyone already have anything?


Re: http to https forward

on 24.07.2002 23:10:15 by meint.post

With the risk of booing and hissing but Microsoft ISA Server could do this
as well. It's capable of doing SSL Bridging, i.e. a full SSL proxy. It could
also be configured to have an HTTP session to the proxy and a HTTPS session
to the target platform.

Have a look at http://www.microsoft.com/isaserver and
http://www.isaserver.org/pages/articles.asp?art=157

hth

Meint




Re: http to https forward

on 24.07.2002 23:29:37 by Daniel Lopez

> yes, that is correct. I meant http to https. So, there is no way to do
> this with existing mods? I have to use something else? Java or Python
> program? Anyone already have anything?

You can already do it with Apache 2, and I am pretty sure you can do it with
Apache 1.3 too. The directives are just not documented, I am working on a
patch for the docs. But you are able to do

SSLProxyEngine on
ProxyPass / https://some.host.com

And you can also use other SSLProxy* directives like SSLProxyVerify, etc.

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/

RE: http to https forward

on 24.07.2002 23:35:56 by Geoffrey Talvola

Stunnel can transform http requests into https requests.

http://www.stunnel.org/

- Geoff


RE: http to https forward

on 24.07.2002 23:40:55 by Michael Pacey

Quoting David Iungerich:

> yes, that is correct. I meant http to https. So, there is no way to do
> this with existing mods? I have to use something else? Java or Python
> program? Anyone already have anything?
>

I couldn't find anything to do this besides the two proprietary programs I
mentioned before. My impression is this is a big hole in the open-source
toolkit, and proprietary software is going to fill it if someone more capable
than me doesn't fix things...

I see this sort of thing being a requirement for more and more big companies who
have established functional ecommerce infrastructures but need to start worrying
about security for all sorts of reasons including regulatory requirements
(especially secure comms between internal networks and DMZ). I'm not saying
there's any law requiring specifically this but big financial companies are
legally bound to protect data and they like to cover their bottoms.

I searched Freshmeat and Sourceforge. I found things that you can wrap http
servers in to make them look like https servers to the outside world but that is
the opposite of what you (and I) want to achieve.


--
Web: http://sydb.dyndns.org
ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)

RE: http to https forward

on 24.07.2002 23:58:30 by David Marshall

This can be done with ProxyPass as long as the URLs are relative. If URLs
are embedded in JavaScript, I have had to write a Perl module to
re-write URLs.

David Marshall


RE: http to https forward

on 25.07.2002 00:45:15 by David Iungerich

Thanks Daniel. What all is needed as adjustments to my conf file? As I
understood it, there was an issue with Apache taking an http POST request and
encrypting it with a given cert, then sending it along via https. If you
could tell me exactly what I need version-wise and what to add/change in a
standard conf file, I'd greatly appreciate it.


Re: http to https forward

on 25.07.2002 00:48:53 by Daniel Lopez

On Wed, Jul 24, 2002 at 05:45:15PM -0500, David Iungerich wrote:
> Thanks Daniel. What all is needed as adjustments to my conf file? As I
> understood it, there was an issue with Apache taking an http POST request and
> encrypting it with a given cert, then sending it along via https. If you
> could tell me exactly what I need version-wise and what to add/change in a
> standard conf file, I'd greatly appreciate it.

I am not sure I understand what you mean with "encrypting it with a given
cert". I am guessing it means that your client must present a specific
client certificate to the remote server. This SSL functionality was present
in mod_ssl versions for 1.3 if you compiled with SSL_EXPERIMENTAL flag, but
was not working very well.
Apache 2.0 includes robust support for that functionality (thanks to Doug
MacEachern of mod_perl fame) and I recommend you use that. The directive you
want is SSLProxyMachineCertificateFile, for specifying the client
certificate(s) to present to the remote server. It is not documented
currently on the Apache project, but take a look at:
http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Hope it helps

Daniel
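
The directives named in this thread, put together as one forwarder configuration. This is an added example, not configuration posted by anyone on the list; it assumes a current Apache 2.4 with mod_proxy, mod_proxy_http and mod_ssl loaded, and the listener address, the host name partner.example.com and all file paths are placeholders.

```apache
# Added example. Assumes Apache 2.4 with mod_proxy, mod_proxy_http and mod_ssl
# loaded. Address, host name and file paths are placeholders.

# The hop from the appserver to this proxy is cleartext HTTP, so bind the
# listener to loopback (or a private interface) rather than all addresses.
Listen 127.0.0.1:8080

<VirtualHost 127.0.0.1:8080>
    # Reverse-proxy mode only; never act as an open forward proxy.
    ProxyRequests Off

    # Lets mod_proxy originate TLS connections to https:// backends.
    SSLProxyEngine on

    # --- Minimal form from the thread ------------------------------------
    # With only SSLProxyEngine + ProxyPass the request is encrypted, but the
    # remote certificate is not validated (SSLProxyVerify defaults to none),
    # so the proxy cannot tell the partner from an interposed host.

    # --- Authenticate the remote server ----------------------------------
    SSLProxyVerify            require
    SSLProxyVerifyDepth       3
    SSLProxyCACertificateFile /etc/apache2/ssl/partner-ca.pem
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on

    # --- Authenticate ourselves to the remote server ---------------------
    # PEM file holding the client certificate issued by the partner followed
    # by its private key. The key must be unencrypted, so keep the file
    # readable by root only (chmod 600).
    SSLProxyMachineCertificateFile /etc/apache2/ssl/client-cert-and-key.pem

    # POSTs to http://127.0.0.1:8080/... go out as https://partner.example.com/...
    ProxyPass        / https://partner.example.com/
    # Rewrite Location headers in responses back to the local address.
    ProxyPassReverse / https://partner.example.com/
</VirtualHost>
```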



Re: http to https forward

on 25.07.2002 01:23:05 by Daniel Lopez

On Wed, Jul 24, 2002 at 10:40:55PM +0100, Michael Pacey wrote:
> Quoting David Iungerich:
>
> > yes, that is correct. I meant http to https. So, there is no way to do
> > this with existing mods? I have to use something else? Java or Python
> > program? Anyone already have anything?
> >
>
> I couldn't find anything to do this besides the two proprietary programs I
> mentioned before. My impression is this is a big hole in the open-source
> toolkit, and proprietary software is going to fill it if someone more capable
> than me doesn't fix things...

Come on... this is the 4th mail I have sent in the last couple of hours mentioning that this
capability exists already in Apache 1.3 and, improved and more robust, in
Apache 2.0. They are just not documented, see my other emails for links and
example. I am preparing a patch to the Apache documentation that includes
them. As other people mentioned, you can also use stunnel or similar
programs to set SSL tunneling (I have used it successfully in the past with
HTTP and POP3).


> I see this sort of thing being a requirement for more and more big companies who
> have established functional ecommerce infrastructures but need to start worrying
> about security for all sorts of reasons including regulatory requirements
> (especially secure comms between internal networks and DMZ). I'm not saying
> there's any law requiring specifically this but big financial companies are
> legally bound to protect data and they like to cover their bottoms.
>
> I searched Freshmeat and Sourceforge. I found things that you can wrap http
> servers in to make them look like https servers to the outside world but that is
> the opposite of what you (and I) want to achieve.

RE: http to https forward

on 25.07.2002 17:14:22 by David Iungerich

Daniel,

Does your book or somewhere else give the specifics of what all I need to do
to get this done? If so I'll go buy it, or wherever I need to look. I've
got to get this thing implemented today. At this point, I'm thinking I'll
strip off the Apache 1.3.23 that came with Suse and install Apache 2.0.
Bear in mind with all of this, that I'm new to Apache and Linux, so any
specifics you can provide on what ALL is needed to implement this would be
greatly appreciated.

Thanks again,
David


Re: http to https forward

on 25.07.2002 19:39:33 by Daniel Lopez

On Thu, Jul 25, 2002 at 10:14:22AM -0500, David Iungerich wrote:
> Daniel,
>
> Does your book or somewhere else give the specifics of what all I need to do

When the book was released, Doug (who sits 2 cubicles next to me :) had not
yet cleaned up and ported that functionality, so I mention it but could not
give any specifics.

> to get this done. If so I'll go buy it, or wherever I need to look. I've
> got to get this thing implemented today. At this point, I'm thinking I'll
> strip off the Apache 1.3.23 that came with Suse and install Apache 2.0.
> Bear in mind with all of this, that I'm new to Apache and Linux, so any
> specifics you can provide on what ALL is needed to implement this would be
> greatly appreciated.

Yesterday I submitted a patch to the Apache docs@ mailing list documenting those
directives.
I can try and help you with the setup, first step is to get Apache compiled
with SSL support and understand how to generate certificates:
http://www.apacheworld.org/ty24/site.chapter17.html
and the mod_ssl docs/tutorial at apache.org

For the SSLProxy* directives these docs are old and for raven ssl, but apply
for the most part

http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Cheers

Daniel

> Thanks again,
> David
>

Moving server to SSL: which way?

on 25.07.2002 20:21:48 by Gary W

I have a JDBC server running and would like to make it secure.
I am using XML to support an RMI-like functionality.
Should I implement the SSLSocketClient or use a servlet
and the URL API?

I want an easy (automated) install to the client machines
so do not want them to have to have a certificate,
only the server.

I already have Apache 2 running in SSL mode and JDK 1.4.
It is a prototype, so extensibility is not an issue.

Gary
--
Be careful about reading health books. You may die of a misprint.
-- Mark Twain

RE: http to https forward

on 26.07.2002 11:55:47 by arcean

Use Stunnel, it's really simple.

I do use it for exactly the same problem

and I use reciprocal authentication (client & server)

good perf on *nix
not so bad on win32 ...

>I have an appserver that needs to POST http requests to another company's
>appserver. Unfortunately, the particular product we are using has issues
>being able to send https, and the other company requires it. They have
>issued us certificates to talk to them. I need to be able to send http POST
>requests to an Apache webserver, have it encrypt the request with the other
>company's cert, and then pass the POST onto that company's server via https.
>No browser involved. Eventually, I will need to do the same thing in
>reverse, but initially I just need to be able to send in this direction.
>Can you tell me what all specific entries needed in the conf file to
>implement
>this. Again, our server http to Apache, then encrypt using cert we were
>given, and Apache to other
>company's server via https.
>
>Apache Version is currently 1.3.23 - will update for security issues once we
>can implement this scenario.
>Running on Suse Linux 8.0
>
>Thanks,
>David
>

Re: http to https forward

am 26.07.2002 12:02:52 von arcean

---------- Original Message ----------------------------------
From: "M.E. Post"
Reply-To: modssl-users@modssl.org
Date: Wed, 24 Jul 2002 23:10:15 +0200

BOOOOO
HISSSSSS
MICROSOSOFT
BULLSHIT ....

(you search for it :) don't tease me ;) )

>With the risk of booing and hissing but Microsoft ISA Server could do this
>as well. It's capable of doing SSL Bridging, i.e. a full SSL proxy. It could
>also be configured to have an HTTP session to the proxy and a HTTPS session
>to the target platform.
>
>Have a look at http://www.microsoft.com/isaserver and
>http://www.isaserver.org/pages/articles.asp?art=157
>
>hth
>
>Meint
>
>
>
>----- Original Message -----
>From: "Michael Pacey"
>To:
>Sent: Wednesday, July 24, 2002 10:29 PM
>Subject: Re: http to https forward
>
>
>> Quoting David Iungerich :
>>
>> > I need to implement Apache as an https to http forwarder. I believe I
>> > need to use ProxyPass or Redirect, but am having difficulty figuring
>> > out the correct configuration.
>>
>>
>> Just to clarify, I think you mean http to https forwarder, as in your
>> subject; Apache forwards https to http without any problems.
>>
>> But for http to https, your problem isn't configuration; Apache+mod_ssl
>> doesn't have the code for initiation of HTTPS connections. I've looked!
>>
>> Everybody told me it wouldn't work, I didn't believe them, I couldn't
>> make it work, I read the code, it's not there!
>>
>> The only product I know of that might be able to do this is IBM
>> EdgeServer, and possibly Netscape. Have to say I don't like EdgeServer
>> and I have no experience of Netscape.
>>
>> Is there no-one around who'd like to code this? There are quite a few
>> people who want to use Apache to initiate HTTPS connections. I don't
>> have the time / coding skills.
>> --
>> Web: http://sydb.dyndns.org
>> ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
>> IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)

RE: http to https forward

am 26.07.2002 14:53:16 von clemente

Try looking at the documentation for mod_rewrite. It is part of the mod_ssl
distribution. Right now we have a few servers that take any off-site http
request and rewrite the URL to https.

http://www.modssl.org/docs/2.8/ssl_faq.html#relative-links

http://httpd.apache.org/docs/mod/mod_rewrite.html

Hope this helps.

Michael Clemente
Network Specialist
Network & System Services
Rowan University


-----Original Message-----
From: David Iungerich [mailto:david@iungerich.com]
Sent: Wednesday, July 24, 2002 3:07 PM
To: modssl-users@modssl.org
Subject: http to https forward
Importance: High


I need to implement Apache as an https to http forwarder. I believe I need
to use ProxyPass or Redirect, but am having difficulty figuring out the
correct configuration. My scenario is as follows:

I have an appserver that needs to POST http requests to another company's
appserver. Unfortunately, the particular product we are using has issues
being able to send https, and the other company requires it. They have
issued us certificates to talk to them. I need to be able to send http POST
requests to an Apache webserver, have it encrypt the request with the other
company's cert, and then pass the POST onto that company's server via https.
No browser involved. Eventually, I will need to do the same thing in
reverse, but initially I just need to be able to send in this direction. Can
you tell me what all specific entries needed in the conf file to implement
this. Again, our server http to Apache, then encrypt using cert we were
given, and Apache to other company's server via https.

Apache Version is currently 1.3.23 - will update for security issues once we
can implement this scenario. Running on Suse Linux 8.0

Thanks,
David


RE: http to https forward

am 26.07.2002 17:20:57 von David Iungerich

Arcean,

I'm probably going to continue with my Apache 2.0.39 route, but what all
specifically is involved in the setup of Stunnel to do what I am looking
for? If it's quicker, I may take that route.

Thanks,
David

-----Original Message-----
From: owner-modssl-users@modssl.org
[mailto:owner-modssl-users@modssl.org]On Behalf Of arcean
Sent: Friday, July 26, 2002 4:56 AM
To: modssl-users@modssl.org
Subject: RE: http to https forward


Use Stunnel, it's really simple

I do use it for exactly the same problem

and I use reciprocal authentication (client & server)

good perf on *nix
not so bad on win32 ...

>I have an appserver that needs to POST http requests to another company's
>appserver. Unfortunately, the particular product we are using has issues
>being able to send https, and the other company requires it. They have
>issued us certificates to talk to them. I need to be able to send http
>POST requests to an Apache webserver, have it encrypt the request with the
>other company's cert, and then pass the POST onto that company's server via
>https. No browser involved. Eventually, I will need to do the same thing in
>reverse, but initially I just need to be able to send in this direction.
>Can you tell me what all specific entries needed in the conf file to
>implement this. Again, our server http to Apache, then encrypt using cert
>we were given, and Apache to other company's server via https.
>
>Apache Version is currently 1.3.23 - will update for security issues once we
>can implement this scenario.
>Running on Suse Linux 8.0
>
>Thanks,
>David
>

RE: http to https forward

am 26.07.2002 18:48:39 von Geoffrey Talvola

Setting up the forwarding without a certificate is as easy as running:

stunnel -c -r www.paypal.com:443 -d 127.0.0.1:5555

Then you can connect to http://localhost:5555/ and it will forward your
request to www.paypal.com using SSL.

As far as setting up the certificate stuff, I haven't done it, but
http://www.stunnel.org/ seems to have good instructions.

- Geoff
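
The forwarding command above, written in config-file form with the certificate settings the reply leaves open. This is an added example, not part of the original post or of stunnel's own documentation; `partner.example.com`, the service name and all file paths are placeholders, and `verifyChain`/`checkHost` assume a stunnel 5.x release.

```ini
; Added example: config-file equivalent of
;   stunnel -c -r host:443 -d 127.0.0.1:5555
; with client-certificate and server-verification settings added.
; Host name and file paths are placeholders.

; Stay in the foreground while testing so errors show on the terminal
foreground = yes

[partner-https]
; Client mode: accept plaintext locally, speak TLS to the remote side (-c)
client = yes

; Listen on loopback only: the plaintext side has no authentication (-d)
accept = 127.0.0.1:5555

; Remote HTTPS endpoint (-r)
connect = partner.example.com:443

; Client certificate and private key issued by the partner
; (the "client & server" authentication mentioned earlier in the thread)
cert = /etc/stunnel/our-client-cert.pem
key = /etc/stunnel/our-client-key.pem

; Verify the server. Without these lines the tunnel still encrypts,
; but it accepts whatever certificate the remote port presents.
CAfile = /etc/stunnel/partner-ca.pem
verifyChain = yes
checkHost = partner.example.com
```

Anything that can reach the `accept` address can send requests under the client certificate, so the listener should stay on loopback or be restricted to the application server. The private key file should be readable only by the account stunnel runs as.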

> -----Original Message-----
> From: David Iungerich [mailto:david@iungerich.com]
> Sent: Friday, July 26, 2002 11:21 AM
> To: modssl-users@modssl.org
> Subject: RE: http to https forward
>
>
> Arcean,
>
> I'm probably going to continue with my Apache 2.0.39 route, but what all
> specifically is involved in the setup of Stunnel to do what I am looking
> for? If it's quicker, I may take that route.
>
> Thanks,
> David
>
> -----Original Message-----
> From: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org]On Behalf Of arcean
> Sent: Friday, July 26, 2002 4:56 AM
> To: modssl-users@modssl.org
> Subject: RE: http to https forward
>
>
> Use Stunnel, it's really simple
>
> I do use it for exactly the same problem
>
> and I use reciprocal authentication (client & server)
>
> good perf on *nix
> not so bad on win32 ...
>
> >I have an appserver that needs to POST http requests to another company's
> >appserver. Unfortunately, the particular product we are using has issues
> >being able to send https, and the other company requires it. They have
> >issued us certificates to talk to them. I need to be able to send http
> >POST requests to an Apache webserver, have it encrypt the request with the
> >other company's cert, and then pass the POST onto that company's server via
> >https. No browser involved. Eventually, I will need to do the same thing in
> >reverse, but initially I just need to be able to send in this direction.
> >Can you tell me what all specific entries needed in the conf file to
> >implement this. Again, our server http to Apache, then encrypt using cert
> >we were given, and Apache to other company's server via https.
> >
> >Apache Version is currently 1.3.23 - will update for security issues once we
> >can implement this scenario.
> >Running on Suse Linux 8.0
> >
> >Thanks,
> >David
> >

RE: http to https forward

am 26.07.2002 19:38:22 von a.moon

I am away from the office until the Monday 5th August 2002

I will get back to you as soon as I can on my return.

If it's an urgent Online Learning Support Unit / Web/ MUBSWEB/ MUBS Online matter
that requires urgent attention then please contact either Sanjay1 or Jeff1
who should be able to help.

All the best
Alex