ssl proxy

Hello,
Can a httpd be set up as a "secure proxy"? Ie.: forward requests from a
client (a client that doesn't get involved with any ssl stuff itself) on
to an HTTPS site?

-george


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: ssl proxy

On Fri, 17 May 2002, Petryczka, George wrote:

> Can a httpd be set up as a "secure proxy"? Ie.: forward requests from a
> client (a client that doesn't get involved with any ssl stuff itself) on
> to an HTTPS site?

Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable
SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be
done.

--Cliff

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: ssl proxy

> > Can a httpd be set up as a "secure proxy"? Ie.: forward requests
> > from a client (a client that doesn't get involved with any ssl
> > stuff itself) on to an HTTPS site?
>
> Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable
> SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be
> done.
No special compile flags are necessary in 1.3.22+ and mod_ssl 2.8
Aryeh

---
Aryeh Katz
VASCO
www.vasco.com

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ssl proxy

As a followup to below, what directives would be needed to accomplish this
"proxy" or "tunnel" or whatever i should call it? Incidentally, if it
matters, the client here is not a browser - it's just a c-program that
writes raw http-headered request messages directly. An illustrative example
would be great!


> > Can a httpd be set up as a "secure proxy"? Ie.: forward requests
> > from a client (a client that doesn't get involved with any ssl
> > stuff itself) on to an HTTPS site?
>
> Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable
> SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be
> done.
No special compile flags are necessary in 1.3.22+ and mod_ssl 2.8
Aryeh

---
Aryeh Katz
VASCO
www.vasco.com

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ssl proxy

> As a followup to below, what directives would be needed to accomplish
> this "proxy" or "tunnel" or whatever i should call it? Incidentally,
> if it matters, the client here is not a browser - it's just a
> c-program that writes raw http-headered request messages directly. An
> illustrative example would be great!
In either a virtual host, or whole server:

ProxyPass / https://login.passport.com/
ProxyPassReverse / https://login.passport.com/
---
Aryeh Katz
VASCO
www.vasco.com

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ssl proxy

Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails
(even with just plain http) with 404. To test I use MSIE against the proxy
host:
http://www.myprox.com:8080/cgi-bin/myscript

It does work when i point directly at the destination host:
http://www.mydest.com:8080/cgi-bin/myscript

so it does seem just the proxy is not set up right.
Maybe I need some special settings on the destination host too? Oh and i
get no access.log entries on the destination box at all.


-----Original Message-----
From: Aryeh Katz [mailto:aryeh@vasco.com]
Sent: Monday, May 27, 2002 9:11 AM
To: modssl-users@modssl.org
Subject: RE: ssl proxy


> As a followup to below, what directives would be needed to accomplish
> this "proxy" or "tunnel" or whatever i should call it? Incidentally,
> if it matters, the client here is not a browser - it's just a
> c-program that writes raw http-headered request messages directly. An
> illustrative example would be great!
In either a virtual host, or whole server:

ProxyPass / https://login.passport.com/
ProxyPassReverse / https://login.passport.com/
---
Aryeh Katz
VASCO
www.vasco.com

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: ssl proxy

"Petryczka, George" wrote:
>
> Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails
> (even with just plain http) with 404. To test I use MSIE against the proxy
> host:
> http://www.myprox.com:8080/cgi-bin/myscript
>
> It does work when i point directly at the destination host:
> http://www.mydest.com:8080/cgi-bin/myscript

What do you want to type in the browser?
What do you want it to produce?
What do your proxy directives look like?

rgds,

Owen Boyle.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ssl proxy

> Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails
> (even with just plain http) with 404. To test I use MSIE against the
> proxy host: http://www.myprox.com:8080/cgi-bin/myscript
>
> It does work when i point directly at the destination host:
> http://www.mydest.com:8080/cgi-bin/myscript
I thought you said that your destination host was ssl. shouldn't that be
httpS://www.mydest.com?
Anyway, make sure mod_ssl is loaded, and enabled (-DSSL) in your proxy,
then it should be able to connect via ssl.
---
Aryeh Katz
VASCO
www.vasco.com

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ssl proxy

Owen,
The browser is just for test to verify that proxy is working. My ultimate
goal does not involve browsers at all - just an app pumping http messages
into a proxy that converts to SSL and forwards to an https client.

Anyway, for the test, the only settings i have changed from the default conf
file (aside from domain names and emails) is :
on the target: No change
on the proxy: ProxyPass and ProxyPassReverse
as was suggested to me by Aryeh. Also on the proxy: the Ifmodule
Mod_proxy.c clause is uncommented, Proxy Reqeusts On is set, and httpd -l
shows proxy.c module is compiled in.

(And i'm not even trying this with HTTPS/SSL yet, though that is ultimately
my goal - i just want to keep it as simple as i can for first test.)

What i type in the browser is the url to myscript (see original note
below).

What i want displayed is simply the output of myscript (which i DO get
successfully if i point directly at the destination, again, as i note below.

-george

-----Original Message-----
From: Owen Boyle [mailto:obo@bourse.ch]
Sent: Tuesday, May 28, 2002 11:18 AM
To: modssl-users@modssl.org
Subject: Re: ssl proxy


"Petryczka, George" wrote:
>
> Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails
> (even with just plain http) with 404. To test I use MSIE against the
proxy
> host:
> http://www.myprox.com:8080/cgi-bin/myscript
>
> It does work when i point directly at the destination host:
> http://www.mydest.com:8080/cgi-bin/myscript

What do you want to type in the browser?
What do you want it to produce?
What do your proxy directives look like?

rgds,

Owen Boyle.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ssl proxy

> What i type in the browser is the url to myscript (see original note
> below).
>
> What i want displayed is simply the output of myscript (which i DO
> get successfully if i point directly at the destination, again, as i
> note below.
>
> -george
If you show us your exact proxy directive, it would help. You are probably missing the port.
Thus, your ProxyPass (and ProxyPassReverse) should say:
ProxyPass / http://my.dest.com:8080/
Aryeh
---
Aryeh Katz
VASCO
www.vasco.com

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org