1 certificate for several sites using redirection ?

am 12.06.2002 11:17:47 von Wim Godden

Hi,

I'd like to use a certificate to secure several of our subdomains...
buying hundreds of certificates is simply too expensive.
Is there some way to do this :

- Install certificate on secure.ourdomain.com
- Let people surf to
https://secure.ourdomain.com/other-subdomain.ourdomain.com/w hat-ever-page.html

Thanks in advance.

Greetings,

Wim Godden

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: 1 certificate for several sites using redirection ?

am 12.06.2002 11:23:39 von Peter Viertel

You could do that using reverse proxy, ie mod_proxy.
Redirects are not going to help.

Wim Godden wrote:

>Hi,
>
>I'd like to use a certificate to secure several of our subdomains...
>buying hundreds of certificates is simply too expensive.
>Is there some way to do this :
>
>- Install certificate on secure.ourdomain.com
>- Let people surf to
>https://secure.ourdomain.com/other-subdomain.ourdomain.com/ what-ever-page.html
>
>Thanks in advance.
>
>
>Greetings,
>
>Wim Godden
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: 1 certificate for several sites using redirection ?

am 12.06.2002 11:27:53 von John.Airey

There's always the possibility of a wildcard certificate, but you'd need to
have the same domain name throughout. Some browsers don't work with them.

See www.thawte.com for details.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Is the statement 'There is no such thing as truth' true?

> -----Original Message-----
> From: Peter Viertel [mailto:peter.viertel@itaction.co.uk]
> Sent: 12 June 2002 10:24
> To: modssl-users@modssl.org
> Subject: Re: 1 certificate for several sites using redirection ?
>
>
> You could do that using reverse proxy, ie mod_proxy.
> Redirects are not going to help.
>
> Wim Godden wrote:
>
> >Hi,
> >
> >I'd like to use a certificate to secure several of our subdomains...
> >buying hundreds of certificates is simply too expensive.
> >Is there some way to do this :
> >
> >- Install certificate on secure.ourdomain.com
> >- Let people surf to
> >https://secure.ourdomain.com/other-subdomain.ourdomain.com/ wh
> at-ever-page.html
> >
> >Thanks in advance.
> >
> >
> >Greetings,
> >
> >Wim Godden
> >
> >___________________________________________________________ __
> _________
> >Apache Interface to OpenSSL (mod_ssl)
www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to
find out all about it.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: 1 certificate for several sites using redirection ?

am 12.06.2002 12:06:15 von Wim Godden

proxypass /test http://other-subdomain.ourdomain.com
doesn't work properly... I get errors about the images being insecure and all links
point to the wrong position.

Peter Viertel wrote:

> You could do that using reverse proxy, ie mod_proxy.
> Redirects are not going to help.
>
> Wim Godden wrote:
>
> >Hi,
> >
> >I'd like to use a certificate to secure several of our subdomains...
> >buying hundreds of certificates is simply too expensive.
> >Is there some way to do this :
> >
> >- Install certificate on secure.ourdomain.com
> >- Let people surf to
> >https://secure.ourdomain.com/other-subdomain.ourdomain.com/ what-ever-page.html
> >
> >Thanks in advance.
> >
> >
> >Greetings,
> >
> >Wim Godden
> >
> >___________________________________________________________ ___________
> >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >User Support Mailing List modssl-users@modssl.org
> >Automated List Manager majordomo@modssl.org
> >
> >
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org

--
------
Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief hoogstaande sites !

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: 1 certificate for several sites using redirection ?

am 12.06.2002 12:21:19 von John.Airey

Sounds like you have some absolute links rather than relative links. You can
also use
proxypass /test https://other-subdomain.ourdomain.com

If the data needs to be secured between the proxy and the destination
server.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

Is the statement 'There is no such thing as truth' true?

> -----Original Message-----
> From: Wim Godden [mailto:wim@godden.net]
> Sent: 12 June 2002 11:06
> To: modssl-users@modssl.org
> Subject: Re: 1 certificate for several sites using redirection ?
>
>
> proxypass /test http://other-subdomain.ourdomain.com
> doesn't work properly... I get errors about the images being
> insecure and all links
> point to the wrong position.
>
>
> Peter Viertel wrote:
>
> > You could do that using reverse proxy, ie mod_proxy.
> > Redirects are not going to help.
> >
> > Wim Godden wrote:
> >
> > >Hi,
> > >
> > >I'd like to use a certificate to secure several of our
> subdomains...
> > >buying hundreds of certificates is simply too expensive.
> > >Is there some way to do this :
> > >
> > >- Install certificate on secure.ourdomain.com
> > >- Let people surf to
> >
> >https://secure.ourdomain.com/other-subdomain.ourdomain.com/ wh
at-ever-page.html
> >
> >Thanks in advance.
> >
> >
> >Greetings,
> >
> >Wim Godden
> >
> >___________________________________________________________ ___________
> >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >User Support Mailing List modssl-users@modssl.org
> >Automated List Manager majordomo@modssl.org
> >
> >
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org

--
------
Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief hoogstaande
sites !

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to
find out all about it.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: 1 certificate for several sites using redirection ?

am 12.06.2002 12:21:19 von John.Airey

Re: 1 certificate for several sites using redirection ?

am 12.06.2002 13:50:12 von Peter Viertel

yes, i think thats whats happening - you need to review the website
content you are pointing at. For this to work you can't have any
absolute hrefs, and also the backend site may issue redirects, for these
to work you need a ProxyPassReverse which will rewrite the Location:
header on any redirects the backend site may send.

For example:

ProxyPass /test http://other.subdomain.ourdomain.com/
ProxyPassReverse /test http://other.subdomain.ourdomain.com/

proxypassreverse unfortunately is not case insensitive, and the backend
webserver may refer to itself canonically, so the location headers may
have another hostname. Either fix up the backend webserver to match the
proxypassreverse, or add extra proxypassreverse lines.

The most common cause of redirects is the / bug handlers of tomcat, and
IIS which kick in if your url ends with / and that resolves to a
directory, then the webserver looks up what the directoryindex script is
(eg. index.html) and sends a redirect. This is something to do with
early revision browser releases, I have no idea which ones or if it
matters anymore.

Also note that mod_proxy got a big upgrade at apache release 1.3.23 that
may help things along too in certain cases.

John.Airey@rnib.org.uk wrote:

>Sounds like you have some absolute links rather than relative links. You can
>also use
>proxypass /test https://other-subdomain.ourdomain.com
>
>If the data needs to be secured between the proxy and the destination
>server.
>
>-
>John Airey
>Internet systems support officer, ITCSD, Royal National Institute of the
>Blind,
>Bakewell Road, Peterborough PE2 6XU,
>Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
>
>Is the statement 'There is no such thing as truth' true?
>
>
>
>
>>-----Original Message-----
>>From: Wim Godden [mailto:wim@godden.net]
>>Sent: 12 June 2002 11:06
>>To: modssl-users@modssl.org
>>Subject: Re: 1 certificate for several sites using redirection ?
>>
>>
>>proxypass /test http://other-subdomain.ourdomain.com
>>doesn't work properly... I get errors about the images being
>>insecure and all links
>>point to the wrong position.
>>
>>
>>Peter Viertel wrote:
>>
>>
>>
>>>You could do that using reverse proxy, ie mod_proxy.
>>>Redirects are not going to help.
>>>
>>>Wim Godden wrote:
>>>
>>>
>>>
>>>>Hi,
>>>>
>>>>I'd like to use a certificate to secure several of our
>>>>
>>>>
>>subdomains...
>>
>>
>>>>buying hundreds of certificates is simply too expensive.
>>>>Is there some way to do this :
>>>>
>>>>- Install certificate on secure.ourdomain.com
>>>>- Let people surf to
>>>>
>>>>
>>>https://secure.ourdomain.com/other-subdomain.ourdomain.co m/wh
>>>
>>>
>at-ever-page.html
>
>
>>>Thanks in advance.
>>>
>>>
>>>Greetings,
>>>
>>>Wim Godden
>>>
>>>_________________________________________________________ _____________
>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>User Support Mailing List modssl-users@modssl.org
>>>Automated List Manager majordomo@modssl.org
>>>
>>>
>>>
>>>
>>__________________________________________________________ ____________
>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>User Support Mailing List modssl-users@modssl.org
>>Automated List Manager majordomo@modssl.org
>>
>>
>
>--
>------
>Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief hoogstaande
>sites !
>
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>-
>
>NOTICE: The information contained in this email and any attachments is
>confidential and may be legally privileged. If you are not the
>intended recipient you are hereby notified that you must not use,
>disclose, distribute, copy, print or rely on this email's content. If
>you are not the intended recipient, please notify the sender
>immediately and then delete the email and any attachments from your
>system.
>
>RNIB has made strenuous efforts to ensure that emails and any
>attachments generated by its staff are free from viruses. However, it
>cannot accept any responsibility for any viruses which are
>transmitted. We therefore recommend you scan all attachments.
>
>Please note that the statements and views expressed in this email
>and any attachments are those of the author and do not necessarily
>represent those of RNIB.
>
>RNIB Registered Charity Number: 226227
>
>Website: http://www.rnib.org.uk
>
>14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to
>find out all about it.
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: 1 certificate for several sites using redirection ?

am 12.06.2002 13:50:12 von Peter Viertel

Re: 1 certificate for several sites using redirection ?

am 12.06.2002 14:08:55 von Wim Godden

So there's no system which allows me to really proxy pages and 'modify' them so
that all future connections go through this 'proxy' as well ?

Greetings,

Wim

Peter Viertel wrote:

> yes, i think thats whats happening - you need to review the website
> content you are pointing at. For this to work you can't have any
> absolute hrefs, and also the backend site may issue redirects, for these
> to work you need a ProxyPassReverse which will rewrite the Location:
> header on any redirects the backend site may send.
>
> For example:
>
> ProxyPass /test http://other.subdomain.ourdomain.com/
> ProxyPassReverse /test http://other.subdomain.ourdomain.com/
>
> proxypassreverse unfortunately is not case insensitive, and the backend
> webserver may refer to itself canonically, so the location headers may
> have another hostname. Either fix up the backend webserver to match the
> proxypassreverse, or add extra proxypassreverse lines.
>
> The most common cause of redirects is the / bug handlers of tomcat, and
> IIS which kick in if your url ends with / and that resolves to a
> directory, then the webserver looks up what the directoryindex script is
> (eg. index.html) and sends a redirect. This is something to do with
> early revision browser releases, I have no idea which ones or if it
> matters anymore.
>
> Also note that mod_proxy got a big upgrade at apache release 1.3.23 that
> may help things along too in certain cases.
>
> John.Airey@rnib.org.uk wrote:
>
> >Sounds like you have some absolute links rather than relative links. You can
> >also use
> >proxypass /test https://other-subdomain.ourdomain.com
> >
> >If the data needs to be secured between the proxy and the destination
> >server.
> >
> >-
> >John Airey
> >Internet systems support officer, ITCSD, Royal National Institute of the
> >Blind,
> >Bakewell Road, Peterborough PE2 6XU,
> >Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
> >
> >Is the statement 'There is no such thing as truth' true?
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: Wim Godden [mailto:wim@godden.net]
> >>Sent: 12 June 2002 11:06
> >>To: modssl-users@modssl.org
> >>Subject: Re: 1 certificate for several sites using redirection ?
> >>
> >>
> >>proxypass /test http://other-subdomain.ourdomain.com
> >>doesn't work properly... I get errors about the images being
> >>insecure and all links
> >>point to the wrong position.
> >>
> >>
> >>Peter Viertel wrote:
> >>
> >>
> >>
> >>>You could do that using reverse proxy, ie mod_proxy.
> >>>Redirects are not going to help.
> >>>
> >>>Wim Godden wrote:
> >>>
> >>>
> >>>
> >>>>Hi,
> >>>>
> >>>>I'd like to use a certificate to secure several of our
> >>>>
> >>>>
> >>subdomains...
> >>
> >>
> >>>>buying hundreds of certificates is simply too expensive.
> >>>>Is there some way to do this :
> >>>>
> >>>>- Install certificate on secure.ourdomain.com
> >>>>- Let people surf to
> >>>>
> >>>>
> >>>https://secure.ourdomain.com/other-subdomain.ourdomain.co m/wh
> >>>
> >>>
> >at-ever-page.html
> >
> >
> >>>Thanks in advance.
> >>>
> >>>
> >>>Greetings,
> >>>
> >>>Wim Godden
> >>>
> >>>_________________________________________________________ _____________
> >>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >>>User Support Mailing List modssl-users@modssl.org
> >>>Automated List Manager majordomo@modssl.org
> >>>
> >>>
> >>>
> >>>
> >>__________________________________________________________ ____________
> >>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >>User Support Mailing List modssl-users@modssl.org
> >>Automated List Manager majordomo@modssl.org
> >>
> >>
> >
> >--
> >------
> >Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief hoogstaande
> >sites !
> >
> >
> >___________________________________________________________ ___________
> >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >User Support Mailing List modssl-users@modssl.org
> >Automated List Manager majordomo@modssl.org
> >
> >-
> >
> >NOTICE: The information contained in this email and any attachments is
> >confidential and may be legally privileged. If you are not the
> >intended recipient you are hereby notified that you must not use,
> >disclose, distribute, copy, print or rely on this email's content. If
> >you are not the intended recipient, please notify the sender
> >immediately and then delete the email and any attachments from your
> >system.
> >
> >RNIB has made strenuous efforts to ensure that emails and any
> >attachments generated by its staff are free from viruses. However, it
> >cannot accept any responsibility for any viruses which are
> >transmitted. We therefore recommend you scan all attachments.
> >
> >Please note that the statements and views expressed in this email
> >and any attachments are those of the author and do not necessarily
> >represent those of RNIB.
> >
> >RNIB Registered Charity Number: 226227
> >
> >Website: http://www.rnib.org.uk
> >
> >14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to
> >find out all about it.
> >
> >___________________________________________________________ ___________
> >Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> >User Support Mailing List modssl-users@modssl.org
> >Automated List Manager majordomo@modssl.org
> >
> >
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org

--
------
Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief hoogstaande sites
!

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: 1 certificate for several sites using redirection ?

am 12.06.2002 14:08:55 von Wim Godden

Re: 1 certificate for several sites using redirection ?

am 12.06.2002 14:35:04 von Peter Viertel

thats basically right.

the proxy spec in http/1.1 etc copes with rewriting headers - but
nothing I've seen rewrites the actual html content - this would be
possible of course, but there would have to be a new module for apache
to do it, and architecturally you'd be creating a potential bottleneck
as the proxy server would have to parse all of the content passing
through it.

Wim Godden wrote:

>So there's no system which allows me to really proxy pages and 'modify' them so
>that all future connections go through this 'proxy' as well ?
>
>Greetings,
>
>Wim
>
>Peter Viertel wrote:
>
>
>
>>yes, i think thats whats happening - you need to review the website
>>content you are pointing at. For this to work you can't have any
>>absolute hrefs, and also the backend site may issue redirects, for these
>>to work you need a ProxyPassReverse which will rewrite the Location:
>>header on any redirects the backend site may send.
>>
>> For example:
>>
>>ProxyPass /test http://other.subdomain.ourdomain.com/
>>ProxyPassReverse /test http://other.subdomain.ourdomain.com/
>>
>>proxypassreverse unfortunately is not case insensitive, and the backend
>>webserver may refer to itself canonically, so the location headers may
>>have another hostname. Either fix up the backend webserver to match the
>>proxypassreverse, or add extra proxypassreverse lines.
>>
>>The most common cause of redirects is the / bug handlers of tomcat, and
>>IIS which kick in if your url ends with / and that resolves to a
>>directory, then the webserver looks up what the directoryindex script is
>>(eg. index.html) and sends a redirect. This is something to do with
>>early revision browser releases, I have no idea which ones or if it
>>matters anymore.
>>
>>Also note that mod_proxy got a big upgrade at apache release 1.3.23 that
>>may help things along too in certain cases.
>>
>>John.Airey@rnib.org.uk wrote:
>>
>>
>>
>>>Sounds like you have some absolute links rather than relative links. You can
>>>also use
>>>proxypass /test https://other-subdomain.ourdomain.com
>>>
>>>If the data needs to be secured between the proxy and the destination
>>>server.
>>>
>>>-
>>>John Airey
>>>Internet systems support officer, ITCSD, Royal National Institute of the
>>>Blind,
>>>Bakewell Road, Peterborough PE2 6XU,
>>>Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
>>>
>>>Is the statement 'There is no such thing as truth' true?
>>>
>>>
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Wim Godden [mailto:wim@godden.net]
>>>>Sent: 12 June 2002 11:06
>>>>To: modssl-users@modssl.org
>>>>Subject: Re: 1 certificate for several sites using redirection ?
>>>>
>>>>
>>>>proxypass /test http://other-subdomain.ourdomain.com
>>>>doesn't work properly... I get errors about the images being
>>>>insecure and all links
>>>>point to the wrong position.
>>>>
>>>>
>>>>Peter Viertel wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>You could do that using reverse proxy, ie mod_proxy.
>>>>>Redirects are not going to help.
>>>>>
>>>>>Wim Godden wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hi,
>>>>>>
>>>>>>I'd like to use a certificate to secure several of our
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>subdomains...
>>>>
>>>>
>>>>
>>>>
>>>>>>buying hundreds of certificates is simply too expensive.
>>>>>>Is there some way to do this :
>>>>>>
>>>>>>- Install certificate on secure.ourdomain.com
>>>>>>- Let people surf to
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>https://secure.ourdomain.com/other-subdomain.ourdomain. com/wh
>>>>>
>>>>>
>>>>>
>>>>>
>>>at-ever-page.html
>>>
>>>
>>>
>>>
>>>>>Thanks in advance.
>>>>>
>>>>>
>>>>>Greetings,
>>>>>
>>>>>Wim Godden
>>>>>
>>>>>_______________________________________________________ _______________
>>>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>>>User Support Mailing List modssl-users@modssl.org
>>>>>Automated List Manager majordomo@modssl.org
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>________________________________________________________ ______________
>>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>>User Support Mailing List modssl-users@modssl.org
>>>>Automated List Manager majordomo@modssl.org
>>>>
>>>>
>>>>
>>>>
>>>--
>>>------
>>>Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief hoogstaande
>>>sites !
>>>
>>>
>>>_________________________________________________________ _____________
>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>User Support Mailing List modssl-users@modssl.org
>>>Automated List Manager majordomo@modssl.org
>>>
>>>-
>>>
>>>NOTICE: The information contained in this email and any attachments is
>>>confidential and may be legally privileged. If you are not the
>>>intended recipient you are hereby notified that you must not use,
>>>disclose, distribute, copy, print or rely on this email's content. If
>>>you are not the intended recipient, please notify the sender
>>>immediately and then delete the email and any attachments from your
>>>system.
>>>
>>>RNIB has made strenuous efforts to ensure that emails and any
>>>attachments generated by its staff are free from viruses. However, it
>>>cannot accept any responsibility for any viruses which are
>>>transmitted. We therefore recommend you scan all attachments.
>>>
>>>Please note that the statements and views expressed in this email
>>>and any attachments are those of the author and do not necessarily
>>>represent those of RNIB.
>>>
>>>RNIB Registered Charity Number: 226227
>>>
>>>Website: http://www.rnib.org.uk
>>>
>>>14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to
>>>find out all about it.
>>>
>>>_________________________________________________________ _____________
>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>User Support Mailing List modssl-users@modssl.org
>>>Automated List Manager majordomo@modssl.org
>>>
>>>
>>>
>>>
>>__________________________________________________________ ____________
>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>User Support Mailing List modssl-users@modssl.org
>>Automated List Manager majordomo@modssl.org
>>
>>
>
>--
>------
>Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief hoogstaande sites
>!
>
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: 1 certificate for several sites using redirection ?

am 12.06.2002 16:33:10 von David Marshall

To rewrite content you might look at the Perl module Apache::ProxyRewrite. I
was given an assignment to Front-end MS EXCHANGE OWA with Apache HTTPS.
After review of options, I took a copy of the Perl module
Apache::ProxyRewrite and added the ability to ReplaceText in the content as
well, I renamed it ProxyRewriteReplace. This was my 1st excursion into Perl
and I've never gotten the time to fully complete/test the module (example,
the documentation is from ProxyReplace). I also only tested it as far as to
meet our objective of Proxying MS Exchange. I don;t know if this will help,
but I've included my ProxyRewriteReplace source.

To solve Bottlenecks, we run a loadbalancer in front of a balanced set of
identically configured proxy servers. But it is surprising how fast content
can be rewritten. In our case content is only re-written by Location, so
bottlenecks are limited to what needs to be re-rwitten.

Here is an example useage proxying MS Exchange 5.5 OWA. In the example,
External DNS for svr.com resolves to the load balancer(s). Internal DNS (or
/etc/hosts) resolves svr.com to the real MS Exchange OWA server. We run a
firewall between the proxy server and the MS Exchange server.

SetHandler perl-script
PerlHandler Apache::ProxyRewriteReplace

PerlSetVar ProxyTo http://svr.com/exchange
PerlSetVar ProxyAuthRedirect Off
PerlSetVar ProxyShrinkURI On
PerlSetVar ProxyReplaceText "http://svr.com => https://svr.com"

SetHandler perl-script
PerlHandler Apache::ProxyRewriteReplace

PerlSetVar ProxyTo http://svr.com/exchweb
PerlSetVar ProxyAuthRedirect Off
PerlSetVar ProxyShrinkURI On
PerlSetVar ProxyReplaceText "http://svr.com => https://svr.com"

Hope this is useful
David Marshall

# $Id: ProxyRewriteReplace.pm,v 0.01 2001/10/22 20:45:44 dmarshall Exp $
#
# Author : David Marshall (From ProxyRewrite)
# Created On : Oct 22 12:04:00 CDT 2001
# Status : Functional
#
# PURPOSE
# Proxy requests
# 1. rewrite embedded URLs according to configuration
# 2. replace embedded proxied text according to configuration
#
############################################################ ################
###

# Package name
package Apache::ProxyRewriteReplace;

# Required libraries
use strict;
use Apache;
use Apache::Constants qw(OK AUTH_REQUIRED DECLINED DONE);
use Apache::Log;
use Apache::URI;
use LWP::UserAgent;
use URI::Escape qw(uri_unescape);

# Global variables
$Apache::ProxyRewriteReplace::VERSION = '0.1';
$Apache::ProxyRewriteReplace::PRODUCT = 'ProxyRewriteReplace/' .
$Apache::ProxyRewriteReplace::VERSION;
my %LINK_ELEMENTS =
( # These represent all the possible valid tags that have links in them
'a' => 'href',
'applet' => {
'archive' => 1,
'code' => 1,
'codebase' => 1,
},
'area' => 'href',
'base' => 'href',
'body' => 'background',
'embed' => 'src',
'form' => 'action',
'frame' => 'src',
'img' => {
'src' => 1,
'lowsrc' => 1,
'usemap' => 1,
},
'input' => 'src',
'isindex' => 'action',
'link' => {
'href' => 1,
'src' => 1,
},
'meta' => {
'content' => 1,
'http-equiv' => 1,
},
'object' => {
'classid' => 1,
'codebase' => 1,
'data' => 1,
'name' => 1,
'usemap' => 1,
},
'script' => 'src',
'td' => 'background',
'th' => 'background',
'tr' => 'background',
);

############################################################ ################
###
############################################################ ################
###
# handler: hook into Apache/mod_perl API
############################################################ ################
###
############################################################ ################
###
sub handler {
my $r = shift;
my %mappings = ();
my %text_replacements = ();
my ($auth_info, $auth_redirect, $remote_location, $shrink_uri) = undef;

%mappings = split(/\s*(?:=>|,)\s*/, $r->dir_config('ProxyRewriteURI'));
%text_replacements = split(/\s*(?:=>|,)\s*/,
$r->dir_config('ProxyReplaceText'));
$auth_info = $r->dir_config('ProxyAuthInfo');
$auth_redirect = $r->dir_config('ProxyAuthRedirect') || 'Off';
$shrink_uri = $r->dir_config('ProxyShrinkURI') || 'Off';
if ($r->dir_config('ProxyTo')) {
$remote_location = $r->dir_config('ProxyTo');
} else {
$r->log->error("ProxyRewriteReplace::handler: ProxyTo directive must be
defined");
return DECLINED;
}

# Automatically add a mapping for the remote relative URI and the
# current location. Also capture remote site information.
$remote_location =~ m!^([^:]+://[^/]+)(/?.*)!;
my $remote_site = $1;
if ($2) {
$mappings{$2} = $r->location;
} elsif ($r->location eq '/') {
$mappings{'/'} = $r->location;
} else {
$mappings{'/'} = $r->location . '/';
}

$r->log->debug("handler: Remote Site - $remote_site");
$r->log->debug("handler: Remote Location - $remote_location");
$r->log->debug("handler: Auth Info - $auth_info");
$r->log->debug("handler: Shrink URI - $shrink_uri");
foreach (keys(%mappings)) {
$r->log->debug("handler: Mapping $_ to $mappings{$_}");
}
foreach (keys(%text_replacements)) {
$r->log->debug("handler: Text Replacements $_ to
$text_replacements{$_}");
}

# fetch URL
$r->log->info("ProxyRewriteReplace: Preparing to fetch ", $r->uri,
" at time ", time);
my $response = &fetch($r, $remote_location, $auth_info);

# rewrite response URIs as needed
$r->log->info("ProxyRewriteReplace: Preparing to rewrite URIs for ",
$r->uri,
" at time ", time);
if ($response->header('Content-type') =~ m!^text/html!) {
$r->log->debug("handler: text/html found");
&parse($r, $remote_site, $response, $shrink_uri, \%mappings);
}

# respond to client
$r->log->info("ProxyRewriteReplace: Preparing to respond for ", $r->uri,
" at time ", time);
&respond($r, $remote_site, $remote_location, $auth_redirect,
$response, \%mappings, \%text_replacements );

return OK;
}

############################################################ ################
###
############################################################ ################
###
# fetch: fetch the remote URL and return a reference to the response object
############################################################ ################
###
############################################################ ################
###
sub fetch {
my ($r, $remote_location, $auth_info) = @_;
my $client_agent = '';
my $my_uri = '';
my ($k, $v);
my $base = $r->location();
my $args = $r->args();
if ($base ne '/') {
($my_uri = $r->uri) =~ s/^$base//;
} else {
$my_uri = $r->uri;
}
$my_uri = $remote_location . $my_uri;
$my_uri .= '?' . $r->args() if $args;

my $request = HTTP::Request->new($r->method, $my_uri);

$r->log->info("ProxyRewriteReplace::fetch: Time proxy request method
created: ", time);
$r->log->debug("fetch: Base URI (aka location section): $base");
$r->log->info("ProxyRewriteReplace::fetch: Request for $my_uri with method
", $r->method);

my(%headers_in) = $r->headers_in;
while(($k,$v) = each %headers_in) {
# HACK to force no Keep-Alives on the connection between proxy
# and remote server
$r->log->debug("fetch: IN $k: $v");
if ($k =~ /Connection/) {
$v = "Close";
} elsif ($k =~ /Host/) {
($v) = ($remote_location =~ m!://([^/]+)!);
} elsif ($k =~ /Referer/) {
$v =~ s/.*(https?:\/\/.*)/$1/;
}
if ($k =~ /User-Agent/) {
$client_agent = $v;
}
$v = uri_unescape($v);
$request->header($k,$v);
$r->log->debug("fetch: IN-MOD $k: $v");
}

# If we have authorization information and it isn't already filled in
if ($auth_info && !$request->authorization()) {
$request->authorization($auth_info);
}

if ($r->method eq "POST") {
my $content;
if ($r->headers_in->{'Content-type'} eq
'application/x-www-form-urlencoded') {
$content = $r->content;
} else {
$r->read($content, $r->headers_in->{'Content-length'});
}
$request->content($content);
$r->log->debug("fetch: Request type: ", $r->method);
$r->log->debug("fetch: Request content type: ",
$r->headers_in->{'Content-type'});
$r->log->debug("fetch: Request content: $content");
}

$r->log->debug("fetch: Product: $Apache::ProxyRewriteReplace::PRODUCT");
my $ua = new LWP::UserAgent;
if ($client_agent ne '') {
$ua->agent("$client_agent; $Apache::ProxyRewriteReplace::PRODUCT");
} else {
$ua->agent("$Apache::ProxyRewriteReplace::PRODUCT");
}
my $res = $ua->simple_request($request);
$r->log->info("ProxyRewriteReplace::fetch: Time proxy got document: ",
time);
$r->log->info("ProxyRewriteReplace::fetch: Original document size: ",
length($res->content));
$r->log->info("ProxyRewriteReplace::fetch: Original document: ",
$res->content);
return($res);
}

############################################################ ################
###
############################################################ ################
###
# parse: parse HTML and find all embedded URLs
############################################################ ################
###
############################################################ ################
###
sub parse {
my ($r, $remote_site, $response, $shrink_uri, $mapref) = @_;
my $buf = $response->content;
my ($lessthanpos, $greaterthanpos, $prediff, $diff,
$preblock, $tagblock, $lastblock);
my $pos = 0;
my $newbuf = '';
my $iscomment = 0;
my $buflen = length($buf);

while (($lessthanpos = index($buf, "<", $pos)) > -1) {
# Make a special case out of the comment in case there
# are nested tags within the comment, such as javascript code
# fragments. Not necessarily our problem, but it doesn't hurt much
# to deal with it.
if (substr($buf, $lessthanpos + 1, 3) eq '!--') {
$greaterthanpos = index($buf, "-->", $lessthanpos);
$iscomment = 1;
} else {
$greaterthanpos = index($buf, ">", $lessthanpos);
}
$prediff = $lessthanpos - $pos;
$diff = $greaterthanpos - $lessthanpos - 1;
$preblock = substr($buf, $pos, $prediff + 1);
$tagblock = substr($buf, $lessthanpos + 1, $diff);
if ($iscomment == 0) {
$r->log->debug("parse: Dealing with tag block: $tagblock");
&dealwithtag($r, $remote_site, \$tagblock, $shrink_uri, $mapref);
$r->log->debug("parse: Edited tag block: $tagblock");
} else {
$r->log->debug("parse: Skipped comment tag block");
$iscomment = 0;
}
$newbuf .= "$preblock$tagblock";
$pos = $greaterthanpos;
# If a tag isn't properly closed at the end of a document, we need to
# force an end to the loop.
last if ($pos == -1);
}
$lastblock = substr($buf, $pos, $buflen);
$newbuf .= "$lastblock";

$response->content($newbuf);
}

############################################################ ################
###
############################################################ ################
###
# dealwithtag: decides if there a URL in a tag and sends it to be rewritten
############################################################ ################
###
############################################################ ################
###
sub dealwithtag {
my ($r, $remote_site, $tagblock, $shrink_uri, $mapref) = @_;
my @blocks;
my ($tag, $lctag, $key, $lckey, $value, $lcvalue, $delay, $tmp, $i);
my $done = 0;
my $refresh = 0;

# Remove spaces around equal signs, eg 'src = bar' becomes 'src=bar'
$$tagblock =~ s/\s*(=)\s*/$1/g;
# Remove all other forms of whitespace in block
$$tagblock =~ s/(\f|\n|\r|\t)+/ /g;
# Remove leading spaces in block, eg < img ...> becomes
$$tagblock =~ s/^\s+//;
# Remove leading and trailing whitespace within quotes
$$tagblock =~ s/(=[\"\'])\s*/$1/g;
$$tagblock =~ s/\s*([\"\'])/$1/g;
# need to skip "base href="
$lctag = lc($$tagblock);
if ($lctag =~ /base href/) {
$r->log->debug("dealwithtag: skipping base href found in
$$tagblock");
}
else {
@blocks = split(/\s+/, $$tagblock);
$tag = shift(@blocks);
#lowercase tag for table comparison
$lctag = lc($tag);
if (exists($LINK_ELEMENTS{$lctag})) {
$$tagblock = $tag;
for ($i = 0; $i < @blocks; $i++) {
if ($blocks[$i] =~ /=/) {
($key, $value) = split(/=/, $blocks[$i], 2);
$lckey = lc($key);
if ($lctag =~ /(applet|img|link|meta|object)/) {
if (exists($LINK_ELEMENTS{$lctag}{$lckey})) {
$value =~ s/(\"|\')//g;
if ($lctag eq 'meta') {
$lcvalue = lc($value);
if ($lckey eq 'http-equiv') {
if ($lcvalue eq 'refresh') {
$refresh = 1;
}
$$tagblock .= " $key=\"$value\"";
next;
} else {
# Must be a content key
while (!$done && $i < @blocks) {
$value .= " $blocks[++$i]";
if (1 == ($value =~ s/\"//g)) {
$done = 1;
}
}
$done = 0;
if ($refresh) {
$tmp = $value;
$value =~ /(\d)+\;\s*url=([^;\s]+)/i;
$delay = $1;
$value = $2;
} else {
$$tagblock .= " $key=\"$value\"";
next;
}
}
}
# deal with potential codebase issues
if ($lctag eq 'applet' || $lctag eq 'object') {
# Must deal with later
}
&rewrite_url($r, $remote_site, \$value, $mapref);
if ($lctag eq 'meta' && $refresh) {
$refresh = 0;
$r->headers_out->{'Refresh'} = "$delay; $value";
$tmp =~ s/(url=)[^;\s]+/$1$value/i;
$value = $tmp;
}
$$tagblock .= " $key=\"$value\"";
} else {
$$tagblock .= " $blocks[$i]";
}
} elsif ($lckey eq $LINK_ELEMENTS{$lctag}) {
$value =~ s/(\"|\')//g;
&rewrite_url($r, $remote_site, \$value, $shrink_uri, $mapref);
$$tagblock .= " $key=\"$value\"";
} else {
$$tagblock .= " $blocks[$i]";
}
} else {
$$tagblock .= " $blocks[$i]";
}
}
}
}
}

############################################################ ################
###
############################################################ ################
###
# rewrite_url: rewrite URLs as per the mappings hash
############################################################ ################
###
############################################################ ################
###
sub rewrite_url {
my ($r, $remote_site, $url, $shrink_uri, $mapref) = @_;

$r->log->debug("rewrite_url: Looking at rewriting $$url");
$r->log->debug("remote_site: $remote_site");
$r->log->debug("shrink_uri: $shrink_uri");

if ($shrink_uri eq 'On') {
# Remove remote_site from URI to get just the relative-from-root
information
if ($$url =~ s/^$remote_site//) {
$r->log->debug("rewrite_url: Shrunk to $$url");
}
}

# Ensure we go from most to least specific rewrite
foreach my $mapping (sort { $b cmp $a } keys(%$mapref)) {
$r->log->debug("rewrite_url: Testing match of $mapping ",
"($$mapref{$mapping})");
last if ($$url =~ s/^$mapping/$$mapref{$mapping}/);
}
}

############################################################ ################
###
############################################################ ################
###
# replace_text: replace text as per the replacement_texts hash
############################################################ ################
###
############################################################ ################
###
sub replace_text {
my ($r, $response, $replace_ref) = @_;
my $buf = $response->content;
my $lookstr = 0;
my $replacestr = 0;
$r->log->debug("replace_text: before buf: $buf");
# Ensure we go from most to least specific rewrite
foreach $lookstr (sort { $b cmp $a } keys(%$replace_ref)) {
$replacestr = $$replace_ref{$lookstr};
$r->log->debug("replace_text: to replace $lookstr with $replacestr");
$buf =~ s/$lookstr/$replacestr/g;
}
$r->log->debug("replace_text: after buf: $buf");
$response->content($buf);
$r->log->debug("replace_text: after content: $response->content");
}

############################################################ ################
###
############################################################ ################
###
# respond: respond to the client
############################################################ ################
###
############################################################ ################
###
sub respond {
my ($r, $remote_site, $remote_location, $auth_redirect,
$response, $mapref, $replace_ref) = @_;
my $parsed_uri = Apache::URI->parse($r);

$r->log->debug("respond: URI: ", $r->uri);
$r->log->debug("respond: Parsed hostinfo: ", $parsed_uri->hostinfo());

# feed reponse back into our request_record
$response->scan(sub {
my ($header, $value) = @_;
$r->log->debug("respond: OUT $header: $value");
if ($header =~ /^Set-Cookie/i) {
$value =~ /path=([^;]+)/i;
my $cookie_path = $1;
&rewrite_url($r, $remote_site, \$cookie_path,
$mapref);
$value =~ s/(path=)([^;]+)/$1$cookie_path/i;
$r->log->debug("respond: OUT-MOD $header: $value");
}
$r->headers_out->{$header} = $value;
});
$r->content_type($response->header('Content-type'));
$r->status($response->code);
$r->status_line(join " ", $response->code, $response->message);

# deal with redirects
if ($r->status =~ /(301|302)/) {
my $location = $response->header('Location');
&rewrite_url($r, $remote_site, \$location, $mapref);
# Only modify location is rewritten URL is relative
unless ($location =~ m!://!) {
$location = $parsed_uri->scheme . '://' . $parsed_uri->hostinfo .
$location;
}
$r->log->debug("respond: Location: $location");
$r->headers_out->{'Location'} = $location;
}

# deal with auth required redirects
if ($r->status == 401 && $auth_redirect =~ /^on$/i) {
my $base = $r->location();
my $location = '';
if ($base ne '/') {
($location = $r->uri) =~ s/^$base//;
} else {
$location = $r->uri;
}
$location = $remote_location . $location;
$r->status('302');
$r->status_line(join " ", '302', 'Moved Temporarily');
$r->log->debug("respond: Location: $location");
$r->headers_out->{'Location'} = $location;
$response->content(undef);
}

&replace_text($r, $response, $replace_ref);

if (length($response->content) != 0) {
$r->headers_out->{'Content-length'} = length($response->content);
} else {
# HEAD request, must populate with what backend said
$r->headers_out->{'Content-length'} = length($response->content);
}

$r->log->debug("respond: Status: ", $r->status);
$r->log->debug("respond: Status Line: ", $r->status_line);
$r->log->debug("respond: Final Content: ", $response->content);

$r->send_http_header();

$r->print($response->content);
}

1;

__END__

# Documentation - try 'pod2text ProxyRewriteReplace'

=head1 NAME

Apache::ProxyRewriteReplace - mod_perl URL-rewriting proxy

=head1 SYNOPSIS

SetHandler perl-script
PerlHandler Apache::ProxyRewriteReplace

PerlSetVar ProxyTo http://www.tivoli.com
PerlSetVar ProxyAuthInfo "BASIC aGb2c3ewenQ6amF4szzmY3b="
PerlSetVar ProxyAuthRedirect On
PerlSetVar ProxyRewriteReplace "https://www.tivoli.com/secure =>
/secure"

SetHandler perl-script
PerlHandler Apache::ProxyRewriteReplace

PerlSetVar ProxyTo https://www.tivoli.com/secure
PerlSetVar ProxyAuthInfo "BASIC aGb2c3ewenQ6amF4szzmY3b="
PerlSetVar ProxyAuthRedirect Off
PerlSetVar ProxyRewriteReplace "http://www.tivoli.com/ => /"

=head1 DESCRIPTION

B acts as a reverse-proxy that will rewrite
URLs embedded in HTML documents per apache configuration
directives.

This module was written to allow multiple backend services with
discrete URLs to be presented as one service and to allow the
proxy to do authentication on the client's behalf.

=head1 CONFIGURATION OPTIONS

The following variables can be defined within the configration of
Directory, Location, or Files blocks.

=over 4

=item B

The URL for which ProxyRewriteReplace will proxy its requests.

=back

=over 4

=item B

Authorization information for proxied requests. This string must
conform to the credentials string defined in section 11 of RFC
2068.

=back

=over 4

=item B

If the credentials supplied in the ProxyAuthInfo directive are
insufficient and if ProxyAuthRedirect is set to On, the proxy
server will redirect the client directly to the backend host. If
ProxyAuthRedirect is set to Off (the default), the proxy server
will challenge the client on the remote server's behalf.

=back

=over 4

=item B

A hash of URLs to rewrite. A note on hashes in configuration
directives from the "Writing Apache Modules with Perl and C"
book page 287:

The only trick is to remember to put double quotes around the
configuration value if it contains whitespace and not to allow
your text editor to wrap it to another line. You can use
backslash as a continuation character if you find long lines a
pain to read.

=back

=head1 NOTES

=over 4

=item B

ProxyRewriteReplace automatically adds a mapping for the remote relative
URI and the current location. An example:

ServerName proxyhost

PerlSetVar ProxyTo http://server1/A

The request for http://proxyhost/foo/B is proxied to
http://server1/A/B. Within the response from server1 is an
embedded URI /A/C. This URI is rewritten to /foo/C before being
returned to the client.

=back

=over 4

=item B

Embedded languages such as Javascript are not parsed for embedded
URLs. The problem is NP-Complete. The best choice is to surround
all embedded languages in HTML comments to avoid possible parsing
problems.

=back

=over 4

=item B

The parser takes a single pass through each HTML document. This
method is extremely efficient, but it has possible drawbacks with
poorly constructed HTML. All known drawbacks have been
eliminated, but more may exist. Please contact the author if you
have any trouble with parsed output.

=back

=over 4

=item B

=back

=head1 AVAILABILITY

=head1 AUTHOR

=head1 SEE ALSO

httpd(8), mod_perl(1)

=head1 COPYRIGHT

=cut

############################################################ ################
###
############################################################ ################
###
# $Log: ProxyRewriteReplace.pm,v $
#
# Revision 0.1 2001/10/22 23:51:20 dmarshall
# initial version from ProxyRewrite
#
############################################################ ################
###
############################################################ ################
###

-----Original Message-----
From: Peter Viertel [mailto:peter.viertel@itaction.co.uk]
Sent: Wednesday, June 12, 2002 5:35 AM
To: modssl-users@modssl.org
Subject: Re: 1 certificate for several sites using redirection ?

thats basically right.

the proxy spec in http/1.1 etc copes with rewriting headers - but
nothing I've seen rewrites the actual html content - this would be
possible of course, but there would have to be a new module for apache
to do it, and architecturally you'd be creating a potential bottleneck
as the proxy server would have to parse all of the content passing
through it.

Wim Godden wrote:

>So there's no system which allows me to really proxy pages and 'modify'
them so
>that all future connections go through this 'proxy' as well ?
>
>Greetings,
>
>Wim
>
>Peter Viertel wrote:
>
>
>
>>yes, i think thats whats happening - you need to review the website
>>content you are pointing at. For this to work you can't have any
>>absolute hrefs, and also the backend site may issue redirects, for these
>>to work you need a ProxyPassReverse which will rewrite the Location:
>>header on any redirects the backend site may send.
>>
>> For example:
>>
>>ProxyPass /test http://other.subdomain.ourdomain.com/
>>ProxyPassReverse /test http://other.subdomain.ourdomain.com/
>>
>>proxypassreverse unfortunately is not case insensitive, and the backend
>>webserver may refer to itself canonically, so the location headers may
>>have another hostname. Either fix up the backend webserver to match the
>>proxypassreverse, or add extra proxypassreverse lines.
>>
>>The most common cause of redirects is the / bug handlers of tomcat, and
>>IIS which kick in if your url ends with / and that resolves to a
>>directory, then the webserver looks up what the directoryindex script is
>>(eg. index.html) and sends a redirect. This is something to do with
>>early revision browser releases, I have no idea which ones or if it
>>matters anymore.
>>
>>Also note that mod_proxy got a big upgrade at apache release 1.3.23 that
>>may help things along too in certain cases.
>>
>>John.Airey@rnib.org.uk wrote:
>>
>>
>>
>>>Sounds like you have some absolute links rather than relative links. You
can
>>>also use
>>>proxypass /test https://other-subdomain.ourdomain.com
>>>
>>>If the data needs to be secured between the proxy and the destination
>>>server.
>>>
>>>-
>>>John Airey
>>>Internet systems support officer, ITCSD, Royal National Institute of the
>>>Blind,
>>>Bakewell Road, Peterborough PE2 6XU,
>>>Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
>>>
>>>Is the statement 'There is no such thing as truth' true?
>>>
>>>
>>>
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Wim Godden [mailto:wim@godden.net]
>>>>Sent: 12 June 2002 11:06
>>>>To: modssl-users@modssl.org
>>>>Subject: Re: 1 certificate for several sites using redirection ?
>>>>
>>>>
>>>>proxypass /test http://other-subdomain.ourdomain.com
>>>>doesn't work properly... I get errors about the images being
>>>>insecure and all links
>>>>point to the wrong position.
>>>>
>>>>
>>>>Peter Viertel wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>You could do that using reverse proxy, ie mod_proxy.
>>>>>Redirects are not going to help.
>>>>>
>>>>>Wim Godden wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hi,
>>>>>>
>>>>>>I'd like to use a certificate to secure several of our
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>subdomains...
>>>>
>>>>
>>>>
>>>>
>>>>>>buying hundreds of certificates is simply too expensive.
>>>>>>Is there some way to do this :
>>>>>>
>>>>>>- Install certificate on secure.ourdomain.com
>>>>>>- Let people surf to
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>https://secure.ourdomain.com/other-subdomain.ourdomain. com/wh
>>>>>
>>>>>
>>>>>
>>>>>
>>>at-ever-page.html
>>>
>>>
>>>
>>>
>>>>>Thanks in advance.
>>>>>
>>>>>
>>>>>Greetings,
>>>>>
>>>>>Wim Godden
>>>>>
>>>>>_______________________________________________________ _______________
>>>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>>>User Support Mailing List modssl-users@modssl.org
>>>>>Automated List Manager majordomo@modssl.org
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>________________________________________________________ ______________
>>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>>User Support Mailing List modssl-users@modssl.org
>>>>Automated List Manager majordomo@modssl.org
>>>>
>>>>
>>>>
>>>>
>>>--
>>>------
>>>Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief
hoogstaande
>>>sites !
>>>
>>>
>>>_________________________________________________________ _____________
>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>User Support Mailing List modssl-users@modssl.org
>>>Automated List Manager majordomo@modssl.org
>>>
>>>-
>>>
>>>NOTICE: The information contained in this email and any attachments is
>>>confidential and may be legally privileged. If you are not the
>>>intended recipient you are hereby notified that you must not use,
>>>disclose, distribute, copy, print or rely on this email's content. If
>>>you are not the intended recipient, please notify the sender
>>>immediately and then delete the email and any attachments from your
>>>system.
>>>
>>>RNIB has made strenuous efforts to ensure that emails and any
>>>attachments generated by its staff are free from viruses. However, it
>>>cannot accept any responsibility for any viruses which are
>>>transmitted. We therefore recommend you scan all attachments.
>>>
>>>Please note that the statements and views expressed in this email
>>>and any attachments are those of the author and do not necessarily
>>>represent those of RNIB.
>>>
>>>RNIB Registered Charity Number: 226227
>>>
>>>Website: http://www.rnib.org.uk
>>>
>>>14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk
to
>>>find out all about it.
>>>
>>>_________________________________________________________ _____________
>>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>>User Support Mailing List modssl-users@modssl.org
>>>Automated List Manager majordomo@modssl.org
>>>
>>>
>>>
>>>
>>__________________________________________________________ ____________
>>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>>User Support Mailing List modssl-users@modssl.org
>>Automated List Manager majordomo@modssl.org
>>
>>
>
>--
>------
>Adverteren.be - 100% Nederlandstalig adverteren op kwalitatief hoogstaande
sites
>!
>
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org
>
>

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: 1 certificate for several sites using redirection ?

am 12.06.2002 16:45:45 von Wim Godden

Hi David,

Thanks, but does this require Mod_perl as I haven't got that install (it eats
too much resources).

Greetings,

Wim

David Marshall wrote:

> To rewrite content you might look at the Perl module Apache::ProxyRewrite. I
> was given an assignment to Front-end MS EXCHANGE OWA with Apache HTTPS.
> After review of options, I took a copy of the Perl module
> Apache::ProxyRewrite and added the ability to ReplaceText in the content as
> well, I renamed it ProxyRewriteReplace. This was my 1st excursion into Perl
> and I've never gotten the time to fully complete/test the module (example,
> the documentation is from ProxyReplace). I also only tested it as far as to
> meet our objective of Proxying MS Exchange. I don;t know if this will help,
> but I've included my ProxyRewriteReplace source.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: 1 certificate for several sites using redirection ?

am 12.06.2002 16:57:25 von David Marshall

Yes

-----Original Message-----
From: Wim Godden [mailto:wim@godden.net]
Sent: Wednesday, June 12, 2002 7:46 AM
To: modssl-users@modssl.org
Subject: Re: 1 certificate for several sites using redirection ?

Hi David,

Thanks, but does this require Mod_perl as I haven't got that install (it
eats
too much resources).

Greetings,

Wim

David Marshall wrote:

> To rewrite content you might look at the Perl module Apache::ProxyRewrite.
I
> was given an assignment to Front-end MS EXCHANGE OWA with Apache HTTPS.
> After review of options, I took a copy of the Perl module
> Apache::ProxyRewrite and added the ability to ReplaceText in the content
as
> well, I renamed it ProxyRewriteReplace. This was my 1st excursion into
Perl
> and I've never gotten the time to fully complete/test the module (example,
> the documentation is from ProxyReplace). I also only tested it as far as
to
> meet our objective of Proxying MS Exchange. I don;t know if this will
help,
> but I've included my ProxyRewriteReplace source.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: 1 certificate for several sites using redirection ?

am 17.06.2002 15:20:09 von John.Airey

Generally speaking there isn't, however you can use mod_rewrite to rewrite
URLs for another site, but you would have to be reasonably consistent
otherwise writing the rules would be very difficult.

John

> -----Original Message-----
> From: Wim Godden [mailto:wim@godden.net]
> Sent: 12 June 2002 13:09
> To: modssl-users@modssl.org
> Subject: Re: 1 certificate for several sites using redirection ?
>
>
> So there's no system which allows me to really proxy pages
> and 'modify' them so
> that all future connections go through this 'proxy' as well ?
>
> Greetings,
>
> Wim
>
> Peter Viertel wrote:
>
> > yes, i think thats whats happening - you need to review the website
> > content you are pointing at. For this to work you can't have any
> > absolute hrefs, and also the backend site may issue
> redirects, for these
> > to work you need a ProxyPassReverse which will rewrite the Location:
> > header on any redirects the backend site may send.
> >
> > For example:
> >
> > ProxyPass /test http://other.subdomain.ourdomain.com/
> > ProxyPassReverse /test http://other.subdomain.ourdomain.com/
> >
> > proxypassreverse unfortunately is not case insensitive, and
> the backend
> > webserver may refer to itself canonically, so the location
> headers may
> > have another hostname. Either fix up the backend webserver
> to match the
> > proxypassreverse, or add extra proxypassreverse lines.
> >
> > The most common cause of redirects is the / bug handlers of
> tomcat, and
> > IIS which kick in if your url ends with / and that resolves to a
> > directory, then the webserver looks up what the
> directoryindex script is
> > (eg. index.html) and sends a redirect. This is something to do with
> > early revision browser releases, I have no idea which ones or if it
> > matters anymore.
> >
> > Also note that mod_proxy got a big upgrade at apache
> release 1.3.23 that
> > may help things along too in certain cases.
> >
> > John.Airey@rnib.org.uk wrote:
> >
> > >Sounds like you have some absolute links rather than
> relative links. You can
> > >also use
> > >proxypass /test https://other-subdomain.ourdomain.com
> > >
> > >If the data needs to be secured between the proxy and the
> destination
> > >server.
> > >
> > >-
> > >John Airey
> > >Internet systems support officer, ITCSD, Royal National
> Institute of the
> > >Blind,
> > >Bakewell Road, Peterborough PE2 6XU,
> > >Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
> John.Airey@rnib.org.uk
> > >
> > >Is the statement 'There is no such thing as truth' true?
> > >
> > >
> > >
> > >
> > >>-----Original Message-----
> > >>From: Wim Godden [mailto:wim@godden.net]
> > >>Sent: 12 June 2002 11:06
> > >>To: modssl-users@modssl.org
> > >>Subject: Re: 1 certificate for several sites using redirection ?
> > >>
> > >>
> > >>proxypass /test http://other-subdomain.ourdomain.com
> > >>doesn't work properly... I get errors about the images being
> > >>insecure and all links
> > >>point to the wrong position.
> > >>
> > >>
> > >>Peter Viertel wrote:
> > >>
> > >>
> > >>
> > >>>You could do that using reverse proxy, ie mod_proxy.
> > >>>Redirects are not going to help.
> > >>>
> > >>>Wim Godden wrote:
> > >>>
> > >>>
> > >>>
> > >>>>Hi,
> > >>>>
> > >>>>I'd like to use a certificate to secure several of our
> > >>>>
> > >>>>
> > >>subdomains...
> > >>
> > >>
> > >>>>buying hundreds of certificates is simply too expensive.
> > >>>>Is there some way to do this :
> > >>>>
> > >>>>- Install certificate on secure.ourdomain.com
> > >>>>- Let people surf to
> > >>>>
> > >>>>
> > >>>https://secure.ourdomain.com/other-subdomain.ourdomain.co m/wh
> > >>>
> > >>>
> > >at-ever-page.html
> > >
> > >
> > >>>Thanks in advance.
> > >>>
> > >>>
> > >>>Greetings,
> > >>>
> > >>>Wim Godden
> > >>>
> >
> >>>_________________________________________________________ __
> ___________
> > >>>Apache Interface to OpenSSL (mod_ssl)
> www.modssl.org
> > >>>User Support Mailing List
> modssl-users@modssl.org
> > >>>Automated List Manager
> majordomo@modssl.org
> > >>>
> > >>>
> > >>>
> > >>>
> >
> >>__________________________________________________________ __
> __________
> > >>Apache Interface to OpenSSL (mod_ssl)
> www.modssl.org
> > >>User Support Mailing List
> modssl-users@modssl.org
> > >>Automated List Manager
> majordomo@modssl.org
> > >>
> > >>
> > >
> > >--
> > >------
> > >Adverteren.be - 100% Nederlandstalig adverteren op
> kwalitatief hoogstaande
> > >sites !
> > >
> > >
> >
> >___________________________________________________________ __
> _________
> > >Apache Interface to OpenSSL (mod_ssl)
> www.modssl.org
> > >User Support Mailing List
> modssl-users@modssl.org
> > >Automated List Manager
> majordomo@modssl.org
> > >
> > >-
> > >
> > >NOTICE: The information contained in this email and any
> attachments is
> > >confidential and may be legally privileged. If you are not the
> > >intended recipient you are hereby notified that you must not use,
> > >disclose, distribute, copy, print or rely on this email's
> content. If
> > >you are not the intended recipient, please notify the sender
> > >immediately and then delete the email and any attachments from your
> > >system.
> > >
> > >RNIB has made strenuous efforts to ensure that emails and any
> > >attachments generated by its staff are free from viruses.
> However, it
> > >cannot accept any responsibility for any viruses which are
> > >transmitted. We therefore recommend you scan all attachments.
> > >
> > >Please note that the statements and views expressed in this email
> > >and any attachments are those of the author and do not necessarily
> > >represent those of RNIB.
> > >
> > >RNIB Registered Charity Number: 226227
> > >
> > >Website: http://www.rnib.org.uk
> > >
> > >14th June 2002 is RNIB Look Loud Day - visit
> http://www.lookloud.org.uk to
> > >find out all about it.
> > >
> >
> >___________________________________________________________ __
> _________
> > >Apache Interface to OpenSSL (mod_ssl)
> www.modssl.org
> > >User Support Mailing List
> modssl-users@modssl.org
> > >Automated List Manager
> majordomo@modssl.org
> > >
> > >
> >
> >
> ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl)
> www.modssl.org
> > User Support Mailing List
> modssl-users@modssl.org
> > Automated List Manager
> majordomo@modssl.org
>
> --
> ------
> Adverteren.be - 100% Nederlandstalig adverteren op
> kwalitatief hoogstaande sites
> !
>
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to
find out all about it.

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: 1 certificate for several sites using redirection ?

am 19.06.2002 00:05:26 von Jason Haar

On Wed, Jun 12, 2002 at 01:35:04PM +0100, Peter Viertel wrote:
> thats basically right.
> ...
> Wim Godden wrote:
>
> >So there's no system which allows me to really proxy pages and 'modify'
> >them so
> >that all future connections go through this 'proxy' as well ?
> >

There is one way...

It can only work if the "internal" server has a hostname that can be
hijacked by the reverse proxy server.

i.e. if you are wanting to do:

client --- Internet ---> https://www.mycompany.com/

...then you can do:

client --- Internet ---> https://www.mycompany.com/ --- Internal ---
http://www.mycompany.com/

e.g. on the Internet www.mycompany.com is 1.2.3.4, whereas internally
www.mycompany.com is 10.1.2.3

Then you can set up your Apache reverse proxy so that it proxies "/" - i.e.
run www.mycompany.com as a full VirtualHost.

Done it - it works :-)

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org