Reverse Proxy https question

on 27.06.2002 02:39:23 by Michael

I am trying to Reverse Proxy HTTPS connections in the following manner:

CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy, posing as secure-site.com (non-SSL, non-decrypting, just passing the HTTPS through) -> Sonicwall SSL Accelerator (a stand-alone HW device for SSL decryption/encryption, hosting the certificate for secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)

The purpose for this design is to keep the webserver behind a layer of switches (for VLANs and ACLs) and Cisco Content Servers (which act as a router and load balancer) and keep the Apache proxy server as the "edge presence" of the website.

What happens with this configuration is:
1) The client browser connects to the Apache proxy.
2) The Apache proxy server connects to the SSL accelerator with HTTPS successfully, as seen in the debug-level Apache log files.
3) The browser waits, waits and waits...
4) The Apache proxy sits, sits and sits.
5) The webserver DOES see the non-SSL connection. The information in the access log is:
"Client IPAddress - - [25/Jun/2002:17:04:18 -0700] "\x80L / HTTP/1.0" 302 0 "
6) Eventually the client browser gives up and times out.

If I install the certificate for secure-site.com on the Apache reverse proxy server and enable SSL, then the Apache reverse proxy will connect with SSL to both the browser and the downstream webserver. This works, but is pointless as it loads the proxy server's CPU with SSL encryption/decryption. That's what we have the SSL accelerators for.


What is missing in my config? Is this setup even possible?
Any comments?

Thanks in advance.

-Michael


--------------


This is the Apache config I am using:
----------
Listen IPAddress:443
LogLevel debug

<VirtualHost IPAddress:443>
    SSLProxyEngine On
    ServerName web-site
    ProxyPass / https://secure-site.com
    ProxyPassReverse / https://secure-site.com
</VirtualHost>

------------
Server version: Apache/2.0.39
Server built: Jun 25 2002 16:11:49

-----------
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
mod_proxy.c
proxy_connect.c
proxy_ftp.c
proxy_http.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Reverse Proxy https question

on 27.06.2002 14:23:59 by Aryeh Katz

I don't understand something.
If the Apache proxy server is not going to decrypt the packets, how will it know where to send it?
Aryeh


---
Aryeh Katz
VASCO
www.vasco.com


Re: Reverse Proxy https question

on 27.06.2002 23:29:12 by Michael

As I understand SSL, the packet headers remain unencrypted, the content is
encrypted. Hence the ability of routers throughout the Internet to route SSL
packets.


----- Original Message -----
From: "Aryeh Katz"
To:
Sent: Thursday, June 27, 2002 05:23
Subject: Re: Reverse Proxy https question


> I don't understand something.
> If the Apache proxy server is not going to decrypt the packets, how will
it know where to send it?
> Aryeh

RE: Reverse Proxy https question

on 27.06.2002 23:43:51 by David Marshall

I did not believe that the packet headers had enough information for Apache
to determine what to do. So, it must decrypt the message with the
certificate.



-----Original Message-----
From: Michael [mailto:iplanet_user@hotmail.com]
Sent: Thursday, June 27, 2002 2:29 PM
To: modssl-users@modssl.org
Subject: Re: Reverse Proxy https question


As I understand SSL, the packet headers remain unencrypted , the content is
encrypted. Hence the ability of routers throughout the Internet to route SSL
packets.



RE: Reverse Proxy https question

on 28.06.2002 00:33:35 by Michael Pacey

Quoting David Marshall :

> I did not believe that the packet headers had enough information for
> Apache
> to determine what to do. So, it must decrpyt the message with the
> certificate.


That's right. For Apache to accept an SSL connection as a reverse proxy it must
decode it. What Michael wants is a generic TCP proxy.

Think of it this way. When you configure Apache to accept SSL you have to
configure it with an SSL certificate. Why? So it can authenticate and
subsequently decrypt the packets.

Furthermore Apache cannot act as an initiator of SSL connections; I've spent
many many hours testing this and everybody I've asked has said the same. I'd
look at the code but I have no reason to believe there's any there to do this.

The only way Apache can act as an SSL proxy is using the CONNECT method as a
forward proxy. This is not what he is looking for.

Squid can't do this either. Nor can Apache-derived servers like IBM HTTPServer
or Stronghold.

I shouldn't think it would be all that hard to modify Apache to do it. However I
don't see the point when what you are doing is emulating a TCP proxy. Unless you
want caching or content based routing.

There are many generic TCP proxies. Look on Freshmeat or Sourceforge; or your
average firewall like Firewall-1 can do this.

IBM Edgeserver (the Caching Proxy component) has this capability too.

But there are many possible scenarios and requirements; for some there is no one
product to do the job.



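
An added example, not part of any message in this thread: the "generic TCP proxy" Michael Pacey points to, written in Python. It also answers Aryeh's question of how a non-decrypting proxy knows where to send the bytes: it does not look inside them, it forwards every connection on the port to one fixed upstream (here, the accelerator). The `classify_first_bytes` helper peeks at the first bytes a client sends, which is all a non-terminating proxy can see. The framing of an SSLv2-compatible ClientHello (two header bytes with the high bit set, the low 15 bits being the record length) is in the clear, and the `\x80L` in Michael's webserver log is the byte pair 0x80 0x4C, i.e. exactly such a header with length 76, which is consistent with the non-SSL Apache listener having read the browser's ClientHello as an HTTP request line rather than as an SSL record. Neither sample handshake below carries a hostname in the clear, so there is nothing a proxy could route on without decrypting. The sample handshakes, the hostnames and the addresses in the `__main__` block are constructed for this example and are not taken from the poster's systems.

```python
"""Minimal pass-through TCP proxy for port 443 (added example, not from the thread).

It never terminates SSL/TLS, so it needs no certificate or private key; those
stay on the accelerator behind it. It only relays bytes in both directions.
"""
import socket
import threading

# Constructed sample inputs (not captured from the poster's systems).
# SSLv2-compatible ClientHello as 2002-era browsers sent it: 2-byte record
# header with the high bit set and the record length in the low 15 bits
# (0x004c = 76), then message type 0x01 (ClientHello) and version 3.1.
SSLV2_CLIENT_HELLO = bytes([0x80, 0x4C, 0x01, 0x03, 0x01]) + bytes(73)
# SSLv3/TLS record: content type 0x16 (handshake), version 3.1, 2-byte
# record length, then handshake type 0x01 (ClientHello).
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])
PLAIN_HTTP = b"GET / HTTP/1.0\r\nHost: secure-site.com\r\n\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Say what kind of stream the client opened, without decrypting anything.

    Only the record framing is visible to a non-terminating proxy; the HTTP
    request inside an SSL/TLS record is not.
    """
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return f"sslv2-client-hello record_len={length}"
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return f"tls-client-hello version=3.{data[2]}"
    first_line = data.split(b"\r\n", 1)[0]
    if b" HTTP/" in first_line and first_line.split(b" ", 1)[0].isalpha():
        return "plaintext-http"
    return "unknown"


def relay(src: socket.socket, dst: socket.socket) -> int:
    """Copy bytes src -> dst until src hits EOF, then half-close dst.

    Returns the number of bytes relayed.
    """
    total = 0
    while True:
        chunk = src.recv(65536)
        if not chunk:
            break
        dst.sendall(chunk)
        total += len(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)  # propagate EOF so the peer can finish
    except OSError:
        pass
    return total


def handle_client(client: socket.socket, upstream_addr: tuple) -> str:
    """Peek at the client's first bytes, then relay both directions.

    Returns the classification so a caller (or a test) can see what arrived.
    """
    with client:
        kind = classify_first_bytes(client.recv(4096, socket.MSG_PEEK))
        with socket.create_connection(upstream_addr) as upstream:
            t = threading.Thread(target=relay, args=(client, upstream), daemon=True)
            t.start()
            relay(upstream, client)
            t.join()
    return kind


def serve_forever(listen_addr: tuple, upstream_addr: tuple) -> None:
    """Accept clients on listen_addr and hand each one to handle_client."""
    with socket.socket() as listener:
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind(listen_addr)
        listener.listen(16)
        while True:
            client, _ = listener.accept()
            threading.Thread(target=handle_client, args=(client, upstream_addr), daemon=True).start()


if __name__ == "__main__":
    # Hypothetical addresses: the edge box on 443, the accelerator on 192.0.2.10:443.
    serve_forever(("0.0.0.0", 443), ("192.0.2.10", 443))
```

The trade-off Pacey names is visible in the code: the proxy has no access to the HTTP request, so it cannot route by URL, cache, or log request lines, only connection-level metadata, and every connection on the port goes to the same upstream. If you need any of those, something on the path has to hold the certificate and terminate the session.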

RE: Reverse Proxy https question

on 28.06.2002 00:56:36 by Michael Pacey

Quoting Michael Pacey :

> Furthermore Apache cannot act as an initiator of SSL connections; I've
> spent many many hours testing this and everybody I've asked has said
> the same. I'd look at the code but I have no reason to believe there's
> any there to do this.

I've looked at the code. I couldn't find any SSL client code.

--
Web: http://sydb.dyndns.org
ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)