mod_ssl / mod_proxy interaction
mod_ssl / mod_proxy interaction
am 30.09.2002 15:28:56 von robin.blanchard
in effort to eventually setup a secure apache reverse proxy for exchange
2000's OWA, i've run into the following dilemma....
per the mod-ssl docs, i had the following declared globally:
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
and realised after much wailing and gnashing of teeth that that line
caused the following (non-ssl) virtual host failed to operate correctly
under IE:
Listen 10.10.10.99:80
ServerName webmail.gactr.uga.edu
UseCanonicalName Off
CustomLog /tmp/webmail-trans.log combined
ErrorLog /tmp/webmail-error.log
RedirectPermanent / http://webmail.gactr.uga.edu/exchange/
ProxyRequests Off
ProxyVia Full
ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/
ProxyPassReverse /exchange/
http://webmail.gactr.uga.edu/exchange/
ProxyPass /public/ http://webmail.gactr.uga.edu/public/
ProxyPassReverse /public/ http://webmail.gactr.uga.edu/public/
ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/
ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/
ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/
ProxyPassReverse /exchweb/ http://webmail.gactr.uga.edu/exchweb/
So, I placed User-Agent config out of the global config and into each
SSL config. Now, the exchange 2000 proxy (currently non-SSL) is
correctly handled by IE. Obviously, though, I will be wanting to put
this proxy behind SSL, which I've already determined will not work
(using the mod_ssl recommended settings). Has anyone else run into a
similar situation? Is there a reasonable work-around for this?
--
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: mod_ssl / mod_proxy interaction
am 30.09.2002 16:55:06 von John.Airey
Could you eloborate on why you say that reverse proxy with SSL won't work?
We've been running it for years on our Exchange system here, although
granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on
my to-do list.
Thank you.
-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk
Theories of evolution are like buses - there'll be another one along in a
minute
> -----Original Message-----
> From: Robin P. Blanchard [mailto:robin.blanchard@georgiacenter.org]
> Sent: 30 September 2002 14:29
> To: modssl-users@modssl.org
> Subject: mod_ssl / mod_proxy interaction
>
>
>
> in effort to eventually setup a secure apache reverse proxy
> for exchange
> 2000's OWA, i've run into the following dilemma....
>
> per the mod-ssl docs, i had the following declared globally:
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> downgrade-1.0 force-response-1.0
>
> and realised after much wailing and gnashing of teeth that that line
> caused the following (non-ssl) virtual host failed to operate
> correctly
> under IE:
>
> Listen 10.10.10.99:80
>
> ServerName webmail.gactr.uga.edu
> UseCanonicalName Off
> CustomLog /tmp/webmail-trans.log combined
> ErrorLog /tmp/webmail-error.log
>
> RedirectPermanent / http://webmail.gactr.uga.edu/exchange/
> ProxyRequests Off
> ProxyVia Full
> ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/
> ProxyPassReverse /exchange/
> http://webmail.gactr.uga.edu/exchange/
> ProxyPass /public/ http://webmail.gactr.uga.edu/public/
> ProxyPassReverse /public/
> http://webmail.gactr.uga.edu/public/
> ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/
> ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/
> ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/
> ProxyPassReverse /exchweb/
> http://webmail.gactr.uga.edu/exchweb/
>
>
>
> So, I placed User-Agent config out of the global config and into each
> SSL config. Now, the exchange 2000 proxy (currently non-SSL) is
> correctly handled by IE. Obviously, though, I will be wanting to put
> this proxy behind SSL, which I've already determined will not work
> (using the mod_ssl recommended settings). Has anyone else run into a
> similar situation? Is there a reasonable work-around for this?
>
> --
> ----------------------------------------
> Robin P. Blanchard
> Systems Integration Specialist
> Georgia Center for Continuing Education
> fon: 706.542.2404 <|> fax: 706.542.6546
> ----------------------------------------
>
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>
-
NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.
RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.
Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.
RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: mod_ssl / mod_proxy interaction
am 30.09.2002 17:12:08 von robin.blanchard
John.Airey@rnib.org.uk wrote:
> Could you eloborate on why you say that reverse proxy with SSL won't work?
> We've been running it for years on our Exchange system here, although
> granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on
> my to-do list.
Sure. Here's what I've come up with thus far:
Here's all four possible combinations of accessing exchange OWA. Options
1,2,4 all authenticate and load properly via using IE. Option 3 fails
IIS's auth challenge. This is all *without* SSL. Should {SetEnvIf
User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0} be set for the virual host (recommended for
mod_ssl), IE will only understand the apache reverse proxy when first
proxied through squid. ??? If not proxied first through squid, IE balks,
fails to load the pages (won't even load IIS's auth challenge), spitting
back it's generic "cannot find server" error. I've been trying to get
this thing working now for weeks and have been dealing with the
mod_proxy folks until just this AM when I determined that the above
SetEnvIf flag was causing the problem. I'm currently attempting to
figure out why IIS's auth challenge fails via the apache reverse proxy
but succeeds when proxied first through squid. Nonetheless, put all this
in with SSL (assuming you using the recommended above flag) and things
are broken. Period.
1) direct to exchange/iis
# wget --server-response ebe1.gc.nat/exchange
--11:01:28-- http://ebe1.gc.nat/exchange
=> `exchange'
Resolving ebe1.gc.nat... done.
Connecting to ebe1.gc.nat[10.10.11.23]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Server: Microsoft-IIS/5.0
3 Date: Mon, 30 Sep 2002 15:01:28 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="ebe1.gc.nat"
7 Content-Length: 24
8 Content-Type: text/html
Unknown authentication scheme.
2) exchange/iss via squid
# http_proxy="proxy.gactr.uga.edu:3128" wget --server-response
ebe1.gc.nat/exchange
--11:02:01-- http://ebe1.gc.nat/exchange
=> `exchange'
Resolving proxy.gactr.uga.edu... done.
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 401 Unauthorized
2 Server: Microsoft-IIS/5.0
3 Date: Mon, 30 Sep 2002 15:02:01 GMT
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="ebe1.gc.nat"
7 Content-Length: 24
8 Content-Type: text/html
9 X-Cache: MISS from proxy.gactr.uga.edu
10 Proxy-Connection: close
Unknown authentication scheme.
3) apache proxy
# wget --server-response webmail.gactr.uga.edu
--11:02:37-- http://webmail.gactr.uga.edu/
=> `index.html'
Resolving webmail.gactr.uga.edu... done.
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 301 Moved Permanently
2 Date: Mon, 30 Sep 2002 15:02:37 GMT
3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27
mod_ssl/2.8.10 OpenSSL/0.9.6g
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Connection: close
6 Content-Type: text/html; charset=iso-8859-1
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--11:02:37-- http://webmail.gactr.uga.edu/exchange/
=> `index.html'
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Date: Mon, 30 Sep 2002 15:02:37 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="webmail.gactr.uga.edu"
7 Content-Length: 24
8 Content-Type: text/html
9 Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26)
10 X-Cache: MISS from webmail.gactr.uga.edu
11 Keep-Alive: timeout=15, max=100
12 Connection: Keep-Alive
Unknown authentication scheme.
4) apache proxy via squid
# http_proxy="proxy.gactr.uga.edu:3128" wget --server-response
webmail.gactr.uga.edu
--11:03:06-- http://webmail.gactr.uga.edu/
=> `index.html'
Resolving proxy.gactr.uga.edu... done.
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 301 Moved Permanently
2 Date: Mon, 30 Sep 2002 15:03:06 GMT
3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27
mod_ssl/2.8.10 OpenSSL/0.9.6g
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Content-Type: text/html; charset=iso-8859-1
6 X-Cache: MISS from proxy.gactr.uga.edu
7 Proxy-Connection: close
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--11:03:06-- http://webmail.gactr.uga.edu/exchange/
=> `index.html'
Connecting to proxy.gactr.uga.edu[10.10.10.180]:3128... connected.
Proxy request sent, awaiting response...
1 HTTP/1.0 401 Unauthorized
2 Date: Mon, 30 Sep 2002 15:03:06 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="webmail.gactr.uga.edu"
7 Content-Length: 24
8 Content-Type: text/html
9 Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26)
10 X-Cache: MISS from webmail.gactr.uga.edu
11 X-Cache: MISS from proxy.gactr.uga.edu
12 Proxy-Connection: close
Unknown authentication scheme.
--
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org