SSL support for mod_proxy ...

on 08.10.2002 00:02:04 by Ilija Stankovski

Hi All

If you don't mind I would like to submit a feature request to this mailing
group for new functionality in the mod_proxy module.

Make mod_proxy SSL aware. mod_proxy should be able to negotiate SSL
connections with other web servers in order to reverse proxy to them. The
typical scenario is the following one...

ProxyPassReverse
Browser -----> mod_proxy ------> HTTPS
RewriteRule .. .. [P]


The web browser connects to Apache and based on the URL structure it should
proxy the request to a web server that has SSL enabled.

In its current state, mod_proxy, correct me if I am wrong, does not talk to SSL
enabled web servers at all. Hence it can not reverse proxy to SSL enabled
servers.

Everything works great with normal HTTP traffic.

M-Tech, the company I work for, is willing to help out with the development
work if needed in order to get this functionality in place.

Any response, comment or suggestion would be greatly appreciated.

--

Regards.

______________________________________

Ilija Stankovski
Infrastructure Technology Manager
Mercury Information Technology Inc.
Tel: (403) 233-0740
Fax: (403) 233-0725
E-mail: ilijas@psynch.com
http://www.psynch.com
______________________________________

____________________________________________________________ ______

"If you send me an e-mail request, and I do not respond within 3
hours, please send it again to 'support@psynch.com' as I may be
unavailable."
____________________________________________________________ ______

Re: SSL support for mod_proxy ...

on 08.10.2002 09:36:08 by Graham Leggett

Ilija Stankovski wrote:

> Make mod_proxy SSL aware. mod_proxy should be able to negotiate SSL
> connections with other web servers in order to reverse proxy to them. The
> typical scenario is the following one...
>
> ProxyPassReverse
> Browser -----> mod_proxy ------> HTTPS
> RewriteRule .. .. [P]

As far as I am aware, the mod_ssl module for Apache v1.3 allows proxy to
talk to SSL backend servers. The v2.0 proxy should be able to do this
too, but I am not sure, again it's up to mod_ssl, not mod_proxy.

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."

Re: SSL support for mod_proxy ...

on 08.10.2002 20:01:39 by Ilija Stankovski

Hi Graham ...

> As far as I am aware, the mod_ssl module for Apache v1.3 allows proxy to
> talk to SSL backend servers. The v2.0 proxy should be able to do this
> too, but I am not sure, again it's up to mod_ssl, not mod_proxy.

The problem is that mod_proxy can not get the page from the end point
HTTPS server. This server can be Apache, IIS, iPlanet whatever. I don't
see how mod_ssl or apache-ssl is responsible for the outgoing connection
mod_proxy is supposed to handle. Please correct me if I am wrong ...


--

Regards.


Re: SSL support for mod_proxy ...

on 08.10.2002 20:07:21 by Graham Leggett

Ilija Stankovski wrote:

> The problem is that mod_proxy can not get the page from the end point
> HTTPS server. This server can be Apache, IIS, iPlanet whatever. I don't
> see how mod_ssl or apache-ssl is responsible for the outgoing connection
> mod_proxy is supposed to handle. Please correct me if I am wrong ...

My understanding is that mod_ssl in apache v1.3 patches mod_proxy to
enable it to do this:

ProxyPass / https://backend.secure.server/

I am not 100% sure though, as I have never needed to use it.

Is there a particular reason why you would want to do this? Secure
connections to backends can be expensive.

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."

Re: SSL support for mod_proxy ...

on 08.10.2002 20:54:35 by Ilija Stankovski

Hi Graham...

> My understanding is that mod_ssl in apache v1.3 patches mod_proxy to
> enable it to do this:
>
> ProxyPass / https://backend.secure.server/
>
> I am not 100% sure though, as I have never needed to use it.

I will have to try it myself by using mod_ssl. I know that apache-ssl can
not do it.

ProxyPass / https://backend
ProxyPassReverse / https://backend

or

RewriteRule / https://backend [P]

do not seem to be working.

We need this to satisfy security requirements on enterprise level for
security applications. And it only makes sense. Usually the reverse proxy
(apache) resides in a DMZ and it talks to servers in the backend protected
network. As of now the traffic between the DMZ and the Trusted side will
fly in clear if it is not encrypted with SSL. As such, anyone who has
gotten to the DMZ (which may not be that hard) can sniff on the
connections coming from the Reverse Proxy (Apache).

That is the reason why we are interested in making mod_proxy SSL aware.

In any event, I will try to confirm your findings and see if mod_ssl
behaves any differently from apache-ssl.

I will keep you posted and thanks for your assistance, it is greatly
appreciated.

--

Regards.

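The concern in the message above, cleartext traffic between the proxy in the DMZ and the backend, can be checked for in a proxy configuration. This is an added example, not part of the original thread: it flags `ProxyPass`, `ProxyPassReverse` and `RewriteRule ... [P]` targets that are cleartext or lack backend certificate verification. `SSLProxyEngine`, `SSLProxyVerify` and `SSLProxyCACertificateFile` are Apache httpd 2.x directive names, used here as an assumption; the function name, sample configurations and CA path are constructed.

```python
import re
# Added example. Directive names are Apache httpd 2.x ones (an assumption; the
# thread is about 1.3 + mod_ssl). The whole file is treated as a single scope.
PROXY_RE = re.compile(r'^(ProxyPass|ProxyPassReverse|RewriteRule)\s+(.*)$', re.I)
URL_RE = re.compile(r'\b(https?)://([^\s/"]+)', re.I)
P_FLAG_RE = re.compile(r'\[[^\]]*\bP\b[^\]]*\]\s*$', re.I)
SSL_KEYS = ('sslproxyengine', 'sslproxyverify', 'sslproxycacertificatefile')

def audit_proxy_config(text):
    """Return (line_no, finding) pairs for backend hops a sniffer could read or spoof."""
    seen, hops, findings = {}, [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split()
        if parts[0].lower() in SSL_KEYS and len(parts) > 1:
            seen[parts[0].lower()] = parts[1].lower()
        m = PROXY_RE.match(line)
        # Only RewriteRule ... [P] hands the request to mod_proxy; [R] etc. do not.
        proxied = m and (m.group(1).lower() != 'rewriterule' or P_FLAG_RE.search(line))
        url = URL_RE.search(m.group(2)) if proxied else None
        if url:
            hops.append((no, url.group(1).lower(), url.group(2)))
    verified = seen.get('sslproxyverify') == 'require' and 'sslproxycacertificatefile' in seen
    for no, scheme, host in hops:
        if scheme == 'http':
            findings.append((no, f'cleartext hop to {host}'))
        elif seen.get('sslproxyengine') != 'on':
            findings.append((no, f'https hop to {host} but SSLProxyEngine is not on'))
        elif not verified:
            findings.append((no, f'https hop to {host} without backend certificate verification'))
    return findings

# Constructed sample configurations (not taken from the thread).
WEAK = """\
ProxyPass / http://backend.internal/
ProxyPassReverse / http://backend.internal/
RewriteRule ^/app/(.*)$ https://backend.secure.server/$1 [P,L]
RewriteRule ^/old$ http://www.example.com/new [R]
"""
HARDENED = """\
SSLProxyEngine on
SSLProxyVerify require
SSLProxyCACertificateFile /etc/ssl/backend-ca.pem
ProxyPass / https://backend.secure.server/
"""
```

`audit_proxy_config(WEAK)` reports lines 1 to 3 and skips the `[R]` redirect; `audit_proxy_config(HARDENED)` returns an empty list.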

Re: SSL support for mod_proxy ...

on 08.10.2002 23:38:00 by Ilija Stankovski

Hi Graham ...

You were absolutely correct with your assumption that mod_ssl in
conjunction with mod_proxy can do reverse proxying to HTTPS backend
server.

I appreciate your response and helpfulness...

--

Regards.


Re: SSL support for mod_proxy ...

on 29.10.2002 14:06:02 by Maurizio Marini

On Tuesday 08 October 2002 07:07 pm, Graham Leggett wrote:

> My understanding is that mod_ssl in apache v1.3 patches mod_proxy to
> enable it to do this:
>
> ProxyPass / https://backend.secure.server/
>
> I am not 100% sure though, as I have never needed to use it.

Hi Graham,
I've a very strange problem:

I've 2 Linux servers; one is the backend, the other is the rev-proxy.

On the rev-proxy I've tried

ProxyPass / https://backend.secure.server/
ProxyPassReverse / https://backend.secure.server/

with 1.3.27 + mod_ssl-2.8.12-1.3.27
RedHat 7.3

On the backend I've a very small test script that sends 3 cookies:

<?php
SetCookie("Cookie1","This is Cookie1", time()+100000, "/foo", ".dev.datalogica.com", secure);
SetCookie("Cookie2","This is Cookie2", time()+100000, "/foo", ".dev.datalogica.com", secure);
SetCookie("Cookie3","This is Cookie3", time()+100000, "/foo", ".dev.datalogica.com", secure);
?>

I receive only the first cookie;

so I changed the hd on the rev-proxy Linux server, putting in the one with
Debian woody 3.0, with apache 1.3.26;
the backend is always the same with the same script: now I receive all the 3 cookies.
Strange, isn't it?

Have you some idea?

Now I try to compile the apache 1.3.26 tarball on RedHat 7.3 to see if the problem is with 1.3.27.

--
Maurizio Marini
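One way to confirm the symptom described in the message above is to compare the `Set-Cookie` headers of a response fetched directly from the backend with the same response fetched through the reverse proxy. This is an added example, not part of the original thread; the function names are hypothetical and the raw responses are constructed to mirror the three-cookie test script, not captured traffic.

```python
def set_cookies(raw):
    """Map cookie name -> set of lower-cased attribute names, over every Set-Cookie header."""
    head = raw.split('\r\n\r\n', 1)[0]
    cookies = {}
    for line in head.split('\r\n')[1:]:            # skip the status line
        name, sep, value = line.partition(':')
        if not sep or name.strip().lower() != 'set-cookie':
            continue
        pair, *attrs = [p.strip() for p in value.split(';')]
        cookies[pair.split('=', 1)[0]] = {a.split('=', 1)[0].lower() for a in attrs if a}
    return cookies

def diff_through_proxy(direct_raw, proxied_raw):
    """Report cookies the proxy dropped and cookies that lost their Secure attribute."""
    direct, proxied = set_cookies(direct_raw), set_cookies(proxied_raw)
    dropped = sorted(set(direct) - set(proxied))
    lost_secure = sorted(n for n in direct if n in proxied
                         and 'secure' in direct[n] and 'secure' not in proxied[n])
    return {'dropped': dropped, 'lost_secure': lost_secure}

def _response(names, secure=True):
    # Constructed HTTP response carrying one Set-Cookie header per cookie name.
    flag = '; secure' if secure else ''
    lines = ['HTTP/1.1 200 OK', 'Content-Type: text/html']
    lines += [f'Set-Cookie: {n}=This+is+{n}; path=/foo; domain=.dev.datalogica.com{flag}'
              for n in names]
    return '\r\n'.join(lines) + '\r\n\r\n<html></html>'

DIRECT = _response(['Cookie1', 'Cookie2', 'Cookie3'])   # what the backend sends
PROXIED = _response(['Cookie1'])                         # what arrived via the proxy

if __name__ == '__main__':
    print(diff_through_proxy(DIRECT, PROXIED))
```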