Reverse Proxy to backend servers listening on HTTPS
on 30.10.2002 08:28:14 by limsehc
Hi,
I am facing some problems configuring mod_proxy to reverse-proxy HTTPS
requests to a backend server (also listening on HTTPS). HTTP requests work
fine, and I have already configured mod_ssl on the Apache server, which
(standalone) works fine too. The only problem is when I try to proxy the
request to a backend server.
Do I have to configure a client SSL cert to be presented to the backend
server when establishing a connection to it from the apache?
Any input will be greatly appreciated. Thanks in Advance.
rgds,
SehChwan
RE: Reverse Proxy to backend servers listening on HTTPS
on 30.10.2002 16:05:30 by agfoust
I _have_ been able to get the following to work on Linux, Solaris and HP-UX:
client <---https---> rproxy <---https---> server
According to the note below, this functionality was first supported in 1998:
Changes with mod_ssl 2.1b2 (02-Sep-1998 to 06-Sep-1998) --- from mod_ssl
CHANGES file
*) Added the first cut of HTTPS support for the proxy module. This is
currently done by making the generic HTTP handler SSL-aware. But it
still doesn't provide support for client or server authentication nor
does it provide a way to configure it. Later we'll add perhaps
SSLProxyXXXXX directives to allow the users to configure the SSL client
inside the proxy. But beside this it's full functional. One can use it
for proxying https://xxx URLs and also use `ProxyPass https://xxxx'.
(the sources of SSLeay's s_client and cURL were my friends ;-)
What I _have not_ been able to get to work on any Apache platform is:
client <--https--> rproxy <--connect-thru-proxy--> https_server
Performing a backend connect by way of a standard forward proxy to an
HTTPS server does not seem to work. I've tested this only on Linux and
Solaris. What is very puzzling is that, according to the Apache bug database,
this feature seems to have come and gone a couple of times.
And right now it appears to be gone. The versions I tested were Apache
1.3.26 and Apache 2.0.43. Here are some related problem reports I found:
ProxyRemote doesn't seem to work for https (1997)
http://bugs.apache.org/index.cgi/full/173
SSL CONNECT does not work, when ProxyRemote is used (1997)
http://bugs.apache.org/index.cgi/full/1024
CONNECT Problem with SSL Proxy (1998)
http://bugs.apache.org/index.cgi/full/1942
Since a couple of these are dated before the 1998 "HTTPS works" change note,
I'm not completely clear on what's going on. Possibly the 1997 notes refer
to ApacheSSL and not mod_proxy and mod_ssl?
The behavior I observed when doing something like:
(for Apache 2.0.x you need: SSLProxyEngine on)
ProxyRemote * http://proxy:8080
ProxyPass / https://backend
ProxyPassReverse / https://backend
After the frontend reverse proxy request is made (no problems there with
HTTP or HTTPS), on the backend an HTTP proxy request like "https://backend"
to proxy:8080 is being sent, causing the proxy (a forward proxy not reverse)
to cough up error logs like:
[Tue Oct 22 17:26:43 2002] [warn] [client xx.xx.xx.xx] proxy: No protocol
handler was valid for the URL https://backend/path/. If you are using a DSO
version of mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.
An https method request should never be sent to a regular HTTP proxy, so
this appears to be a bug. The proxy:8080 is a standard Apache 1.3.26
compiled statically, no DSO. I tested with cURL to make sure everything was
working as expected:
curl -x proxy:8080 https://backend/blah
...and it was. Apache working as an HTTPS client on the backend should
handle proxies like a browser, curl or your favorite client tool would: by
connecting via HTTP to the proxy, issuing a CONNECT request to the proxy,
then tunneling the HTTPS connection over that. Either it doesn't work or I'm
missing something.
For the time being, I'm using stunnel in combination with Apache as a
solution but it would be nice to get Apache to behave correctly with bridged
SSL in combination with a backend proxy. It's also puzzling that this
problem seems to have been solved before then later fell through the cracks.
Any help would be appreciated.
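As an added example (not from either post in this thread), here is how the working case above, rproxy <---https---> backend without a forward proxy in between, is configured so that the reverse proxy actually verifies the backend's certificate and, answering the original question, presents a client certificate to it. Hostnames and file paths are placeholders; the SSLProxyCheckPeer* directives assume Apache 2.4, the rest is available on 2.0.x as well.

```apache
# Added example: Apache reverse proxy terminating TLS from clients and
# re-encrypting to an HTTPS backend. Paths and hostnames are placeholders.
<VirtualHost *:443>
    ServerName rproxy.example.internal

    # Front-end TLS (client <---https---> rproxy), as already working in the thread.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/rproxy/server.crt
    SSLCertificateKeyFile /etc/ssl/rproxy/server.key

    # Back-end TLS (rproxy <---https---> backend). Without SSLProxyEngine on,
    # Apache 2.x refuses to open https:// backend connections at all.
    SSLProxyEngine on

    # Weak setting (what a bare "SSLProxyEngine on" gives you): the backend's
    # certificate is not checked, so anyone who can answer on the backend's
    # address can impersonate it. Leave these commented out.
    # SSLProxyVerify none
    # SSLProxyCheckPeerName off

    # Hardened setting: require a certificate chaining to a CA we trust and
    # check that the certificate name matches the host in the ProxyPass URL.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/rproxy/backend-ca.pem
    SSLProxyCheckPeerName     on    # Apache 2.4.5+; implies CN/SAN matching
    SSLProxyCheckPeerExpire   on    # Apache 2.4+

    # Client certificate presented by the proxy to the backend (the question
    # in the first post). The file holds the PEM cert followed by its key;
    # keep it readable only by the httpd user.
    SSLProxyMachineCertificateFile /etc/ssl/rproxy/proxy-client.pem

    # Forward everything to the HTTPS backend and rewrite Location headers
    # on the way back. The host here must match the backend certificate.
    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

The ProxyRemote case from the thread is deliberately left out: as the post describes, routing the https:// backend connection through a forward proxy did not work in the tested versions, and it is worth confirming the direct path verifies correctly before adding a proxy hop.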