Proxy http with modssl?

on 05.03.2003 20:51:21 by Chris Davis

Hi,

I'm looking for a method to hide an old web server behind
a modssl server. The hidden server has several applications
served over http. What I'd like is for https requests
to be rewritten in modssl and proxied to the hidden
internal system.

I installed a second interface on the modssl system. From
the modssl system I can access the internal web server.
In a virtualhost clause for the modssl system I've added

ProxyRequests On
ProxyRemote https://modssl/MyApp http://10.x.x.x

I'd like requests of the form
https://modssl/MyApp/pgm?SomeArgument=Value to be proxied
to the internal system as http://10.x.x.x/pgm?SomeArgument=Value
I receive a 404 in the browser and the following in my error log.

[Wed Mar 04 11:14:25 2003] [error] (20014)Error string
not specified yet: Cannot store SSL session to DBM file
`/usr/local/www/logs/ssl_scache'
[Wed Mar 04 11:14:25 2003] [error] [client 1.2.3.4] File does not exist:
/usr/local/www/htdocs/MyApp

Is it possible to have modssl proxy an http conversation?

Thanks for any advice, Chris





____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Proxy http with modssl?

on 05.03.2003 21:56:38 by Merton Campbell Crockett

Chris:

Look at Ralf Engelschall's paper on the Apache web site discussing the
mod_rewrite module. You can provide all the SSL/TLS support on your
front-end server and use mod_rewrite to generate HTTP requests to the old
web server.

Merton Campbell Crockett


On Wed, 5 Mar 2003, Chris Davis wrote:

>
> Hi,
>
> I'm looking for a method to hide an old web server behind
> a modssl server. The hidden server has several applications
> served over http. What I'd like is for https requests
> to be rewritten in modssl and proxied to the hidden
> internal system.
>
> I installed a second interface on the modssl system. From
> the modssl system I can access the internal web server.
> In a virtualhost clause for the modssl system I've added
>
> ProxyRequests On
> ProxyRemote https://modssl/MyApp http://10.x.x.x
>
> I'd like requests of the form
> https://modssl/MyApp/pgm?SomeArgument=Value to be proxied
> to the internal system as http://10.x.x.x/pgm?SomeArgument=Value
> I receive a 404 in the browser and the following in my error log.
>
> [Wed Mar 04 11:14:25 2003] [error] (20014)Error string
> not specified yet: Cannot store SSL session to DBM file
> `/usr/local/www/logs/ssl_scache'
> [Wed Mar 04 11:14:25 2003] [error] [client 1.2.3.4] File does not exist:
> /usr/local/www/htdocs/MyApp
>
> Is it possible to have modssl proxy an http conversation?
>
> Thanks for any advice, Chris
>


Re: Proxy http with modssl?

on 06.03.2003 06:56:09 by Marko Asplund

On Wed, 5 Mar 2003, Chris Davis wrote:

> I'm looking for a method to hide an old web server behind
> a modssl server. The hidden server has several applications
> served over http. What I'd like is for https requests
> to be rewritten in modssl and proxied to the hidden
> internal system.
> ...

there are probably several possible implementations for the reverse proxy
configuration you're describing but one possibility is to use mod_accel
(http://sysoev.ru/mod_accel/) for this purpose.

best regards,
--
aspa http://www.kronodoc.fi/


RE: Proxy http with modssl?

on 06.03.2003 14:10:13 by Torvald Baade Bringsvor

If you wish to terminate the https on the "new" machine and communicate to
the old computer using http, then mod_proxy is what works for us. We use it
extensively.

-Torvald


-----Original Message-----
From: danalien [mailto:danalien@datormaffian.com]
Sent: 6. mars 2003 14:30
To: modssl-users@modssl.org
Subject: Re: Proxy http with modssl?


On Thursday 06 March 2003 06:56, Marko Asplund wrote:
> On Wed, 5 Mar 2003, Chris Davis wrote:
> > I'm looking for a method to hide an old web server behind
> > a modssl server. The hidden server has several applications
> > served over http. What I'd like is for https requests
> > to be rewritten in modssl and proxied to the hidden
> > internal system.
> > ...
>
> there are probably several possible implementations for the reverse proxy
> configuration you're describing but one possibility is to use mod_accel
> (http://sysoev.ru/mod_accel/) for this purpose.
>

or you could run stunnel (on that old machine, and close every other port
except the one stunnel uses, or use
port-forwarding on the "remote-pc" that uses stunnel to communicate with
ssl-based software...).

"Stunnel is a program that allows you to encrypt arbitrary TCP connections
inside SSL (Secure Sockets Layer) available on both Unix and Windows.
Stunnel can allow you to secure non-SSL aware daemons and protocols
(like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption,
requiring no changes to the daemon's code." -- www.stunnel.org

- --

// with regards
// ID :: danalien ::

Re: Proxy http with modssl?

on 06.03.2003 14:29:42 by Danalien

On Thursday 06 March 2003 06:56, Marko Asplund wrote:
> On Wed, 5 Mar 2003, Chris Davis wrote:
> > I'm looking for a method to hide an old web server behind
> > a modssl server. The hidden server has several applications
> > served over http. What I'd like is for https requests
> > to be rewritten in modssl and proxied to the hidden
> > internal system.
> > ...
>
> there are probably several possible implementations for the reverse proxy
> configuration you're describing but one possibility is to use mod_accel
> (http://sysoev.ru/mod_accel/) for this purpose.
>

or you could run stunnel (on that old machine, and close every other port
except the one stunnel uses, or use
port-forwarding on the "remote-pc" that uses stunnel to communicate with
ssl-based software...).

"Stunnel is a program that allows you to encrypt arbitrary TCP connections
inside SSL (Secure Sockets Layer) available on both Unix and Windows.
Stunnel can allow you to secure non-SSL aware daemons and protocols
(like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption,
requiring no changes to the daemon's code." -- www.stunnel.org

- --

// with regards
// ID :: danalien ::

Re: Proxy http with modssl?

on 06.03.2003 18:49:24 by Chris Davis

Thanks everyone for the follow ups. I want to use
mod_rewrite if I can get it to work. I've added the module
in the server and in my virtualhost clause have these
statements

RewriteEngine On
RewriteRule MyApp\/Version\/Five\/ http://10.x.x.x/Version/Five/ [P,NE,L]

I call the application as https://modssl/MyApp/Version/Five/?Arg1=1&Arg2=2
The internal server receives the URL but has this in the
access logs

GET /Version/Five/%3FArg1=1&Arg2=2

So it appears as if this is close to working. How can I
prevent the '?' from being changed to a '%3F' by Rewrite?


Chris
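
The reverse-proxy arrangement asked about at the start of this thread, written out for the mod_proxy route and the mod_rewrite route suggested in the replies. This is an added example, not configuration posted by any participant. It assumes mod_ssl, mod_proxy and (for the alternative) mod_rewrite are loaded; the certificate paths are placeholders and 10.x.x.x is the thread's own elided backend address.

```apache
# Added example, not from the thread. TLS terminates on the front-end host
# "modssl"; the old server is reached over plain HTTP on the internal interface.
<VirtualHost _default_:443>
    ServerName modssl

    SSLEngine on
    # Placeholder paths: substitute the real certificate and key.
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # A reverse proxy does not need forward proxying. With "ProxyRequests On"
    # the host also relays requests for arbitrary URLs on behalf of any
    # client that can reach it, so keep it Off.
    ProxyRequests Off

    # ProxyRemote is not used here: it hands requests to another proxy
    # server and does not map a local URL prefix onto a backend.

    # https://modssl/MyApp/pgm?SomeArgument=Value
    #   -> http://10.x.x.x/pgm?SomeArgument=Value
    # The query string is forwarded as sent by the client.
    ProxyPass        /MyApp/ http://10.x.x.x/

    # Rewrite Location headers in backend redirects so that clients are
    # sent back to https://modssl/MyApp/ and not to the internal address.
    ProxyPassReverse /MyApp/ http://10.x.x.x/

    # Alternative using mod_rewrite (use this or ProxyPass, not both).
    # In virtual-host context the pattern is matched against the URL path
    # only, so it is anchored with ^/ and the query string is not part of
    # the match; it is appended to the proxied URL automatically when the
    # substitution contains no "?".
    #
    # RewriteEngine On
    # RewriteRule ^/MyApp/(.*)$ http://10.x.x.x/$1 [P,L]
</VirtualHost>
```

After a change like this, check the backend's access log for the exact request line it receives, and confirm from an outside client that a request for an unrelated absolute URL sent through the front end is refused.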