(internal app) --http-->apache---https--->(external app)
am 23.08.2009 18:04:13 von pe uni
Hi,
I have a scenario to configure apache to handle
(internal app)--http-->apache---https--->(external app)
My internal app cannot handle SSL and can only handle HTTP connections.
How do I set up apache to handle such a scenario?
I tried creating a virtual host listening on port 10001 and then used the rewrite rule to change the url to https. This works on a browser but fails on my application as it cannot handle the HTTPS traffic.
I tried redirect, that fails too.
Please help!!!
Thanks,
Pe
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: (internal app) --http-->apache---https--->(external app)
am 23.08.2009 18:47:57 von Eric Covener
On Sun, Aug 23, 2009 at 12:04 PM, pe uni wrote:
> Hi,
> I have a scenario to configure apache to handle
> (internal app)--http-->apache---https--->(external app)
>
> My internal app cannot handle SSL and can only handle HTTP connections.
>
> How do I set up apache to handle such a scenario?
> I tried creating a virtual host listening on port 10001 and then used the rewrite rule to change the url to https. This works on a browser but fails on my application as it cannot handle the HTTPS traffic.
You need to proxy, via mod_rewrite with the "P" flag or ProxyPass.
I assume your "my application" in the final sentence refers to the
internal app, not the external app -- otherwise it's a lost cause.
--
Eric Covener
covener@gmail.com
Re: (internal app) --http-->apache---https--->(external app)
am 23.08.2009 20:22:10 von pe uni
Hi Eric, thanks for the reply.
"my application" is the internal application.
I tried the rewrite rule with P option, still doesn't work.
Internal application has the target URL set as www.techmed.com/VENDOR/vendor.asmx with port 80 and is configured to use
my_proxy_server : 44444 as the proxy
Goal is --- (my internal appln) ----http--->apache ---https with client certs---->(www.techmed.com/VENDOR/vendor.asmx)
Here is my httpd.conf... apache logs show error "proxy: HTTPS: failed to enable ssl support for my_ipaddr:443"
--------------------------------------
ServerName my_proxy_server
Options +FollowSymlinks
ProxyRequests off
RewriteEngine On
RewriteLogLevel 9
RewriteLog /etc/httpd/logs/rewrite_80_log
RewriteRule ^/(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [P,L]

ServerName my_proxy_server
ServerAlias my_proxy_server
LogLevel debug
ProxyRequests Off
CustomLog /etc/httpd/logs/access_log common
ErrorLog "|/usr/sbin/rotatelogs /etc/httpd/logs/error_log 86400 common"
TransferLog /etc/httpd/logs/ssl_access_log
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client-cert.p12
ProxyPass /VENDOR https://www.techmed.com/VENDOR/vendor.asmx
ProxyPassReverse /VENDOR https://www.techmed.com/VENDOR/vendor.asmx
---------------------------------------
Thanks,
Pe
Re: (internal app) --http-->apache---https--->(external app)
am 23.08.2009 20:30:06 von pe uni
Hi Eric, below is the excerpt from the apache log
------------------------------
[Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //www.techmed.com/VENDOR/vendor.asmx
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(1507): [client interapp_ipaddr] proxy: *: found reverse proxy worker for https://www.techmed.com/VENDOR/vendor.asmx
[Sun Aug 23 12:24:39 2009] [debug] mod_proxy.c(966): Running scheme https handler (attempt 0)
[Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(1960): proxy: HTTP: serving URL https://www.techmed.com/VENDOR/vendor.asmx
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2044): proxy: HTTPS: has acquired connection for (*)
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2102): proxy: connecting https://www.techmed.com/VENDOR/vendor.asmx to www.techmed.com:443
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2195): proxy: connected /VENDOR/vendor.asmx to www.techmed.com:443
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2347): proxy: HTTPS: fam 2 socket created to connect to *
[Sun Aug 23 12:24:39 2009] [error] [client 73.155.40.73] SSL Proxy requested for my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]
[Sun Aug 23 12:24:39 2009] [error] proxy: HTTPS: failed to enable ssl support for 73.155.40.73:443 (www.techmed.com)
[Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2062): proxy: HTTPS: has released connection for (*)
--------------------------------------------------
Re: (internal app) --http-->apache---https--->(external app)
am 24.08.2009 03:17:37 von Eric Covener
> [Sun Aug 23 12:24:39 2009] [error] [client 73.155.40.73] SSL Proxy requested for my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]
Tried the hint?
--
Eric Covener
covener@gmail.com
Re: (internal app) --http-->apache---https--->(external app)
am 24.08.2009 09:03:27 von Krist van Besien
On Sun, Aug 23, 2009 at 8:30 PM, pe uni wrote:
> Hi Eric, below is the excerpt from the apache log
> ------------------------------
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(1507): [client interapp_ipaddr] proxy: *: found reverse proxy worker for https://www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy.c(966): Running scheme https handler (attempt 0)
> [Sun Aug 23 12:24:39 2009] [debug] mod_proxy_http.c(1960): proxy: HTTP: serving URL https://www.techmed.com/VENDOR/vendor.asmx
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2044): proxy: HTTPS: has acquired connection for (*)
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2102): proxy: connecting https://www.techmed.com/VENDOR/vendor.asmx to www.techmed.com:443
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2195): proxy: connected /VENDOR/vendor.asmx to www.techmed.com:443
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2347): proxy: HTTPS: fam 2 socket created to connect to *
> [Sun Aug 23 12:24:39 2009] [error] [client 73.155.40.73] SSL Proxy requested for my_proxyserver:80 but not enabled [Hint: SSLProxyEngine]
> [Sun Aug 23 12:24:39 2009] [error] proxy: HTTPS: failed to enable ssl support for 73.155.40.73:443 (www.techmed.com)
> [Sun Aug 23 12:24:39 2009] [debug] proxy_util.c(2062): proxy: HTTPS: has released connection for (*)
> --------------------------------------------------
When proxying http to https you need to configure apache as an ssl
_client_. Apache will not function as an SSL client out of the box.
This question comes up regularly, and this is what I answered last
time it came up:
You need to add the following to your config.
# turn on SSL proxying.
SSLProxyEngine On
# to tell Apache where to find CA certificates to check remote server certificates with:
# (You can choose yourself where you put these certificates)
SSLProxyCACertificatePath /path/to/ca/certificates
Then in this path you need to put the CA certificate(s) used to sign
the certificate(s) used by the server(s) you communicate with. If you
want to talk to a server that uses a "self signed" certificate you
will need to put it in this dir too.
Once you've done that you need to run "c_rehash" in that directory.
c_rehash is part of a standard openssl distribution. c_rehash creates
hashed aliases in this dir. Apache needs these.
In order to test if everything is there you can do the following:
openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
if the connection succeeds just try to do a
GET /abc/
and see if you get something. If this test is successful apache should work too.
You can now add the RewriteRule or Proxy statements to forward the
connections to your https server.
Krist
--
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Re: (internal app) --http-->apache---https--->(external app)
am 24.08.2009 22:06:13 von pe uni
Hi Eric,
I tried the hint - SSLProxyEngine On. The https connection works with websites/applications that don't require a certificate.
For websites/applications that require a certificate, it fails. Please verify if the below config makes sense?
I included the following SSL directives in the virtualhost port.
---
SSLProxyEngine On
SSLEngine On
SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client-cert.p12
--
------------------------------
[Mon Aug 24 10:31:11 2009] [debug] ssl_engine_kernel.c(1765): OpenSSL: Read: SSLv3 read finished A
[Mon Aug 24 10:31:11 2009] [debug] ssl_engine_kernel.c(1784): OpenSSL: Exit: failed in SSLv3 read finished A
[Mon Aug 24 10:31:11 2009] [info] [client ip_addr1] SSL library error 1 reading data
[Mon Aug 24 10:31:11 2009] [info] SSL Library Error: 336151568 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mon Aug 24 10:31:11 2009] [info] SSL Library Error: 336150757 error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
[Mon Aug 24 10:31:11 2009] [error] [client ip_addr2] (20014)Internal error: proxy: error reading status line from remote server webapplication_server
[Mon Aug 24 10:31:11 2009] [debug] mod_proxy_http.c(1466): [client 199.130.193.102] proxy: NOT Closing connection to client although reading from backend server webapplication_server failed.
-----------------------------
downstream server wanted client certificate but none are configured
am 25.08.2009 01:47:41 von pe uni
I see the following message in the error_log
Proxy client certificate callback: downstream server wanted client certificate but none are configured
I have the following directives in my proxy virtual host...
---------------------------
SSLProxyCACertificateFile /etc/httpd/ssl/CA/CA-bundle.crt
SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client.p12
SSLProxyCACertificatePath /etc/httpd/ssl/CA
-------------------------
For some reason apache is unable to pick up the client certificate and send it to the server.
Please advise.
Regards,
Pe
Re: downstream server wanted client certificate but none are configured
am 25.08.2009 02:00:26 von Eric Covener
On Mon, Aug 24, 2009 at 7:47 PM, pe uni wrote:
> I see the following message in the error_log
>
> Proxy client certificate callback: downstream server wanted client certificate but none are configured
>
> I have the following directives in my proxy virtual host...
> ---------------------------
> SSLProxyCACertificateFile /etc/httpd/ssl/CA/CA-bundle.crt
> SSLCertificateFile /etc/httpd/ssl/servercerts/server.CRT
> SSLCertificateKeyFile /etc/httpd/ssl/servercerts/server.KEY
> SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client.p12
> SSLProxyCACertificatePath /etc/httpd/ssl/CA
> -------------------------
> For some reason apache is unable to pick up the client certificate and send it to the server.
> Please advise.
> Regards,
> Pe
>
Is PKCS12 legit there? Example has a pem-formatted file -- try splitting yours?
--
Eric Covener
covener@gmail.com
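Krist's SSLProxyEngine/CA-path advice and Eric's PKCS#12-versus-PEM point, as an added lint (example code written for this page, not an Apache tool): it reads an httpd.conf fragment and reports which directives mod_ssl still needs before it can act as a TLS client towards an https:// backend that demands a client certificate. The sample fragments are constructed from the snippets in this thread; the SSLProxyVerify check is an added hardening point, since that directive defaults to none.

```python
# Added example (not Apache code): a lint for the http -> https proxy fragment
# in this thread. Directive names/defaults are mod_proxy's and mod_ssl's; the
# sample configs are constructed from the snippets posted above.

def parse_directives(conf):
    """Yield (name, args); names lower-cased, comments and <section> tags skipped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def https_proxy_targets(directives):
    """https:// backends reached via ProxyPass/ProxyPassMatch or RewriteRule [P]."""
    targets = []
    for name, args in directives:
        parts = args.split()
        if name in ("proxypass", "proxypassmatch") and len(parts) >= 2:
            if parts[1].lower().startswith("https://"):
                targets.append(parts[1])
        elif name == "rewriterule" and len(parts) >= 3:
            # flags look like [P,L]; "PT" is passthrough, not proxy, so match exactly
            flags = [f.strip().lower() for f in parts[2].strip("[]").split(",")]
            if parts[1].lower().startswith("https://") and ("p" in flags or "proxy" in flags):
                targets.append(parts[1])
    return targets


def lint_ssl_proxy(conf):
    """Return findings; an empty list means mod_ssl can act as a verifying TLS
    client, with a client certificate, towards every https:// backend."""
    directives = list(parse_directives(conf))
    seen = {name: args for name, args in directives}   # last occurrence wins
    targets = https_proxy_targets(directives)
    if not targets:
        return []
    findings = []
    if seen.get("sslproxyengine", "").lower() != "on":
        findings.append("SSLProxyEngine On missing: mod_ssl will not open TLS to " + ", ".join(targets))
    if "sslproxycacertificatefile" not in seen and "sslproxycacertificatepath" not in seen:
        findings.append("no SSLProxyCACertificateFile/Path: backend certificate cannot be verified")
    if seen.get("sslproxyverify", "none").lower() != "require":
        findings.append("SSLProxyVerify require not set: backend certificate is accepted unverified")
    machine_cert = seen.get("sslproxymachinecertificatefile", "")
    if machine_cert.lower().endswith((".p12", ".pfx")):
        findings.append("SSLProxyMachineCertificateFile %s is PKCS#12; the directive takes a PEM file with certificate and key" % machine_cert)
    return findings


# Constructed sample: the failing fragment from the thread (section tags omitted).
BROKEN_CONF = """
SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client-cert.p12
ProxyPass /VENDOR https://www.techmed.com/VENDOR/vendor.asmx
"""

# Constructed sample: the same fragment with the directives the replies ask for.
FIXED_CONF = """
SSLProxyEngine On
SSLProxyCACertificatePath /etc/httpd/ssl/CA
SSLProxyVerify require
SSLProxyMachineCertificateFile /etc/httpd/ssl/clientcerts/client.pem
ProxyPass /VENDOR https://www.techmed.com/VENDOR/vendor.asmx
"""
```

Running lint_ssl_proxy on BROKEN_CONF reports the missing SSLProxyEngine and the PKCS#12 machine certificate; FIXED_CONF yields no findings.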