www-modproxy-dev mailing list archives

From "Foust, Adam G." <agfo...@tva.gov>
Subject RE: Reverse Proxy to backend servers listening on HTTPS
Date Wed, 30 Oct 2002 15:05:30 GMT
I _have_ been able to get the following to work:

  client <---https---> rproxy <---https---> server

On Linux, Solaris and HPUX. According to the note below this functionality
was first supported in 1998:

  Changes with mod_ssl 2.1b2 (02-Sep-1998 to 06-Sep-1998) --- from mod_ssl CHANGES file

   *) Added the first cut of HTTPS support for the proxy module. This is
      currently done by making the generic HTTP handler SSL-aware. But it
      still doesn't provide support for client or server authentication nor
      does it provide a way to configure it. Later we'll add perhaps
      SSLProxyXXXXX directives to allow the users to configure the SSL client
      inside the proxy.  But beside this it's full functional. One can use it
      for proxying https://xxx URLs and also use `ProxyPass https://xxxx'.
      (the sources of SSLeay's s_client and cURL were my friends ;-)

What I _have not_ been able to get to work on any Apache platform is:

  client <--https--> rproxy <--connect-thru-proxy--> https_server

Performing a backend connect by way of a standard forward proxy to an
HTTPS server does not seem to work. I've tested this on only Linux and
Solaris. What is very puzzling is that according to the Apache bug database,
this feature seems to have come and gone a couple of times.

And right now it appears to be gone. The versions I tested were Apache
1.3.26 and Apache 2.0.43. Here are some related problem reports I found:

  ProxyRemote doesn't seem to work for https (1997)
  http://bugs.apache.org/index.cgi/full/173

  SSL CONNECT does not work, when ProxyRemote is used (1997)
  http://bugs.apache.org/index.cgi/full/1024

  CONNECT Problem with SSL Proxy (1998)
  http://bugs.apache.org/index.cgi/full/1942

Since a couple of these are dated before the 1998 "HTTPS works" change note,
I'm not completely clear on what's going on. Possibly the 1997 notes refer
to ApacheSSL and not mod_proxy and mod_ssl?

The behavior I observed when doing something like:

  (for Apache 2.0.x you need: SSLProxyEngine on)
  ProxyRemote * http://proxy:8080
  ProxyPass        /   https://backend
  ProxyPassReverse /   https://backend

After the frontend reverse proxy request is made (no problems there with
HTTP or HTTPS), on the backend an HTTP proxy request like "https://backend"
to proxy:8080 is being sent, causing the proxy (a forward proxy not reverse)
to cough up error logs like:

[Tue Oct 22 17:26:43 2002] [warn] [client xx.xx.xx.xx] proxy: No protocol
handler was valid for the URL https://backend/path/. If you are using a DSO
version of mod_proxy, make sure the proxy submodules are included in the
configuration using LoadModule.

An https method request should never be sent to a regular HTTP proxy, so
this appears to be a bug. The proxy:8080 is a standard Apache 1.3.26
compiled statically, no DSO. I tested with cURL to make sure everything was
working as expected:

  curl -x proxy:8080 https://backend/blah

...and it was. Apache working as an HTTPS client on the backend should
handle proxies like a browser, curl or your favorite client tool would by
connecting via HTTP to the proxy, issuing a CONNECT request to the proxy,
then tunneling the HTTPS connection over that. Either it doesn't work or I'm
missing something.

For the time being, I'm using stunnel in combination with Apache as a
solution but it would be nice to get Apache to behave correctly with bridged
SSL in combination with a backend proxy. It's also puzzling that this
problem seems to have been solved before then later fell through the cracks.

Any help would be appreciated.
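
The CONNECT handshake the message describes, as an added example that is not part of the original post and is not Apache or curl code. It runs over a local socket pair; `stub_proxy`, `exchange` and the sample byte strings are constructed for illustration, and the `GET` method on the misdirected request is an assumption, since the message gives only the URL.

```python
import socket
import threading

def connect_request(host, port=443):
    """What a proxy-aware HTTPS client sends first: CONNECT host:port, no URL scheme."""
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")

def read_head(sock, limit=8192):
    """Read one header block byte by byte so no tunnelled bytes are consumed."""
    buf = b""
    while not buf.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)
        if not chunk or len(buf) >= limit:
            raise ConnectionError("peer closed or header block too large")
        buf += chunk
    return buf

def open_tunnel(sock, host, port=443):
    """Ask the proxy for a tunnel; only a 2xx reply means TLS may start."""
    sock.sendall(connect_request(host, port))
    status = read_head(sock).split(b"\r\n", 1)[0].decode("latin-1")
    parts = status.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit() or not 200 <= int(parts[1]) < 300:
        raise ConnectionError(f"proxy refused CONNECT: {status}")
    # A real client now starts TLS on `sock` and verifies the backend's certificate.
    return sock

def stub_proxy(sock):
    """Constructed stand-in for proxy:8080: tunnels CONNECT, rejects the rest."""
    method = read_head(sock).split(b" ", 1)[0]
    if method == b"CONNECT":
        sock.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
        sock.sendall(sock.recv(4096))  # echo stands in for the HTTPS backend
    else:
        sock.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")  # constructed reply

def exchange(first_bytes=None):
    """Run one client/proxy exchange over a local socket pair and return the reply."""
    client, proxy = socket.socketpair()
    threading.Thread(target=stub_proxy, args=(proxy,), daemon=True).start()
    with client, proxy:
        if first_bytes is None:  # correct client: CONNECT, then opaque tunnel bytes
            open_tunnel(client, "backend").sendall(b"opaque-tls-bytes")
            return client.recv(4096)
        client.sendall(first_bytes)  # misdirected request, sent to the proxy as-is
        return read_head(client).split(b"\r\n", 1)[0]
```

Because the TLS session runs inside the tunnel, the forward proxy only ever sees the `backend:443` authority and opaque bytes, never the request path or headers.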
