Re: mod_proxy SSL forward proxy

On Wed, Aug 24, 2011 at 11:16 AM, Bill Moseley <moseley@xxxxxxxx> wrote:
Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r
OS X 10.6.8

I need help with a forward proxy setup and SSL.

I have created a simple httpd.conf file with two virtual hosts, listening on 8080 and 8443 (accepting SSL connections).  I'm using a self-signed certificate for testing.  With this config both of these requests work just fine:

http://localhost:8080/foo.txt
https://localhost:8443/foo.txt (issues a warning about the self-signed cert, of course)


I enabled mod_proxy (and _http and _connect) and then I set up both Firefox and Chrome to proxy http to localhost:8080 and https to localhost:8443.

The forward proxy works fine for non-SSL requests.  Any non-SSL site I go to is passed through my local Apache proxy.  But, the SSL pages do not work, and with LogLevel debug I see:

[Wed Aug 24 11:54:42 2011] [info] SSL Library Error: 336027803 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request speaking HTTP to HTTPS port!?

So, I assume I'm not understanding the configuration needed to proxy the SSL requests.

Here's my httpd.config.  Again, this config will serve local files over http or https fine.  And when a browser is set up to proxy via localhost:8080 normal http proxy works fine (and I can see all web pages I access logged as they are proxied).

But, with the browser https proxy config set to localhost 8443 https requests fail with the error above.


moseley@bair ~/Documents/apache $ cat httpd.conf 

ServerRoot /Users/moseley/Documents/apache
PidFile apache.pid
Lockfile accept.lock

LoadModule ssl_module         /usr/libexec/apache2/mod_ssl.so

LoadModule proxy_module         /usr/libexec/apache2/mod_proxy.so
LoadModule proxy_http_module         /usr/libexec/apache2/mod_proxy_http.so
LoadModule proxy_connect_module         /usr/libexec/apache2/mod_proxy_connect.so

LoadModule log_config_module  /usr/libexec/apache2/mod_log_config.so

LogLevel Debug


CustomLog logs/access_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Listen localhost:8080
Listen localhost:8443


DocumentRoot /Users/moseley/Documents/apache/htdocs

ServerName hank.org

SSLSessionCache dbm:ssl.cache

<VirtualHost *:8080>
    ProxyRequests ON
</VirtualHost>

<VirtualHost *:8443>
    ProxyRequests ON

    # This needed?
    AllowCONNECT 443 8443

    SSLEngine on

I've never used Apache like this before but I suspect that you may need the SSLProxyEngine directive as well. http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxyengine
 

    SSLCertificateFile certs3/server.crt
    SSLCertificateKeyFile certs3/server.key

    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>

--
Bill Moseley
moseley@xxxxxxxx



--
Jens-Harald Johansen
--
There are 10 kinds of people in the world: Those who understand binary and
those who don't...
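
Added example, not part of the original thread: a forward-proxy client asks for an HTTPS tunnel with a plaintext `CONNECT host:port` request, and the log line quoted above is what an SSL-enabled listener reports when its first bytes are that request instead of a TLS handshake. The Python sketch below classifies the opening bytes of a connection and checks the tunnel port against the `AllowCONNECT 443 8443` list from the posted config; the function names and sample byte strings are constructed for illustration.

```python
# Constructed samples: what a proxy client sends first, and a TLS record header.
BROWSER_CONNECT = (b"CONNECT www.example.com:443 HTTP/1.1\r\n"
                   b"Host: www.example.com:443\r\n\r\n")
TLS_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01])
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ")

def classify_first_bytes(data: bytes) -> str:
    """Say which protocol the opening bytes of a connection look like."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"       # record type 22 (handshake), major version 3
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"  # 2-byte length with high bit set, msg type 1
    if data.startswith(b"CONNECT "):
        return "http-proxy-connect"  # plaintext tunnel request
    if data.startswith(HTTP_METHODS):
        return "plain-http"
    return "unknown"

def parse_connect_target(data: bytes):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host, int(port)

def diagnose(data: bytes, ssl_port: bool, allow_connect=(443, 8443)) -> str:
    """Compare what arrived with what the listener expects (SSLEngine on or off)."""
    kind = classify_first_bytes(data)
    if kind == "http-proxy-connect":
        target = parse_connect_target(data)
        if target is None:
            return "malformed CONNECT request"
        if ssl_port:
            return "mismatch: plaintext CONNECT sent to an SSL-enabled port"
        if target[1] not in allow_connect:
            return f"CONNECT to port {target[1]} not in AllowCONNECT list"
        return f"ok: tunnel request for {target[0]}:{target[1]}"
    if ssl_port != (kind in ("tls-handshake", "sslv2-client-hello")):
        return f"mismatch: {kind} on {'SSL' if ssl_port else 'non-SSL'} port"
    return f"ok: {kind}"

if __name__ == "__main__":
    print(diagnose(BROWSER_CONNECT, ssl_port=True))   # the 8443 case from the thread
    print(diagnose(BROWSER_CONNECT, ssl_port=False))  # the same request on 8080
```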
