Re: Forward Proxy on behalf of the client instead of as a tunnel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Marat,

Thank you again for your response.  You are correct, I cannot enumerate all of the targets because we do not know about any of them and they could potentially be any IP or URI reachable by the system.  

I spent some time looking at the P option for mod_rewrite but I got the impression that it would only work in the case of the reverse proxy situation.  I was not able to get it to work but I wanted to make sure you thought there was potential for that to help with my forward proxy issue before I spent a lot more time on it.

-Dan

On Tue, Feb 28, 2017 at 11:05 AM, Marat Khalili <mkh@xxxxxx> wrote:
Solution using reverse proxy does not require any control over proxied services, but you'll need to enumerate them all in your proxy configuration. Proxy will discriminate requests by hostname and port and forward them to specified services. This will give you additional control and security at the cost of management overhead.

If you cannot or wish not enumerate all your target services, looks like you can use "P" option of mod_rewrite: https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_p . I do not have much experience with it, but it might work.
--

With Best Regards,
Marat Khalili

On February 28, 2017 6:39:38 PM GMT+03:00, Daniel Frank <danthehitman@xxxxxxxxx> wrote:
I see how my original question made it sound like a single service.  I was trying to keep the scenario as simple as possible and probably over simplified it.  The reality is that the endpoint we will be connecting to will be many appliances at many different IPs.  

Regarding using a reverse proxy, even if it were one service I dont see how the reverse proxy would work since we dont control that service or where it is running.  Maybe I am misunderstanding how the reverse proxy works as well.

Thanks for the response.  Regarding the original question, is what I am asking possible?

-Dan

On Tue, Feb 28, 2017 at 12:19 AM, Marat Khalili <mkh@xxxxxx> wrote:

Why are you calling it _forward_ proxy if it's only going to connect to one service? Your problem can easily be solved with _reverse_ proxy.


--

With Best Regards,
Marat Khalili

On 28/02/17 02:16, Daniel Frank wrote:
All,

I am trying to set Apache up as a forward proxy to help solve an issue that we have where an HTTP Client in our application does not support TLS 1.2 but an API that we need to consume only supports TLS 1.2.  What I am attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but allow my internal client to talk to the proxy over HTTP.

I had it in my head that this was what a forward proxy was going to give me so after having set up a forward proxy and configuring my application to use it I was surprised to see that I was getting exactly the same behavior that I was getting when I had no proxy configured (failure of my internal client to speak TLS 1.2).

So my question is; can Apache be configured as a FORWARD proxy to speak HTTP with the caller but HTTPS to the callee?

I have spent a lot of time searching and I did check the mailing list archives but it's entirely possible that I just dont even know what to search for to get a good answer so if this is a dumb question I sincerely apologize for wasting the groups time.

Thanks in advance for any help.

-Dan



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux