> > What seems strange to me is that the proxy host requires > > a certificate just to tunnel a session to an https backend > > system... This seems like quite a lot of overhead for > > nothing... > well, that is is because it is not just a tunnel. :-) > If you want just that, then you could use some kind of port-forward > (e. g.via paket-filter rule) BUT that can't inspect http and protect > the backend server from (some kinds of) malicious requests. > Or rewrite URLs. Precisely. I was using iptables, but quickly realised the limitations, which is why I switched to proxying. > > And contrary to what the docs tend to have one believe, > > AllowCONNECT is not necessary. > > You use this in an HTTP VH which contains a proxy. I'm > not entirely sure how it works (I've never actually used it), > but it looks like mod_proxy is always listening on port 443 > (even if you have no SSL VH?). If a client tries to establish > an SSL session, the server tells him that it can proxy and > so the browse re-tries using the CONNECT method (CONNECT > simply forwards packets unopened between the client > and the backend). > > You might like to try this and let us know... (I'd be interested :-) Actually, that is what I thought I was supposed to do. Not sure of the details about what happened, but generally speaking, the requests were indeed getting forwarded to the local host. However, the request was not understood by the local host, so was returning some kind of error. I say "some kind of error" because it didn't seem to be a typical 50x error and was displayed in a dialog box by my browser. If you would like more details, please let me know exactly what you want. I would be happy to check it out again. Thanks for the explanations!! --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx