RE: [users@httpd] Configuring a reverse proxy for SSL

> > What seems strange to me is that the proxy host requires
> > a certificate just to tunnel a session to an https backend
> > system... This seems like quite a lot of overhead for
> > nothing...

> well, that is because it is not just a tunnel. :-)
> If you want just that, then you could use some kind of port-forward
> (e.g. via packet-filter rule) BUT that can't inspect http and protect
> the backend server from (some kinds of) malicious requests.
> Or rewrite URLs.

Precisely.

I was using iptables, but quickly realised the limitations, which is why I
switched to proxying.


> > And contrary to what the docs tend to have one believe,
> > AllowCONNECT is not necessary.
>
> You use this in an HTTP VH which contains a proxy. I'm
> not entirely sure how it works (I've never actually used it),
> but it looks like mod_proxy is always listening on port 443
> (even if you have no SSL VH?). If a client tries to establish
> an SSL session, the server tells him that it can proxy and
> so the browser retries using the CONNECT method (CONNECT
> simply forwards packets unopened between the client
> and the backend).
>
> You might like to try this and let us know... (I'd be interested :-)

Actually, that is what I thought I was supposed to do.

Not sure of the details about what happened, but generally speaking, the
requests were indeed getting forwarded to the local host. However, the
request was not understood by the local host, so was returning some kind of
error. I say "some kind of error" because it didn't seem to be a typical 50x
error and was displayed in a dialog box by my browser.


If you would like more details, please let me know exactly what you want. I
would be happy to check it out again.


Thanks for the explanations!!



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
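
The arrangement discussed in this thread, as an added example that is not part of the original message or of the Apache project's documentation: a reverse-proxy virtual host that terminates the client's TLS session with its own certificate and opens a second, verified TLS session to the https backend. Hostnames and file paths are placeholders, and httpd 2.4 with mod_ssl, mod_proxy and mod_proxy_http is assumed.

```apache
# Added example; hostnames and file paths are placeholders.
# Assumes httpd 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded.
Listen 443

<VirtualHost *:443>
    ServerName proxy.example.com

    # Client-facing TLS ends here, which is why the proxy host needs
    # its own certificate: it must read the HTTP request in order to
    # filter it or rewrite URLs.
    SSLEngine on
    SSLCertificateFile    /path/to/proxy.example.com.crt
    SSLCertificateKeyFile /path/to/proxy.example.com.key

    # Reverse proxy only. Forward proxying stays off, so CONNECT is
    # never served and AllowCONNECT has no role in this setup.
    ProxyRequests Off

    # Second TLS session, from the proxy to the https backend.
    SSLProxyEngine on
    # Verify the backend certificate rather than accepting any peer.
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/backend-ca.crt
    SSLProxyCheckPeerName on

    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```

Running `apachectl configtest` after editing checks the syntax before the server is reloaded.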


