RE: [users@httpd] Forward port 443 requests, but use mod_rewrite on port 80 requests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

 

> -----Original Message-----
> From: Browne, Anthony A [mailto:aabrowne@xxxxxxxxxxxx] 
> Sent: Mittwoch, 19. April 2006 23:14
> To: users@xxxxxxxxxxxxxxxx
> Subject: RE: [users@httpd] Forward port 443 requests, but use 
> mod_rewrite on port 80 requests
> 
> OK, I've been working on this all day and I have some more 
> observations. The workstation browsers (hereinafter 
> 'browsers') have their LAN proxy settings configured to the 
> Apache server's IP and port 80.

This is becoming clearer... 

> 	Now, the Apache server is only listening on 80. So, 
> when the browsers want to CONNECT to an https site, what does 
> the request look like to Apache?

The request arrives at the apache proxy on port 80 and looks like this:

CONNECT www.securesite.com:443

The apache proxy then acts as a pipe and just passes packets back and forth between the client and server. It's the client and server who check the cert, negotiate the cipher etc. Once the SSL session is established, the client makes an encrypted GET request (which apache cann't see) for the resource required. All this happens via the proxy's port 80. 

> It appears even if I have a *:443 virtual host, it doesn't 
> get touched. 

It wouldn't, if the clients are all configured to use port 80 for all traffic.

> I even tried to Listen on 443 as well, but it 
> won't bind. 

Er... I kinda assumed you had this already - you can't run a VH on a port if you're not listening to it. If it won't bind that's a different problem. Is the port already in use? Is something else using it?

> A _default_:* doesn't get touched either. 

I don't think you can wildcard ports! That would mean every bit of traffic would end up at apache (mail, ping, ftp, rpc - whatever)!

> How do 
> I a) listen on one port and b) use different virtual hosts to 
> proxy requests from the browsers?

I see that http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewritecond has a server-variable called REQUEST_METHOD. So this might work:

RewriteCond %{REQUEST_METHOD} CONNECT
RewriteRule ^\.$ - [L]

... rest of HTTP rewrite rules

So what happens is that the RewriteCond detects the CONNECT method and then activates the following rule. The rule does nothing (target = "-" means no substitution) and then breaks out of all further rewriting (the [L] flag). Then the request gets proxied normally - possibly...

If not (if proxying supersedes mod_rewrite - I think you said it did), then maybe replace the rule with:
RewriteRule ^\.$ http://apache-proxy:81/ [R]

ie, redirect the request to the same proxy but on a different port. Then try:

Listen 81
<VH *:81>
  ProxyRequests On

as before...

I think you might *have* to have two ports on the proxy - I don't think you can separate the streams otherwise...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.  


> 
> 
> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@xxxxxxx] 
> Sent: Wednesday, April 19, 2006 1:26 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: RE: [users@httpd] Forward port 443 requests, but use 
> mod_rewrite on port 80 requests
> 
>  
> 
> > -----Original Message-----
> > From: Browne, Anthony A [mailto:aabrowne@xxxxxxxxxxxx] 
> > Sent: Dienstag, 18. April 2006 18:29
> > 
> > No, I am trying to figure out how to separate the two 
> > different request streams.
> 
> I did read your description below and I think I get it:
> 
> if (HTTP)
> 	if (mirrored)
> 		serve from cache
> 	else
> 		fetch from web
> else if (HTTPS)
> 	fetch from web
> 
> Is that right? Your problem is that you have only a main 
> config that is handling all requests through the same 
> ruleset. HTTPS requests can't be rewritten because you can't 
> decrypt them - you can only proxy HTTPS traffic using the 
> CONNECT method and in this case the packets are passed 
> through the proxy untouched (apache routes them using only 
> their TCP/IP attributes so you can't see the URI or hostname 
> or whatever).
> 
> I think splitting your traffic between two port-based VHs 
> should work, something like:
> 
> # HTTPS
> <VirtualHost *:443> 
> 	ProxyRequests on
> </VirtualHost>
> 
> #HTTP
> <VirtualHost *:80> 
> 	... mod_rewrite stuff
> </VirtualHost>
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message may be ignored. 
> 
> > 
> > My config is as follows:
> > 
> > 1) 	The workstations on our LAN have IE configured to use the Apache
> > 	Server as a proxy
> > 2)	The Apache listens on 80
> > 3) 	The workstations request items from hosts they believe 
> > are valid,
> > 	but are actually in a folder on the Apache server 
> > (several million 	sites are mirrored by our company to 
> > save bandwidth and to monitor 
> > 	ALL outgoing requests-- workstations have only been 
> > allowed to receive 	this mirrored content). We implement 
> > this using mod_rewrite and 	rewriting all requests to 
> > /webfolder/servername/requesturi.
> > 4)	Our specification changed and now, we need to support 
> > workstation 	requests for items not in our mirrored web 
> > content folder (i.e., we 	now want to let our 
> > workstations be able to surf the Internet using 	our proxy).
> > 5)	However, we need requests that we have a mirror for to 
> > be served, 
> > 	rather than proxied. This means we must check to see if 
> > they exist in 	our web content folder BEFORE WE TRY TO 
> > PROXY THEM. This is what the 	specification is.
> > 6)	So far, we have been rewriting the request back to its 
> > original form,
> > 	if it doesn't exist in the web content folder, and 
> > trying to use the 	[P] flag to proxy it, but this does not 
> > work for https. It 	works for 	port 80 content, but 
> > mod_rewrite does't correctly store the uri for 	https. 
> > For example, trying:
> > 
> > RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} -s [OR]
> > RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} -d
> > RewriteRule ^/(.*)$ - [S=2]
> > 
> > RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-s
> > RewriteCond %{SERVER_PORT} 80
> > RewriteRule ^(.*)$ 
> > http://${lowercase:%{SERVER_NAME}}%{REQUEST_URI}%{QUERY_STRING
> } [P,S=1]	
> > 
> > RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME} !-s
> > RewriteCond %{SERVER_PORT} 443
> > RewriteRule ^/(.*) 
> > https://%{SERVER_NAME}%{REQUEST_URI}%{QUERY_STRING}  [P] 
> > 
> > 	always proxies 'https://serverName/' with no uri or qs.
> > 
> > So, this is why we wanted to just pass through port 443 
> > requests so that we didn't have to deal with this issue. 
> > Using 'ProxyRequests on' works, but then you can't use 
> > mod_rewrite. Any suggestions would be helpful.
> > 
> > -----Original Message-----
> > From: Boyle Owen [mailto:Owen.Boyle@xxxxxxx] 
> > Sent: Tuesday, April 18, 2006 4:14 AM
> > To: users@xxxxxxxxxxxxxxxx
> > Subject: RE: [users@httpd] Forward port 443 requests, but use 
> > mod_rewrite on port 80 requests
> > 
> > > -----Original Message-----
> > > From: Anthony Browne [mailto:aabrowne@xxxxxxxxxxxx] 
> > > Sent: Montag, 17. April 2006 21:59
> > > 
> > > Is there a way to use ProxyPass to forward items based on the 
> > > port number of the request? I want to forward all requests 
> > > that use port 443 with ProxyPass (so that I can use 
> > > mod_rewrite on all port 80 requests). Is this possible, or do 
> > > I need to implement this in mod_rewrite?
> > 
> > Do you not already have two port-based VHs? One on port 80 
> > and one on port 443? If so, there is no problem since the two 
> > VHs clearly separate the two request streams.
> > 
> > If this isn't clear to you, post back some more details of 
> > your config... Specifically, how do you separate HTTP and 
> > HTTPS traffic?
> >  
> > Rgds,
> > Owen Boyle
> > Disclaimer: Any disclaimer attached to this message may be ignored. 
> > 
> > > 
> > > Also, I can't use 'ProxyRequests on' because this won't let 
> > > me use mod_rewrite when a port 80 request comes in 
> > > (mod_rewrite is always applied last). If I need to do this 
> > > with mod_rewrite, does anyone have any suggestions as to what 
> > > I need to do? 
> > > 
> > >                         
> > > 
> > >                         Thanks
> > > 
> > >  
> > > 
> > > 
> > 
> > Diese E-mail ist eine private und persönliche Kommunikation. 
> > Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der 
> > SWX Gruppe. This e-mail is of a private and personal nature. 
> > It is not related to the exchange or business activities of 
> > the SWX Group. Le présent e-mail est un message privé et 
> > personnel, sans rapport avec l'activité boursière du Groupe SWX.
> >  
> >  
> > This message is for the named person's use only. It may 
> > contain confidential, proprietary or legally privileged 
> > information. No confidentiality or privilege is waived or 
> > lost by any mistransmission. If you receive this message in 
> > error, please notify the sender urgently and then immediately 
> > delete the message and any copies of it from your system. 
> > Please also immediately destroy any hardcopies of the 
> > message. You must not, directly or indirectly, use, disclose, 
> > distribute, print, or copy any part of this message if you 
> > are not the intended recipient. The sender's company reserves 
> > the right to monitor all e-mail communications through their 
> > networks. Any views expressed in this message are those of 
> > the individual sender, except where the message states 
> > otherwise and the sender is authorised to state them to be 
> > the views of the sender's company.
> > 
> > 
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP 
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > 
> > 
> > 
> ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP 
> > Server Project.
> > See <URL:http://httpd.apache.org/userslist.html> for more info.
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> >    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > 
> > 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP 
> Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux