On 5/17/06, Sebastian Reitenbach <itlistuser@xxxxxxxxxxx> wrote:
Hi,

I have an apache listening for SSL connections on port 443 behind a NAT firewall in the DMZ. Connections for one virtual host shall be reverse proxied to another host in the same DMZ, but it seems that I am unable to get it to work, for me it seems I must have missed sth. obvious.

I tried this with mod_proxy:

    SSLProxyEngine On
    ProxyRequests On
    AllowCONNECT 443
    ProxyPass / https://10.0.0.2/
    ProxyPassReverse / https://10.0.0.2/

Then I receive the following error messages at the proxy:

    [Wed May 17 17:07:18 2006] [error] SSL Proxy requested for webgis.rapideye.de:80 but not enabled [Hint: SSLProxyEngine]
    [Wed May 17 17:07:18 2006] [error] proxy: failed to enable ssl support for 10.0.0.2:443 (0.0.0.2)
    [Wed May 17 17:07:19 2006] [notice] child pid 28242 exit signal Segmentation fault (11)

Because of the segmentation fault, I am not sure whether it shall work that way or not, but I doubt it.

With the SSLProxyEngine enabled:

    SSLProxyEngine On
    ProxyRequests On
    AllowCONNECT 443
    ProxyPass / https://10.0.0.2/
    ProxyPassReverse / https://10.0.0.2/

I have this message in the error_log of the proxy:

    [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet: proxy: request failed to 10.10.10.2:443 (10.0.0.2)
    [Wed May 17 17:09:55 2006] [error] proxy: HTTP: previous connection is closed
    [Wed May 17 17:09:55 2006] [error] (20014)Error string not specified yet: proxy: request failed to 10.0.0.2:443 (10.0.0.2)

and this in the error_log of the apache behind the proxy:

    [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request \x80|\\x03\x01
    [Wed May 17 19:07:17 2006] [error] [client 10.0.0.3] Invalid method in request \x80|\x01\x03\x01

With only these in the virtual host of the proxy, it is working, but only without HTTPS:

    ProxyPass / http://10.0.0.2/
    ProxyPassReverse / http://10.0.0.2/

Is there any way to access an HTTPS server behind an apache HTTPS proxy?

Firstly: You don't need

    ProxyRequests On
    AllowCONNECT 443

First this. This is to allow clients to use your server as a _forward_ proxy to HTTPS hosts. Do not put "ProxyRequests On" in your config file if you are only doing reverse proxying.

Proxying to an HTTPS server is possible (I do this on one of my systems), but it requires a bit more than just adding

    SSLProxyEngine On

on most installations. This is because when forwarding requests to an HTTPS server Apache has to behave as an https _client_. For this it requires a few files that are usually not present on a stock Apache install.

This is how I would do it:

    SSLProxyEngine On
    SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt
    ProxyPass / https://10.0.0.2/
    ProxyPassReverse / https://10.0.0.2/

You need to create the file /usr/local/apache/conf/cacerts.crt, and in it you put the (PEM encoded) certificate used to sign the certificate your 10.0.0.2 server uses. This way apache can complete the SSL handshake with your server.

For more info read the mod_ssl documentation, specifically the SSLProxy* directives. The docs are not that obvious, but they do contain the answers you are looking for.

Krist

--
krist.vanbesien@xxxxxxxxx
Solothurn, Switzerland
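
The reverse-proxy setup discussed in this thread, written out as one complete virtual host. This is an added example, not part of the original messages: the ServerName and the front-end certificate paths are placeholders, and the SSLProxyVerify and SSLProxyVerifyDepth lines go beyond what the reply lists.

```apache
# Added example, not from the original thread.
# ServerName and the front-end certificate/key paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # Front end: this virtual host terminates the client's SSL connection.
    SSLEngine On
    SSLCertificateFile    /usr/local/apache/conf/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/server.key

    # Reverse proxying only: keep the forward proxy switched off, so the
    # server cannot be used to reach arbitrary hosts. No AllowCONNECT line.
    ProxyRequests Off

    # Back end: mod_ssl acts as an SSL client towards 10.0.0.2.
    SSLProxyEngine On

    # PEM file holding the certificate that signed the backend's certificate.
    SSLProxyCACertificateFile /usr/local/apache/conf/cacerts.crt

    # SSLProxyVerify defaults to "none". Without "require" the CA file is
    # loaded but the backend certificate is not required to validate
    # against it.
    SSLProxyVerify require

    # Depth 1: the backend certificate is self-signed or signed by a CA
    # directly present in the file above.
    SSLProxyVerifyDepth 1

    # On httpd 2.4.5 and later, SSLProxyCheckPeerName additionally compares
    # the name in the backend certificate with the host in the ProxyPass URL.

    ProxyPass        / https://10.0.0.2/
    ProxyPassReverse / https://10.0.0.2/
</VirtualHost>
```

Running `apachectl configtest` after the change catches directive typos before a restart.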