Hi,
Thanks a lot for your assistance.
Regards.
Marco

> -----Original Message-----
> From: Krist van Besien [mailto:krist.vanbesien@xxxxxxxxx]
> Sent: Wednesday, 10 October 2007 13:00
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: Https proxy on http Virtual Host
>
>
> On 10/10/07, Boyle Owen <Owen.Boyle@xxxxxxx> wrote:
> > > -----Original Message-----
> > > From: Bronzetti Marco [mailto:marco.bronzetti@xxxxxxxxxxxxxxxx]
> > > Sent: Wednesday, October 10, 2007 9:46 AM
> > > To: users@xxxxxxxxxxxxxxxx
> > > Subject: Https proxy on http Virtual Host
> > >
> > > Hi,
> > > I need to do a Reverse proxy to a Https WebSite from an Http WebSite,
> > > my httpd.conf should be like that :
> > >
> > > <VirtualHost test.telecomitalia.it:80>
> > > ServerName test.telecomitalia.it
> > > ErrorLog /appl1/logs/http_error.log
> > > CustomLog /appl1/logs/http_access.log common
> > > DocumentRoot /docroot
> > > DirectoryIndex index.html index.html.var
> > > <IfModule mod_proxy.c>
> > > ProxyPass /rep-rs/ https://10.173.82.30/rep-rs/
> > > ProxyPass /ti-csr/ https://10.173.82.30/ti-csr/
> > > </IfModule>
> > > </VirtualHost>
> > >
> > > Is it possible to do that ?
> >
> > Yes, but not like that...
> >
> > If the back-end is an HTTPS server, then the front-end (ie your apache)
> > has to talk SSL to it. To do this, it needs to use mod_ssl and special
> > directives to contact a back-end HTTPS server (see
> > http://httpd.apache.org/docs/2.2/mod/mod_proxy.html and
> > http://httpd.apache.org/docs/2.2/mod/mod_ssl.html)
>
> Important is also that you have the following directives:
> SSLProxyEngine on
> and
> SSLProxyCACertificateFile <file>
> or
> SSLProxyCACertificatePath <path>
> (see: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslproxycacertificatepath )
>
> You see, apache needs to act as an ssl _client_, which it doesn't do
> out of the box. In order for apache to act as an ssl client it needs a
> few extra directives, and you must make the CA certificate used to sign
> the certificate of the server(s) you're communicating with available to
> it using the SSLProxyCACertificateFile (or Path). See the documentation.
>
> > By the way, I guess the back-end is a legacy server that you can't
> > change? Otherwise, it is pretty silly to do this since the connection
> > from the client to the front-end will be plain HTTP and it makes no
> > sense to protect data for only part of its journey.
>
> I've had to set up such a configuration, to allow a legacy service that
> was only able to make http requests to communicate with a new service
> that only accepted https requests. The http -> https proxy ran on the
> same machine as the legacy service, so there were no big security
> issues.
>
> Krist
>
> --
> krist.vanbesien@xxxxxxxxx
> krist@xxxxxxxxxxxxx
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
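
Added example, not part of the original thread: the virtual host from the question with the directives named in the replies in place, so that Apache acts as an SSL client towards the back-end. The CA file path is a placeholder, and `SSLProxyVerify`, `SSLProxyVerifyDepth`, `ProxyRequests` and `ProxyPassReverse` are additions the thread does not mention.

```apache
# Requires mod_proxy, mod_proxy_http and mod_ssl to be loaded.
<VirtualHost test.telecomitalia.it:80>
    ServerName test.telecomitalia.it
    ErrorLog /appl1/logs/http_error.log
    CustomLog /appl1/logs/http_access.log common
    DocumentRoot /docroot
    DirectoryIndex index.html index.html.var

    # Let mod_ssl act as an SSL client for proxied https:// requests.
    SSLProxyEngine on

    # CA certificate that signed the back-end server's certificate.
    # Placeholder path (assumption); the thread gives only "<file>".
    SSLProxyCACertificateFile /path/to/backend-ca.pem

    # Not in the thread: SSLProxyVerify defaults to "none", in which case
    # the back-end certificate is not checked against the CA file above.
    SSLProxyVerify require
    # Adjust to the length of the back-end's certificate chain.
    SSLProxyVerifyDepth 2

    # Reverse proxy only; keep forward proxying switched off.
    ProxyRequests Off

    # Mappings from the original question. ProxyPassReverse rewrites
    # Location headers in back-end redirects so clients stay on this host.
    ProxyPass        /rep-rs/ https://10.173.82.30/rep-rs/
    ProxyPassReverse /rep-rs/ https://10.173.82.30/rep-rs/
    ProxyPass        /ti-csr/ https://10.173.82.30/ti-csr/
    ProxyPassReverse /ti-csr/ https://10.173.82.30/ti-csr/
</VirtualHost>
```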