Hi Krist, all,

To use c_rehash, I must have .pem and .crt files. Correct me if I am wrong please.
The remote server has a self-signed certificate that was generated using keytool (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) so the file generated is .keytool. Should I generate .pem and .crt files to run c_rehash? If so, how?

On another front, I understand from you that I can have Apache as a proxy server that talks SSL with the backend and non-SSL with the end user (in the URL, the user puts http not https even if the backend server is accessed via https). Correct me if I am wrong please.

thanks.

--- On Fri, 11/4/08, Krist van Besien <krist.vanbesien@xxxxxxxxx> wrote:

> From: Krist van Besien <krist.vanbesien@xxxxxxxxx>
> Subject: Re: url proxying
> To: users@xxxxxxxxxxxxxxxx, melanie_pfefer@xxxxxxxxxxx
> Date: Friday, 11 April, 2008, 4:28 PM
>
> On Fri, Apr 11, 2008 at 9:48 AM, Melanie Pfefer <melanie_pfefer@xxxxxxxxxxx> wrote:
> > Hi everybody,
> >
> > I want to enable proxying from apache to a tomcat application running on ssl.
> >
> > Redirection is working:
> > RewriteRule /abc/ https://remoteserver:8443/abc/ [R=301,L]
> >
> > But proxying is not:
> > RewriteRule /abc/ https://remoteserver:8443/abc/ [P,L]
> >
> > In redirection:
> > http://myapache/abc/ goes to https://remoteserver:8443/abc/ but this is shown in the url which is not my intention.
> >
> > Any idea how to fix the proxying?
> > thanks
>
> Apache can't proxy to https urls out of the box. You need to do some work.
>
> You need to add the following to your config.
>
> # turn on SSL proxying.
> SSLProxyEngine On
>
> # to tell Apache where to find CA certificates to check remote server certificates with:
> # (You can choose yourself where you put these certificates)
> SSLProxyCACertificatePath /path/to/ca/certificates
>
> Then in this path you need to put the CA certificate(s) used to sign
> the certificate(s) used by the server(s) you communicate with.
> If you want to talk to a server that uses a "self signed" certificate you
> will need to put it in this dir too.
>
> Once you've done that you need to run c_rehash in that directory.
> c_rehash is part of a standard openssl distribution. c_rehash creates
> hashed aliases in this dir. Apache needs these.
>
> In order to test if everything is there you can do the following:
>
> openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443
>
> If the connection succeeds just try to do a
> GET /abc/
>
> and see if you get something. If all goes well it should work for apache also.
>
> Krist
>
> --
> krist.vanbesien@xxxxxxxxx
> krist@xxxxxxxxxxxxx
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
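
Added example, not part of the original thread and not code from the Apache or OpenSSL projects: what the c_rehash step does for a self-signed certificate, shown with a throwaway certificate in a temporary directory. The certificate is a constructed stand-in for the Tomcat one, and the keytool alias and keystore placeholder in the comment are assumptions.

```sh
#!/bin/sh
# Added example. Sample certificate and all paths are constructed/temporary.
# From a real keystore, PEM can be exported directly (alias is an assumption):
#   keytool -exportcert -rfc -alias tomcat -keystore <keystore> -file tomcat.pem
set -eu

# keytool exports DER unless -rfc is given; convert DER to PEM for the CA dir.
der_to_pem() {  # $1 = DER input, $2 = PEM output
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# Create the <subject-hash>.<n> symlink, the naming scheme c_rehash uses.
hash_link() {  # $1 = CA directory, $2 = PEM file name inside it
    hl_hash=$(openssl x509 -noout -subject_hash -in "$1/$2")
    hl_n=0
    while [ -e "$1/$hl_hash.$hl_n" ]; do hl_n=$((hl_n + 1)); done
    ln -s "$2" "$1/$hl_hash.$hl_n"
    echo "$hl_hash.$hl_n"
}

# Succeeds only if the certificate verifies against the hashed directory.
verifies_with_capath() {  # $1 = CA directory, $2 = certificate to check
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build a throwaway self-signed certificate in DER form (constructed sample).
make_sample_der() {  # $1 = output DER file
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=remoteserver" \
        -keyout "$1.key" -outform DER -out "$1" 2>/dev/null
}

demo() {
    d=$(mktemp -d); mkdir "$d/ca"
    make_sample_der "$d/tomcat.der"
    der_to_pem "$d/tomcat.der" "$d/ca/tomcat.pem"
    if verifies_with_capath "$d/ca" "$d/ca/tomcat.pem"; then echo "before: trusted"
    else echo "before: not trusted (no hashed alias yet)"; fi
    echo "alias created: $(hash_link "$d/ca" tomcat.pem)"
    if verifies_with_capath "$d/ca" "$d/ca/tomcat.pem"; then echo "after: trusted"
    else echo "after: not trusted"; fi
    rm -rf "$d"
}
demo
```

The PEM file alone in the directory is not enough; the lookup only succeeds once the hashed alias exists, which is why c_rehash has to be run after every certificate is added.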