Re: connecting two apache http servers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Thank you. Those points you raised helped me to get it working. The key was to turn on SSL proxy (i.e. SSLProxyEngine On). I did not have to do anything with CA certificates or c_rehash.

Again, I appreciate your help and thank you.

On Tue, Feb 3, 2009 at 2:42 AM, Krist van Besien <krist.vanbesien@xxxxxxxxx> wrote:
On Tue, Feb 3, 2009 at 5:42 AM, Jake Vang <vangjake@xxxxxxxxxxxxxx> wrote:
> Thanks for the link. I tried to implement it according to that site.
> However, I keep getting a permission denied error.

What do you have in the error log?

>
> Could this permission error be related to the fact that server1 and server2
> are both running on SSL? I am running Ubuntu 8.10, and I've already enabled
> mod_proxy (a2enmod proxy). Is there any other module I need to enable?

You might have to explicitely allow access to <Location /site2>, also
proxing to ssl is not something that usually works out of the box. You
have two options here.
- Enable http on your site2 (in a way that only access from the other
apache is permitted),
or
-  setup SSLProxying.

Apache can't proxy to https urls out of the box. You need to do some work.

you need to add the following to your config.
--- begin config ---
# turn on SSL proxying.
SSLProxyEngine On

# to tell Apache where to find CA certificates to check remote server
certificates with:
# (You can choose yourself where you put these certificates)
SSLProxyCACertificatePath /path/to/ca/certificates.
--- end config ---

Then in this path you need to put the CA certificate(s) used to sign
the certificate(s) used by the server(s) you communicate with. If you
want to talk to a server that uses a "self signed" certificate you
will need to put it in this dir too. (Remember that Apache is acting
as a HTTPS client here)

Once you've done that you need to run c_rehash in that directory.
c_rehash is part of a standard openssl distribution. c_rehash creates
hashed aliases in this dir. Apache needs these.

In order to test if everything is there you can do the following:

openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443

if the conenction succeeds just try to do a
GET /something/


HTH,

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux