Good day everyone,
i am in desperate need for your help with a problem tunneling a custom
tcp protocol through a chain of apache servers configured as proxies.
The necessary setup looks like this:
Client -> [Apache 2.2 Reverse Proxy] -> [Apache 2.2 Forward Proxy] ->
Server
and unfortunately it can't be changed.
Client and Server a talking a custom protocol. To tunnel through the
proxies the Client sends a HTTP CONNECT request to the first proxy
(according to the INTERNET-DRAFT "Tunneling TCP based protocols through
Web proxy servers" by Ari Luotonen). The proxy is then supposed to
digest this HTTP CONNECT HEADER from the wire and create a tcp tunnel
between the Client and the Server. Client and Server then can talk their
custom protocol.
In the following setups this approach works flawlessly:
* Client -> [Apache 2.2 Forward Proxy] -> Server
* Client -> [Apache 2.0 Forward Proxy] -> Server
* Client -> [Apache 2.0 Reverse Proxy] -> Server
Unfortunately it does not work for Apache 2.2 reverse proxies:
* Client -> [Apache 2.2 Reverse Proxy] -> Server
* Client -> [Apache 2.2 Reverse Proxy] -> [Apache 2.2 Forward Proxy] ->
Server
How do i have to configure the proxies so that the CONNECT request
actually creates a tunnel?
My current configurations are the following:
Reverse Proxy:
Listen 9006
NameVirtualHost *:9006
<VirtualHost *:9006>
AllowCONNECT 9008
ProxyPass / http://forwardproxyhost:9007
ProxyRemote * http://forwardproxyhost:9007
</VirtualHost>
Forward Proxy:
Listen 9007
NameVirtualHost *:9007
<VirtualHost *:9007>
AllowCONNECT 9008
ProxyRequests On
</VirtualHost>
The HTTP CONNECT request header looks like this:
CONNECT serverhost:9008 HTTP/1.1
Host: serverhost:9008
User-agent: myCustomUserAgent
Connection: Keep-Alive
With the above setup the reverse proxy alters the request header and
sends the following to the forward proxy:
CONNECT http://serverhost:9008/ HTTP/1.1
Host: serverhost:9008
User-agent: myCustomUserAgent
Via: 1.1 reverseproxyhost:9008
X-Forwarded-For: serverhost
X-Forwarded-Host: serverhost:9008
X-Forwarded-Server: serverhost
Connection: Keep-Alive
...and then the chained forward proxy responds with the following:
HTTP/1.1 400 Bad Request
Date: Thu, 18 Jun 2009 11:42:02 GMT
Server: Apache/2.2.9 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 303
Content-Type: text/html; charset=iso-8859-1
Via: 1.1 reverseproxyhost:9008
Connection: close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br
/>
</p>
<hr>
<address>Apache/2.2.9 (Ubuntu) Server at forwardproxyhost Port
0</address>
</body></html>
The http:// part after the CONNECT keyword is new and was attached to
the request header by the reverse proxy. If i send this exact request
without the http://, it works. However, i have not found a way to make
Apache 2.2 do that for me. I have played with this for a while now using
different alterations of ProxyPass, ProxyPassReverse, ProxyRemote and so
on. None of those gave me the results i need.
Btw: Modules proxy, proxy_connect, proxy_http are enabled and proxy.conf
accepts all requests ("Allow from all").
Thanks in advance!
Holger Weissboeck
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|