Rainer Jung wrote:
> On 18.10.2010 11:17, Hendrik Schmieder wrote:
>> Joost de Heer wrote:
>>> On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
>>>> Hello,
>>>>
>>>> with http over a proxy (like Apache mod_proxy) I send something like
>>>>
>>>> <request>
>>>> GET http://192.168.2.234:7777/server/info HTTP/1.1
>>>> Content-Length: 0
>>>> Host: 192.168.2.234:7777
>>>> Connection: Keep-Alive
>>>> Accept-Encoding: identity, *;q=0
>>>> </request>
>>>>
>>>> But I'm not sure what to send in case of HTTPS over proxy.
>>>> The same or should I replace 'http' by 'https'?
>>>
>>> No, you use the CONNECT method.
>>
>> Maybe I was not clear enough.
>> I send the lines between <request> and </request> to the proxy.
>
> You are talking about a forward proxy. There are two ways you can do
> https using a forward proxy.
>
> Either you want end-to-end security. Then the proxy simply provides a
> tunnel to the back-end server and browser and back-end directly
> communicate over https (ssl handshake etc.). In order to make this work,
> the client/browser sends a special request to the proxy, indicating to
> which server and port it wants the proxy to open the tunnel. The HTTP
> method used here is named "CONNECT". Apache supports it, but it is off
> by default.
>
> Or you actually want to talk http to the proxy and the proxy should talk
> https to the back-end. This mode is not supported by "normal" clients
> like e.g. browsers. As soon as you configure an https proxy for them,
> they will use the CONNECT method. If you have full control over the
> client you can nevertheless use this method. Note that it obviously
> doesn't provide end-to-end security. Apache does support this mode as
> well. And yes, that is the mode that works like you suggested, using
> "https" as the scheme in the URL provided in the first request line.
>
> If you want to use either of the two methods, you should make sure you
> are using Apache 2.2.
>
> Regards,
>
> Rainer

I'm talking about Apache 2.2 and end-to-end security.

I tried to understand RFC 2616, but failed for CONNECT.

   9.9 CONNECT

   This specification reserves the method name CONNECT for use with a
   proxy that can dynamically switch to being a tunnel (e.g. SSL
   tunneling [44]).

   [44] Luotonen, A., "Tunneling TCP based protocols through Web proxy
        servers," Work in Progress.

So should I send

<request>
CONNECT http://192.168.2.234:7777/server/info HTTP/1.1
Content-Length: 0
Host: 192.168.2.234:7777
Connection: Keep-Alive
Accept-Encoding: identity, *;q=0
</request>

best regards

Hendrik