On 18.10.2010 14:29, Hendrik Schmieder wrote:
> Rainer Jung wrote:
>> On 18.10.2010 11:17, Hendrik Schmieder wrote:
>>> Joost de Heer wrote:
>>>> On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
>>>>> Hello,
>>>>>
>>>>> with http over a proxy (like Apache mod_proxy) I send something like
>>>>>
>>>>> <request>
>>>>> GET http://192.168.2.234:7777/server/info HTTP/1.1
>>>>> Content-Length: 0
>>>>> Host: 192.168.2.234:7777
>>>>> Connection: Keep-Alive
>>>>> Accept-Encoding: identity, *;q=0
>>>>> </request>
>>>>>
>>>>> But I'm not sure what to send in case of HTTPS over proxy.
>>>>> The same or should I replace 'http' by 'https'?
>>>>
>>>> No, you use the CONNECT method.
>>>
>>> Maybe I was not clear enough.
>>> I send the lines between <request> and </request> to the proxy.
>>
>> You are talking about a forward proxy.
>>
>> There are two ways you can do https using a forward proxy.
>>
>> Either you want end-to-end security. Then the proxy simply provides a tunnel to the back-end server and browser and back-end directly communicate over https (ssl handshake etc.). In order to make this work, the client/browser sends a special request to the proxy, indicating to which server and port it wants the proxy to open the tunnel. The HTTP method used here is named "CONNECT". Apache supports it, but it is off by default.
>>
>> Or you actually want to talk http to the proxy and the proxy should talk https to the back-end. This mode is not supported by "normal" clients like e.g. browsers. As soon as you configure an https proxy for them, they will use the CONNECT method. If you have full control over the client you can nevertheless use this method. Note that it obviously doesn't provide end-to-end security. Apache does support this mode as well. And yes, that is the mode that works like you suggested, using "https" as the scheme in the URL provided in the first request line.
>>
>> If you want to use either of the two methods, you should make sure you are using Apache 2.2.
>>
>> Regards,
>>
>> Rainer
>
> I'm talking about Apache 2.2 and end-to-end security.
>
> I tried to understand RFC 2616, but failed for CONNECT.
>
> 9.9 CONNECT
>
> This specification reserves the method name CONNECT for use with a proxy that can dynamically switch to being a tunnel (e.g. SSL tunneling [44]).
>
> [44] Luotonen, A., "Tunneling TCP based protocols through Web proxy servers," Work in Progress.
>
> So should I send
>
> <request>
> CONNECT http://192.168.2.234:7777/server/info HTTP/1.1
> Content-Length: 0
> Host: 192.168.2.234:7777
> Connection: Keep-Alive
> Accept-Encoding: identity, *;q=0
> </request>
Not sure about the final specification for CONNECT, but the citation given in RFC 2616 is best approximated by

http://tools.ietf.org/id/draft-luotonen-web-proxy-tunneling-01.txt

In this document - and several other places - a slightly different form is being used:

CONNECT 192.168.2.234:7777/server/info HTTP/1.1

Which seems OK, because the proxy doesn't really use http, it simply creates a tcp connection. The rest of the HTTP headers should IMHO belong to the request for the proxy, not the opaque back-end request (e.g. the host header).
See also http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#allowconnect about needed modules and allowing non-default ports for CONNECT.
Regards,

Rainer
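
The end-to-end mode discussed in this thread, as an added Python example that is not code from any of the posters or from the Apache project: the client sends CONNECT to the forward proxy, waits for a 2xx reply, then runs the TLS handshake with the back-end through the tunnel. It assumes the authority-form target (`host:port` only) used in the Luotonen draft, with the URL path sent only inside the TLS session; all function names are hypothetical.

```python
import socket
import ssl

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT names only host:port; these headers are for the proxy, not the back-end."""
    target = f"{host}:{port}"
    return (f"CONNECT {target} HTTP/1.1\r\n"
            f"Host: {target}\r\n"
            "\r\n").encode("ascii")

def read_proxy_reply(sock: socket.socket) -> int:
    """Read the proxy's response head one byte at a time and return its status code."""
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        chunk = sock.recv(1)  # never read past the head: later bytes belong to the tunnel
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        head += chunk
        if len(head) > 8192:
            raise ConnectionError("proxy response head too large")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1])

def open_tunnel(proxy, host, port, timeout=10.0) -> socket.socket:
    """Return a TCP socket that the proxy now relays blindly to host:port."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        status = read_proxy_reply(sock)
        if not 200 <= status < 300:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
    except Exception:
        sock.close()
        raise
    return sock

def https_get_via_proxy(proxy, host, port, path, context=None) -> bytes:
    """TLS handshake end to end through the tunnel, then an ordinary origin-form GET."""
    context = context or ssl.create_default_context()  # verifies certificate and host name
    with context.wrap_socket(open_tunnel(proxy, host, port), server_hostname=host) as tls:
        tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
                    "Connection: close\r\n\r\n".encode("ascii"))
        return b"".join(iter(lambda: tls.recv(4096), b""))
```

Because the certificate check happens inside the tunnel, the proxy sees only the `host:port` of the CONNECT line and the encrypted byte stream.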