Re: HTTPS over mod_proxy

On 18.10.2010 14:29, Hendrik Schmieder wrote:
Rainer Jung schrieb:
On 18.10.2010 11:17, Hendrik Schmieder wrote:
Joost de Heer schrieb:
On 10/18/2010 11:03 AM, Hendrik Schmieder wrote:
Hello,

with http over a proxy (like Apache mod_proxy) I send something like

<request>
GET http://192.168.2.234:7777/server/info HTTP/1.1
Content-Length: 0
Host: 192.168.2.234:7777
Connection: Keep-Alive
Accept-Encoding: identity, *;q=0

</request>

But I'm not sure what to send in case of HTTPS over proxy.

The same or should I replace 'http' by 'https' ?

No, you use the CONNECT method.


Maybe I was not clear enough.

I send the lines between
<request> and </request>
to the proxy.

You are talking about a forward proxy. There are two ways you can do
https using a forward proxy.

Either you want end-to-end security. Then the proxy simply provides a
tunnel to the back-end server and browser and back-end directly
communicate over https (ssl handshake etc.). In order to make this work,
the client/browser sends a special request to the proxy, indicating to
which server and port it wants the proxy to open the tunnel. The HTTP
method used here is named "CONNECT". Apache supports it, but it is off
by default.

Or you actually want to talk http to the proxy and the proxy should talk
https to the back-end. This mode is not supported by "normal" clients
like e.g. browsers. As soon as you configure an https proxy for them,
they will use the CONNECT method. If you have full control over the
client you can nevertheless use this method. Note that it obviously doesn't
provide end-to-end security. Apache does support this mode as well. And
yes, that is the mode that works like you suggested, using "https" as
the scheme in the URL provided in the first request line.

If you want to use either of the two methods, you should make sure you
are using Apache 2.2.

Regards,

Rainer


I'm talking about Apache 2.2 and end-to-end security.
I tried to understand RFC 2616, but failed for CONNECT.


9.9 CONNECT
This specification reserves the method name CONNECT for use with a proxy
that can dynamically switch to being a
tunnel (e.g. SSL tunneling [44]).

[44] Luotonen, A., "Tunneling TCP based protocols through Web proxy
servers," Work in Progress.


So should I send

<request>
CONNECT http://192.168.2.234:7777/server/info HTTP/1.1
Content-Length: 0
Host: 192.168.2.234:7777
Connection: Keep-Alive
Accept-Encoding: identity, *;q=0
</request>

Not sure about the final specification for CONNECT, but the citation given in RFC 2616 is best approximated by

http://tools.ietf.org/id/draft-luotonen-web-proxy-tunneling-01.txt

In this document - and several other places - a slightly different form is being used:

CONNECT 192.168.2.234:7777/server/info HTTP/1.1

Which seems OK, because the proxy doesn't really use http, it simply creates a tcp connection. The rest of the HTTP headers should IMHO belong to the request for the proxy, not the opaque back-end request (e.g. the host header).

See also http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#allowconnect about needed modules and allowing non-default ports for CONNECT.

Regards,

Rainer
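As an added example (not code from this thread, and not Apache's own), here is the end-to-end CONNECT exchange in Python: the client sends `CONNECT host:port` to the forward proxy, waits for a 2xx reply, and only then starts TLS inside the tunnel, so the later `GET /server/info` and its Host header travel encrypted past the proxy. The 192.168.2.234:7777 target is the thread's own value; the proxy address passed to `open_tunnel` is an assumption.

```python
import socket
import ssl


def build_connect_request(target_host: str, target_port: int) -> bytes:
    """CONNECT request the client sends to the forward proxy (RFC 2616 section 9.9).

    The request target is the bare authority "host:port"; no scheme, no path.
    """
    authority = f"{target_host}:{target_port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def parse_connect_response(data: bytes):
    """Parse the proxy's reply: returns (status code, reason, bytes after the headers).

    Only a 2xx status means the tunnel is open; anything after the blank line
    already belongs to the tunnel, and an honest proxy sends nothing there.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else ""), rest


def open_tunnel(proxy: tuple, target_host: str, target_port: int, timeout: float = 10.0):
    """Open the tunnel, then start TLS inside it so the proxy only ever sees ciphertext.

    Returns an ssl.SSLSocket on which the real request ("GET /server/info HTTP/1.1"
    plus Host header) is sent exactly as it would be sent to the back-end directly.
    Apache side (assumed setup): mod_proxy_connect loaded, ProxyRequests On,
    and 7777 listed in AllowCONNECT, since only 443 and 563 are allowed by default.
    """
    sock = socket.create_connection(proxy, timeout=timeout)  # e.g. ("proxy.example", 8080)
    sock.sendall(build_connect_request(target_host, target_port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
    code, reason, leftover = parse_connect_response(buf)
    if not 200 <= code < 300 or leftover:
        sock.close()
        raise ConnectionError(f"CONNECT refused or tampered: {code} {reason} {leftover!r}")
    # create_default_context() verifies the back-end certificate chain and hostname,
    # so a proxy that tried to interpose its own certificate would fail here.
    return ssl.create_default_context().wrap_socket(sock, server_hostname=target_host)
```

After `open_tunnel(("proxy.example", 8080), "192.168.2.234", 7777)` returns, write the ordinary origin-form request (`GET /server/info HTTP/1.1`, `Host: 192.168.2.234:7777`) to the returned socket; the proxy never sees it.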

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.