
Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server


Hi,

I am not looking for end-to-end encryption. All I want to do is make Apache a forward proxy configured on SSL that accepts HTTPS and proxies the URLs based on the ACLs. Below is my vhost configuration, where I have a forward proxy which is configured to allow only example.com.

When I disabled SSL everything works fine and I can proxy to https://example.com; below is the curl output. But when I have the proxy configured as SSL, the request seems to be failing.

SSL enabled - doesn't work

curl -I -x https://172.16.130.2:443 https://example.com
curl: (56) Proxy CONNECT aborted

<VirtualHost  172.16.130.2:443>
ProxyRequests On
ProxyVia On
SSLProxyEngine On
SSLEngine On
SSLProxyVerify none
SSLCertificateFile /etc/pki/tls/certs/1.cert
SSLCertificateKeyFile /etc/pki/tls/private1.key
<Proxy "*">
<RequireAny>
     Require expr %{HTTP_HOST} =~ /^example.com:443$/
</RequireAny>
</Proxy>
</VirtualHost>


SSL disabled - works fine


curl -I -x http://172.16.135.4:8082  https://example.com
HTTP/1.0 200 Connection Established
Proxy-agent: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 10 Apr 2018 09:08:37 GMT
Etag: "1541025663+gzip"
Expires: Tue, 17 Apr 2018 09:08:37 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (lga/1318)
X-Cache: HIT
Content-Length: 1270



NON-SSL configuration
Listen 172.16.130.2:80

<VirtualHost  172.16.130.2:80>

ProxyRequests On
ProxyVia On

<Proxy "*">
<RequireAny>
     Require expr %{HTTP_HOST} =~ /^example.com:443$/
</RequireAny>
</Proxy>
</VirtualHost>

 

On Tue, Apr 10, 2018 at 9:34 AM, Stefan Eissing <stefan.eissing@xxxxxxxxxxxxx> wrote:


> On 10.04.2018 at 10:24, Rajesh Cherukuri <rajecher@xxxxxxxxx> wrote:
>
> Hi,
>
> Thanks for the info. I wanted to know if there is a way we can configure SSL on an Apache forward proxy so that the communication between the client (browser) and the proxy server is encrypted.

Not sure what exactly you are looking for. If you have:

Browser <-c1-> Apache <-c2-> Backend

where Apache acts as forward proxy, then both c1 and c2 can be TLS connections, e.g. encrypted. But that means that the data is unencrypted "inside" the Apache server. There is no end-to-end encryption between Browser and Backend.

As for the TLS c2 connection setup, you have to specify "https:" for your proxied backend and can influence the setup with the various "SSLProxy*" directives.

Cheers,

Stefan
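
Added example, not part of the thread and not httpd project code: the `Require expr` pattern in the posted configuration leaves the dot unescaped, so it matches any character in that position and the ACL admits more Host values than example.com:443. The Python sketch below uses `re` as a stand-in for Apache's regex matching; the escaped pattern, the sample requests and the function names are assumptions made for illustration.

```python
import re

# Pattern exactly as posted in the <Proxy "*"> block of the thread.
POSTED = r"^example.com:443$"
# Assumed hardened variant with the dot escaped (not from the thread).
ESCAPED = r"^example\.com:443$"

# Constructed CONNECT requests, shaped like those a client sends to a
# forward proxy. None of these were captured from a real system.
SAMPLE_REQUESTS = [
    b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    b"CONNECT exampleXcom:443 HTTP/1.1\r\nHost: exampleXcom:443\r\n\r\n",
    b"CONNECT example-com:443 HTTP/1.1\r\nHost: example-com:443\r\n\r\n",
    b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    b"CONNECT example.com:8443 HTTP/1.1\r\nHost: example.com:8443\r\n\r\n",
    b"CONNECT example.com.invalid:443 HTTP/1.1\r\nHost: example.com.invalid:443\r\n\r\n",
]


def host_header(raw):
    """Return the Host header value of a raw request, or None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def allowed(pattern, raw):
    """Mimic `Require expr %{HTTP_HOST} =~ /pattern/` for one request."""
    host = host_header(raw)
    # A request without a Host header is denied (fail closed).
    return host is not None and re.search(pattern, host) is not None


def acl_gaps(loose, strict, requests):
    """Host values the loose pattern admits but the strict one rejects."""
    return [host_header(r) for r in requests
            if allowed(loose, r) and not allowed(strict, r)]


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(host_header(raw), allowed(POSTED, raw), allowed(ESCAPED, raw))
    print("admitted only by the posted pattern:",
          acl_gaps(POSTED, ESCAPED, SAMPLE_REQUESTS))
```

The anchors in the posted pattern already reject other ports, subdomains and suffixed names; only the unescaped dot widens the match.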