Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server


Just tested this setup, out of pure boredom, and it works as expected
(Ubuntu 16.04)

Proxy server modules needed to enable: ssl,proxy,proxy_connect
Proxy Config (n1: virtualhost)
	<VirtualHost _default_:443>
		ErrorLog error.log
		SSLEngine on
		SSLCertificateFile	ssl/proxy.crt
		SSLCertificateKeyFile ssl/proxy.key
		
		ProxyRequests On
		ProxyVia On
		<Proxy "*">
		<RequireAny>
			# Only allow proxying to the backend n2 (dots escaped so they match literally)
			Require expr %{HTTP_HOST} =~ /^192\.168\.99\.11:443$/
		</RequireAny>
		</Proxy>
	</VirtualHost>


Backend server modules needed to enable: ssl
Backend server (n2: virtualhost)
	<VirtualHost _default_:443>
		DocumentRoot /var/www/html
		ErrorLog error.log

		SSLEngine on
		SSLCertificateFile  ssl/server.crt
		SSLCertificateKeyFile ssl/server.key
		<Directory /var/www/html>
			# Only from proxy IP
			Require ip 192.168.99.10
		</Directory>
	</VirtualHost>



From a third VM
$ curl -k --proxy-insecure -x https://192.168.99.10 -k https://192.168.99.11
> Hello from n2

$ curl -k --proxy-insecure -x https://192.168.99.10 -k https://www.google.com
curl: (56) Received HTTP code 403 from proxy after CONNECT

On Tue, 2018-04-10 at 14:40 +0100, Rajesh Cherukuri wrote:
> Eric
> 
> In that case, if it uses CONNECT over HTTP, do you think this
> would be the reason why I get the below in the error logs? Then I am not
> sure why the HTTP URLs would fail with 400 bad request.
> 
> 
> 
> SSL Library Error: error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP
> to HTTPS port!?
> 
> 
> On Tue, Apr 10, 2018 at 1:34 PM, Eric Covener <covener@xxxxxxxxx> wrote:
> > On Tue, Apr 10, 2018 at 8:10 AM, Rajesh Cherukuri <rajecher@gmail.com> wrote:
> > > Eric
> > >
> > > So you mean to say that I can't use a browser that has proxy
> > > configuration as Apache HTTPS forwarding proxy and then use it
> > > to connect to HTTP and HTTPS URLs?
> > 
> > I'm saying if you configure a browser to use a proxy for HTTPS
> > connections, it uses CONNECT over HTTP to the proxy server.
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > 
> 
> 
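
The `Require expr` rule in the proxy vhost is the only thing stopping this forward proxy from relaying to arbitrary hosts, so its regex is worth checking. The following is an added example, not part of the original message: a small Python check that pulls HTTP_HOST rules out of config text, flags missing anchors and unescaped dots, and replays host:port targets against each rule. The sample config, targets and function names are constructed for illustration, and Python's `re` is assumed to behave like Apache's regex engine for patterns this simple.

```python
import re

# Constructed sample config: two variants of the proxy's <Proxy "*"> rule.
SAMPLE_CONF = r"""
<Proxy "*">
    Require expr %{HTTP_HOST} =~ /^192.168.99.11:443$/
</Proxy>
<Proxy "*">
    Require expr %{HTTP_HOST} =~ /^192\.168\.99\.11:443$/
</Proxy>
"""

# Constructed CONNECT targets (host:port) to replay against each rule.
TARGETS = ["192.168.99.11:443", "www.google.com:443",
           "192.168.99.11:8443", "192-168-99-11:443"]

RULE = re.compile(r"Require\s+expr\s+%\{HTTP_HOST\}\s*=~\s*/(.+)/\s*$", re.M)


def host_patterns(conf):
    """Return the regex body of every HTTP_HOST 'Require expr' rule."""
    return RULE.findall(conf)


def lint(pattern):
    """Flag constructs that make the allow-list wider than intended."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("missing ^ anchor")
    if not pattern.endswith("$"):
        findings.append("missing $ anchor")
    if re.search(r"(?<!\\)\.", pattern):
        findings.append("unescaped '.' matches any character")
    return findings


def audit(conf, targets):
    """Map each rule to its lint findings and the targets it would allow."""
    return {p: {"findings": lint(p),
                "allowed": [t for t in targets if re.search(p, t)]}
            for p in host_patterns(conf)}


if __name__ == "__main__":
    for pattern, result in audit(SAMPLE_CONF, TARGETS).items():
        print(pattern, result)
```

Both rules reject the google.com target, matching the 403 seen in the curl test; only the unescaped form also admits a host name that merely resembles the backend address.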
