Hi,
I first set up SSL, then I set up a forward proxy server. It worked. Now I am setting up a reverse proxy server. It has some problems. English works. Chinese does not work. But Chinese in Tomcat works.
The following are my error_log and configuration files.
[Thu Jun 29 20:39:40 2006] [notice] Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.7g proxy_html/2.5 configured -- resuming normal operations
[Thu Jun 29 20:40:09 2006] [error] [client 192.168.0.90] Invalid method in request \x80L\x01\x03\x01
[Thu Jun 29 20:40:14 2006] [error] [client 192.168.0.90] Invalid method in request \x80L\x01\x03\x01
[Thu Jun 29 20:40:20 2006] [error] [client 192.168.0.90] Invalid method in request \x80L\x01\x03\x01
[Thu Jun 29 20:40:31 2006] [error] [client 192.168.0.90] File does not exist: /usr/local/apache/htdocs/3
[Thu Jun 29 20:40:36 2006] [error] [client 192.168.0.90] File does not exist: /usr/local/apache/htdocs/1
[Thu Jun 29 20:40:42 2006] [error] [client 192.168.0.90] File does not exist: /usr/local/apache/htdocs/2
[Thu Jun 29 20:40:47 2006] [error] [client 192.168.0.90] Unsupported charset gb2312 in HTML META
[Thu Jun 29 20:40:47 2006] [warn] [client 192.168.0.90] No usable charset information: using old HTTP default LATIN1
[Thu Jun 29 20:40:47 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:47 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
[Thu Jun 29 20:40:48 2006] [error] [client 192.168.0.90] Error in bucket read
#!/bin/bash
./configure --prefix=/usr/local/apache \
--with-mpm=prefork \
--enable-ssl \
--disable-charset-lite \
--disable-include \
--disable-env \
--enable-setenvif \
--disable-status \
--disable-autoindex \
--disable-asis \
--disable-cgi \
--disable-negotiation \
--disable-imap \
--disable-actions \
--disable-userdir \
--disable-alias \
--enable-proxy \
--enable-cache \
--enable-disk-cache \
--enable-file-cache \
--enable-mem-cache \
--enable-diskcache \
--enable-headers \
--enable-deflate \
--enable-rewrite \
--enable-mime \
--enable-negotiation \
--enable-speling
ServerRoot "/usr/local/apache"
Listen 8088
#ProxyRequests On
#ProxyVia On
ProxyRequests off
ProxyVia off
#LoadFile /usr/local/lib/libxml2.so.2.6.26
LoadFile /usr/local/lib/libxml2.so.2.6.26
#LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_html_module modules/mod_proxy_html.so
<Directory proxy:*>
Order deny,allow
Deny from all
Allow from 192.168.0
</Directory>
CacheRoot "/usr/local/apache/proxy"
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactore 0.1
#CacheDefaultExpire 1
#NoCache www.peacehall.com
User daemon
Group daemon
</IfModule>
ServerAdmin [EMAIL PROTECTED]
ServerName www.ddint.org:8088
DocumentRoot "/usr/local/apache/htdocs"
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory "/usr/local/apache/htdocs">
Options Indexes FollowSymLinks
Order allow,deny
Allow from all
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
ErrorLog logs/error_log
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog logs/access_log common
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
<IfModule cgid_module>
#
# ScriptSock: On threaded servers, designate the path to the UNIX
# socket used to communicate with the CGI daemon of mod_cgid.
#
#Scriptsock logs/cgisock
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
DefaultType text/plain
<IfModule mime_module>
TypesConfig conf/mime.types
#AddType application/x-gzip .tgz
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
#MIMEMagicFile conf/magic
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#EnableMMAP off
#EnableSendfile off
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
#httpd-ssl.conf
Listen 8843
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
<VirtualHost _default_:8843>
<Directory proxy:*>
Order deny,allow
Deny from all
Allow from 192.168.0
</Directory>
DocumentRoot "/usr/local/apache/htdocs"
ServerName www.ddint.org:8843
ServerAdmin [EMAIL PROTECTED]
#SSLEngine on
SSLProxyEngine on
ProxyPass /1/ http://www.dajiyuan.com/
ProxyPass /2/ http://www.peacehall.com/
ProxyPass /3/ http://breakevilaxis.org/
ProxyPass /g/ http://www.google.com/
ProxyPass /z/ http://zyzg.org/
ProxyHTMLURLMap http://www.dajiyuan.com /1
ProxyHTMLURLMap http://www.peacehall.com /2
ProxyHTMLURLMap http://breakevilaxis.org /3
ProxyHTMLURLMap http://www.google.com /g
ProxyHTMLURLMap http://zyzg.org /z
<Location /1/>
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /1/
ProxyHTMLURLMap /1 /1
</Location>
<Location /2/>
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /2/
ProxyHTMLURLMap /2 /2
</Location>
<Location /3/>
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /3/
ProxyHTMLURLMap /3 /3
</Location>
<Location /g/>
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /g/
ProxyHTMLURLMap /g /g
</Location>
<Location /z/>
ProxyPassReverse /
SetOutputFilter proxy-html
ProxyHTMLURLMap / /z/
ProxyHTMLURLMap /z /z
</Location>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/new.cert.cert
#SSLCertificateFile /usr/local/apache/conf/server-dsa.crt
SSLCertificateKeyFile /usr/local/apache/conf/new.cert.key
#SSLCertificateKeyFile /usr/local/apache/conf/server-dsa.key
#SSLCertificateChainFile /usr/local/apache/conf/server-ca.crt
#SSLCACertificatePath /usr/local/apache/conf
#SSLCACertificateFile /usr/local/apache/conf/client.cert.cert
#SSLCARevocationPath /usr/local/apache/conf/ssl.crl
#SSLCARevocationFile /usr/local/apache/conf/ssl.crl/ca-bundle.crl
#SSLVerifyClient require
#SSLVerifyDepth 1
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
-----Original Message-----
From: Joshua Slive <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; Apache Users <users@httpd.apache.org>
Sent: Thu, 29 Jun 2006 20:18:12 -0400
Subject: Re: [EMAIL PROTECTED] SSL and reverse proxying
[Sending back to the list. Please keep the discussion there.]
On 6/29/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Hi Joshua,
>
> In order to get the communication between the RPS and the web app server to
> be SSL though, don't you need to have two certs and a special configuration
> vs. having a single cert on the RPS if you're willing to have the
> communication between the RPS and the backend web app server unencrypted.
> The info we're passing between the RPS and web app server needs to remain
> secure too. Any thoughts on some good reference material on that? I
> thought I read something about a combined pool of keys or something, but
> like I said, got lost.
Yes, you need two separate certs. But you need to realize that these
are entirely separate, unrelated connections (from an ssl
perspective). So it would be best to first work on getting the
client->proxy connection working under ssl, using the normal SSL
config stuff. Then look at the SSLProxy* directives which are used to
configure the client side of the proxy->web app connection.
I don't know of any tutorials for this stuff, and I'm not all that
familiar with it myself.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
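
The two separate SSL connections described in the reply above, written out as an added configuration example (not from either poster and not from the Apache documentation). The host names, the /app/ prefix, the backend port and the certificate file names are placeholders chosen for illustration.

```apache
# Added example. Host names, ports, the /app/ prefix and certificate
# file names are placeholders (assumptions), not values from this thread.
Listen 8843

<VirtualHost _default_:8843>
    ServerName proxy.example.com:8843

    # Leg 1: client -> proxy. The proxy is the TLS *server* on this leg,
    # so it needs its own certificate and key, and SSLEngine must be on.
    # SSLProxyEngine alone does not make the listener speak TLS.
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/proxy.example.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/proxy.example.com.key

    # Leg 2: proxy -> web app. The proxy is the TLS *client* on this leg.
    # SSLProxyEngine allows https:// targets in ProxyPass; the web app
    # server presents its own, second certificate.
    SSLProxyEngine on

    # Verify the backend certificate against the CA that issued it.
    # Without this the second leg is encrypted but not authenticated.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /usr/local/apache/conf/backend-ca.crt

    # Reverse proxy only; do not act as a forward proxy.
    ProxyRequests Off
    ProxyPass        /app/ https://backend.internal.example:8443/
    ProxyPassReverse /app/ https://backend.internal.example:8443/
</VirtualHost>
```

Each leg can be tested on its own: get the browser-to-proxy connection working against a plain http:// backend first, then switch the ProxyPass target to https:// and add the SSLProxy* lines.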