LinuxQuestions.org
Linux - Networking
Old 07-04-2010, 02:44 PM   #1
citystriker
Reverse Proxy with Apache over https


I have an apache server running on ec2 that I want to proxy to mysite.com. I figured out how to compile apache and get it running. I also added "ProxyPass / http://mysite.com" which correctly redirects requests to my ec2 server to mysite.com. However, it does not pass on https connections. Any idea how I can do this?

I don't think I should need any certs on the apache server as it'll just be passing the request onward.

My httpd.conf looks like this:

Code:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

ProxyPass / http://mysite.com/


Currently http://my-ec2-instance.amazonaws.com does redirect to http://mysite.com, but the https url doesn't redirect. I get an error that says:

Error 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL protocol error.


I'd be happy if all http redirected to https or if https just worked on redirecting to https.

Anyone know how to make this work?
 
Old 07-05-2010, 04:49 PM   #2
SteveK1979
Hi,

If you just want to redirect clients, it sounds to me as though you need to use mod_alias and the Redirect directive. This should be a lot simpler than a proxy. If you actually want to proxy the connection (i.e. the initial server my-ec2-instance.amazonaws.com to make the connection to mysite.com on behalf of the client) then in my experience you WILL need an SSL cert on the proxy, otherwise you won't be able to encrypt between the client and proxy.

You could try something like:

Code:
Redirect / https://mysite.com
That should redirect requests as per your ProxyPass to the https site.

Cheers,
Steve

Last edited by SteveK1979; 07-05-2010 at 04:50 PM. Reason: Format tags properly
 
Old 07-05-2010, 05:54 PM   #3
citystriker
The problem is that I really need to proxy instead of just redirect.

I have an app on https://mysite.appspot.com (hosted by Google) and I want to make it look like https://mysite.com. Google doesn't offer this in their app engine service so I'm trying to work around it so I can keep my traffic https.

Any idea how this can be done? I would have thought the proxy would just pass the encrypted traffic through, but perhaps I need to decrypt at the ec2 instance serving https://www.mysite.com and encrypt it separately for https://mysite.appspot.com?
 
Old 07-06-2010, 05:07 PM   #4
SteveK1979
Hi,

I have done this before, although quite a long time ago now!

A proxy won't pass encrypted traffic through, or any traffic for that matter. This isn't the way a proxy works. A proxy accepts an incoming connection from a client and then makes a second connection to the destination on behalf of the client. This is why you will need an SSL cert on the proxy - to allow the HTTPS session to be set up between the client and the proxy server itself.

The only way I have ever got this to work was to configure squid to act as a reverse proxy listening on port 80 for HTTP connections and port 443 for HTTPS connections. There is a rough document on how to do this on the squid wiki here although you don't really need a wildcard certificate unless you're running this for multiple hostnames (which you're not in your example). Hopefully this will give you a fair idea how to do it with squid.

If you do go down this route, make sure you're not running an open proxy!

Cheers,
Steve
 
1 members found this post helpful.
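For reference, the same thing can be done in Apache alone rather than squid. This is an added example, not from any of the posts above: mod_ssl terminates TLS on the proxy with its own certificate for mysite.com, ProxyPass forwards to the HTTPS backend with SSLProxyEngine, and the port-80 host only redirects to HTTPS as Steve suggested. Apache 2.2 syntax is assumed; hostnames and certificate paths are placeholders.

```apache
# Added example (not from the original thread). Assumes Apache 2.2 built with
# mod_ssl, mod_proxy, mod_proxy_http and mod_headers. Paths are placeholders.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module    modules/mod_headers.so

Listen 80
Listen 443

# Never act as a forward proxy: "ProxyRequests On" would make this an open proxy.
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

# Plain HTTP is not proxied at all; clients are sent to the HTTPS front end.
<VirtualHost *:80>
    ServerName mysite.com
    Redirect permanent / https://mysite.com/
</VirtualHost>

# HTTPS front end. TLS from the browser terminates here, which is why the proxy
# needs its own certificate; a second TLS session is then opened to the backend.
<VirtualHost *:443>
    ServerName mysite.com
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/apache2/ssl/mysite.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mysite.com.key

    # Let mod_proxy speak TLS to the backend and require a valid certificate chain.
    SSLProxyEngine on
    SSLProxyVerify require
    # placeholder CA bundle path
    SSLProxyCACertificateFile /etc/ssl/certs/ca-certificates.crt

    # ProxyPreserveHost stays Off (the default) so the backend receives
    # "Host: mysite.appspot.com", which is what App Engine expects.
    ProxyPass        / https://mysite.appspot.com/
    ProxyPassReverse / https://mysite.appspot.com/

    # Tell the backend the original client request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```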
Old 07-09-2010, 07:42 AM   #5
citystriker
Thanks Steve! One final question - have I closed up the proxy ports (and any other security issues) correctly here? Below is a short write-up on how this worked.

One trick is that you need to compile squid yourself with the --enable-ssl option for the ssl to work. Hopefully this write-up can help the next person!

Install squid:
Code:
apt-get update
apt-get install devscripts build-essential
apt-get source squid3
apt-get build-dep squid3
cd squid3-"version"
nano debian/rules   # or whatever editor you use
# add --enable-ssl among the other --enable-... lines in the configure call
debuild -us -uc
cd ..
dpkg -i your_built_package.deb

Run squid:
Code:
sudo /etc/init.d/squid3 restart

Configure squid.conf file:
Find it under /etc/squid3/squid.conf and add the following to the top of that file:
Code:
# HTTPS front end: TLS from the client terminates here, so squid needs its own cert and key
https_port 443 accel cert=/usr/newrprgate/CertAuth/testcert.cert key=/usr/newrprgate/CertAuth/testkey.pem defaultsite=mybackendsite.com

# cache_peer takes a hostname, not a URL. Talk TLS to the backend on 443 (needs --enable-ssl);
# point sslcafile= at your CA bundle so squid can verify the backend's certificate.
cache_peer mybackendsite.com parent 443 0 no-query originserver ssl login=PASS name=pcs

acl pc_secure_site dstdomain mybackendsite.com
cache_peer_access pcs allow pc_secure_site
http_access allow pc_secure_site

cache_mgr root

# Basic parameters
visible_hostname mybackendsite.com

# This line indicates the server we will be proxying for
http_port 80 accel defaultsite=mybackendsite.com

# And the backend for it - adjust the host and port if necessary
cache_peer mybackendsite.com parent 80 0 no-query originserver login=PASS name=pc

# 'all' is built into Squid 3, so it is not declared here
acl our_sites dstdomain mybackendsite.com
http_access allow our_sites
cache_peer_access pc allow our_sites
cache_peer_access pc deny all

# Explicitly deny anything that did not match an allow above, so this is not an open proxy
http_access deny all
 
1 members found this post helpful.
Old 07-10-2010, 07:09 PM   #6
SteveK1979
Hi,

From a quick look it appears that it should be secure - the acl should only allow access to the site you have specified so all should be good. You could probably verify this yourself by configuring an external machine to use your squid installation as its proxy and see if you can get to any site other than that on your acl.

Cheers,
Steve