Re: SSL proxy
It seems like you might be confusing "shared infrastructure" with "single ip". As others have said, you need a distinct address for each SSL-enabled httpd or proxy, although they can reside on the same hardware.

A good example of this is the typical configuration for larger server farms. You find multiple High Availability load balancers in the DMZ for both http and https using something like ha/keepalived for linux. These proxy the incoming request back into private address space. The SSL proxies terminate the SSL connection and broker the request on behalf of the user and everything goes to the private address space in plain http. This allows each of the _real_ webservers to achieve better performance since the SSL overhead is not present.

While you can use Apache as an SSL-terminating proxy, I find I get better performance, lower memory utilization and easier configuration using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have multiple public IP addresses floating between several hosts and pound binds https to those addresses.

Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:
> So what about this ?
>
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> This type of certificate (also called /Subject Alternative Name/ (SAN) ) enables to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required."
>
> http://www.tbs-certificats.com/index.html.en

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
Re: SSL proxy
Eckard Wille wrote:
> Cuesta Gilles wrote:
>> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>> This type of certificate (also called /Subject Alternative Name/ (SAN)
>> ) enables to secure not only one website but a large number of sites
>> (a list of sites) hosted on a shared infrastructure (server with
>> multiple names, reverse proxy). Ideal to secure multiple brands of a
>> corporation. One certificate per hardware is required."
>
> This only means that one host can have several names by configuring
> ServerName and ServerAlias, but does not enable virtual hosting.

Hi Cuesta,

with some tricks you could achieve your goal by using the preconditions
of mod_rewrite rules. If your ssl proxy has one single host entry with
such a multi-named cert, it may be possible to rewrite via proxy after
a look at the host header:

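RewriteEngine on
# Route on the Host header; with [P] the substitution must be a full
# URL including the scheme, otherwise it is treated as a local path.
RewriteCond %{HTTP_HOST} www.vhost1.com
RewriteRule ^/(.*) http://www.internal.http.vhost1.com/$1 [P]
RewriteCond %{HTTP_HOST} www.vhost2.com
RewriteRule ^/(.*) http://www.internal.http.vhost2.com/$1 [P]
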
Whether this works for you also depends on the backend webapps, for example
whether they are capable of running behind a reverse proxy with a different
http schema (HTTP<->HTTPS, servername references in html, internal
redirects...).

Good luck
Eckard
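
The single-IP arrangement discussed in the message above, written out as an added example that is not part of the original post: one SSL virtual host presents a multi-name (SAN) certificate and proxies by Host header to plain-HTTP backends. The host names are the placeholders used in the post; the certificate paths and the Apache 2.4 module set are assumptions.

```apache
# Added example, not from the original post. Assumes Apache 2.4 with
# mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http and mod_headers loaded.
Listen 443

<VirtualHost *:443>
    # One virtual host on the single IP:port. The certificate is chosen
    # during the handshake, before any Host header has been sent, so it
    # has to list every public name as a subjectAltName.
    ServerName  www.vhost1.com
    ServerAlias www.vhost2.com

    SSLEngine on
    # Assumed paths for the multi-name certificate and its key.
    SSLCertificateFile    conf/tls/multi-san.crt
    SSLCertificateKeyFile conf/tls/multi-san.key

    # Reverse proxy only; forward proxying stays off.
    ProxyRequests off

    # Tell the backends which scheme the client used, so they can build
    # https:// links and redirects (the caveat at the end of the post).
    RequestHeader set X-Forwarded-Proto "https"

    RewriteEngine on

    # Anchored, case-insensitive match on the Host header.
    RewriteCond %{HTTP_HOST} ^www\.vhost1\.com(:443)?$ [NC]
    RewriteRule ^/(.*)$ http://www.internal.http.vhost1.com/$1 [P,L]

    RewriteCond %{HTTP_HOST} ^www\.vhost2\.com(:443)?$ [NC]
    RewriteRule ^/(.*)$ http://www.internal.http.vhost2.com/$1 [P,L]

    # Any other Host value is refused instead of reaching a backend.
    RewriteRule ^ - [F]

    # Map Location headers in backend redirects back to the public side.
    ProxyPassReverse / http://www.internal.http.vhost1.com/
    ProxyPassReverse / http://www.internal.http.vhost2.com/
</VirtualHost>
```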
Re: SSL proxy
Cuesta Gilles wrote:
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> This type of certificate (also called /Subject Alternative Name/ (SAN) ) enables to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required."

This only means that one host can have several names by configuring ServerName and ServerAlias, but does not enable virtual hosting.

Eckard
Re: SSL proxy
Eckard Wille wrote:
> Cuesta Gilles wrote:
>> I thought that using wildcard or multi-cn certificates will work ?
>
> No.
>
>> In this case, only one certificate is needed for a range of Vhost
>
> If you only have one ip this won't make things better because virtual hosting is still not possible. Wildcard certs do not enable vHosting because the ssl handshake still takes place before the http host header can be evaluated. They were offered by CAs to make it easier for admins so they wouldn't have to fiddle around with dozens of certs and their validity management in a masshosting environment or for subdomains.

So what about this ?

"*MULTIPLE CN (SAN) SERVER CERTIFICATES*
This type of certificate (also called /Subject Alternative Name/ (SAN) ) enables to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required."

http://www.tbs-certificats.com/index.html.en

--
Gilles CUESTA - Logiciels Libres 69139920
Re: SSL proxy
Cuesta Gilles wrote:
> I thought that using wildcard or multi-cn certificates will work ?

No.

> In this case, only one certificate is needed for a range of Vhost

If you only have one ip this won't make things better because virtual hosting is still not possible. Wildcard certs do not enable vHosting because the ssl handshake still takes place before the http host header can be evaluated. They were offered by CAs to make it easier for admins so they wouldn't have to fiddle around with dozens of certs and their validity management in a masshosting environment or for subdomains.

Eckard
Re: SSL proxy
Eckard Wille wrote:
> [EMAIL PROTECTED] wrote:
>> I have several web servers currently that all have the same IP, but different host names, and I have an apache that uses mod_proxy to direct requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that.
>>
>> Is that possible? I have worked with virtual host configuration, and I have tried to set up the ssl stuff so that this will work, but so far I have not been successful. I have tried to search for this, but the closest I have come is proxy to an ssl server. I want to have the proxy server do the ssl stuff for me.
>
> Hi,
>
> you can not use SSL with virtual hosting, see
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
> You'll have to get a dedicated ip for every single ssl host. You could play around with one ssl proxy on your single ip with a common name and do some rewriting according to an url prefix matching the secure parts of your backend virtual hosts; decide yourself if this config work is worth it.

I thought that using wildcard or multi-cn certificates will work ?
In this case, only one certificate is needed for a range of Vhost

--
Gilles CUESTA - Logiciels Libres 69139920
Re: SSL proxy
[EMAIL PROTECTED] wrote:
> I have several web servers currently that all have the same IP, but different host names, and I have an apache that uses mod_proxy to direct requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that.
>
> Is that possible? I have worked with virtual host configuration, and I have tried to set up the ssl stuff so that this will work, but so far I have not been successful. I have tried to search for this, but the closest I have come is proxy to an ssl server. I want to have the proxy server do the ssl stuff for me.

Hi,

you can not use SSL with virtual hosting, see
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

You'll have to get a dedicated ip for every single ssl host. You could play around with one ssl proxy on your single ip with a common name and do some rewriting according to an url prefix matching the secure parts of your backend virtual hosts; decide yourself if this config work is worth it.

Regards
Eckard
Re: SSL proxy
How is it possible? By definition SSL does not allow different host names on the same IP:PORT. Or is there something I'm missing?

> -- Forwarded message --
> From: Gilles Cuesta (Gmail) <[EMAIL PROTECTED]>
> Date: Thu, Jul 10, 2008 at 10:38 PM
> Subject: Re: SSL proxy
> To: [email protected]
>
> [EMAIL PROTECTED] wrote:
>
>> I have several web servers currently that all have the same IP, but
>> different host names, and I have an apache that uses mod_proxy to direct
>> requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption and
>> decryption, and not have to have each individual server do that.
>>
>> Is that possible?
>
> Apparently, understanding what you want to do, it's possible.
>
> It might depend on Apache / modssl versions
>
> One of the best ways is doing encrypted HTTPS between client and proxy and
> clear HTTP between proxy and real server.
> You can also do encrypted HTTPS between proxy and real server, just adding
> some Apache configuration
Re: SSL proxy
[EMAIL PROTECTED] wrote:
> I have several web servers currently that all have the same IP, but different host names, and I have an apache that uses mod_proxy to direct requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that.
>
> Is that possible?

Apparently, understanding what you want to do, it's possible.

It might depend on Apache / modssl versions

One of the best ways is doing encrypted HTTPS between client and proxy and clear HTTP between proxy and real server.
You can also do encrypted HTTPS between proxy and real server, just adding some Apache configuration
Re: SSL proxy issues
Hi, first time mailer but hoping for some good advice from experienced users.

Basically I'm looking to implement a solution that will redirect SSL requests coming into my apache server (listening on 443) and forward them on to a backend server. I have reverse proxying setup but I can't seem to get it to work for https connections.

At the moment using the current configuration, below, an http connection coming into the server on port 80 can be redirected to the https site configured. But when I click on a login button on that site I'm just getting a blank screen on Firefox, with no errors showing in the logs?

Has anyone any ideas, cause I've been looking into this for hours now?

Listen 8080
Listen 443

ServerName F00311.eircom.ie
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProxyEngine on
ProxyPass / https://www.365online.com/
ProxyPassReverse / https://www.365online.com/

SSLSessionCache "shmcb:d:/Apache2.2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateKeyFile "D:\Apache2.2\conf\security\ca.key"
SSLCertificateFile "D:\Apache2.2\conf\security\ca.crt"
ServerName F00311.eircom.ie
SSLProxyEngine on
ProxyPass / https://www.365online.com/
ProxyPassReverse / https://www.365online.com/
SSLProxyVerify none
SSLProxyProtocol all
SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
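
The TLS settings in the configuration posted above, set beside a tightened form, as an added example that is not the poster's configuration: the posted cipher strings admit eNULL (no encryption), EXP and LOW suites and SSLv2, and `SSLProxyVerify none` leaves the backend certificate unchecked. It assumes Apache 2.4; the certificate, key and CA bundle paths are placeholders, and it addresses the TLS settings only, not the blank login page.

```apache
# Added example, not the poster's configuration. Assumes Apache 2.4 with
# mod_ssl, mod_proxy and mod_proxy_http; all file paths are placeholders.
Listen 443

<VirtualHost *:443>
    ServerName F00311.eircom.ie

    # ---- client -> proxy leg ----
    SSLEngine on
    SSLCertificateFile    conf/tls/server.crt
    SSLCertificateKeyFile conf/tls/server.key

    # Posted: SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    # +eNULL admits suites that do not encrypt at all; +EXP and +LOW admit
    # export-grade and weak ciphers; +SSLv2 admits a broken protocol.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
    SSLHonorCipherOrder on

    # ---- proxy -> backend leg ----
    SSLProxyEngine on

    # Posted: SSLProxyVerify none
    # With "none" the proxy accepts any certificate from the backend, so
    # the second TLS connection is encrypted but not authenticated.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       3
    SSLProxyCACertificateFile conf/tls/ca-bundle.crt
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on

    # Posted: SSLProxyProtocol all, and the same cipher string as above.
    SSLProxyProtocol    all -SSLv3 -TLSv1 -TLSv1.1
    SSLProxyCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4

    # Reverse proxy only.
    ProxyRequests off
    ProxyPass        / https://www.365online.com/
    ProxyPassReverse / https://www.365online.com/
</VirtualHost>
```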
RE: ssl proxy
> What i type in the browser is the url to myscript (see original note
> below).
>
> What i want displayed is simply the output of myscript (which i DO
> get successfully if i point directly at the destination, again, as i
> note below.
>
> -george

If you show us your exact proxy directive, it would help.
You are probably missing the port. Thus, your ProxyPass (and ProxyPassReverse) should say:

ProxyPass / http://my.dest.com:8080/

Aryeh
---
Aryeh Katz
VASCO
www.vasco.com
RE: ssl proxy
Owen,

The browser is just for test to verify that proxy is working. My ultimate goal does not involve browsers at all - just an app pumping http messages into a proxy that converts to SSL and forwards to an https client.

Anyway, for the test, the only settings i have changed from the default conf file (aside from domain names and emails) is:

on the target: No change
on the proxy: ProxyPass and ProxyPassReverse as was suggested to me by Aryeh.
Also on the proxy: the Ifmodule Mod_proxy.c clause is uncommented, Proxy Requests On is set, and httpd -l shows proxy.c module is compiled in.

(And i'm not even trying this with HTTPS/SSL yet, though that is ultimately my goal - i just want to keep it as simple as i can for first test.)

What i type in the browser is the url to myscript (see original note below).

What i want displayed is simply the output of myscript (which i DO get successfully if i point directly at the destination, again, as i note below.

-george

-Original Message-
From: Owen Boyle [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 28, 2002 11:18 AM
To: [EMAIL PROTECTED]
Subject: Re: ssl proxy

"Petryczka, George" wrote:
>
> Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails
> (even with just plain http) with 404. To test I use MSIE against the proxy
> host:
> http://www.myprox.com:8080/cgi-bin/myscript
>
> It does work when i point directly at the destination host:
> http://www.mydest.com:8080/cgi-bin/myscript

What do you want to type in the browser? What do you want it to produce? What do your proxy directives look like?

rgds,
Owen Boyle.
RE: ssl proxy
> Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails
> (even with just plain http) with 404. To test I use MSIE against the
> proxy host: http://www.myprox.com:8080/cgi-bin/myscript
>
> It does work when i point directly at the destination host:
> http://www.mydest.com:8080/cgi-bin/myscript

I thought you said that your destination host was ssl. shouldn't that be httpS://www.mydest.com?
Anyway, make sure mod_ssl is loaded, and enabled (-DSSL) in your proxy, then it should be able to connect via ssl.

---
Aryeh Katz
VASCO
www.vasco.com
Re: ssl proxy
"Petryczka, George" wrote:
>
> Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails
> (even with just plain http) with 404. To test I use MSIE against the proxy
> host:
> http://www.myprox.com:8080/cgi-bin/myscript
>
> It does work when i point directly at the destination host:
> http://www.mydest.com:8080/cgi-bin/myscript

What do you want to type in the browser? What do you want it to produce? What do your proxy directives look like?

rgds,
Owen Boyle.
RE: ssl proxy
Tried ProxyPass and ProxyPassReverse on my proxy box and my test fails (even with just plain http) with 404. To test I use MSIE against the proxy host:
http://www.myprox.com:8080/cgi-bin/myscript

It does work when i point directly at the destination host:
http://www.mydest.com:8080/cgi-bin/myscript

so it does seem just the proxy is not set up right. Maybe I need some special settings on the destination host too? Oh and i get no access.log entries on the destination box at all.

-Original Message-
From: Aryeh Katz [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 27, 2002 9:11 AM
To: [EMAIL PROTECTED]
Subject: RE: ssl proxy

> As a followup to below, what directives would be needed to accomplish
> this "proxy" or "tunnel" or whatever i should call it? Incidentally,
> if it matters, the client here is not a browser - it's just a
> c-program that writes raw http-headered request messages directly. An
> illustrative example would be great!

In either a virtual host, or whole server:

ProxyPass / https://login.passport.com/
ProxyPassReverse / https://login.passport.com/

---
Aryeh Katz
VASCO
www.vasco.com
RE: ssl proxy
> As a followup to below, what directives would be needed to accomplish
> this "proxy" or "tunnel" or whatever i should call it? Incidentally,
> if it matters, the client here is not a browser - it's just a
> c-program that writes raw http-headered request messages directly. An
> illustrative example would be great!

In either a virtual host, or whole server:

ProxyPass / https://login.passport.com/
ProxyPassReverse / https://login.passport.com/

---
Aryeh Katz
VASCO
www.vasco.com
RE: ssl proxy
As a followup to below, what directives would be needed to accomplish this "proxy" or "tunnel" or whatever i should call it? Incidentally, if it matters, the client here is not a browser - it's just a c-program that writes raw http-headered request messages directly. An illustrative example would be great!

> > Can a httpd be set up as a "secure proxy"? Ie.: forward requests
> > from a client (a client that doesn't get involved with any ssl
> > stuff itself) on to an HTTPS site?
>
> Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable
> SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be
> done.

No special compile flags are necessary in 1.3.22+ and mod_ssl 2.8

Aryeh
---
Aryeh Katz
VASCO
www.vasco.com
Re: ssl proxy
> > Can a httpd be set up as a "secure proxy"? Ie.: forward requests
> > from a client (a client that doesn't get involved with any ssl
> > stuff itself) on to an HTTPS site?
>
> Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable
> SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be
> done.

No special compile flags are necessary in 1.3.22+ and mod_ssl 2.8

Aryeh
---
Aryeh Katz
VASCO
www.vasco.com
Re: ssl proxy
On Fri, 17 May 2002, Petryczka, George wrote:

> Can a httpd be set up as a "secure proxy"? Ie.: forward requests from a
> client (a client that doesn't get involved with any ssl stuff itself) on
> to an HTTPS site?

Yes. With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable SSL_EXPERIMENTAL or something like that, I'm not sure. But it can be done.

--Cliff
RE: SSL Proxy with Strong Authentication
This is the kind of thing within the virtual host configuration on the machine you are proxying to:

Order deny,allow
Deny from all
Allow from 10.
AuthType Basic
AuthName "Outside users"
AuthDBUserFile /path/to/dbuserfile
require valid-user
satisfy any

This assumes that your internal network is a class A network starting with 10. as defined in RFC1918. Internal users get in immediately. You have to use dbmmanage to manage the dbuserfile. It is a good idea to ensure that the web server has only read-only access to this file.

This works because "/" appears in every single web request, so will match all requests under your secure site.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

Agnostic (Greek) = Ignoramus (Latin)

> -Original Message-
> From: Mike Murray [mailto:[EMAIL PROTECTED]]
> Sent: 24 January 2002 23:49
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: SSL Proxy with Strong Authentication
>
> Hi all,
>
> I'm investigating using Apache and SSL for (reverse) proxying HTTPS requests;
> however, one of the requirements of the task is to have a strong auth
> mechanism in place.
>
> I had two ideas, both of which have led me to a dead end:
>
> 1. Use the ProxyPass and ProxyPassReverse directives to authorize
> connections, and requiring client certs to authenticate to the server.
>
> 2. Using a normal SSL page to authenticate via client certs, and using an
> .htaccess file in the DocRoot of the proxy server to auth IP addresses.
>
> Both seemed likely, and both have failed. The first because the directives
> don't work as I had hoped, and the second because I can't find anywhere to
> put an .htaccess file that makes sense to the proxy> section.
>
> So, this is a two-part question: first, does anybody have any idea on how to
> use .htaccess to control access to the proxy, and/or, does anybody have any
> ideas on what will accomplish this task?
>
> Thanks,
> Mike
>
> --
> | Mike Murray <[EMAIL PROTECTED]>
> | Scientific Technologist http://www.nCircle.com
> | nCircle Network Security
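
The access rule from the reply above, moved onto the SSL reverse proxy and combined with the client-certificate idea from the question, as an added example that is not from either post: internal 10.x clients pass immediately, everyone else needs both a verified client certificate and a valid password. It assumes Apache 2.4 syntax (`Require` instead of `Order`/`Allow`/`Satisfy`); the server name, backend name and TLS file paths are hypothetical.

```apache
# Added example, not from the original posts. Assumes Apache 2.4 with
# mod_ssl, mod_proxy, mod_proxy_http, mod_authz_host, mod_auth_basic and
# mod_authn_dbm. Host names and TLS file paths are hypothetical.
<VirtualHost *:443>
    ServerName proxy.example.test

    SSLEngine on
    SSLCertificateFile    conf/tls/proxy.crt
    SSLCertificateKeyFile conf/tls/proxy.key

    # Request a client certificate issued by this CA during the handshake,
    # but leave the allow/deny decision to the Require rules below.
    SSLCACertificateFile conf/tls/client-ca.crt
    SSLVerifyClient      optional
    SSLVerifyDepth       2

    # Reverse proxy only.
    ProxyRequests off

    # "/" is a prefix of every request path, so this covers the whole site.
    <Location "/">
        AuthType Basic
        AuthName "Outside users"
        AuthBasicProvider dbm
        AuthDBMUserFile /path/to/dbuserfile

        <RequireAny>
            # 2.4 form of "Order deny,allow / Allow from 10. / Satisfy any".
            Require ip 10
            # Outside users: verified client certificate AND valid password.
            <RequireAll>
                Require ssl-verify-client
                Require valid-user
            </RequireAll>
        </RequireAny>
    </Location>

    ProxyPass        / http://backend.internal.test/
    ProxyPassReverse / http://backend.internal.test/
</VirtualHost>
```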
Re: SSL Proxy question
On Tue, Jun 19, 2001 at 06:47:48PM +0200, Thierry Coopman wrote:
> Hi,
>
> I'm looking for a solution to make proxy https connections and
> forward them as http connections.
>
> client->https->proxy->http->server
>
> I'm not sure this the right place to ask a solution for it, but I
> have seen snippets in this mailing list. Something was possible using
> mod_proxy, mod_ssl and mod_rewrite.
>
> Does anybody have a HOW-TO, or some instructions to get me on the
> right track (pointers to documentation, example configs etc etc)
>
Reading mod_ssl docs along with the standard documentation for Apache mod_proxy and mod_rewrite is a very good idea.
You could also take a look at:
http://forum.swarthmore.edu/epigone/modperl/glarvelto
(see my postings in that thread)

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: ssl & proxy .. again
I use the following virtual host configuration to connect certain users over the Internet (real names of systems and IPs have been changed)

# Proxy to security (security measure)
ServerAdmin [EMAIL PROTECTED]
ServerName security.rnib.org.uk
SSL Stuff here ...
Auth Stuff here ...
ErrorLog /var/log/httpd/security-error_log
TransferLog /var/log/httpd/security-access_log
ProxyPass / http://real-security/

This takes a secure connection to the virtual host "security", and proxies all requests to the host "real-security" via http. In this case, the proxy is on the internal network and passwords are encrypted over the 'net. (I've missed out the SSL and Auth bits). In fact, the proxied host "real-security" cannot be contacted directly. The logging is useful for checking that it works.

I believe this is the best you can do, unless another program can "proxy" https. Whereas http is effectively plain text (purists will obviously point out that iso-8859-1 isn't exactly plain text, but I know that!), https is encrypted end to end. To pass data from one https connection to another would make the security next to useless.

(Actually I'd like to authenticate users via TACACS+, but that's another question altogether).

John

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 19/01/00 16:57
Subject: ssl & proxy .. again

Hi there,

in the mail archive I found a discussion about using a https connection from browser to proxy, regardless of the request type. ( browser <- ssl -> proxy <- whatever -> server). Actually, I am trying to set this up myself, without success so far, and would like to ask, if it can be done somehow.

The reason for doing this is, that I want my users to authenticate against apache through some module ( mod_auth_nds, actually, but it could be any auth module ) and by their authentication / authorization define, how can use which Internet resources. I do not want their NDS password going over the net in plain text, though.

Does anybody know, if / how this can be accomplished?

regards,
Andreas
[EMAIL PROTECTED]
Re: ssl & proxy .. again
Hi,

Is your apache SSL enabled? I've configuration like this one but without usage of authorization and it works fine for me. I am using apache 1.3.9, mod_ssl 2.4.10 and openssl 0.9.4.

Rossen

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/19/00 11:57 AM
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: ssl & proxy .. again

Hi there,

in the mail archive I found a discussion about using a https connection from browser to proxy, regardless of the request type. ( browser <- ssl -> proxy <- whatever -> server). Actually, I am trying to set this up myself, without success so far, and would like to ask, if it can be done somehow.

The reason for doing this is, that I want my users to authenticate against apache through some module ( mod_auth_nds, actually, but it could be any auth module ) and by their authentication / authorization define, how can use which Internet resources. I do not want their NDS password going over the net in plain text, though.

Does anybody know, if / how this can be accomplished?

regards,
Andreas
[EMAIL PROTECTED]
Re: ssl & proxy .. again
>>> [EMAIL PROTECTED] 01/19/00 11:57AM >>>
>The reason for doing this is, that I want my users to authenticate
>against apache through some module ( mod_auth_nds, actually,
>but it could be any auth module ) and by their authentication /
>authorization define, how ca use which Internet resources.
>I do not want their NDS password going over the net in plain text, though.

If I understand what you're wanting, it's straightforward... All you have to do is set it up so that the browser connects to your server with HTTPS to get to the authorization-required pages. At that point, both the request (including the username/password header) and the response (the page itself) are encrypted.

Does that make sense? I can explain further...

--Cliff

Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/
Work: (540) 463-8089 Pager: (540) 462-2303
