On Tue, 26 Mar 2002 14:42:37 -0800 (PST) Merton Campbell Crockett <[EMAIL PROTECTED]> wrote:
> On Tue, 26 Mar 2002, Patrick Herborn wrote:
>
> > I have been trying to configure the following setup:
> >
> >     PRIVATE LAN       |       INTERNET
> >                       |
> > back_end <--HTTP--> Apache <--HTTPS--> Client
> >                       |
> >                       |
> >
> > Ie the Apache box is acting as a bastion host between the Internet and a
> > private LAN segment. I have a valid cert and key on the Apache box, and SSL
> > negotiation works fine. I also have the whole thing working with pure HTTP
> > (no SSL) but with both, ie running SSL to the Apache box, then plain HTTP
> > to the back end, it breaks.
>
> I assume that you have a virtual host defined on the Apache server with
> the same name as the back_end.

Yes, that is correct, the only difference is that in the Apache box it is defined <VirtualHost www.test.com:443> and a user would just connect to https://www.test.com/, without the port number because it is implicit.

> Use mod_rewrite's [P] flag to generate the HTTP request to back_end.

Yes, and that much appears to work. Indeed, running a tcpdump on the back end interface, I can actually see a SYN, SYN/ACK and ACK, ie the TCP layer is fine, mod_proxy is trying to connect (and does) with the back end, but as soon as it tries to send a GET to the back end, it breaks.

> Use mod_proxy's ProxyPassReverse to capture the response from back_end and
> return it to the client.

Yep, got that. Like I said, it all works with plain old HTTP, but as soon as I try to run SSL it breaks.

> Re-read Ralf Engelschall's notes on mod_rewrite 3 or 4 times. It takes
> time for what my grandmother would have called "jookery-pookery" to sink
> in.

I'm not trying to do anything too complex with mod_rewrite, indeed I could use ProxyPass instead of [P] (but I will be doing URL filtering so I need the [F] target of mod_rewrite, something that ProxyPass wouldn't do).

> When I developed a system running Stronghold several years ago, I recall
> running into problems with SSL (ssleay) until I realized that you needed
> to simulate ProxyPass using mod_rewrite.

I have tested it with ProxyPass also, just to see if the problem lies with mod_rewrite, but I get exactly the same results. Today I will do a bit of testing with Apache 1.3.x to see if that works...

> I don't think this is a mod_ssl problem.

I'm not sure exactly where the problem lies, but thinking about it, if using ProxyPass yields the same results as RewriteRule, then it stands to reason that the problem doesn't lie with mod_rewrite, so that leaves mod_proxy and mod_ssl (and of course the Apache core). I'll keep digging....

> It's more of a problem of under which shell is the pea.

Yeah... needle in haystack... up to now I've been content with configuring build options, building, and running Apache... now I need to sift through God knows how many lines of source code. Eeek.

Regards,

Patrick Herborn.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
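
The setup discussed in this thread, written out as a virtual host sketch. This is an added example, not configuration posted by either participant; the certificate paths and the filtered URL pattern are placeholder assumptions, and it only lays out the directives named in the thread rather than a fix for the reported failure.

```apache
# Added example: front-end virtual host that terminates SSL and relays
# plain HTTP to the back end on the private LAN.
# Certificate paths and the blocked URL pattern are placeholders.
<VirtualHost www.test.com:443>
    ServerName www.test.com

    # SSL ends at the bastion host; the back end only ever sees HTTP.
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Reverse proxy only: do not act as a forward proxy for clients.
    ProxyRequests Off

    RewriteEngine On

    # URL filtering with [F]: answer 403 Forbidden for the (hypothetical)
    # pattern so the request never crosses into the private LAN.
    # This rule must come first, because [P] below ends rule processing.
    RewriteRule ^/admin(/|$) - [F]

    # Everything else is handed to mod_proxy through the [P] flag.
    RewriteRule ^/(.*)$ http://back_end/$1 [P,L]

    # Rewrite Location headers on back-end redirects so clients are not
    # pointed at http://back_end/, which is unreachable from the Internet.
    ProxyPassReverse / http://back_end/
</VirtualHost>
```

Swapping the [P] rule for `ProxyPass / http://back_end/` gives the ProxyPass variant used in the thread as a cross-check, at the cost of losing the [F] filter.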
