On Tue, 26 Mar 2002 14:42:37 -0800 (PST) Merton Campbell Crockett <[EMAIL PROTECTED]> wrote:
> On Tue, 26 Mar 2002, Patrick Herborn wrote:
>
> > I have been trying to configure the following setup:
> >
> >      PRIVATE LAN      |      INTERNET
> >                       |
> > back_end <--HTTP--> Apache <--HTTPS--> Client
> >                       |
> >                       |
> >
> > I.e. the Apache box is acting as a bastion host between the Internet and a
> > private LAN segment. I have a valid cert and key on the Apache box, and SSL
> > negotiation works fine. I also have the whole thing working with pure HTTP
> > (no SSL) but with both, i.e. running SSL to the Apache box, then plain HTTP
> > to the back end, it breaks.
>
> I assume that you have a virtual host defined on the Apache server with
> the same name as the back_end. Use mod_rewrite's [P] flag to generate the
> HTTP request to back_end. Use mod_proxy's ProxyPassReverse to capture the
> response from back_end and return it to the client.

Just a quick update. As previously stated, it was set up as suggested and it worked fine with plain HTTP, but broke with HTTPS / SSL.

I have now set this up with pretty much identical config but running Apache 1.3.x and it works just fine; it still does not work with Apache 2.0.32.

My gut feeling at this stage, from the minuscule knowledge of the source I have gathered in the last day or so, is that it is an unwanted side-effect of the Apache 2.0 hook mechanism; it's as if the hook is being called even for a server-initiated TCP connection, not just for client-initiated connections.

Question is whose "responsibility" is it? Should mod_ssl skip the SSL negotiation on server-initiated connections (especially to port 80!), or should the Apache core bypass the hook on server-initiated connections? I.e. is it a mod_ssl problem, or is it an Apache core problem?

Or am I just barking up the wrong tree entirely?

Patrick Herborn.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
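
An added diagnostic, not part of the original message and not Apache or mod_ssl code: a stand-in back end that reports whether the proxy's server-initiated connection opens with plain HTTP or with an SSL/TLS ClientHello, which is what would arrive if SSL negotiation were being applied to the back-end leg. The listening port, function names and sample byte strings are constructed for illustration.

```python
import socket

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"TRACE ", b"CONNECT ")

# Constructed sample openings (not captured traffic).
SAMPLE_TLS = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"
SAMPLE_SSLV2 = b"\x80\x2e\x01\x03\x01\x00\x15"
SAMPLE_HTTP = b"GET / HTTP/1.0\r\nHost: back_end\r\n\r\n"


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes the back end receives from the proxy."""
    # SSLv3/TLS record: type 0x16 (handshake), major version 3,
    # and handshake message type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    # SSLv2-compatible hello: 2-byte length with the high bit set,
    # then message type 0x01 (CLIENT-HELLO).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    if data.startswith(HTTP_METHODS):
        return "plain-http"
    return "unknown"


def observe_once(host="127.0.0.1", port=8080, timeout=30.0):
    """Accept one connection from the proxy and return (peer, verdict)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            conn.settimeout(timeout)
            verdict = classify_first_bytes(conn.recv(64))
            if verdict == "plain-http":
                # Answer so the proxy can complete the request normally.
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\n"
                             b"Connection: close\r\n\r\nok\n")
    return peer, verdict


if __name__ == "__main__":
    # Point the proxy's back-end URL at this host and port (assumed values).
    peer, verdict = observe_once()
    print(f"connection from {peer[0]}:{peer[1]} opened with: {verdict}")
```

A `plain-http` verdict means the proxy is speaking HTTP to the back end as configured; either ClientHello verdict means an SSL handshake is being attempted on the connection that was meant to be cleartext.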
