Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-12 Thread Rajesh Cherukuri
Alex

The config below seems to be working now. The only difference I see between
my earlier conf and the config below is the location of these values (ProxyVia
On, ProxyRequests On) and the disabling of SSLProxyEngine On.

Thanks for all your help on this




*Working Config *

Listen 172.16.130.2:8080 
LoadModule setenvif_module modules/mod_setenvif.so
#SSLProxyEngine On
#ProxyRequests On
#ProxyVia On


SSLCertificateFile /etc/pki/tls/certs/1.cert
SSLCertificateKeyFile /etc/pki/tls/private/1.key
SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
SSLProxyEngine On

ProxyRequests On
ProxyVia On



 Require expr %{HTTP_HOST} =~ /^example.com:443$/
 Require expr %{HTTP_HOST} =~ /^crl3.digicert.com:80$/
 






Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-11 Thread Alexandru Duzsardi
If you want to proxy to google.com or any host , just leave out the
 stanza from the config

I would recommend to start only with the absolutely necessary config
and expand from there.

That means that for a https forward proxy config you only need this
vhost config + the required modules: mod_proxy_connect, mod_ssl,
mod_proxy (and maybe mod_proxy_http,mod_proxy_ftp if you want to target
other protocols than https)

  SSLEngine on
  SSLCertificateFile  ssl/proxy.crt
  SSLCertificateKeyFile ssl/proxy.key

  ProxyRequests On
  ProxyVia On


On Wed, 2018-04-11 at 07:44 +0100, Rajesh Cherukuri wrote:
> hi
> 
> Could you try any of the HTTP urls , i am not sure why it isn't
> working for me i can see that you are proxying to 192.IP ,but on mine
> i still get connection abort when it try with below configuration 
> 
> and when tried curl with option --proxy-insecure that option doesn't
> seem to be available 
> 
> 
> 
> # cat  virtualhosts.conf
> 
> Listen 443 https
> 
> 
> 
> 
> LoadModule proxy_connect_module modules/mod_proxy_connect.so
> LogLevel debug
> 
> 
> SSLProtocol all -SSLv2
> SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
> 
> SSLCertificateFile /etc/pki/tls/certs/1.cert
> 
> SSLCertificateKeyFile /etc/pki/tls/private/1.key
> 
> SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
>   ProxyRequests On
> ProxyVia On
> SSLProxyEngine On
> 
> 
>  Require expr %{HTTP_HOST} =~ /^example.com:443$/
>  Require expr %{HTTP_HOST} =~ /^172.17.33.13:443$/
>  
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>   curl -k --proxy https://172.16.135.4:443 https://172.17.33.13 -v -v
> * About to connect() to proxy 172.16.135.4 port 443 (#0)
> *   Trying 172.16.135.4...
> * Connected to 172.16.135.4 (172.16.135.4) port 443 (#0)
> * Establish HTTP proxy tunnel to 172.17.33.13:443
> > CONNECT 172.17.33.13:443 HTTP/1.1
> > Host: 172.17.33.13:443
> > User-Agent: curl/7.29.0
> > Proxy-Connection: Keep-Alive
> >
> * Proxy CONNECT aborted
> * Connection #0 to host 172.16.135.4 left intact
> curl: (56) Proxy CONNECT aborted
> 
> 
> 
> curl --proxy-insecure --proxy https://127.0.0.1:8080 https://www.google.com -v -v
> curl: option --proxy-insecure: is unknown
> curl: try 'curl --help' or 'curl --manual' for more information
> 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Rajesh Cherukuri
hi

Could you try any of the HTTP urls , i am not sure why it isn't working
for me i can see that you are proxying to 192.IP ,but on mine i still get
connection abort when it try with below configuration

and when tried curl with option --proxy-insecure that option doesn't seem
to be available



# cat  virtualhosts.conf

Listen 443 https




LoadModule proxy_connect_module modules/mod_proxy_connect.so
LogLevel debug


SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA

SSLCertificateFile /etc/pki/tls/certs/1.cert

SSLCertificateKeyFile /etc/pki/tls/private/1.key

SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
  ProxyRequests On
ProxyVia On
SSLProxyEngine On


 Require expr %{HTTP_HOST} =~ /^example.com:443$/
 Require expr %{HTTP_HOST} =~ /^172.17.33.13:443$/
 











  *curl -k --proxy https://172.16.135.4:443 https://172.17.33.13 -v -v*
* About to connect() to proxy 172.16.135.4 port 443 (#0)
*   Trying 172.16.135.4...
* Connected to 172.16.135.4 (172.16.135.4) port 443 (#0)
* Establish HTTP proxy tunnel to 172.17.33.13:443
> CONNECT 172.17.33.13:443 HTTP/1.1
> Host: 172.17.33.13:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* Connection #0 to host 172.16.135.4 left intact
*curl: (56) Proxy CONNECT aborted*



curl --proxy-insecure --proxy https://127.0.0.1:8080 https://www.google.com -v -v
*curl: option --proxy-insecure: is unknown*
curl: try 'curl --help' or 'curl --manual' for more information


Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Alexandru Duzsardi
Just tested this setup , out of pure boredom and it works as expected
(ubuntu 16.04)

Proxy server modules needed to enable: ssl,proxy,proxy_connect
Proxy Config (n1: virtualhost)

ErrorLog error.log
SSLEngine on
SSLCertificateFile  ssl/proxy.crt
SSLCertificateKeyFile ssl/proxy.key

ProxyRequests On
ProxyVia On


   Require expr %{HTTP_HOST} =~ /^192.168.99.11:443$/





Backend server modules needed to enable: ssl
Backend server (n2: virtualhost)

DocumentRoot /var/www/html
ErrorLog error.log

SSLEngine on
SSLCertificateFile  ssl/server.crt
SSLCertificateKeyFile ssl/server.key

# Only from proxy IP
Require ip 192.168.99.10





From a third VM
$ curl -k --proxy-insecure -x  https://192.168.99.10 -k https://192.168.99.11
> Hello from n2

$ curl -k --proxy-insecure -x  https://192.168.99.10 -k https://www.google.com
curl: (56) Received HTTP code 403 from proxy after CONNECT

On Tue, 2018-04-10 at 14:40 +0100, Rajesh Cherukuri wrote:
> Eric 
> 
>  In that case if it uses  connect  over http , do you think this
> would be the reason why i get below in the error logs  then i am not
> sure why would the HTTP urls fail with 400 bad request 
> 
> 
> 
> SSL Library Error: error:1407609B:SSL
> routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP
> to HTTPS port!?
> 
> 
> On Tue, Apr 10, 2018 at 1:34 PM, Eric Covener 
> wrote:
> > On Tue, Apr 10, 2018 at 8:10 AM, Rajesh Cherukuri wrote:
> > > Eric
> > >
> > >  So you mean to say that i can't use a browser that has proxy
> > configuration
> > > as  apache  HTTPS forwarding  proxy and then use it to connect to
> > http and
> > > https urls ?
> > 
> > I'm saying if you configure a browser to use a proxy for HTTPS
> > connections, it uses CONNECT over HTTP to the proxy server.
> > 
> > 
> 
> 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
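
The proxy configs in this thread limit destinations with "Require expr %{HTTP_HOST} =~ /^host:port$/", which is a regular expression, so every unescaped "." matches any character. The following is an added example, not code from the thread: it pulls each pattern out of a config fragment, shows a host the pattern admits beyond the intended one, and produces the escaped form. The function names and the sample fragment are constructed for illustration, and Python's re module stands in for httpd's PCRE, which behaves the same for these simple patterns.

```python
import re

# Config fragment constructed from the Require lines posted in this thread;
# the third pattern is already escaped and should produce no finding.
SAMPLE_CONF = r"""
ProxyRequests On
ProxyVia On
Require expr %{HTTP_HOST} =~ /^example.com:443$/
Require expr %{HTTP_HOST} =~ /^192.168.99.11:443$/
Require expr %{HTTP_HOST} =~ /^crl3\.digicert\.com:80$/
"""

REQUIRE_RE = re.compile(
    r"^\s*Require\s+expr\s+%\{HTTP_HOST\}\s*=~\s*/(?P<pat>.*)/\s*$"
)


def unescaped_dots(pattern):
    """Indexes of '.' characters that are not protected by a backslash."""
    hits, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if pattern[i] == ".":
            hits.append(i)
        i += 1
    return hits


def harden(pattern):
    """Escape every unescaped dot so it only matches a literal '.'."""
    dots = set(unescaped_dots(pattern))
    return "".join("\\" + c if i in dots else c for i, c in enumerate(pattern))


def witness(pattern):
    """A host the author did not intend: the literal host:port with the first
    unescaped dot replaced by 'x'. Only meant for simple anchored patterns."""
    dots = unescaped_dots(pattern)
    if not dots:
        return None
    chars = list(pattern)
    chars[dots[0]] = "x"
    return "".join(chars).lstrip("^").rstrip("$").replace("\\", "")


def audit_require_expr(conf_text):
    """Report Require expr host patterns that admit more than one host."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = REQUIRE_RE.match(line)
        if not m:
            continue
        pat = m.group("pat")
        host = witness(pat)
        if host is None:
            continue
        fixed = harden(pat)
        findings.append({
            "line": lineno,
            "pattern": pat,
            "unintended_host": host,
            "admitted_before": re.search(pat, host) is not None,
            "admitted_after": re.search(fixed, host) is not None,
            "hardened": fixed,
        })
    return findings


if __name__ == "__main__":
    for f in audit_require_expr(SAMPLE_CONF):
        print("line {line}: /{pattern}/ also admits {unintended_host}; "
              "use /{hardened}/".format(**f))
```

Where an exact host:port match is all that is needed, httpd's expression syntax also offers the string comparison ==, which avoids regex metacharacters altogether.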



Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Rajesh Cherukuri
Eric

 In that case if it uses  connect  over http , do you think this would be
the reason why i get below in the error logs  then i am not sure why would
the HTTP urls fail with 400 bad request



SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO
*:https proxy request -- speaking HTTP to HTTPS port!?*

On Tue, Apr 10, 2018 at 1:34 PM, Eric Covener  wrote:

> On Tue, Apr 10, 2018 at 8:10 AM, Rajesh Cherukuri 
> wrote:
> > Eric
> >
> >  So you mean to say that i can't use a browser that has proxy
> configuration
> > as  apache  HTTPS forwarding  proxy and then use it to connect to http
> and
> > https urls ?
>
> I'm saying if you configure a browser to use a proxy for HTTPS
> connections, it uses CONNECT over HTTP to the proxy server.
>
>
>


Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Rajesh Cherukuri
i still get connection abort









Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Mike Maiorana
Rajesh,
Try this:
curl -I -x 172.16.130.2:443  https://example.com

Still SSL to example.com, but using the http proxy on port 443. Still
encrypted.

Mike M.


On Tue, Apr 10, 2018 at 8:34 AM, Eric Covener  wrote:

> On Tue, Apr 10, 2018 at 8:10 AM, Rajesh Cherukuri 
> wrote:
> > Eric
> >
> >  So you mean to say that i can't use a browser that has proxy
> configuration
> > as  apache  HTTPS forwarding  proxy and then use it to connect to http
> and
> > https urls ?
>
> I'm saying if you configure a browser to use a proxy for HTTPS
> connections, it uses CONNECT over HTTP to the proxy server.
>
>
>


Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Eric Covener
On Tue, Apr 10, 2018 at 8:10 AM, Rajesh Cherukuri  wrote:
> Eric
>
>  So you mean to say that i can't use a browser that has proxy configuration
> as  apache  HTTPS forwarding  proxy and then use it to connect to http and
> https urls ?

I'm saying if you configure a browser to use a proxy for HTTPS
connections, it uses CONNECT over HTTP to the proxy server.




Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Rajesh Cherukuri
Eric

 So you mean to say that i can't use a browser that has proxy configuration
as  apache  HTTPS forwarding  proxy and then use it to connect to http and
https urls ?

On Tue, Apr 10, 2018 at 12:42 PM, Eric Covener  wrote:

> On Tue, Apr 10, 2018 at 7:41 AM, Stefan Eissing
>  wrote:
> > I advise to debug this step-by-step. First the SSL connection to your
> Apache. Then the proxy setup. Then any restrictions with "Require...".
>
> +1. It appears curl is using HTTP to talk to your proxy, like a
> browser would, but that's not your requirement. Your requirement is to
> use HTTPS on that hop (a browser wouldn't).
> You could easily verify this with a packet capture and it's no httpd issue.
>
>
>


Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Eric Covener
On Tue, Apr 10, 2018 at 7:41 AM, Stefan Eissing
 wrote:
> I advise to debug this step-by-step. First the SSL connection to your Apache. 
> Then the proxy setup. Then any restrictions with "Require...".

+1. It appears curl is using HTTP to talk to your proxy, like a
browser would, but that's not your requirement. Your requirement is to
use HTTPS on that hop (a browser wouldn't).
You could easily verify this with a packet capture and it's no httpd issue.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
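
The condition described above, a client speaking cleartext HTTP to the proxy's TLS listener, can be read directly from the mod_ssl error log without a packet capture. The following is an added example, not code from the thread: it ties each "SSL Library Error" line to the client logged by the same pid and maps the two OpenSSL reason strings quoted in this thread to what the client sent. The sample log lines are constructed from the ones posted here, and the function and verdict names are hypothetical.

```python
import re

# Constructed sample: error-log lines modelled on the entries quoted in this
# thread, plus one clean connection (pid 13355) that must not be reported.
SAMPLE_LOG = """\
[Tue Apr 10 12:12:44.768286 2018] [ssl:info] [pid 13353] [client 172.16.135.4:56408] AH01964: Connection to child 1 established (server testnew1.com:443)
[Tue Apr 10 12:12:44.769907 2018] [ssl:info] [pid 13353] [client 172.16.135.4:56408] AH02008: SSL library error 1 in handshake (server testnew1.com:443)
[Tue Apr 10 12:12:44.770033 2018] [ssl:info] [pid 13353] SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP to HTTPS port!?
[Tue Apr 10 12:14:41.387149 2018] [ssl:info] [pid 13354] [client 172.16.135.4:56410] AH01964: Connection to child 2 established (server testnew1.com:443)
[Tue Apr 10 12:14:41.387647 2018] [ssl:info] [pid 13354] [client 172.16.135.4:56410] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Tue Apr 10 12:14:41.387704 2018] [ssl:info] [pid 13354] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?
[Tue Apr 10 12:20:01.000001 2018] [ssl:info] [pid 13355] [client 172.16.135.9:40000] AH01964: Connection to child 3 established (server testnew1.com:443)
"""

LINE_RE = re.compile(
    r"^\[[^\]]+\] \[[^\]]+\] \[pid (?P<pid>\d+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
# OpenSSL error string layout: error:<code>:<library>:<function>:<reason>
REASON_RE = re.compile(
    r"SSL Library Error: error:(?P<code>[0-9A-Fa-f]+):[^:]*:[^:]*:(?P<reason>.+)$"
)

# Reason text -> (verdict, what it says about the client-to-proxy hop).
DIAGNOSES = {
    "https proxy request": (
        "plaintext-connect",
        "client sent CONNECT in cleartext: it is treating the proxy as http://",
    ),
    "http request": (
        "plaintext-http",
        "client sent a cleartext HTTP request line to the TLS listener",
    ),
}


def triage(log_text):
    """Return one finding per 'SSL Library Error' line, tied to its client."""
    last_client = {}  # pid -> client of the connection that pid is serving
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid = m.group("pid")
        if m.group("client"):
            last_client[pid] = m.group("client")
        err = REASON_RE.search(m.group("msg"))
        if not err:
            continue
        verdict, hint = "other-tls-error", "not a cleartext-on-TLS-port failure"
        for prefix, diagnosis in DIAGNOSES.items():
            if err.group("reason").startswith(prefix):
                verdict, hint = diagnosis
        findings.append({
            "pid": pid,
            # The library-error line carries no client field, so reuse the
            # client last logged by the same pid (assumes one connection per
            # process at a time, as with the prefork MPM).
            "client": last_client.get(pid, "unknown"),
            "code": err.group("code").upper(),
            "verdict": verdict,
            "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("{client} pid={pid} {code} {verdict}: {hint}".format(**f))
```

curl speaks TLS to a proxy only from version 7.52.0 onward, the release that also introduced --proxy-insecure; the client output quoted in this thread identifies itself as curl/7.29.0.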



Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Stefan Eissing
I advise to debug this step-by-step. First the SSL connection to your Apache. 
Then the proxy setup. Then any restrictions with "Require...".

> On 10.04.2018 at 13:31, Rajesh Cherukuri wrote:
> 
> 
> configured HTTPS on 8080 port and here is the request sent to HTTP and HTTPS 
> found two things by running curl with --insecure 
> 
> 
> 1.) for all HTTP requests  i get 400 bad requests as response 
> 2.) for all HTTPS requests i get HTTP/1.1 400 Bad Request
> 
> 
> below is the output 
> 
> 
> curl --insecure -I -x https://172.16.130.2:8080 http://crl3.digicert.com
> HTTP/1.1 400 Bad Request
> Date: Tue, 10 Apr 2018 11:08:44 GMT
> Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
> Content-Length: 362
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
> 
>  curl --insecure -I -x https://172.16.130.2:8080 https://example.com
> curl: (56) Proxy CONNECT aborted
> 
> 
> 
> 
> 
> error log for https requests (https://example.com)
> 
> 
> [Tue Apr 10 12:12:44.768286 2018] [ssl:info] [pid 13353] [client 
> 172.16.135.4:56408] AH01964: Connection to child 1 established (server 
> testnew1..com:443)
> [Tue Apr 10 12:12:44.769907 2018] [ssl:info] [pid 13353] [client 
> 172.16.135.4:56408] AH02008: SSL library error 1 in handshake (server 
> testnew1..com:443)
> [Tue Apr 10 12:12:44.770033 2018] [ssl:info] [pid 13353] SSL Library Error: 
> error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- 
> speaking HTTP to HTTPS port!?
> [Tue Apr 10 12:12:44.770074 2018] [ssl:info] [pid 13353] [client 
> 172.16.135.4:56408] AH01998: Connection closed to child 1 with abortive 
> shutdown (server testnew1..com:443
> 
> --
> 
> Error Log for HTTP request (http://crl3.digicert.com)
> [Tue Apr 10 12:14:41.387149 2018] [ssl:info] [pid 13354] [client 
> 172.16.135.4:56410] AH01964: Connection to child 2 established (server 
> testnew1.com:443)
> [Tue Apr 10 12:14:41.387647 2018] [ssl:info] [pid 13354] [client 
> 172.16.135.4:56410] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; 
> trying to send HTML error page
> [Tue Apr 10 12:14:41.387704 2018] [ssl:info] [pid 13354] SSL Library Error: 
> error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking 
> HTTP to HTTPS port!?
> 
> 
> 
> 
> 
> virtual host configuration 
> 
> 
> 
> Listen 172.16.130.2:8080
> 
> 
> 
>  ServerName  testnew1.com
> 
> 
> 
> ProxyRequests On
> ProxyVia On
> SSLProxyEngine On
> SSLEngine On
> SSLProxyVerify none
> SSLCertificateFile 1.cert
> SSLCertificateKeyFile 1.key
> #AllowConnect 80 443 1080 8082
> ProxyPreserveHost On
> 
> 
>  Require expr %{HTTP_HOST} =~ /^example.com:443$/
>  Require expr %{HTTP_HOST} =~ /^crl3.digicert.com:80$/
>  
> 
> 
> 
> 
> 
> 





Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Rajesh Cherukuri
configured HTTPS on 8080 port and here is the request sent to HTTP and
HTTPS found two things by running curl with --insecure


1.) for all HTTP requests  i get 400 bad requests as response
2.) for all HTTPS requests i get HTTP/1.1 400 Bad Request


below is the output


curl --insecure -I -x https://172.16.130.2:8080 http://crl3.digicert.com
*HTTP/1.1 400 Bad Request*
Date: Tue, 10 Apr 2018 11:08:44 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1

 curl --insecure -I -x https://172.16.130.2:8080 https://example.com
curl: (56) Proxy CONNECT aborted





*error log for https requests (https://example.com)*


[Tue Apr 10 12:12:44.768286 2018] [ssl:info] [pid 13353] [client
172.16.135.4:56408] AH01964: Connection to child 1 established (server
testnew1..com:443)
[Tue Apr 10 12:12:44.769907 2018] [ssl:info] [pid 13353] [client
172.16.135.4:56408] AH02008: SSL library error 1 in handshake (server
testnew1..com:443)
[Tue Apr 10 12:12:44.770033 2018] [ssl:info] [pid 13353] SSL Library Error:
error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request --
speaking HTTP to HTTPS port!?
[Tue Apr 10 12:12:44.770074 2018] [ssl:info] [pid 13353] [client
172.16.135.4:56408] AH01998: Connection closed to child 1 with abortive
shutdown (server testnew1..com:443

--

*Error Log for HTTP request (http://crl3.digicert.com)*
[Tue Apr 10 12:14:41.387149 2018] [ssl:info] [pid 13354] [client
172.16.135.4:56410] AH01964: Connection to child 2 established (server
testnew1.com:443)
[Tue Apr 10 12:14:41.387647 2018] [ssl:info] [pid 13354] [client
172.16.135.4:56410] AH01996: SSL handshake failed: HTTP spoken on HTTPS
port; trying to send HTML error page
[Tue Apr 10 12:14:41.387704 2018] [ssl:info] [pid 13354] SSL Library Error:
error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking
HTTP to HTTPS port!?





*virtual host configuration *



Listen 172.16.130.2:8080



 ServerName  testnew1.com



ProxyRequests On
ProxyVia On
SSLProxyEngine On
SSLEngine On
SSLProxyVerify none
SSLCertificateFile 1.cert
SSLCertificateKeyFile 1.key
#AllowConnect 80 443 1080 8082
ProxyPreserveHost On


 Require expr %{HTTP_HOST} =~ /^example.com:443$/
 Require expr %{HTTP_HOST} =~ /^crl3.digicert.com:80$/
 






Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Alexandru Duzsardi
Have you tried

curl --insecure -I -x ... ?

since curl probably doesn't trust your ssl-cert

On Tue, 2018-04-10 at 11:29 +0200, Stefan Eissing wrote:
> Does your curl report any answer from the Apache or does it just lose
> the connection? Try 'curl -v -D - ...' maybe for more details.
> 
> > On 10.04.2018 at 11:12, Rajesh Cherukuri wrote:
> > 
> > HI 
> > 
> >  i am not looking for end to end encryption , all i want to do is
> > make apache a forward proxy configured on SSL and accept  HTTPS and
> > proxy the urls based on the ACL's' below is my Vhost configuration
> > where i have a forward proxy which is configured to allow only to
> > example.com 
> > 
> >   when i disabled SSL everything works fine and i can proxy to
> > https://example.com below is the curl output , but when i have proxy
> > configured as SSL  the request seems to be failing 
> > 
> > SSL enabled -doesn't work 
> > 
> > curl -I -x https://172.16.130.2:443 https://example.com
> > curl: (56) Proxy CONNECT aborted
> > 
> > 
> > ProxyRequests On
> > ProxyVia On
> > SSLProxyEngine On
> > SSLEngine On
> > SSLProxyVerify none
> > SSLCertificateFile /etc/pki/tls/certs/1.cert
> > SSLCertificateKeyFile /etc/pki/tls/private1.key
> > 
> > 
> >  Require expr %{HTTP_HOST} =~ /^example.com:443$/
> > 
> > 
> > 
> > 
> > 
> > SSL disabled -works fine 
> > 
> > 
> > curl -I -x http://172.16.135.4:8082  https://example.com
> > HTTP/1.0 200 Connection Established
> > Proxy-agent: Apache/2.4.6 (Red Hat Enterprise Linux)
> > OpenSSL/1.0.2k-fips
> > 
> > HTTP/1.1 200 OK
> > Accept-Ranges: bytes
> > Cache-Control: max-age=604800
> > Content-Type: text/html
> > Date: Tue, 10 Apr 2018 09:08:37 GMT
> > Etag: "1541025663+gzip"
> > Expires: Tue, 17 Apr 2018 09:08:37 GMT
> > Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
> > Server: ECS (lga/1318)
> > X-Cache: HIT
> > Content-Length: 1270
> > 
> > 
> > 
> > NON-SSL configuration 
> > Listen 172.16.130.2:80
> > 
> > 
> > 
> > ProxyRequests On
> > ProxyVia On
> > 
> > 
> > 
> >  Require expr %{HTTP_HOST} =~ /^example.com:443$/
> > 
> > 
> > 
> >  
> > 
> > On Tue, Apr 10, 2018 at 9:34 AM, Stefan Eissing wrote:
> > 
> > 
> > > On 10.04.2018 at 10:24, Rajesh Cherukuri wrote:
> > > 
> > > hi
> > > 
> > > > thanks for the info , wanted to know if there is a way we can
> > > > configure SSL on  a apache forward proxy   so that the
> > > > communication between the client (browser) to the Proxy server is
> > > > encrypted
> > 
> > Not sure what exactly you looking for. If you have:
> > 
> > Browser <-c1-> Apache <-c2-> Backend
> > 
> > where Apache acts as forward proxy, the both c1 and c2 can be TLS
> > connections, e.g. encrypted. But that means that the data is
> > unencrypted "inside" the Apache server. There is no end-to-end
> > encryption between Browser and Backend.
> > 
> > As for the TLS c2 connection setup, you have to specify "https:"
> > for your proxied backend and can influence the setup with the
> > various "SSLProxy*" directives.
> > 
> > Cheers,
> > 
> > Stefan
> > 
> > 
> 
> 
> 




Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Stefan Eissing
Does your curl report any answer from the Apache or does it just lose the 
connection? Try 'curl -v -D - ...' maybe for more details.

> On 10.04.2018 at 11:12, Rajesh Cherukuri wrote:
> 
> HI 
> 
>  i am not looking for end to end encryption , all i want to do is make apache 
> a forward proxy configured on SSL and accept  HTTPS and proxy the urls based 
> on the ACL's' below is my Vhost configuration where i have a forward proxy 
> which is configured to allow only to example.com 
> 
>   when i disabled SSL everything works fine and i can proxy to 
> https://example.com below is the curl output , but when i have proxy 
> configured as SSL  the request seems to be failing 
> 
> SSL enabled -doesn't work 
> 
> curl -I -x https://172.16.130.2:443 https://example.com
> curl: (56) Proxy CONNECT aborted
> 
> 
> ProxyRequests On
> ProxyVia On
> SSLProxyEngine On
> SSLEngine On
> SSLProxyVerify none
> SSLCertificateFile /etc/pki/tls/certs/1.cert
> SSLCertificateKeyFile /etc/pki/tls/private1.key
> 
> 
>  Require expr %{HTTP_HOST} =~ /^example.com:443$/
> 
> 
> 
> 
> 
> SSL disabled -works fine 
> 
> 
> curl -I -x http://172.16.135.4:8082  https://example.com
> HTTP/1.0 200 Connection Established
> Proxy-agent: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips
> 
> HTTP/1.1 200 OK
> Accept-Ranges: bytes
> Cache-Control: max-age=604800
> Content-Type: text/html
> Date: Tue, 10 Apr 2018 09:08:37 GMT
> Etag: "1541025663+gzip"
> Expires: Tue, 17 Apr 2018 09:08:37 GMT
> Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
> Server: ECS (lga/1318)
> X-Cache: HIT
> Content-Length: 1270
> 
> 
> 
> NON-SSL configuration 
> Listen 172.16.130.2:80
> 
> 
> 
> ProxyRequests On
> ProxyVia On
> 
> 
> 
>  Require expr %{HTTP_HOST} =~ /^example.com:443$/
> 
> 
> 
>  
> 
> On Tue, Apr 10, 2018 at 9:34 AM, Stefan Eissing 
>  wrote:
> 
> 
> > On 10.04.2018 at 10:24, Rajesh Cherukuri wrote:
> >
> > hi
> >
> > thanks for the info , wanted to know if there is a way we can configure SSL 
> > on  a apache forward proxy   so that the communication between the client 
> > (browser) to the Proxy server is encrypted
> 
> Not sure what exactly you looking for. If you have:
> 
> Browser <-c1-> Apache <-c2-> Backend
> 
> where Apache acts as forward proxy, the both c1 and c2 can be TLS 
> connections, e.g. encrypted. But that means that the data is unencrypted 
> "inside" the Apache server. There is no end-to-end encryption between Browser 
> and Backend.
> 
> As for the TLS c2 connection setup, you have to specify "https:" for your 
> proxied backend and can influence the setup with the various "SSLProxy*" 
> directives.
> 
> Cheers,
> 
> Stefan
> 
> 





Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Rajesh Cherukuri
HI

 i am not looking for end to end encryption , all i want to do is make
apache a forward proxy configured on SSL and accept  HTTPS and proxy the
urls based on the ACL's' below is my Vhost configuration where i have a
forward proxy which is configured to allow only to example.com

  when i disabled SSL everything works fine and i can proxy to
https://example.com below is the curl output , but when i have proxy
configured as SSL  the request seems to be failing

*SSL enabled -doesn't work *

curl -I -x https://172.16.130.2:443 https://example.com
*curl: (56) Proxy CONNECT aborted*


ProxyRequests On
ProxyVia On
SSLProxyEngine On
SSLEngine On
SSLProxyVerify none
SSLCertificateFile /etc/pki/tls/certs/1.cert
SSLCertificateKeyFile /etc/pki/tls/private1.key


 Require expr %{HTTP_HOST} =~ /^example.com:443$/





*SSL disabled -works fine *


curl -I -x http://172.16.135.4:8082  https://example.com
HTTP/1.0 200 Connection Established
Proxy-agent: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips

*HTTP/1.1 200 OK*
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 10 Apr 2018 09:08:37 GMT
Etag: "1541025663+gzip"
Expires: Tue, 17 Apr 2018 09:08:37 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (lga/1318)
X-Cache: HIT
Content-Length: 1270



*NON-SSL configuration *
Listen 172.16.130.2:80 


ProxyRequests On
ProxyVia On



 Require expr %{HTTP_HOST} =~ /^example.com:443$/





On Tue, Apr 10, 2018 at 9:34 AM, Stefan Eissing <
stefan.eiss...@greenbytes.de> wrote:

>
>
> > On 10.04.2018 at 10:24, Rajesh Cherukuri wrote:
> >
> > hi
> >
> > thanks for the info , wanted to know if there is a way we can configure
> SSL on  a apache forward proxy   so that the communication between the
> client (browser) to the Proxy server is encrypted
>
> Not sure what exactly you looking for. If you have:
>
> Browser <-c1-> Apache <-c2-> Backend
>
> where Apache acts as forward proxy, the both c1 and c2 can be TLS
> connections, e.g. encrypted. But that means that the data is unencrypted
> "inside" the Apache server. There is no end-to-end encryption between
> Browser and Backend.
>
> As for the TLS c2 connection setup, you have to specify "https:" for your
> proxied backend and can influence the setup with the various "SSLProxy*"
> directives.
>
> Cheers,
>
> Stefan
>
>


Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Stefan Eissing


> On 10.04.2018 at 10:24, Rajesh Cherukuri wrote:
> 
> hi 
> 
> thanks for the info , wanted to know if there is a way we can configure SSL 
> on  a apache forward proxy   so that the communication between the client 
> (browser) to the Proxy server is encrypted 

Not sure what exactly you looking for. If you have:

Browser <-c1-> Apache <-c2-> Backend

where Apache acts as forward proxy, the both c1 and c2 can be TLS connections, 
e.g. encrypted. But that means that the data is unencrypted "inside" the Apache 
server. There is no end-to-end encryption between Browser and Backend.

As for the TLS c2 connection setup, you have to specify "https:" for your 
proxied backend and can influence the setup with the various "SSLProxy*" 
directives.

Cheers,

Stefan



Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Rajesh Cherukuri
hi

thanks for the info , wanted to know if there is a way we can configure SSL
on  a apache forward proxy   so that the communication between the client
(browser) to the Proxy server is encrypted


Re: [users@httpd] Apache2.4 forward proxy ssl between client and proxy server

2018-04-10 Thread Nick Kew

> On 10 Apr 2018, at 07:31, Rajesh Cherukuri  wrote:
> 
> HI 
> 
> I am looking for some help in configuring a forward proxy , the proxy has to 
> listen on HTTPS port , clients need to connect to proxy using  https and 
> below is how i wanted this to work , 

This won’t work.  Your intended proxy is a “man in the middle” attack.  Clients
will see that its certificate doesn’t match the domain they’re visiting, and rightly
refuse to make an SSL connection that’s being eavesdropped.

— 
Nick Kew