Hi,
I was trying to set up a forward proxy solution with Apache, but via
port 443 (SSL) rather than just via 80. So I hope it should work as in the
following diagram:
Client(IP1:Random)                (IP2:443)Apache(IP2:Random)           (IP3:443)Web Server
1 |--------SSL Hand Shake---------->(443)|
2 |-CONNECT IP3:443 HTTP/1.1------->(443)|
3                                        |----TCP hand shake------>(443)|
4 |<-HTTP/1.0 200 Established------(443)|
6 |------------------------SSL Hand Shake------------------------->(443)|
7 |------GET / HTTP/1.1----------->(443)|----GET / HTTP/1.1------>(443)|
8 |<------------HTML---------------(443)|<---------HTML-----------(443)|
So I configured my Apache server like this:
<VirtualHost _default_:443>
    # Act as a forward proxy: accept CONNECT / absolute-URI requests from clients
    ProxyRequests On
    # Access control for the forwarded requests (as written, any client may use the proxy)
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
</VirtualHost>
I did the following test. It looks like Apache works: after the SSL
handshake, I sent "CONNECT IP3:443 HTTP/1.1" to the Apache proxy (encrypted), Apache
decrypted the CONNECT instruction correctly, tried to connect to IP3 and
returned "HTTP/1.0 200 Connection Established..", BUT the only problem is that
Apache returned the HTTP/1.0 200 in PLAIN TEXT, so my client doesn't
understand it and stops. Here is the test log:
1. Connect to proxy:
openssl s_client -connect IP2:443 -state -debug
SSL handshake has read 1361 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
FC2A51765458493165B386D05A1DAF2CEAE4C762078D534ADD862E1802381486
Session-ID-ctx:
Master-Key:
695B9E094F07F7ECD0B73EC8E0FC0A441B8A96C41CE2B85E771C85DC5AADC5BBB41F1DDA7F38
7D62B0C808A6411BFDB6
Key-Arg : None
Krb5 Principal: None
Start Time: 1209048482
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
2. I sent the CONNECT instruction:
CONNECT 209.47.41.27:443 HTTP/1.1
Host: www.testhost.com
SSL3 alert write:fatal:protocol version
32713:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:288:
SSL3 alert write:warning:close notify
I traced on the proxy server; actually, it returned "HTTP/1.0 200
Connection Established.." in PLAIN TEXT, which caused this problem.
Very Best Regards!
Stephen
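An added example (not code from Stephen's post or from Apache) that reproduces offline what the s_client log above shows: the CONNECT reply that came back in plain text is read by the client's TLS record layer as content type 'H' (0x48) and version 'TT' (0x5454), which is exactly the "wrong version number" alert in the log. The sample reply bytes and the host/port values are constructed.

```python
import re
import struct

# TLS record content types and versions a client accepts after the handshake
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_connect(host: str, port: int) -> bytes:
    """The CONNECT request the client sends to the proxy (inside the proxy's TLS session)."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")

def parse_connect_reply(data: bytes):
    """Return (status_code, reason) if data starts with an HTTP status line, else None."""
    m = re.match(rb"HTTP/1\.[01] (\d{3}) ([^\r\n]*)\r?\n", data)
    if not m:
        return None
    return int(m.group(1)), m.group(2).decode("ascii", "replace")

def as_tls_record_header(data: bytes):
    """Interpret the first 5 bytes the way a TLS record layer does: type, version, length."""
    if len(data) < 5:
        return None
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {"type": TLS_CONTENT_TYPES.get(ctype, f"invalid(0x{ctype:02x})"),
            "version": TLS_VERSIONS.get(version, f"wrong(0x{version:04x})"),
            "length": length}

def diagnose(data: bytes) -> str:
    """Explain what the client sees on the proxy connection right after sending CONNECT."""
    hdr = as_tls_record_header(data)
    if hdr and not hdr["type"].startswith("invalid") and not hdr["version"].startswith("wrong"):
        return "tls-record: the reply came back inside the TLS session (what the client expects)"
    reply = parse_connect_reply(data)
    if reply:
        return (f"plaintext-http: '{reply[0]} {reply[1]}' was sent outside TLS; the client's record "
                f"layer reads type {hdr['type']}, version {hdr['version']} -> 'wrong version number'")
    return "unknown: neither a TLS record nor an HTTP status line"

# Constructed samples: the plaintext reply seen in the trace, and a reply wrapped as a TLS record
PLAINTEXT_REPLY = b"HTTP/1.0 200 Connection Established\r\n\r\n"
TLS_APPDATA_REPLY = b"\x17\x03\x01" + struct.pack("!H", 5) + b"\x00" * 5

if __name__ == "__main__":
    print(build_connect("203.0.113.10", 443).decode())  # 203.0.113.10 is a documentation address
    print(diagnose(PLAINTEXT_REPLY))
    print(diagnose(TLS_APPDATA_REPLY))
```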