Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r
OS X 10.6.8

I need help with a forward proxy setup and SSL.

I have created a simple httpd.conf file with two virtual hosts, listening on 8080 and 8443 (accepting SSL connections). I'm using a self-signed certificate for testing. With this config both of these requests work just fine:

http://localhost:8080/foo.txt
https://localhost:8443/foo.txt (issues a warning about the self-signed cert, of course)

I enabled mod_proxy (and _http and _connect) and then I set up both Firefox and Chrome to proxy http to localhost:8080 and https to localhost:8443.

The forward proxy works fine for non-SSL requests. Any non-SSL site I go to is passed through my local Apache proxy.

But, the SSL pages do not work, and with LogLevel debug I see:

[Wed Aug 24 11:54:42 2011] [info] SSL Library Error: 336027803 error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request speaking HTTP to HTTPS port!?

So, I assume I'm not understanding the configuration needed to proxy the SSL requests.

Here's my httpd.config. Again, this config will serve local files over http or https fine. And when a browser is set up to proxy via localhost:8080 normal http proxy works fine (and I can see all web pages I access logged as they are proxied). But, with the browser https proxy config set to localhost 8443, https requests fail with the error above.

moseley@bair ~/Documents/apache $ cat httpd.conf
ServerRoot /Users/moseley/Documents/apache
PidFile apache.pid
Lockfile accept.lock

LoadModule ssl_module /usr/libexec/apache2/mod_ssl.so
LoadModule proxy_module /usr/libexec/apache2/mod_proxy.so
LoadModule proxy_http_module /usr/libexec/apache2/mod_proxy_http.so
LoadModule proxy_connect_module /usr/libexec/apache2/mod_proxy_connect.so
LoadModule log_config_module /usr/libexec/apache2/mod_log_config.so

LogLevel Debug
CustomLog logs/access_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Listen localhost:8080
Listen localhost:8443

DocumentRoot /Users/moseley/Documents/apache/htdocs
ServerName hank.org
SSLSessionCache dbm:ssl.cache

<VirtualHost *:8080>
    ProxyRequests ON
</VirtualHost>

<VirtualHost *:8443>
    ProxyRequests ON
    # This needed?
    AllowCONNECT 443 8443
    SSLEngine on
    SSLCertificateFile certs3/server.crt
    SSLCertificateKeyFile certs3/server.key
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>

-- 
Bill Moseley
mose...@hank.org
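
The failure described in the post, shown as an added example that is not part of the original message: a browser sends `CONNECT host:443 HTTP/1.1` to its configured HTTPS proxy in clear text, so a listener with `SSLEngine on` receives HTTP where mod_ssl expects a TLS ClientHello, which is the logged error. The sketch below assumes Apache 2.2 syntax, assumes `mod_authz_host.so` sits beside the other modules in the post, and assumes the browser's HTTP and SSL proxy settings both point at localhost:8080.

```apache
# Added example, Apache 2.2 syntax. Module paths follow the post's layout;
# the mod_authz_host path is an assumption.
LoadModule proxy_module         /usr/libexec/apache2/mod_proxy.so
LoadModule proxy_http_module    /usr/libexec/apache2/mod_proxy_http.so
LoadModule proxy_connect_module /usr/libexec/apache2/mod_proxy_connect.so
LoadModule authz_host_module    /usr/libexec/apache2/mod_authz_host.so
LoadModule ssl_module           /usr/libexec/apache2/mod_ssl.so

Listen localhost:8080
Listen localhost:8443

# Forward proxy: plain HTTP listener only. The browser speaks clear-text
# HTTP to this port for both http:// requests and CONNECT tunnels; TLS for
# https:// sites runs end to end inside the tunnel, between browser and origin.
<VirtualHost *:8080>
    ProxyRequests On

    # Ports a CONNECT tunnel may reach. Keep this list short so the proxy
    # cannot be used to tunnel to arbitrary services.
    AllowCONNECT 443 8443

    # A forward proxy must not be open: allow the local machine only.
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 ::1
    </Proxy>
</VirtualHost>

# The SSL listener keeps serving local files over https://localhost:8443/
# but is no longer a proxy endpoint, so no ProxyRequests/AllowCONNECT here.
<VirtualHost *:8443>
    SSLEngine on
    SSLCertificateFile    certs3/server.crt
    SSLCertificateKeyFile certs3/server.key
</VirtualHost>
```

With this layout the access log on port 8080 shows `CONNECT host:443` lines for HTTPS sites rather than full URLs, because the proxy only relays the encrypted tunnel.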