It’s a common pattern to have TLS terminating proxy in your DMZ before proxying to an internal server using HTTP.
I want the opposite however: be able to access a HTTPS server using HTTP. HTTPS server is on internet, and HTTP client is within same LAN as the proxy.
Any ideas?
Related
I have an Apache server in front of a Websocket Tomcat server, and I would like to restrict access to secure websockets only (wss://).
How can I achieve that in Apache configuration ?
One thing that I do not understand is that even if I block port 80 (not 443) on AWS, it is still possible for me to connect to my unsecured ws via Simple WebSocket Client, whereas a telnet myHost 80 is logically failing...
Actually, configuring Apache with SSL is enough : it will redirect all HTTP traffic to HTTPS.
I did not figure out that quickly, but I can only connect with WS protocol only after I have been redirected by the browser with a simple HTTP request to HTTPS. And then, when I try to connect with WS, looking at Chrome Developer tools, I can see in request headers that the final endpoint is WSS.
So, in Simple WebSocket Client, I am actually silently redirected to WSS endpoint when trying to connect with insecure WS. As I said previously, this silent redirection is enabled only after a HTTP to HTTPS redirection on a simple call in the browser. You can check it by closing your browser and trying to reconnect in WS via Simple WebSocket Client : you will get a 403 HTTP error.
How can I set up proxy which listens on https and proxies the requests to other server on https without setting up SSL certificate on Apache for inbound https requests?
I just need to proxy the request over https connection.
If you don't have the SSL certificate in question on your apache box, it will be very difficult to set up proxying. The site configurations usually rely on the Host header and the URI path, which you won't have if you can't unwrap SSL.
Instead, if all SSL traffic is to be forwarded unconditionally, you might consider a TCP proxy instead of an application proxy.
There are several ways of setting this up, and it will vary depending on your chosen platform. If you're running on Linux, you can easily set up an iptables rule to forward requests to 443 to some remote host.
I've used both Apache and nginx as a reverse proxy performing HTTPS termination (listening on port 443) and forwarding the unencrypted HTTP traffic to Tomcat on port 8080 before.
However, what I need to do now is do the opposite. I have some client applications running on localhost that are (for simplicity) just talking plain HTTP. I want to be able to tell these client apps to use a forward proxy (on localhost) that will convert them to HTTPS and use a client-side certificate for the communication to the origin. Ie, the client will think it is communicating plain HTTP on port 80, but the traffic will actually leave the host as HTTPS on port 443.
Does anyone know how to configure mod_proxy to do this (or even if it is possible)?
At a further stage, I may need to configure the proxy to use different client certificates based on headers set by the client and also have mod_proxy use RFC 5077 (quick session resumption).
It doesn't have to be Apache (so if nginx or squid can do the function I'm happy with that) as long as it's not a resource hog. We already have Apache running as a reverse proxy anyway so it would be handy if Apache can do it.
I have successfully implemented the two different jboss 5 instaces with Apache HTTP Server and can access the application through the HTTP server (i.e. http://localhost:8089) where my http server is listening on port 8089 This was the smooth case. But when talking about HTTP Secured layer have enabled the Apache HTTP SSL by following the steps provided on this page and on default secure port (i.e. 443) now i can access the HTTP Server from secure layer by url: https://localhost/. But when i hit my jboss application, I ended up with following error in browser:
Not Found
The requested URL /myApp was not found on this server.
can anyone let me know how to deal with this?
Thanks
First of all I want to make clear that i am not talking about accessing content which is on origin servers that deliver using https which can be done using the module mod_proxy_connect.
What I want is a secured connection between the client and the proxy, also when the origin that is requested actually is served by an unsecured standard http server.
I am using apache 2.2 and also would like to make this possible with apache if that works.
I sniffed some requests using wireshark and noted the following:
A usual http of the url http://example.com/file looksl ike this:
on a connection to the origin server:
GET /file HTTP 1.1
Host: example.com
Note that the host information is stripped from the actual request and the host header is supplied instead (which can be handled server side in named virtual hosts).
When the request goes through a proxy server it looks slightly different:
on a connection to the proxy server:
GET http://example.com/file HTTP 1.1
Host: example.com
Note that the request line now actually contains the full url including protocol and hostname.
The host header is probably redundant, bus if I read the RFC correctly it is required by HTTP 1.1.
So I think about setting up an apache webserver listening on port 443, enable a virtualhost with ssl engine and certificates up and do not bind it to any hostname.
I think that should get apache to talk ssl, but however the certificates common name will not match the host specfied in the connect line to the proxys server ip adress.
Is what I want to to even possible with current standards and if so how can I do it?
Yes of course, that's what HTTPS proxy is.
Client connects to proxy over SSL, sends commands to proxy in text.
It is also possible to use HTTP CONNECT to establish HTTPS connection "inside" the SSL connection to HTTPS proxy, though not all clients support this:
HTTPS connection over HTTPS proxy
client proxy server
ssl \-------/ ssl
connect---------200 OK
ssl \---------------------------/ ssl
data-------------------------------data
/---------------------------\
/-------\
HTTP connection over HTTPS proxy
client proxy server
ssl \-------/ ssl
GET http://server/ ->
GET /
Host: server ->
<---------OK, data
<--------------OK, data
/-------\