HTTP to HTTPS mapping using proxy servers - apache

I have a Java application which is trying to call an HTTPS endpoint which is set up in my internal network. Also, this request goes through a corporate proxy.
Having said that, I don't want to implement an HTTPS client at my application level. Instead I will just trigger a plain HTTP request, then my proxy will take the HTTP request and delegate it to the HTTPS endpoint, so that the proxy takes care of handling the SSL certificates & keys.
Is this possible with Apache httpd or Squid?
Basically I don't want my application to worry about the SSL certificates etc. Instead, can this be managed at the proxy level?

This should be easy with Apache. In your virtual host add
ProxyPass /myapp https://somehost.com/myapp
ProxyPassReverse /myapp https://somehost.com/myapp
then you can use yourinternalhost.company.com/myapp/
Then watch your error log for SSLProxyCheck* messages (depends on the SSL certificate); see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeercn
mod_proxy: httpd.apache.org/docs/2.4/mod/mod_proxy.html (see ProxyRemote for using another (corporate) proxy)
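A complete virtual host for the setup the answer describes, as an added example that is not the answerer's own configuration: the application speaks plain HTTP to httpd, and httpd opens the TLS connection to the internal endpoint, optionally through the corporate proxy via ProxyRemote. Hostnames, the CA bundle path and the corporate proxy address are placeholders. It requires mod_ssl to be loaded even though this virtual host itself does not serve TLS, because the SSLProxy* directives come from mod_ssl.

```apache
# Added example configuration, not part of the original answer.
# Modules needed: mod_proxy, mod_proxy_http, mod_ssl.
<VirtualHost *:80>
    ServerName yourinternalhost.company.com

    # Required before ProxyPass may target an https:// backend
    SSLProxyEngine On

    # Verify the backend certificate rather than accepting any certificate.
    # This is what produces the SSLProxyCheck* errors mentioned in the answer
    # when the backend certificate does not match the hostname.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    SSLProxyCheckPeerCN On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On

    # Optional: reach somehost.com through the corporate proxy.
    # httpd tunnels the https:// request through it with a CONNECT request,
    # so the corporate proxy must allow CONNECT to port 443.
    # Placeholder address; adjust to the real corporate proxy.
    ProxyRemote https://somehost.com http://corporate-proxy.company.com:3128

    ProxyPass        /myapp https://somehost.com/myapp
    ProxyPassReverse /myapp https://somehost.com/myapp

    # Keep this a reverse proxy only; never an open forward proxy.
    ProxyRequests Off
</VirtualHost>
```

The hop between the Java application and this virtual host is unencrypted, so it should stay on the same host or on a trusted network segment; everything that leaves the network is protected by the TLS session httpd opens, with the peer certificate checked against the internal CA bundle.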

Use Apache as Forward Proxy in a Proxy Chain including Proxy Authentication

I'm building a proxy chain to access an internal proxy from the outside with additional authentication:
Internet -> [Apache Forward Proxy] -> [Internal Squid Proxy] -> Internal Website
The Apache forward proxy is doing TLS including certificate-based authentication (CBA); the Squid proxy requires basic auth with username / password. Authentication works as expected for both components.
The challenge now is to get Apache to act as a forward proxy and to forward the Proxy-Authorization header from the user to the internal proxy.
Here is the current configuration I'm using (mod_proxy and mod_proxy_connect are enabled):
# Enable forward proxy
ProxyRequests On
# Pass all requests on to the squid proxy
ProxyRemote * http://proxy.internal:3128
# Only allow proxy connect to port 443
AllowCONNECT 443
With this setup Apache doesn't forward the Proxy-Authorization header to the internal proxy. All settings I could find for this topic (Proxy-Chain-Auth, ProxyAddHeaders, rewrite rules etc.) only work in reverse proxy mode using ProxyPass. But a reverse proxy doesn't fit here, since in this mode Apache modifies the header and the CONNECT for TLS web servers won't work.
Apache doesn't forward any header fields from the client; in the end a request from Apache to the internal proxy looks like this:
CONNECT someserver.de:443 HTTP/1.0\r\n
Proxy-agent: Apache/2.4.18 (Ubuntu)\r\n
\r\n
I'm aware the Proxy-Authorization field is a hop-by-hop field which is normally not allowed to be passed to the next proxy.
Is it still possible to get Apache to forward a Proxy-Authorization header to the internal proxy when acting as a forward proxy?
There is a bug for a related topic in the Apache bug tracker, but that one is about specifying the username/password hard-coded in the Apache config, which is not what I need. I want to forward the client's authorization individually.
https://bz.apache.org/bugzilla/show_bug.cgi?id=37355

HTTPS proxy with caddy

I am working with a Golang app and Caddy as the HTTP server. The Golang app rejects every HTTP connection; it can only be used over HTTPS. This app is a kind of API/service that is consumed by other apps. As it requires HTTPS, I installed Caddy so I can take advantage of the automatic SSL certificate and use proxy to switch between the ports.
The application is running on port 9000, so the consumers will only write mysite.com and Caddy should be in charge of redirecting those requests to port 9000 while maintaining the HTTPS. The configuration in Caddy for the site is:
mysite.com {
proxy / :9000 {
max_fails 1
}
log logfile
}
Nevertheless, it seems like when the proxy is made the HTTPS is lost. I checked the logs of the application (not the logs of Caddy) and I get this:
http: TLS handshake error from xxx.xxx.xxx.xxx:xxxx: tls: oversized record received with length 21536
So, based on this error, it looks to me like the HTTP proxy made by Caddy is losing the HTTPS. What can I do?
From the Caddy docs:
to is the destination endpoint to proxy to. At least one is required, but multiple may be specified. If a scheme (http/https) is not specified, http is used. Unix sockets may also be used by prefixing "unix:".
So maybe it is sending HTTP requests to the proxied HTTPS endpoint.
Does
mysite.com {
proxy / https://localhost:9000 {
max_fails 1
}
log logfile
}
fix it?
If that is the case, you may not strictly need your app on :9000 to listen on HTTPS. It may simplify your deployment or cert management to just have it listen on HTTP and have Caddy manage all the certs.

How to override scheme and is_ssl in apache HTTP Server for mod_proxy_ajp

We are running Tomcat 7 behind a load balancer that also works as an SSL terminator, and an Apache HTTP Server 2.4. The Apache connects to the Tomcat via mod_proxy_ajp.
For the application it is important that Tomcat is aware that the request is coming in via HTTPS and is thus secure. As e.g. this article recommends, it is common to configure this on Tomcat's Connector using the attributes secure="true" and possibly scheme="https" proxyPort="443". While this works, it is inconvenient, since we are using HTTP for some purposes as well, and thus we would need to set up two Tomcat connectors for this purpose. And it has a smell, since this way we basically tell Tomcat to override the wrong information it gets from the Apache HTTP Server (that the request is HTTPS instead of HTTP), instead of telling Apache that it should send the correct information on the protocol and secure status.
So my question: is it somehow possible to configure the Apache HTTP Server itself so that it passes the correct information via the AJP protocol: that the request was received via HTTPS and is secure? The problem is that it doesn't know it's HTTPS, since there is an SSL terminator before it and the request arrives via HTTP, as far as it is concerned. Can I tell Apache somehow that it's actually HTTPS?
A partial solution seems to be to set the protocol on a ServerName directive in the virtual host in the Apache HTTP Server:
ServerName https://whatever
This way any Location: headers in redirects seem to be rewritten to https in Apache, but Tomcat is still passed the wrong information via AJP.
I always thought that AJP transfers this information automagically, but I'm not using mod_proxy_ajp, rather mod_jk. It's one of the reasons why I much prefer AJP over HTTP (and proxying).
Might be worth changing the module/connection.

GeoServer under https

I am using the Apache web server on localhost:80 and GeoServer served from Tomcat on localhost:8080.
I recently installed an SSL certificate on Apache and it works fine, except that I get the message that says I have insecure content, which I thought were GeoServer layers. So now I'm trying to enable SSL for GeoServer and have OpenLayers content like this https://example.org:8080/geoserver but I'm still not sure what's the best approach to do that.
My suggestion:
Add a (reverse) proxy in Apache and configure your web application so that it connects only to the Apache proxying the GeoServer.
ProxyPass "/geoserver" "http://localhost:8080/geoserver"
ProxyPassReverse "/geoserver" "http://localhost:8080/geoserver"
This way you only need to allow HTTPS in the firewall and nobody from outside will have the chance to reach GeoServer's web interface unless you enable port 8080 on the firewall. Also see https://gis.stackexchange.com/q/4323/109339 for further details.
Please note that you should set the proxy base URL of GeoServer (https://docs.geoserver.org/stable/en/user/configuration/globalsettings.html#proxy-base-url) to the publicly reachable URL via your Apache, e.g. https://your-apache.com/geoserver; otherwise the absolute URLs generated by GeoServer in e.g. GetCapabilities start with http://localhost:8080/geoserver (which is not reachable anymore).
If you didn't already have Apache in use, I would recommend nginx.
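The two ProxyPass lines from the answer placed in a full TLS-terminating virtual host, as an added example that is not the answerer's configuration. Hostnames and certificate paths are placeholders. The plain-HTTP virtual host only redirects, so mixed-content warnings cannot come from this side, and Tomcat's port 8080 is only reached from localhost through the proxy.

```apache
# Added example configuration, not part of the original answer.
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_headers.

# Port 80: redirect everything to HTTPS, serve nothing here
<VirtualHost *:80>
    ServerName your-apache.com
    Redirect permanent "/" "https://your-apache.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName your-apache.com
    SSLEngine On
    # Placeholder paths for the certificate already installed on Apache
    SSLCertificateFile    /etc/ssl/certs/your-apache.com.pem
    SSLCertificateKeyFile /etc/ssl/private/your-apache.com.key

    # Reverse proxy only; an open forward proxy would be reachable from the Internet
    ProxyRequests Off

    # Let GeoServer see the public Host header instead of localhost:8080
    ProxyPreserveHost On

    # Tell the backend the original scheme; together with the GeoServer
    # proxy base URL setting this keeps generated links on https
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        "/geoserver" "http://localhost:8080/geoserver"
    ProxyPassReverse "/geoserver" "http://localhost:8080/geoserver"
</VirtualHost>
```

The backend hop from Apache to Tomcat stays plain HTTP on the loopback interface, which is acceptable only because port 8080 is not exposed by the firewall; the GeoServer proxy base URL still has to be set to https://your-apache.com/geoserver as the answer says, since ProxyPassReverse only rewrites Location, Content-Location and URI headers, not URLs inside GetCapabilities bodies.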

How to setup a forward proxy and a reverse proxy on the same server using Apache HTTPD

I have an application that acts as both an HTTP server and an HTTP client. For security reasons, the application runs on a server on a protected/internal network. I would like to set up an HTTP proxy that acts as an external interface for external parties to access the application.
For external HTTP clients to access my application, I would like to have a reverse proxy to handle such scenarios.
For HTTP requests from my application to external parties, I would like to have a forward proxy to ensure that my proper external URLs are sent to the external parties.
Question: Can Apache HTTPD proxy be configured to run as both a forward proxy and a reverse proxy at the same time?
The short answer (from my reading of the docs) is No.
The forward proxy is activated using the ProxyRequests directive
A reverse proxy is activated using the ProxyPass directive.
The reverse proxy docs state:
The ProxyRequests directive should usually be set off when using ProxyPass.
I think if you enable both on the same server, there will be a possible clash in your Allow, Deny settings for IPs etc.
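The clash the answer worries about arises when ProxyRequests On and ProxyPass share one virtual host, because the access rules in a single <Proxy> block would then govern both roles. ProxyRequests is a server-config / virtual-host directive, so the two roles can be separated into different virtual hosts on one httpd, each with its own access control. The following is an added example illustrating that separation, not configuration from the question or answer; the hostnames, the backend address 10.0.0.5 and the internal listener address are placeholders.

```apache
# Added example configuration, not part of the original answer.
# Modules needed: mod_proxy, mod_proxy_http, mod_proxy_connect, mod_ssl.

# Role 1, reverse proxy: external clients reach the internal application here.
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine On
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # Off, as the docs quoted above require; On here would turn the
    # Internet-facing host into an open proxy.
    ProxyRequests Off
    ProxyPass        "/" "http://10.0.0.5:8080/"
    ProxyPassReverse "/" "http://10.0.0.5:8080/"
</VirtualHost>

# Role 2, forward proxy: only the internal application may use it, bound to an
# internal address and port that the firewall does not expose externally.
Listen 10.0.0.1:3128
<VirtualHost 10.0.0.1:3128>
    ServerName proxy.internal

    ProxyRequests On
    ProxyVia On

    # Without this block every client that can reach the port may proxy through it.
    <Proxy "*">
        Require ip 10.0.0.5
    </Proxy>

    # Only permit CONNECT tunnels to the HTTPS port
    AllowCONNECT 443
</VirtualHost>
```

With the roles split this way the reverse-proxy host never has ProxyRequests On, and the forward-proxy host is restricted by address, listener and Require rule, so neither configuration interferes with the other's access control.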