HTTPS tunnelling to a backend server through Apache proxy

+5 votes
284 views

We are trying to set up HTTPS tunnelling to a backend server through an Apache proxy, but we are finding that the client connects but Apache does not send the traffic through to the backend server.

Config we have on our Apache proxy virtual host is

DocumentRoot "/usr/local/apache/htdocs/ibcm/" 
ServerName test.testdom.local 
ErrorLog logs/ibcm 
ServerAdmin webmaster@testdom.local 
ProxyRequests On 
AllowConnect 443 
SSLEngine on 
SSLHonorCipherOrder On 
SSLProtocol -ALL SSLv3 TLSv1 
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4RSA:HIGH:MEDIUM 
SSLCertificateFile "/etc/ssl/crt/ibcm.crt" 
SSLCertificateKeyFile "/etc/ssl/crt/testdom.key" 
SSLCertificateChainFile "/etc/ssl/crt/CA-DOM.crt" 
 Order deny,allow 
 Deny from all 
 Order deny,allow 
 Allow from all 

Anybody know what we are not doing correctly? Also we found Apache would not start without us putting in the root certificate. Thought it would not need any certificate for tunnelling, so wonder if we have missed something.

posted Feb 11, 2014 by Meenal Mishra


1 Answer

+1 vote

Are you trying to set up a Forward Proxy or a Reverse Proxy (explanation: http://www.jscape.com/blog/bid/87783/Forward-Proxy-vs-Reverse-Proxy )?

Your configuration looks like a forward proxy but your post implies that you really want a reverse proxy.
See this part of the HTTPD manual for more about reverse proxy setup: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#forwardreverse

A reverse proxy is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. It is NOT necessary to turn ProxyRequests on in order to configure a reverse proxy.

answer Feb 11, 2014 by Mandeep Sehgal

It is a forward proxy we are trying to set up now, because a reverse proxy does not work for our backend application, which is on IIS and requires client certificate information to be passed to the backend.

Can you help us with why the forward proxy configuration is not working?

In order to use a forward proxy, your client must be configured for it - in which case your client will pass ALL of its traffic through the proxy. Have you done that?

If that is not what you want, then what you are trying to do is not possible with Apache.
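
Added example, not part of the original thread: the two modes the answer distinguishes, side by side in Apache 2.2 syntax. The proxy hostname, port 3128, the 10.0.0.0/8 client range and the backend URL are assumptions; the certificate paths are the ones from the question.

```apache
# --- Forward proxy: CONNECT tunnelling (needs mod_proxy and mod_proxy_connect) ---
# Clients must be explicitly configured to use this host and port as their proxy.
# Port 3128 and the hostname are assumed values.
Listen 3128
<VirtualHost *:3128>
    ServerName proxy.example.internal
    ProxyRequests On
    # Only allow tunnels to port 443.
    AllowCONNECT 443
    # No SSLEngine or certificate here: the proxy relays the tunnelled bytes, and
    # TLS (including any client certificate) is negotiated end to end between
    # the client and the backend.
    <Proxy *>
        # Limit who may use the proxy; "Allow from all" makes it an open proxy.
        # 10.0.0.0/8 is an assumed internal client range.
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Proxy>
</VirtualHost>

# --- Reverse proxy: ProxyPass, with ProxyRequests left Off ---
# Assumes "Listen 443" is already configured elsewhere.
<VirtualHost *:443>
    ServerName test.testdom.local
    SSLEngine on
    SSLCertificateFile "/etc/ssl/crt/ibcm.crt"
    SSLCertificateKeyFile "/etc/ssl/crt/testdom.key"
    ProxyRequests Off
    # TLS from the client ends at Apache; Apache then opens its own TLS
    # connection to the backend (assumed URL below).
    SSLProxyEngine on
    ProxyPass / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/
</VirtualHost>
```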