DevHeads.net

Apache Proxy https

Hi,
Can someone help me with this? I am trying to configure Apache as a forward
proxy so that clients can connect to HTTPS URLs. Below is my
configuration. I get a 403 when connecting to HTTPS URLs; I can connect
to HTTP URLs without any issues if I update the vhost below with
<Proxy "http://example.com">. My Apache version is 2.4.

*Vhost configuration*

Listen xxx.xx.xxx.x:8082

<VirtualHost xxx.xx.xxx.x:8082>
ServerName testnew1.com
ProxyRequests On
ProxyVia On
SSLProxyEngine On

<Proxy "*">
Require all denied
</Proxy>
<Proxy "https://example.com">
ProxySet connectiontimeout=5 timeout=30
Require all granted
</Proxy>
</VirtualHost>

error log

[Tue Mar 13 14:33:10.305463 2018] [ssl:debug] [pid 28530]
ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost testnew1.com:80,
skipping SSL setup
[Tue Mar 13 14:33:10.437213 2018] [ssl:debug] [pid 28530]
ssl_engine_pphrase.c(181): AH02199: SSL not enabled on vhost testnew1.com:80,
skipping SSL setup
[Tue Mar 13 14:33:10.479295 2018] [proxy:debug] [pid 28536]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.479327 2018] [proxy:debug] [pid 28536]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.479394 2018] [proxy:debug] [pid 28536]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28536 for (example.com)
[Tue Mar 13 14:33:10.479428 2018] [proxy:debug] [pid 28536]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.479438 2018] [proxy:debug] [pid 28536]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.479477 2018] [proxy:debug] [pid 28536]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28536 for (*)
[Tue Mar 13 14:33:10.493164 2018] [proxy:debug] [pid 28537]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.493195 2018] [proxy:debug] [pid 28537]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.493263 2018] [proxy:debug] [pid 28537]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28537 for (example.com)
[Tue Mar 13 14:33:10.493298 2018] [proxy:debug] [pid 28537]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.493309 2018] [proxy:debug] [pid 28537]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.493351 2018] [proxy:debug] [pid 28537]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28537 for (*)
[Tue Mar 13 14:33:10.496458 2018] [proxy:debug] [pid 28538]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.496488 2018] [proxy:debug] [pid 28538]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.496556 2018] [proxy:debug] [pid 28538]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28538 for (example.com)
[Tue Mar 13 14:33:10.496590 2018] [proxy:debug] [pid 28538]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.496601 2018] [proxy:debug] [pid 28538]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.496643 2018] [proxy:debug] [pid 28538]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28538 for (*)
[Tue Mar 13 14:33:10.500193 2018] [proxy:debug] [pid 28539]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.500226 2018] [proxy:debug] [pid 28539]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.500296 2018] [proxy:debug] [pid 28539]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28539 for (example.com)
[Tue Mar 13 14:33:10.500333 2018] [proxy:debug] [pid 28539]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.500344 2018] [proxy:debug] [pid 28539]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.500400 2018] [proxy:debug] [pid 28539]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28539 for (*)
[Tue Mar 13 14:33:10.504005 2018] [proxy:debug] [pid 28535]
proxy_util.c(1843): AH00925: initializing worker https://example.com shared
[Tue Mar 13 14:33:10.504035 2018] [proxy:debug] [pid 28535]
proxy_util.c(1885): AH00927: initializing worker https://example.com local
[Tue Mar 13 14:33:10.504105 2018] [proxy:debug] [pid 28535]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28535 for (example.com)
[Tue Mar 13 14:33:10.504141 2018] [proxy:debug] [pid 28535]
proxy_util.c(1843): AH00925: initializing worker proxy:forward shared
[Tue Mar 13 14:33:10.504152 2018] [proxy:debug] [pid 28535]
proxy_util.c(1885): AH00927: initializing worker proxy:forward local
[Tue Mar 13 14:33:10.504191 2018] [proxy:debug] [pid 28535]
proxy_util.c(1936): AH00931: initialized single connection worker in child
28535 for (*)
[Tue Mar 13 14:33:24.883644 2018] [core:debug] [pid 28536] vhost.c(1170):
[client 172.16.135.4:57782] AH02417: Replacing host header 'example.com:443'
with host 'example.com:443' given in the request uri
[Tue Mar 13 14:33:24.884073 2018] [authz_core:debug] [pid 28536]
mod_authz_core.c(809): [client 172.16.135.4:57782] AH01626: authorization
result of Require all denied: denied
[Tue Mar 13 14:33:24.884090 2018] [authz_core:debug] [pid 28536]
mod_authz_core.c(809): [client 172.16.135.4:57782] AH01626: authorization
result of <RequireAny>: denied
[Tue Mar 13 14:33:24.884099 2018] [authz_core:error] [pid 28536] [client
172.16.135.4:57782] AH01630: client denied by server configuration: proxy:
example.com:443
(END)

*curl test*
* About to connect() to proxy xxx.xx.xxx.x port 8082 (#0)
* Trying xxx.xx.xxx.x..
* Connected to xxx.xx.xxx.x (xxx.xx.xxx.x) port 8082 (#0)
* Establish HTTP proxy tunnel to example.com:443
* Received HTTP code 403 from proxy after CONNECT
* Connection #0 to host xxx.xx.xxx.x left intact
curl: (56) Received HTTP code 403 from proxy after CONNECT

Comments

Re: Apache Proxy https

By Eric Covener at 03/13/2018 - 14:32

AFAICT you cannot match/limit the connectable hosts this way. Fwd
proxy always uses "*".

I don't see good recipes out there, but this worked in my quick test:

<Proxy *>
<RequireAll>
Require host *.mylan.com
Require expr %{HTTP_HOST} =~ /^example\.com:443$/
</RequireAll>
</Proxy>

Re: Apache Proxy https

By Rajesh Cherukuri at 03/14/2018 - 08:15

Eric,

Thanks for the details. However, I have a list of URLs that need to be
allowed. I assume we need to use RequireAny, is that correct? Also, I have
a few URLs like https://www.hp.com/us/en/hp-news. Can I add the URI
within Require expr, or do I need to use ProxyMatch?

Re: Apache Proxy https

By Eric Covener at 03/14/2018 - 08:23

On Wed, Mar 14, 2018 at 9:15 AM, Rajesh Cherukuri < ... at gmail dot com> wrote:

The requireall was only to make sure that the example showed limiting
who can connect also. You could nest a requireany inside with a list
of target hosts.

Re: Apache Proxy https

By Rajesh Cherukuri at 03/14/2018 - 10:50

Yes, the RequireAny works for the list, but I wanted to understand if we
can do both URI and host for a single URL, like Require expr %{HTTP_HOST}
%{REQUEST_URI}, for example "https://www.hp.com/us/en/hp-news", to allow
only a specific part of a website.
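
The nested RequireAny described in the replies, written out in full as an added example (not posted by anyone in the thread). The listen address, ServerName and client network are placeholders; the host patterns follow the `host:443` form shown in the first reply. For HTTPS the client sends the proxy only `CONNECT host:port`, as the curl trace and the AH01630 line above show, so host and port are all the proxy can match on; the URL path travels inside the TLS tunnel.

```apache
# Added example: addresses, ServerName and the client network are placeholders.
Listen 192.0.2.10:8082

<VirtualHost 192.0.2.10:8082>
    ServerName proxy.example.net
    ProxyRequests On
    ProxyVia On

    # Ports a client may name in CONNECT (the default is 443 and 563).
    AllowCONNECT 443

    # Forward-proxy requests are authorized against <Proxy "*">,
    # so the whole policy lives in this one section.
    <Proxy "*">
        <RequireAll>
            # Who may use the proxy (assumed client network).
            Require ip 10.0.0.0/8

            # Where they may go: one anchored pattern per target, with the
            # dots escaped so "." matches only a literal dot.
            <RequireAny>
                Require expr %{HTTP_HOST} =~ /^example\.com:443$/
                Require expr %{HTTP_HOST} =~ /^www\.hp\.com:443$/
            </RequireAny>
        </RequireAll>
    </Proxy>
</VirtualHost>
```

Any request that fails either the client check or the target list is refused with 403 and logged as AH01630, which makes the error log a direct record of attempts to reach hosts outside the list.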