Article delegate-en/4251 of [1-5169] on the server localhost:119
[Reference:<_A4250@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: HTTPS to HTTPS Rewriting
03 Dec 2008 07:25:40 GMT Geeosor <praiabdyi-pbcajt5fjb3r.ml@ml.delegate.org>


Hello Yutaka,

Yutaka Sato wrote:
> Hi,
> 
> In message <_A4249@delegate-en.ML_> on 12/02/08(02:20:58)
> you Geeosor <praiabdyi-pbcajt5fjb3r.ml@ml.delegate.org> wrote:
>  |Apache2 mod_proxy only supports rewriting the HTTP headers, but not the
>  |content. Although there is an external apache module mod_proxy_html
>  |capable of doing that: http://apache.webthing.com/mod_proxy_html/
> 
> I see. It seems to be a relatively new feature.

Yes, and it must be compiled against apache, which sometimes is not what
you want or are permitted to do.

>  |But I prefer the Delegate approach...
> 
> I'm interested in how they (and other reverse proxies) think about
> rewriting JavaScript because it is difficult and muddy to find URLs
> chopped and scattered in the script.
> DeleGate does the rewriting but not by default.  You need the
> following option to enable rewriting of XML and JavaScript, etc.
> 
>   URICONV=where:any
>
> This should be the default in future.

That's great to know. The website we want to proxy is quite simple and
does not use any ajax, but if needed, that feature comes in really handy.

> 
>  |> It will be helpful for other users to show how you configured
>  |> Apache to do it.
>  |
>  |The complete configuration would be:
>  |
>  |Global config:
>  |        ...
>  |        <ProxyMatch http://localhost:70[0-9][0-9]/.*>
>  |              Order deny,allow
>  |              Allow from all
>  |        </ProxyMatch>
>  |        ...
>  |
>  |Virtualhost:
>  |        ...
>  |        ProxyRequests On
>  |        ProxyPass /support/kb/ http://localhost:8888/kb/
>  |        ProxyPassReverse /support/kb/ http://localhost:8888/kb/
>  |        ...
>  |
>  |Obviously localhost:8888 would be the Delegate as proxy to host2.
>  |
>  |Hope this is enough info. Otherwise just drop me a mail.
> 
> Thank you.  This is the first time I saw the configuration of Apache
> and I thought that "ProxyXXXX" means forwarding the request to the next
> hop regarding it as a HTTP proxy.  But it seems to mean that Apache
> (mod_xxx) itself acts as a proxy server rather than an origin server.

Yes, I think that's the case. With apache2 it's even possible to proxy
SSL requests, like so:

SSLProxyEngine on
RewriteRule ^/support/?(.*)$  https://support.domain.tld/$1 [L,P]

>  |>  |> Anyway, you seem to want to do a mapping like this:
>  |>  |> 
>  |>  |>   1) https://secure/support/  <-->  http://support/
>  |>  |>   2) https://secure/support/  <---  https://support/
>  |>  |> 
>  |>  |> Am I right?
>  |>  |
>  |>  |In fact we want to make https://support also available under the 2nd url
>  |>  |https://secure/support/. In order to reduce complexity we decided that
>  |>  |there is no need to have https between host2 and delegate.
>  |> 
>  |> Maybe you can do it with STLS=-fcl STLS=fsv:https if necessary.
> 
> If you don't need SSL between web1/host1 and DeleGate, this STLS=-fcl
> is not necessary.

OK

>  |I tried something similar, but had no success.  If I am right, this
>  |combination should decrypt traffic between delegate and host2 in order
>  |to provide it to host1?
> 
> We can't rewrite an HTTPS/SSL message (including URLs to be rewritten)
> without decrypting it, of course.
> 
>  |If so, I would certainly need to accept the
>  |certificate for host2 (support...)?
> 
> DeleGate does not verify the certificate by default.  If the problem
> is in the SSL layer, you will get hints in your LOGFILE of DeleGate
> with TLSCONF=-vd option in detailed level.

Yes, I saw posts about this in your list.

Thank you very much for your expert support. Hope to be able to give
back something someday...

cheers

   GeE
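
A hardened form of the Apache-side settings discussed in this thread, as an added example that is not part of the original messages. It assumes Apache httpd 2.4.5 or later with mod_proxy, mod_proxy_http and mod_ssl loaded, is meant to sit inside the existing HTTPS virtual host, and uses a placeholder path for the CA bundle; it uses ProxyPass rather than the RewriteRule [P] form shown in the message.

```apache
# Added example (not from the thread). Directives go inside the HTTPS
# virtual host that serves https://secure/support/.

# --- Weak form, as in the thread ---------------------------------------
#   ProxyRequests On      # also enables forward proxying; ProxyPass does
#                         # not need it
#   SSLProxyEngine on     # TLS to the backend, but SSLProxyVerify defaults
#                         # to "none", so the backend certificate chain is
#                         # never validated

# --- Corrected form ----------------------------------------------------
# Reverse proxying only: clients cannot ask this server to fetch
# arbitrary URLs on their behalf.
ProxyRequests Off

# Speak TLS to the backend and require a certificate that chains to a CA
# we trust. The bundle path below is a placeholder.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /path/to/backend-ca.pem

# Reject a backend certificate whose name does not match the host in the
# ProxyPass URL, or whose validity period has expired.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# The mapping from the message: /support/ on the front end is served
# from the HTTPS backend. ProxyPassReverse fixes Location-style response
# headers only; links inside the response body still need a content
# rewriter such as mod_proxy_html or DeleGate.
ProxyPass        /support/ https://support.domain.tld/
ProxyPassReverse /support/ https://support.domain.tld/
```

With `SSLProxyVerify require` in place, a backend that presents a self-signed or otherwise untrusted certificate causes the proxied request to fail instead of being forwarded silently.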
