[Issues] [mod_gnutls 0000097]: Support for proxying from SSL to plain HTTP

Mantis Bug Tracker issues at outoforder.cc
Fri Jul 8 10:32:25 EDT 2011


The following issue has been ASSIGNED. 
====================================================================== 
http://issues.outoforder.cc/view.php?id=97 
====================================================================== 
Reported By:                belg4mit
Assigned To:                dashula
====================================================================== 
Project:                    mod_gnutls
Issue ID:                   97
Category:                   Apache Integration
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
Apache Version:             2.0.52 
====================================================================== 
Date Submitted:             2009-04-09 04:59 EET
Last Modified:              2011-07-08 16:32 EET
====================================================================== 
Summary:                    Support for proxying from SSL to plain HTTP
Description: 
With mod_gnutls it does not seem possible to proxy SSL content.
We have an SSL host (one of several thanks to SNI), and wish to
expose some of its contents over an unencrypted connection via
a proxypass. Trying

  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  <VirtualHost example.org:80>
    ProxyPass /NoAuth https://example.org/NoAuth
  </VirtualHost>

begets

[warn] proxy: No protocol handler was valid for the URL /NoAuth/Calendar/42/. If
you are using a DSO version of mod_proxy, make sure the proxy submodules are
included in the configuration using LoadModule.

With mod_ssl, it seems the SSLProxyEngine directive comes into play here.

Additional Information: 
module version 0.4.3


======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
related to          0000087 mod_gnutls doesn't work with mod_proxy_...
====================================================================== 

---------------------------------------------------------------------- 
 (0000157) nmav (manager) - 2009-06-30 21:09
 http://issues.outoforder.cc/view.php?id=97#c157 
---------------------------------------------------------------------- 
Can you try 0.5.x? 

---------------------------------------------------------------------- 
 (0000162) belg4mit (reporter) - 2009-07-01 01:57
 http://issues.outoforder.cc/view.php?id=97#c162 
---------------------------------------------------------------------- 
Link to http://issues.outoforder.cc/view.php?id=87?

Is Mantis really so lame as to not process email responses, like bugzilla or RT?
Just in case, paste by hand email response to .5.x request:

Once I finally figured out how to get pkg-config to do its thing*,
I upgraded to .5.5 and still get the same error. mod_proxy, mod_proxy_http
and mod_connect are all loaded.

* Required a more modern gnutls than the stated 2.4 (actually >2.7.7 for
  the pkg-config meta files, which gnutls *doesn't even install*) 

---------------------------------------------------------------------- 
 (0000171) nmav (manager) - 2009-07-21 00:19
 http://issues.outoforder.cc/view.php?id=97#c171 
---------------------------------------------------------------------- 
Can you check http://issues.outoforder.cc/view.php?id=87
Is your setup related to his? 

---------------------------------------------------------------------- 
 (0000199) doud (reporter) - 2010-03-16 18:07
 http://issues.outoforder.cc/view.php?id=97#c199 
---------------------------------------------------------------------- 
I have exactly the same problem, for me it's not related with issue 0000087

OS: FreeBSD 8
httpd: apache 2.2.8
mod_gnutls : 5.5

I have just migrated mod_ssl to mod_gnutls, proxy worked fine.
mod_gnutls works without Proxy Requests.

Did you already fix it, or find a solution? 

---------------------------------------------------------------------- 
 (0000200) doud (reporter) - 2010-03-16 18:31
 http://issues.outoforder.cc/view.php?id=97#c200 
---------------------------------------------------------------------- 
I just noticed it works fine when the proxy path is http

        ProxyPass / http://foo.bar.local/
        ProxyPassReverse / http://foo.bar.local/

And not when https:

        ProxyPass / https://foo.bar.local/
        ProxyPassReverse / https://foo.bar.local/

error.log :
[Tue Mar 16 16:30:50 2010] [warn] proxy: No protocol handler was valid for the
URL /. If you are using a DSO version of mod_proxy, make sure the proxy
submodules are included in the configuration using LoadModule. 

---------------------------------------------------------------------- 
 (0000201) nmav (manager) - 2010-03-16 18:51
 http://issues.outoforder.cc/view.php?id=97#c201 
---------------------------------------------------------------------- 
Which version of mod_gnutls do you use? Is it 0.5.5? 

---------------------------------------------------------------------- 
 (0000202) doud (reporter) - 2010-03-16 19:21
 http://issues.outoforder.cc/view.php?id=97#c202 
---------------------------------------------------------------------- 
Yes 0.5.5 

---------------------------------------------------------------------- 
 (0000203) nmav (manager) - 2010-03-16 19:39
 http://issues.outoforder.cc/view.php?id=97#c203 
---------------------------------------------------------------------- 
Then could you please give me the smallest configuration that can be used to
replicate your problem? 

---------------------------------------------------------------------- 
 (0000204) doud (reporter) - 2010-03-17 16:44
 http://issues.outoforder.cc/view.php?id=97#c204 
---------------------------------------------------------------------- 
Client Internet ---HTTPS---> reverse-proxy-with-gnutls ---HTTPS--> internal
server

--------------------------------------------------------------------------
OS: FreeBSD 8
httpd: apache 2.2.8
mod_gnutls : 0.5.5
--------------------------------------------------------------------------
<VirtualHost 10.69.0.50:443>
  ServerName foo.bar.fr

  GnuTLSEnable on
  GnuTLSExportCertificates on
  GnuTLSPriorities SECURE
  GnuTLSCertificateFile "/usr/local/etc/apache22/certificats/foo.bar.fr.crt"
  GnuTLSKeyFile "/usr/local/etc/apache22/certificats/foo.bar.fr.key"

  <Proxy *>
    Order Allow,Deny
    Allow from all
  </Proxy>

  ProxyRequests off
  ProxyPreserveHost On
  ProxyPass / https://internal.host.local/
  ProxyPassReverse / https://internal.host.local/

</VirtualHost>

--------------------------------------------------------------------------
Log :
[Tue Mar 16 16:30:50 2010] [warn] proxy: No protocol handler was valid for the
URL /. If you are using a DSO version of mod_proxy, make sure the proxy
submodules are included in the configuration using LoadModule. 
--------------------------------------------------------------------------
As you can see, the ProxyPass uses httpS.

I hope it will help,
Edouard 

---------------------------------------------------------------------- 
 (0000205) nmav (manager) - 2010-03-17 17:48
 http://issues.outoforder.cc/view.php?id=97#c205 
---------------------------------------------------------------------- 
OK, the problem is when mod_proxy has to proxy HTTPS content (with plain http it
works fine). I noticed that mod_gnutls has to register hooks for mod_proxy to be
able to make TLS/SSL connections. I cannot work on it, but if anyone
contributes a patch, I'll include it. 
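
The diagnosis above means an https:// ProxyPass target fails in any scope where no module gives mod_proxy a TLS client engine. The following is an added example, not part of this thread or of mod_gnutls: a Python lint that flags such directives in a configuration. The names `lint_proxy_tls`, `PROXY_TLS_DIRECTIVES` and the `ok.example` virtual host are assumptions made for illustration.

```python
import re
# mod_ssl's SSLProxyEngine is the directive named in the report; extend via `engines`.
PROXY_TLS_DIRECTIVES = ("sslproxyengine",)

def lint_proxy_tls(conf_text, engines=PROXY_TLS_DIRECTIVES):
    """Return (scope, directive) for https:// proxy targets with no proxy TLS engine on."""
    server = {"name": "<server config>", "tls": None, "https": []}
    scopes, cur = [server], server
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            cur = {"name": opened.group(1).strip(), "tls": None, "https": []}
            scopes.append(cur)
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            cur = server
        else:
            words = [w.strip("\"'") for w in line.split()]
            key = words[0].lower()
            if key in engines and len(words) > 1:
                cur["tls"] = words[1].lower() == "on"
            elif key in ("proxypass", "proxypassmatch") and any(
                    w.lower().startswith("https://") for w in words[1:]):
                cur["https"].append(line)
    findings = []
    for scope in scopes:
        # A virtual host with no setting of its own inherits the server-level one.
        enabled = scope["tls"] if scope["tls"] is not None else server["tls"]
        if not enabled:
            findings += [(scope["name"], d) for d in scope["https"]]
    return findings

# Sample: the two failing vhosts from this report (trimmed) plus a constructed mod_ssl one.
SAMPLE = """
<VirtualHost example.org:80>
  ProxyPass /NoAuth https://example.org/NoAuth
</VirtualHost>
<VirtualHost 10.69.0.50:443>
  ProxyPass / https://internal.host.local/
</VirtualHost>
<VirtualHost ok.example:443>
  SSLProxyEngine on
  ProxyPass / https://internal.host.local/
</VirtualHost>
"""
if __name__ == "__main__":
    print(*lint_proxy_tls(SAMPLE), sep="\n")
```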

---------------------------------------------------------------------- 
 (0000267) rg (reporter) - 2011-05-02 13:14
 http://issues.outoforder.cc/view.php?id=97#c267 
---------------------------------------------------------------------- 
The solution in http://issues.outoforder.cc/view.php?id=87 does not work for me,
because c->remote_addr->hostname is always NULL.

Extending the condition from the patch to 'c->remote_addr->hostname  || 
apr_strnatcmp(c->remote_ip,c->local_ip) == 0' makes mod_gnutls usable for me for
TLS termination. 

---------------------------------------------------------------------- 
 (0000272) dashula (manager) - 2011-07-08 16:32
 http://issues.outoforder.cc/view.php?id=97#c272 
---------------------------------------------------------------------- 
Expect mod_gnutls 0.5.10 (due on 11-07-2011) to have this issue resolved. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-04-09 04:59 belg4mit       New Issue                                    
2009-04-09 04:59 belg4mit       Apache Version            => 2.0.52          
2009-06-30 21:09 nmav           Note Added: 0000157                          
2009-07-01 01:57 belg4mit       Note Added: 0000162                          
2009-07-21 00:18 nmav           Relationship added       related to 0000087  
2009-07-21 00:19 nmav           Note Added: 0000171                          
2010-03-16 18:07 doud           Note Added: 0000199                          
2010-03-16 18:31 doud           Note Added: 0000200                          
2010-03-16 18:51 nmav           Note Added: 0000201                          
2010-03-16 19:21 doud           Note Added: 0000202                          
2010-03-16 19:39 nmav           Note Added: 0000203                          
2010-03-17 16:44 doud           Note Added: 0000204                          
2010-03-17 17:48 nmav           Note Added: 0000205                          
2010-07-05 10:23 nmav           Status                   new => acknowledged 
2011-05-02 13:14 rg             Note Added: 0000267                          
2011-07-08 16:32 dashula        Note Added: 0000272                          
2011-07-08 16:32 dashula        Assigned To               => dashula         
2011-07-08 16:32 dashula        Status                   acknowledged => assigned
======================================================================



