atom feed1 message in org.apache.apache-bugdbmod_proxy/4233: Reverse proxy of SSL ...
FromSent OnAttachments
Liz HelmekeApr 12, 1999 10:38 am 
Subject:mod_proxy/4233: Reverse proxy of SSL requests fails with " @" 403
From:Liz Helmeke (helm@us.ibm.com)
Date:Apr 12, 1999 10:38:59 am
List:org.apache.apache-bugdb

Number: 4233 Category: mod_proxy Synopsis: Reverse proxy of SSL requests fails with " @" 403 Confidential: no Severity: critical Priority: medium Responsible: apache State: open Class: sw-bug Submitter-Id: apache Arrival-Date: Mon Apr 12 10:40:04 PDT 1999 Last-Modified: Originator: helm@us.ibm.com Organization: apache Release: 1.3.4-dev Environment: AIX 4.3.2, ibm xlc compiler 3.6.4, Apache 1.3.4-dev Description:

Using ProxyPass and ProxyPassReverse with IP-based Virtual Hosts works fine for HTTP requests, but all HTTPS requests fail with " @" 403 in Apache access_log. Does Apache support reverse proxy of SSL requests? I have searched extensively the documentation, Web, and USENET news groups, but cannot find any examples on how to accomplish this.

We have ifconfig aliases on the real server for the Virtual Host IP addresses and are using the following VirtualHost containers:

#This one works fine! <VirtualHost 1.2.3.4> ServerName wwwa.server.dom ProxyPass / http://wwwa.server.dom/ ProxyPassReverse / http://wwwa.server.dom/ </VirtualHost>

#The next two fail with " @" 403 in access_log. #Requests are never sent to the remote server. <VirtualHost 1.2.3.5:443/ ServerName wwwb.server.dom ProxyPass / https://wwwb.server.dom/ ProxyPassReverse / https://wwwb.server.dom/ </VirtualHost>

#wwwb.server.dom is also listening on port 80 for SSL requests, so #we also need: <VirtualHost 1.2.3.5:80> ServerName wwwb.server.dom ProxyPass / https://wwwb.server.dom:80/ ProxyPassReverse / https://wwwb.server.dom:80/ </VirtualHost>

The IP addresses for wwwa and wwwb are actually the real and aliased addresses of a single internal server. Of course, accessing the internal servers directly works successfully (not through the proxy).

How-To-Repeat: Set up VirtualHost container for an internal SSL server as given above. Fix:

Audit-Trail: Unformatted:

[In order for any reply to be added to the PR database, ] [you need to include <apb@Apache.Org> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]