Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: Forward Proxy on behalf of the client instead of as a tunnel |
|
| Author |
|
danthehitman
Joined: 28 Feb 2017
Posts: 2
Location: USA
|
 Posted: Tue 28 Feb '17 20:49 Post subject: Forward Proxy on behalf of the client instead of as a tunnel |
 |
|
All,
I am trying to set Apache up as a forward proxy to help solve an issue that we have where an HTTP Client in our application does not support TLS 1.2 but an API that we need to consume only supports TLS 1.2. What I am attempting to do is use Apache to talk HTTPS/TLS 1.2 to the target API but allow my internal client to talk to the proxy over HTTP.
There will be 1..N of the target APIs on IPs/URIs that we dont control so we are not able to enumerate the endpoints we will be connecting to. The whole appliance will be deployed into an unknown environment that is out of our control.
I had it in my head that this was what a forward proxy was going to give me so after having set up a forward proxy and configuring my application to use it I was surprised to see that I was getting exactly the same behavior that I was getting when I had no proxy configured (failure of my internal client to speak TLS 1.2).
So my question is; can Apache be configured as a FORWARD proxy to speak HTTP with the caller but HTTPS to the callee?
I have spent a lot of time searching in various archives and the Apache docs but it's entirely possible that I just dont even know what to search for to get a good answer so if this is a dumb question I sincerely apologize for wasting the groups time.
Thanks in advance for any help.
-Dan |
|
| Back to top |
|
mraddi
Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany
|
| Posted: Fri 03 Mar '17 0:53 Post subject: |
|
|
Hello Dan,
I don't understand the complete question (maybe because I am not a native english-speaker?).
Are you sure that you didn't mix up reverse proxy and forward proxy? 
See http://www.jscape.com/blog/bid/87783/Forward-Proxy-vs-Reverse-Proxy to see the difference between both. Of course there are a lot of other pages that explain the difference.
Apache is able to be used as a reverse proxy listening to http and forward the requests to a https-backend-webserver. In this example some config lines are added to NOT verify the backend-webservers SSL-certificate.
| Code: | SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /pi2/ https://192.168.0.8/
ProxyPassReverse /pi2/ https://192.168.0.8/ |
I do NOT recommend this as there normally is a reason why a webserver only speaks https. You create a BIG security hole  as maybe others see the traffic readable on the line that should normally be encrypted (at least that was the backend-webserver's admin's intention)
Using Apache as a forward proxy is not common (but possible) so I doubt that you use it as forward proxy. Maybe you can post the relevant config-lines that you are already using  |
|
| Back to top |
|
danthehitman
Joined: 28 Feb 2017
Posts: 2
Location: USA
|
| Posted: Fri 03 Mar '17 1:02 Post subject: |
|
|
Thank you for the response. You are right, it does seem that use as a forward proxy is uncommon, I have not found a lot of information on use as a forward proxy.
However, I am trying to use it as a forward proxy, not a reverse proxy. I have a client running inside a server that needs to call out to 1..N APIs that are configured after the system is deployed and comes up. My client does not support TLS1.2 but the APIs only support TLS1.2. I would like to set up Apache as a proxy (outbound, thus the forward proxy) to allow my internal client to speak TLS1.0 to the proxy and then have Apache speak TLS1.2 to the target API.
Is that possible with Apache?
Thanks again for the response.
-Dan |
|
| Back to top |
|
mraddi
Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany
|
| Posted: Fri 03 Mar '17 1:44 Post subject: |
|
|
Hello Dan,
if a client wants to get a http-URL via a forward-proxy the request is like this:
| Code: | | GET http://host.example.com/dir/file HTTP/1.0 |
Then the forward-proxy starts a new tcp-connection to the host.example.com, fetches the requested /dir/file using http and returns this data on the origin tcp-connection.
If a client wants to get a https-URL (https://host.example.com/dir/file) it sends the following command to the forward-proxy:
| Code: | | CONNECT host.example.com:443 HTTP/1.0 |
The forward-proxy now establishes a tcp-connection to the destination-server an from now on all packets are simply forwarded to the other end (from the destination-webserer to you client and from your client to the destination-webserver) including the SSL-handshake (which protocol, which cipher, present a certificate, ...). The forward-proxy is (normally) not able to modify the encrypted data as it needs a private key for the hostname that the client wants to access (and this key is normally only available at the destination-server).
"normally" because: There are solutions available that can inspect outgoing https-traffic using a CA-certificate (that has to be trusted by the clients) to create matching server-certificates on the fly for every destination-server that is requested to inspect the https traffic (example: McAfee WebGateway - used in companies to check user's traffic to the internet for viruses or deny access to drugs, porn, violence, ...). A quick search showed that it might be possible with squid, too. But I couldn't find a hint if you can change/restrict the used encryption 
Searched at google and stackoverflow.com but was not able to find a solution that matches your requests, sorry  |
|
| Back to top |
|
|
|
|
|
|
