[H-GEN] Setting up reverse proxy for SSL
Martin Pool
mbp at linuxcare.com.au
Mon Feb 19 23:32:07 EST 2001
On 20 Feb 2001, Michael Anthon <michael at anthon.net> wrote:
> I'm currently investigating a setup whereby I have a web server that is
> visible to the internet and an application server inside a WAN. I need
> to enable SSL access to this application server.
>
> Poking around in the apache configs, I have found that the mod_proxy
> seems to be able to do this, however I'm a little confused about
> something still. My main concern is to do with the certificates. If I
> use the ProxyPass option to proxy requests from the web server to the
> app server, does it correctly handle the certificates?

I haven't checked in detail, but I'm fairly sure that the browser will
only see a connection to the proxy server. You don't quite say so,
but I think what you want is to do SSL on the proxy rather than on the
application server.

The certificates must be installed on the proxy, and the proxy's
forward and reverse DNS settings must match the name in the cert. I
think the SSL credentials will probably not be visible to the app
server, although you may be able to kludge this e.g. with rewrite
rules.

> On another note re SSL, I have a PHP script that I am using to deliver
> content. This content may be one of several different formats (html,
> pdf, ms word and ms excel so far). To handle this, I was looking at the
> document type, then sending the appropriate Content-type header, a
> Content-length header (Netscape has trouble with PDF documents without
> this... odd) and a Content-disposition header to specify a suggested
> filename. This was all working rather nicely and works with IE, NS4,
> NS6, Mozilla and Opera.

That sounds like a good approach.

> However, when I switched over to using SSL to
> connect to the server it didn't work so well. For some reason IE will
> not download the files, it returns some vague error about not being able
> to download the file, showing the name of the script, not the name
> provided in the Content-disposition header.

IE has various SSL bugs. You might try searching their support
website.

> Anyone got an idea what might be going on here, or perhaps there's a
> better way to do what I want to do? (I'm tossing up the idea of
> using the method where you map the first part of a URL to a script
> so that I can provide the complete filename at the end of the
> URL... can't recall the name of this method at the moment)

That sounds like a good and fairly easy workaround. The $PATH_INFO
variable will give you the text that occurs in the URL after the bit
that matches the PHP file. You shouldn't need to reconfigure Apache;
just do

    http://foohost/thing/download.php/sales.xls

with download.php being

    <? /* filename=$PATH_INFO; validate filename with regexp; Send
    content-type; etc. Send binary. */ ?>

--
Martin Pool, Human Resource
Linuxcare. Inc. +61 2 6262 8990
mbp at linuxcare.com.au, http://linuxcare.com.au/
Linuxcare. Putting Open Source to work.
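
The download.php sketch from the message above, written out as an added example that is not part of the original post: it treats PATH_INFO as untrusted input, validates it with a regexp and an extension allowlist, and confirms the resolved file stays inside the storage directory before sending it. DOC_ROOT, TYPES and resolve_download() are hypothetical names, and the storage path is an assumption.

```php
<?php
// Added example (not from the original post). Modern PHP: $_SERVER['PATH_INFO']
// replaces the old $PATH_INFO global. DOC_ROOT and TYPES are assumptions.
const DOC_ROOT = '/var/www/private-docs';   // hypothetical storage directory
const TYPES = [                             // formats named in the thread
    'html' => 'text/html',
    'pdf'  => 'application/pdf',
    'doc'  => 'application/msword',
    'xls'  => 'application/vnd.ms-excel',
];

// Map a PATH_INFO value to [real path, MIME type, download name], or null.
function resolve_download(string $pathInfo, string $root = DOC_ROOT): ?array
{
    // Exactly one segment, "/name.ext": no "..", no further slashes, no
    // leading dot, no NUL or newline (\A and \z anchor the whole string).
    if (!preg_match('#\A/([A-Za-z0-9][A-Za-z0-9_-]{0,63})\.([a-z]{3,4})\z#', $pathInfo, $m)) {
        return null;
    }
    $name = $m[1] . '.' . $m[2];
    $mime = TYPES[$m[2]] ?? null;           // extension must be on the allowlist
    if ($mime === null) {
        return null;
    }
    // realpath() follows symlinks; the result must still sit inside $root.
    $rootReal = realpath($root);
    $real = realpath($root . '/' . $name);
    if ($rootReal === false || $real === false || !is_file($real)
        || strpos($real, $rootReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return [$real, $mime, $name];
}

$target = resolve_download($_SERVER['PATH_INFO'] ?? '');
if ($target === null) {
    http_response_code(404);                // same answer for "bad name" and "missing"
    exit;
}
[$path, $mime, $name] = $target;
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
readfile($path);
```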