[H-GEN] Setting up reverse proxy for SSL
Michael Anthon
michael at anthon.net
Tue Feb 20 09:29:06 EST 2001
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
[ Worthwhile understanding: http://www.humbug.org.au/netiquette.html ]
Martin Pool wrote:
<snip>
> The certificates must be installed on the proxy, and the proxy's
> forward and reverse DNS settings must match the name in the cert. I
> think the SSL credentials will probably not be visible to the app
> server, although you may be able to kludge this e.g. with rewrite
> rules.
That's what I was concerned about and the reaason for the question.
Josh Marshall suggested in another message to me the use of sslwrap to
do this, although I'd like to investigate apache a bit further, from my
understanding of it, I should be able to use mod_proxy and mod_rewrite
to do what I need, namely, use ssl to make connections from the
internet, then rewrite the requests to retrieve the pages from the
internal http server without ssl. Alternatively, can I make that
internal request using ssl? I don't know, will be testing all this in
the next few days to assess the options.
<snip>
> IE has various SSL bugs. You might try searching their support
> website.
>
One of the first things I tried... didn't find anything helpful
<snip>
> That sounds like a good and fairly easy workaround. The $PATH_INFO
> variable will give you the text that occurs in the URL after the bit
> that matches the PHP file. You shouldn't need to reconfigure Apache;
> just do
>
> http://foohost/thing/download.php/sales.xls
>
> with download.php being
>
> <? /* filename=$PATH_INFO; validate filename with regexp; Send
> content-type; etc. Send binary. */ ?>
>
Yep, exactly what I ended up with. While marginally more difficult to
code it makes for much cleaner looking links and removes the need to
send the content-disposition header which IE seems to have a couple of
minor issues with. Good thing we have standards so that we don't have
to work around these sorts of issues isn't it?
The only uncertainty I have about this is the passing of parameters, is
this a valid URL? In particular, is putting "=" in the URL valid? It
does seem to work quite happily in all my testing
http://myhost.com/app/script/parameter1=val/parameter2=val2/filename.txt
Cheers
Michael
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
More information about the General
mailing list