d2jsp
Log InRegister
d2jsp Forums > Off-Topic > Computers & IT > Programming & Development > Any Networking Superstars Around Here? > Apache Question
Add Reply New Topic New Poll
Member
Posts: 4,605
Joined: Sep 15 2011
Gold: 9,464.00
May 8 2013 03:02am
I want to set up an Apache forward and reverse proxy that does SSL in both directions. The idea behind this is that I want to have Apache handling the SSL protocol in both directions so that the services sitting behind the proxy don't have to.

Code

Reverse proxy part:
1. Incoming HTTP traffic
My Services <-- HTTP <-- Apache <-- HTTP <-- External endpoint

2. Incoming HTTPS traffic
My Services <-- HTTP <-- Apache <-- HTTPS -- External endpoint

Forward proxy part:
3. Outgoing HTTP traffic
My Services --> HTTP --> Apache --> HTTP --> External endpoint

4. Outgoing HTTPS traffic
My Services --> HTTP --> Apache --> HTTPS --> External endpoint


The reverse proxy portion of this is fairly straightforward and used by a lot of people, but I'm not seeing any examples from my searches of people doing the forward proxy part.

I'm *thinking* something along the lines of mucking with iptables so that outgoing connections to 443 get forwarded to a specific handler in the localhost apache module (using plain http). But I'm not so sure if Apache can be set up to then rewrite these requests and establish an HTTPS connection with the external endpoint.


Anybody have any clue how to do this?
Member
Posts: 4,605
Joined: Sep 15 2011
Gold: 9,464.00
May 8 2013 03:18am
Actually I'm having a hard time imagining how I could even configure iptables to redirect all traffic to a proxy on localhost but not redirect traffic coming out of that proxy. Hmm...
Member
Posts: 3,386
Joined: May 4 2013
Gold: 1,780.00
May 8 2013 01:01pm
First, why apache? Stunnel is a program dedicated to it. Apache shouldn't even be visible directly from the internet, it's bugged piece of shit. If you really want to use apache for any reason put varnish or haproxy in front of it.

reverse is simple:

Code
visitor(443) -> stunnel(443) -> httpd(80)
visitor(80) -> httpd(80)


forward, what's the point of putting plain through apache or any other service? You can do something like

Code
service -> stunnel(80) -> external(443)
service -> external(80)



Now if you really want to force all outgoing traffic to some local service you could use something like

Code
/sbin/iptables -t nat -A PREROUTING -s 127.0.0.1/255.255.255.0 -p tcp -m tcp --dport 443 -m owner --uid-owner yourservicesuserdifferentthantheproxy -j DNAT --to-destination 127.0.0.1

then all connections by user "yourservicesuserdifferentthantheproxy" to port 443 anywhere will be redirected to localhost instead. Something like this should work, but instead I'd prefer to disallow any external access from your services, and if yuo need to contact external sites - whitelist them, possibly write the wrapper for them in stunnel.

also2: I strongly suggest to put your "services" into some kind of jail (lxc > openvz > etc) and have it on loopback ip, for example 10.0.0.2. NAT them. Then edit iptables above accordingly. I'm not even sure if it is possible without NAT in this case

This post was edited by nuvo on May 8 2013 01:06pm
Member
Posts: 4,605
Joined: Sep 15 2011
Gold: 9,464.00
May 8 2013 01:18pm
Thanks for the info and suggestion. I mentioned Apache because we already currently have it running as a reverse proxy on the machine (and works fairly well I might add).

I recall we used to have stunnel set up too, but for some reason or another it's been replaced by other things for a lot of the services. stunnel does seem to be great fit for this though, so thanks for suggesting that! Will have to experiment some more to see if I can get this thing to work...
Member
Posts: 4,605
Joined: Sep 15 2011
Gold: 9,464.00
May 8 2013 05:50pm
Hmm, one potential problem that might make stunnel a non-starter is its lack of built-in support for X-Forwarded-For headers to do Client Auth, which is something Apache is quite capable of doing...

Hmm, it might be worth thinking about implementing stunnel as my forward proxy and continue using Apache as the reverse proxy though. Might get the best of both worlds that way, at least, if they both use the same certificate mechanism (and I think they both use openssl).

This post was edited by irimi on May 8 2013 06:00pm
Member
Posts: 3,386
Joined: May 4 2013
Gold: 1,780.00
May 9 2013 03:27am
take a look at http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt which works well with stunnel and should do what you expect it to do (preserve client's ip)

this is the setup I use in production:

visitor(80) -> haproxy(80)
visitor(443) -> stunnel(443) -> haproxy(80)

then

haproxy(80) -> lxc-nginx1(80)

then depending on vhost and url, parsed by nginx1

lxc-nginx1(80) -> lxc-nginx2/3/4/5 ... depending on needs. Different services, for example blog, wiki, cms, search... Each has its own lxc container, they are all NATed on loopback, with internal ip. lxc-nginx1 has no dynamic features its only serving static files and reroutes requests to other backend services (nginx+php, ruby+thin, twistd and so on)

stunnel is also in its own container (security reasons yo, ssl certs are so valuable)
Member
Posts: 4,605
Joined: Sep 15 2011
Gold: 9,464.00
May 9 2013 03:25pm
Yeah, a coworker mentioned nginx as well. I'll definitely be checking out and trying various setups, and I'm very glad to have yours as an example.

Thanks a lot!
Member
Posts: 161,550
Joined: Oct 18 2006
Gold: 4.03
Warn: 20%
May 11 2013 06:41pm
apache is shit, use nginx or anything else, seriously
Go Back To Programming & Development Topic List
Add Reply New Topic New Poll