Article delegate-en/4245 of [1-5169] on the server localhost:119
[Reference:<_A4233@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: HTTPS to HTTPS Rewriting
01 Dec 2008 09:48:45 GMT Geeosor <praiabdyi-p5lznxp5zfxr.ml@ml.delegate.org>


Hi Yutaka,

Yutaka Sato wrote:
> Hi,
> 
> In message <_A4232@delegate-en.ML_> on 11/29/08(02:30:42)
> you Geeosor <praiabdyi-p5lznxp5zfxr.ml@ml.delegate.org> wrote:
>  |Basically we have a site support.domain.tld which is accessible by http
>  |and by https. Then there is the other site https://secure.domain.tld/ in
>  |which we want to have the *content* of the support domain with all links
>  |appearing as secure. Let me visualize this:
>  |
>  |Apache on Host 1                  Apache on Host2
>  |- serves https://secure...        - serves httpX://support...
>  |
>  |           ^                                 ^
>  |           |__         Delegate            __|
> 
>                             ^
>                             |
>                as what is this server referred?
>                1) origin server https://delegate-host:8888 or
>                2) HTTP proxy server at delegate-host:8888 

We want to have Apache and Delegate on the same host1, since we have no
control over host2. And since Apache (with SSL) is in front of Delegate,
Delegate is doing HTTP to the backend, which is sufficient in our eyes.

> The way 1) is a usual approach and can be configured as follows for example:
> 
>   MOUNT="/*        https://secure/*"
>   MOUNT="/supp-s/* https://support/*"
>   MOUNT="/supp-h/* http://support/*"
>   STLS=fsv:https
>   STLS=fcl
>   SERVER=https
>   -P8888
> 
> With this configuration, each URL-path will be mapped as follows:
> 
>   https://delegate-host/*         <--> https://secure/*
>   https://delegate-host/supp-s/*  <--> https://support/*
>   https://delegate-host/supp-h/*  <--> http://support/*
> 
> In this case the target servers are switched with the url-path part but 
> you can switch them with virtual host name with the "nvhost" MountOption.
> See <URL:http://www.delegate.org/delegate/nvproxy> for more details.
> 
> You seem to be writing about the way 2) but I can't figure out the reason.
> Using DeleGate as a proxy with rewriting HTTPS/SSL content, at least
> you need to decrypt and encrypt it with STLS=mitm.

I think either one of your ways. Since we need:

Browser <-HTTPS-> Apache <-HTTP-> Delegate <-HTTP-> Apache
                  https://secure...                 http://support...

> 
>  |So we do not only want the URL and HTTP stuff rewritten, but also the
>  |absolute urls in the html body from httpX://support
>  |
>  |My approach was:
>  |
>  |Apache on Host1:
>  |----------------------------------------------------------
>  |ProxyRequests On
>  |ProxyPass /support/kb/ http://localhost:8888/kb/
>  |ProxyPassReverse /support/kb/ http://localhost:8888/kb/
>  |
>  |Delegate on Host1:
>  |----------------------------------------------------------
>  |./delegated -fv \
>  |-P8888 \
>  |SERVER=http \
>  |ADMIN=hostmaster@domain.. \
>  |PERMIT="*:*:*" \
>  |MOUNT="https://secure.domain.tld/* http://support.domain.tld/*"
>  |
>  |But apparently the vURL parameter cannot match. I also tried with SSL,
>  |but since the frontend apache serves already SSL there is no need for it
>  |from the backend servers.
> 
> Cheers,
> Yutaka
> --
>   9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller

GeE

BTW: Delegate is a fantastic piece of software!
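
The prefix mapping in the quoted MOUNT example, and the rewriting of absolute URLs in the HTML body asked about in the thread, as an added Python sketch. It is not part of the original message and not DeleGate's implementation; the function names, the attribute regex and the sample body are assumptions made for illustration.

```python
import re

# Mount table copied from the quoted MOUNT lines: (front path prefix, backend URL prefix).
MOUNTS = [
    ("/", "https://secure/"),
    ("/supp-s/", "https://support/"),
    ("/supp-h/", "http://support/"),
]
FRONT = "https://delegate-host"  # front origin as written in the quoted mapping


def to_backend(path):
    """Forward direction: request path -> backend URL (longest prefix wins)."""
    for prefix, target in sorted(MOUNTS, key=lambda m: len(m[0]), reverse=True):
        if path.startswith(prefix):
            return target + path[len(prefix):]
    return None


def to_front(url):
    """Reverse direction: backend URL -> front URL, or None if not mounted.

    Each backend prefix ends in "/", so a look-alike host such as
    http://support.other.example/ does not match http://support/.
    """
    for prefix, target in sorted(MOUNTS, key=lambda m: len(m[1]), reverse=True):
        if url.startswith(target):
            return FRONT + prefix + url[len(target):]
    return None


# Absolute http/https URLs inside double-quoted href/src/action attributes.
ATTR_URL = re.compile(r'((?:href|src|action)=")(https?://[^"]+)(")', re.IGNORECASE)


def rewrite_body(html):
    """Rewrite absolute backend URLs in an HTML body; unmounted hosts stay as-is."""
    def repl(m):
        mapped = to_front(m.group(2))
        return m.group(1) + (mapped or m.group(2)) + m.group(3)
    return ATTR_URL.sub(repl, html)


# Constructed sample body, not taken from the thread.
SAMPLE = ('<a href="http://support/kb/1.html">KB</a>'
          '<img src="https://support/img/logo.png">'
          '<a href="http://other.example/x">ext</a>')

if __name__ == "__main__":
    print(to_backend("/supp-h/kb/1.html"))
    print(rewrite_body(SAMPLE))
```
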
