HTTPS, Proxy, & Headers--please clarify


Post by Amy Parke » Fri, 04 May 2001 00:01:59



Hi,

We use a secure Apache server to front-end IBM mainframe
applications that have been web-enabled by a 3rd party screen-
scraping software package. The mainframe "web server" doesn't
support SSL (but is on secure subnet). Apache is compiled with
mod_proxy and mod_rewrite and we use RewriteRules with [P] to get
user requests over to the mainframe. (General proxy function is
not enabled.) So far, so good.

However, we were hoping to use Apache mod_headers to issue HTTP
headers (Expires, Cache-control, & Location), as the mainframe
environment is too primitive to support this. It doesn't work.
From answers to previous inquiries, I see that this may be
inherent to using HTTPS as a proxy:

>the Proxy doesn't really proxy when you're doing HTTPS. It would
>completely mess up the key exchange handshake of SSL, so the proxy just
>opens a pass-through TCP connection from the client to the server and
>doesn't see the HTTP request nor can it insert any headers.  Look up the
>CONNECT method if you're interested. . .

I have a couple specific questions:

First, does our setup (https frontend, http backend) fit the model of
a pass-through connection, or tunnel? The only handshaking is between
the browser and the Apache server. Apache *has* to look at the HTTP
request in order to get into RewriteRules, doesn't it?

Second, I'd appreciate a reference on CONNECT and/or SSH tunnel.
RFC2616 only cites an unpublished paper on CONNECT, and there's
about 10 RFC's related to tunnels, and I'm lost.

Third, given that it's a dedicated server, is there any kind of
kluge to do this? I'm wondering about executing a script (that
does nothing other than issue headers) before doing the forced
proxy. Any comments appreciated.

Thanks for your assistance.

Amy

Amy Parker
Administrative Computing
State University of New York at Binghamton

 
 
 


Post by adam » Fri, 04 May 2001 00:31:33



> We use a secure Apache server to front-end IBM mainframe
> applications that have been web-enabled by a 3rd party screen-
> scraping software package. The mainframe "web server" doesn't
> support SSL (but is on secure subnet). Apache is compiled with
> mod_proxy and mod_rewrite and we use RewriteRules with [P] to get
> user requests over to the mainframe. (General proxy function is
> not enabled.) So far, so good.

> However, we were hoping to use Apache mod_headers to issue HTTP
> headers (Expires, Cache-control, & Location), as the mainframe
> environment is too primitive to support this. It doesn't work.
> From answers to previous inquiries, I see that this may be
> inherent to using HTTPS as a proxy:

> >the Proxy doesn't really proxy when you're doing HTTPS. It would
> >completely mess up the key exchange handshake of SSL, so the proxy just
> >opens a pass-through TCP connection from the client to the server and
> >doesn't see the HTTP request nor can it insert any headers.  Look up the
> >CONNECT method if you're interested. . .

I believe those are my words above.  They apply in the case where a
client is specifically configured to use a proxy server, not when the
client is hitting a site that transparently does ReverseProxy.  In your
case, the SSL connection is only between the client and the apache
server, there is no CONNECT method used, no pass-through TCP traffic,
etc.

> I have a couple specific questions:

> First, does our setup (https frontend, http backend) fit the model of
> a pass-through connection, or tunnel? The only handshaking is between
> the browser and the Apache server. Apache *has* to look at the HTTP
> request in order to get into RewriteRules, doesn't it?

No, hopefully the clarification above helped.  You're not doing
pass-through CONNECT methods.  So yes, apache/mod_rewrite can see the
http request the client sent.

> Second, I'd appreciate a reference on CONNECT and/or SSH tunnel.
> RFC2616 only cites an unpublished paper on CONNECT, and there's
> about 10 RFC's related to tunnels, and I'm lost.

I assume you don't need this now.

> Third, given that it's a dedicated server, is there any kind of
> kluge to do this? I'm wondering about executing a script (that
> does nothing other than issue headers) before doing the forced
> proxy. Any comments appreciated.

Another issue:  For security reasons browsers do not cache documents
loaded via HTTPS.  If you're trying to increase the performance of this
application, I don't think sending any of the cache control headers will
help.  
--
-adam                 | "Be liberal in what you accept, and
Systems Administrator |  conservative in what you send"
Indiana University    |      -Jon Postel
Bloomington, Indiana  |

 
 
 


Post by Amy Parke » Fri, 04 May 2001 22:43:19




> > ... Apache is compiled with mod_proxy and mod_rewrite and we use
> > RewriteRules with [P] to get user requests over to the mainframe.
> > (General proxy function is not enabled.)

> > However, we were hoping to use Apache mod_headers to issue HTTP
> > headers (Expires, Cache-control, & Location), as the mainframe
> > environment is too primitive to support this. It doesn't work.
> > From answers to previous inquiries ...
> ... the SSL connection is only between the client and the apache
> server, there is no CONNECT method used, no pass-through TCP traffic,
> etc. ...

OK, thanks for the clarification. As I said, mod_rewrite with forced
proxy works fine, so I doubted that our setup matched the method you
commented on several weeks back.

> Another issue:  For security reasons browsers do not cache documents
> loaded via HTTPS.  If you're trying to increase the performance of this
> application, I don't think sending any of the cache control headers will
> help.  

Browsers certainly cache in memory, and redisplay anything (including
filled-out dynamically generated forms) if you don't explicitly
prevent it.  We need to pre-expire dynamically generated login panels,
forms, and displays that contain sensitive data. Right now we only have
<META>-tags and javascript, which is a junky way of doing things. We
really do want to issue proper HTTP headers ("Expires", "Location", and
"Cache-control") on our mainframe business app's. For now, performance
at the level of the Apache server is a secondary issue.

So, is it possible to combine usage of mod_rewrite, mod_proxy, and
mod_headers for specific requests?  The documentation on mod_headers is
very sparse compared to the wealth of examples I found on mod_rewrite.
I would be grateful for an example of how to do this, or for suggestions
for a workaround that would allow us to insert the necessary HTTP
headers. (For what it's worth, I actually wrote a little cgi that
did a transparent proxy to mainframe & inserted HTTP headers, but it
wasn't anything to take production...)

Thank you,
Amy

Amy Parker
Administrative Computing
State University of New York at Binghamton
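
An added example, not part of the thread and not any poster's configuration: one way to attach cache-suppressing headers to responses that pass through a mod_rewrite forced proxy, assuming Apache httpd 2.4 (a release later than this thread) with mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http and mod_headers loaded. The host names, certificate paths, URL prefix and backend address are placeholders.

```apache
# Constructed example for Apache httpd 2.4. All names, paths and the
# backend address below are placeholders, not values from the thread.
<VirtualHost *:443>
    ServerName apps.example.edu

    # TLS terminates here; the browser never talks to the backend directly.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/apps.example.edu.crt
    SSLCertificateKeyFile /etc/httpd/tls/apps.example.edu.key

    # Forward proxying stays off, so this host cannot be used to reach
    # arbitrary sites. The forced proxy below still works.
    ProxyRequests Off

    # Forced proxy ([P]) to the plain-HTTP backend on the internal subnet.
    RewriteEngine On
    RewriteRule ^/mainframe/(.*)$ http://mainframe.internal.example:8080/$1 [P,L]

    # Rewrite Location headers in backend redirects so the browser is
    # sent back to the HTTPS front end, not to the internal address.
    ProxyPassReverse /mainframe/ http://mainframe.internal.example:8080/

    # The request URI is unchanged by [P], so this section still matches
    # and mod_headers edits the proxied response on its way out.
    <Location "/mainframe/">
        # "set" replaces any value the backend sent for the same header.
        Header set Cache-Control "no-store"
        Header set Pragma "no-cache"
        Header set Expires "0"
    </Location>
</VirtualHost>
```

To check the result, request a proxied page with `curl -sI https://apps.example.edu/mainframe/` (placeholder URL) and confirm the three headers appear in the response.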

 
 
 
