使用SSL终止的Apache正向代理

时间:2017-10-30 18:23:03

标签: apache ssl proxy

我正在尝试设置一个终止SSL连接的Apache Forward Proxy。我尝试这样做的原因是在返回的代码上运行Apache过滤器(特别是mod_pagespeed)。在我处理mod_pagespeed之前,我正在通过尝试在响应中插入一个标头来测试这个POC(这将证明我可以编辑响应),但我遇到了SSL代理问题(非SSL代理工作正常)

请注意,我并不关心任何证书错误等 - 这纯粹是为了内部测试。

我已经设置了服务器并在非SSL页面上看到了X-MSCProxy Header:

jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy pagespeed_proxy:3ja82ad9@localhost:8080 -D - -o /dev/null http://www.slate.com

* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
* Proxy auth using Basic with user 'pagespeed_proxy'
> GET http://www.slate.com/ HTTP/1.1
> Host: www.slate.com
...
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 30 Oct 2017 18:10:40 GMT
Date: Mon, 30 Oct 2017 18:10:40 GMT
< Server: Apache/2.2.29 (Amazon)
Server: Apache/2.2.29 (Amazon)
...
< Content-Length: 187051
Content-Length: 187051
...
< X-Instart-Request-ID: 8286987369135064135:FWP01-NPPRY22:1509387040:0
X-Instart-Request-ID: 8286987369135064135:FWP01-NPPRY22:1509387040:0
< Via: 1.1 172.17.0.2:8080
Via: 1.1 172.17.0.2:8080
< X-MSCProxy: SansPS
X-MSCProxy: SansPS

但是当我向Slate的SSL页面发出相同的请求时,我看不到我的代理:

jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy pagespeed_proxy:3ja82ad9@localhost:8080 -D - -o /dev/null https://www.slate.com

* Connected to localhost (::1) port 8080 (#0)
* Establish HTTP proxy tunnel to www.slate.com:443
* Proxy auth using Basic with user 'pagespeed_proxy'
> CONNECT www.slate.com:443 HTTP/1.1
> Host: www.slate.com:443

< HTTP/1.0 200 Connection Established
HTTP/1.0 200 Connection Established
< Proxy-agent: Apache/2.4.25 (Debian)
Proxy-agent: Apache/2.4.25 (Debian)
< 

* Proxy replied OK to CONNECT request
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: ssl004.insnw.net
* Server certificate: GlobalSign CloudSSL CA - SHA256 - G3
* Server certificate: GlobalSign Root CA
> GET / HTTP/1.1
> Host: www.slate.com
> User-Agent: curl/7.54.0
> Accept: */*
> 

< Content-Length: 187044
Content-Length: 187044
< Connection: keep-alive
Connection: keep-alive
< Server: Apache/2.2.29 (Amazon)
Server: Apache/2.2.29 (Amazon)
< X-Instart-Request-ID: 762420041708891440:FWP01-NPPRY21:1509387251:0
X-Instart-Request-ID: 762420041708891440:FWP01-NPPRY21:1509387251:0

我发现很多帖子都说这是可能的(而且,从技术上来说,它应该是)有各种httpd.conf建议,但我尝试的没有任何效果。现在我的httpd.conf看起来像:

<VirtualHost *:8080>
  ProxyRequests On
  ProxyVia On

  Header set X-MSCProxy SansPS

  #SSLEngine On
  # suggestion that this allows termination
  ProxyPreserveHost On

  SSLProxyEngine on
  SSLProxyCheckPeerCN Off
  SSLProxyCheckPeerExpire Off
  SSLProxyCheckPeerName Off

  SSLCertificateFile /etc/apache2/ssl/localhost.crt
  SSLCertificateKeyFile /etc/apache2/ssl/localhost.key

  ModPagespeed Off
</VirtualHost>

FWIW,当我在这个代理上启用SSLEngine时(如建议的那样),那么请求根本无法解决Apache的错误:

[Mon Oct 30 18:20:20.705047 2017] [ssl:info] [pid 372:tid 140147985901312] [client 172.17.0.1:34012] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Mon Oct 30 18:20:20.705107 2017] [ssl:info] [pid 372:tid 140147985901312] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?

我认为这是有道理的,因为代理协议不期望直接与代理建立HTTPS连接。

2 个答案:

答案 0 :(得分:0)

我会尝试使用输出过滤器feautre fom apache。

https://www.modpagespeed.com/doc/configuration#apache_specific

  

AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text / html

答案 1 :(得分:0)

尝试将https://添加到curl代理命令中,如下所示:

jshannon-macbookpro:pagespeed_proxy jshannon$ curl -vv --proxy https://pagespeed_proxy:3ja82ad9@localhost:8080 -D - -o /dev/null https://www.slate.com

即使该端口配置了https,Apache也抱怨使用http连接到8080端口。