September 08, 2005
SSL Reverse Proxy With Apache
This is in response to a comment by Carlos on a previous blog entry.
We've got a web-based application that does not work with SSL, but we need to put it behind SSL to protect user data and keep sessions confidential. What I eventually came up with was to use Apache as a reverse proxy: requests come into Apache over SSL, Apache forwards them to the web application over plain HTTP, takes the application's response, and returns it to the user.
Everything you need to know about how to configure Apache as a reverse proxy can be found in this article at Apache Week.
How to setup SSL with Apache is something better covered by many others, so I suggest searching around and see what you find.
What little expertise I might have to bring to this topic is what follows.
First, I wanted to force everyone onto SSL. This means taking requests on the default, non-SSL port (80) and redirecting them to the SSL side. A simple mod_rewrite rule set does it:
RewriteEngine On
# Only act on requests that did not arrive on the SSL port.
RewriteCond %{SERVER_PORT} !^443$
# Let robots.txt through on plain HTTP (optional, see below).
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
# %{REQUEST_URI} always carries the leading slash, so this works the same in a
# <VirtualHost> and in .htaccess; the original query string is appended
# automatically. The ":443" in the target is redundant for an https:// URL.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
This includes a rule that lets requests for robots.txt come through on the non-SSL channel; it probably isn't necessary.
The only other bit I can offer some insight into is a problem I found when users tried to download files (other than web pages and images) through this proxy. The default cache-control headers on these SSL responses told the browser not to store the content, so very strict browsers (IE in particular) would not even write the file to a temporary location. When the external application was launched to open the file, there was no file or temp file on disk to load, and the user received a "file not found" error message.
To fix the cache-control issue I used mod_headers to change the cache-related header values. That looks something like this:
# Match on the file extension at the end of the path. The pattern must escape
# the dot and anchor with "$", otherwise it also matches paths such as
# /document.html that merely contain one of these extensions.
<Location ~ "\.(doc|pdf|ppt|txt|mdb|xls|mp3|wma|ram|rm|wav|wmv|avi|mov|mpg|qt|swf)$">
    Header set Cache-Control private
    Header unset Pragma
</Location>
And you can add to that list of file extensions as you see fit. I've used that list for about a year now and I haven't heard of any more "file not found" errors from users.
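To show how the three pieces above fit together, here is a complete pair of virtual hosts in Apache 2.4 syntax. This is an added example, not configuration from the original post; it assumes mod_ssl, mod_rewrite, mod_proxy, mod_proxy_http and mod_headers are loaded, that the application listens on 127.0.0.1:8080, and that the hostname www.example.com and the certificate paths are placeholders to be replaced.

```apache
# Added example (not from the original post). Assumed: Apache 2.4, the
# application on 127.0.0.1:8080, hostname www.example.com, certificate paths.

# Plain HTTP: answer robots.txt, redirect everything else to the SSL side.
<VirtualHost *:80>
    ServerName www.example.com

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
    # Original query string is appended automatically.
    RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS: terminate SSL here and proxy to the application that cannot speak SSL.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Never act as a forward (open) proxy; a reverse proxy needs only ProxyPass.
    ProxyRequests Off
    # Pass the original Host header through so the application builds its
    # links for www.example.com rather than for 127.0.0.1:8080.
    ProxyPreserveHost On
    # Tell the application that the client is really on HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:8080/
    # Rewrite Location and Content-Location headers in backend redirects so the
    # browser is never sent to the plain-HTTP backend address.
    ProxyPassReverse / http://127.0.0.1:8080/

    # The application does not know it is behind SSL, so its cookies lack the
    # Secure flag and would be sent on the first (port 80) request before the
    # redirect. Add the flag here; assumes the application does not set it.
    Header edit Set-Cookie ^(.*)$ "$1; Secure"

    # Downloads: override cache headers that make strict browsers refuse to
    # write the file to disk before handing it to an external application.
    <LocationMatch "\.(doc|pdf|ppt|txt|mdb|xls|mp3|wma|ram|rm|wav|wmv|avi|mov|mpg|qt|swf)$">
        Header set Cache-Control "private"
        Header unset Pragma
    </LocationMatch>
</VirtualHost>
```

After a reload, `curl -sI http://www.example.com/some/page` should return a 301 with a Location header pointing at the https:// URL, and `curl -sI https://www.example.com/file.pdf` should show `Cache-Control: private` with no Pragma header. If the application emits absolute http:// links to its own hostname, the port-80 host will bounce them back to SSL, but only after the browser has made one plain-HTTP request, which is why the Secure cookie flag matters.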
That's about it. Anything else I might offer is already better covered in the article I linked to.
Cheers!