+ added a "ssl with apache" section (draft)
parent 7afbfadc42
commit 46ae889df4
@ -680,6 +680,62 @@ parse these strings.
a complaint.
\end{desc}

\section{SSL encryption with Apache}

Network traffic with a HTTP server is usually encrypted and protected
from manipulation using the cryptographic algorithm provided by an
implementation of the \textit{secure socket layer}, SSL for short.
SUNet does not have support for SSL yet. However, an Apache
web-server with SSL support can be configured as a proxy. In this
setup the Apache web-server accepts encrypted requests and forwards
them to a SUNet web-server running locally. This section describes
how to set up Apache as an encrypting proxy, assuming the reader has
basic knowledge about Apache and its configuration directives.

The following excerpt shows a minimalist SSL virtual host that
forwards requests to a SUNet server.

\begin{alltt}
<VirtualHost 134.2.12.82:443>
DocumentRoot "/www/some-domain/htdocs"
ServerName www.some-domain.de
ServerAdmin admin@some-domain.de
ErrorLog /www/some-domain/logs/error_log

ProxyRequests off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

SSLEngine on
SSLRequireSSL

SSLCertificateFile /www/some-domain/cert/some-domain.cert
SSLCertificateKeyFile /www/some-domain/cert/some-domain.key
</VirtualHost>
\end{alltt}

First, a virtual host is added to Apache's configuration file. This
virtual host listens for incoming connections on port 443, which is
the standard port for encrypted HTTP traffic. \texttt{SSLRequireSSL}
ensures that server accepts encrypted connections only.

In terms of the Apache documentation, the the web-server acts as a so
called \textit{reverse proxy}. The option \texttt{ProxyRequests} has
a misleading name. Setting this option to off does only turns off
Apache's facility to act as a \textit{forward proxy} and has no effect
on the configuration directives for reverse proxies. Actually,
turning on \texttt{ProxyRequests} is dangerous, because this turns
Apache into a proxy server that can be used from anywhere to access
any site that is accessible to the Apache server.

In this setting, all requests get forwarded to a SUNet web-server
which listens for incoming connections on localhost port 8080 only,
thus, it is not reachable from a remote machine. Apache forwards all
requests to the host and port specified by the \texttt{ProxyPass}
directive. \texttt{ProxyPassReverse} specifies how
\texttt{Location}-Header fields of HTTP redirect messages send by the
SUNet server are translated.

%%% Local Variables:
%%% mode: latex
%%% TeX-master: "man"

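Review bot: the last paragraph asserts that the SUNet server "listens for incoming connections on localhost port 8080 only" and is therefore unreachable from remote machines, but neither the excerpt nor the text shows the SUNet-side setting that binds it to the loopback address; because the backend speaks plain HTTP, an instance bound to all interfaces would make the encryption and `SSLRequireSSL` of the Apache front end bypassable, so state the bind setting (or a host firewall rule) next to the `ProxyPass / http://localhost:8080/` line. Two smaller points in the excerpt: `DocumentRoot "/www/some-domain/htdocs"` is never used because `ProxyPass /` forwards every request, and the hard-coded address `134.2.12.82` reads better as a placeholder alongside the other `some-domain` values. Prose fixes for the added text: "a HTTP server" should be "an HTTP server", "usually encrypted" overstates what the section needs and "can be encrypted" matches the argument, "ensures that server accepts" is missing "the", "the the web-server" doubles the article, "does only turns off" should be "only turns off", and "send by the SUNet server" should be "sent by the SUNet server".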