From 46ae889df415eb805dfe13e21d270b8dc2330333 Mon Sep 17 00:00:00 2001 From: eknauel Date: Wed, 2 Jun 2004 14:16:01 +0000 Subject: [PATCH] + added a "ssl with apache" section (draft) --- doc/latex/httpd.tex | 56 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/doc/latex/httpd.tex b/doc/latex/httpd.tex index 1d9f406..579a0e2 100644 --- a/doc/latex/httpd.tex +++ b/doc/latex/httpd.tex 
@@ -680,6 +680,62 @@ parse these strings. a complaint. \end{desc} +\section{SSL encryption with Apache} + +Network traffic with a HTTP server is usually encrypted and protected +from manipulation using the cryptographic algorithm provided by an +implementation of the \textit{secure socket layer}, SSL for short. +SUNet does not have support for SSL yet. However, an Apache +web-server with SSL support can be configured as a proxy. In this +setup the Apache web-server accepts encrypted requests and forwards +them to a SUNet web-server running locally. This section describes +how to set up Apache as an encrypting proxy, assuming the reader has +basic knowledge about Apache and its configuration directives. + +The following excerpt shows a minimalist SSL virtual host that +forwards requests to a SUNet server. + +\begin{alltt} + + DocumentRoot "/www/some-domain/htdocs" + ServerName www.some-domain.de + ServerAdmin admin@some-domain.de + ErrorLog /www/some-domain/logs/error_log + + ProxyRequests off + ProxyPass / http://localhost:8080/ + ProxyPassReverse / http://localhost:8080/ + + SSLEngine on + SSLRequireSSL + + SSLCertificateFile /www/some-domain/cert/some-domain.cert + SSLCertificateKeyFile /www/some-domain/cert/some-domain.key + +\end{alltt} + +First, a virtual host is added to Apache's configuration file. This +virtual host listens for incoming connections on port 443, which is +the standard port for encrypted HTTP traffic. \texttt{SSLRequireSSL} +ensures that server accepts encrypted connections only. + +In terms of the Apache documentation, the the web-server acts as a so +called \textit{reverse proxy}. The option \texttt{ProxyRequests} has +a misleading name. Setting this option to off does only turns off +Apache's facility to act as a \textit{forward proxy} and has no effect +on the configuration directives for reverse proxies. 
Actually, +turning on \texttt{ProxyRequests} is dangerous, because this turns +Apache into a proxy server that can be used from anywhere to access +any site that is accessible to the Apache server. + +In this setting, all requests get forwarded to a SUNet web-server +which listens for incoming connections on localhost port 8080 only, +thus, it is not reachable from a remote machine. Apache forwards all +requests to the host and port specified by the \texttt{ProxyPass} +directive. \texttt{ProxyPassReverse} specifies how +\texttt{Location}-Header fields of HTTP redirect messages send by the +SUNet server are translated. + %%% Local Variables: %%% mode: latex %%% TeX-master: "man"
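Review bot: The \begin{alltt} excerpt never opens or closes the virtual host, yet the prose right after it says "This virtual host listens for incoming connections on port 443"; the example is not usable as written unless the reader already knows to wrap it in a `<VirtualHost ...:443>` ... `</VirtualHost>` pair, so add those lines (and a matching `Listen 443` if the base configuration does not have one) so the excerpt is self-contained. Two wording points in the same section: "using the cryptographic algorithm provided by an implementation of the \textit{secure socket layer}" should be "cryptographic protocol" (SSL is a protocol, not a single algorithm), and the sentence on \texttt{SSLRequireSSL} is slightly off: it is \texttt{SSLEngine on} that makes the port-443 host speak SSL, while \texttt{SSLRequireSSL} refuses to serve the protected resources over plain HTTP, which only matters if the same configuration also serves them on port 80; stating that makes it clear why both directives are present. The reverse-proxy paragraph correctly flags that \texttt{ProxyRequests on} would turn the server into an open forward proxy; it would help to add that the backend receives the request as plain HTTP from 127.0.0.1 and should therefore bind to the loopback address only, as the text assumes but the excerpt does not show. Finally, typos to fix before this leaves draft status: "the the web-server", "does only turns off" (should read "only turns off"), "ensures that server accepts" (missing "the"), and "redirect messages send by" (should be "sent by").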