Problem with Reverse non-SSL proxy to SSL website using proxy chain
I am trying to configure SJSWProxy v4.0.3 to be a non-SSL proxy that has a regular mapping to an SSL website. The problem is that I need to make the request via an upstream forward proxy (proxy chain). The issue seems to be that the http client in the proxy is not making a CONNECT request to the upstream proxy. Instead, it is making a GET request with an absolute URL. The upstream proxy is rejecting this request with a 400 response.
A forward proxy is needed to reproduce the problem. Starting with a new proxy instance that has not had its configuration changed yet, add a NameTrans for the regular mapping such as:
NameTrans fn="map" from="/" to="https://www.verisign.com" rewrite-host="true"
Then add the forward proxy details to the "https:.*" object:
Route fn="set-proxy-server" server="192.168.1.100:8080"
After a restart, make a request to the reverse proxy for the root document.
In my case I see the reverse proxy making a request that begins with:
GET https://www.verisign.com/ HTTP/1.1
to which the forward proxy responds:
HTTP/1.0 400 Bad Request
To make this work I am expecting to see something like:
CONNECT www.verisign.com:443 HTTP/1.0
which should result in a response of:
HTTP/1.0 200 Connection established
Would anyone have an insight into how to make this work?
[1380 byte] By [webappdeva] at [2007-11-26 18:44:18]

# 2
Thanks for your assistance.
The forward proxy is a Cisco Content Engine appliance.
I don't understand what you mean by a client receiving a CONNECT response. I am trying to have the browser make a non-SSL GET request to the SJSW reverse proxy which represents my intranet site. There are many mappings, some of which are to https servers. The problem is that to access the problem https server I need to go through a forward proxy. To do this I need the reverse proxy to initiate the SSL connection to the https server by tunnelling it through the forward proxy using the CONNECT method. I need the tunnel so that my reverse proxy is the SSL endpoint, as I can't have the forward proxy be the SSL endpoint.
If I set my browser up to use the forward proxy and then try to access the https server I see a CONNECT request go out, thus a tunnel is established through the forward proxy. Since I need the https server to be accessed through my reverse proxy I need the reverse proxy to make the same type of request.
Here are the headers that I captured for the browser talking http to the SJSW Proxy v4.03 reverse proxy which has the regular mapping I described in the first post to an https server, along with the headers that the reverse proxy sent to the forward proxy.
browser to reverse proxy
========================
GET / HTTP/1.1
Accept: application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)
Host: revproxy.my-site.com:8080
Connection: Keep-Alive
reverse proxy to forward proxy
==============================
GET https://www.verisign.com/ HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Proxy-Server/4.0
Accept: application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)
Host: www.verisign.com
Via: 1.1 proxy-server1
Connection: close
forward proxy response to reverse proxy
======================================
HTTP/1.0 400 Bad Request
Proxy-Connection: Close
reverse proxy response to browser
=================================
HTTP/1.1 400 Bad Request
Server: Sun-Java-System-Web-Proxy-Server/4.0.3
Date: Wed, 21 Feb 2007 22:03:38 GMT
Proxy-connection: Close
Via: 1.0 proxy-server1
Proxy-agent: Sun-Java-System-Web-Proxy-Server/4.0
Transfer-encoding: chunked
Now here are the headers that I captured when a browser makes the request directly through the forward proxy. This is the type of request I need the reverse proxy to make. By the way, the browser is set up to speak HTTP 1.0 through proxies, but that is not relevant to the tunnel request using the CONNECT.
browser to forward proxy
========================
CONNECT www.verisign.com:443 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)
Host: www.verisign.com
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
forward proxy response to browser
=================================
HTTP/1.0 200 Connection established
then the SSL certificate exchange occurs followed by encrypted requests and responses.
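
An added example, not part of the thread and not SJSWProxy or Cisco code: the two request forms captured above, sent from Python to a constructed local stub that stands in for the forward proxy and answers the way the captures show. All function names and the stub are assumptions for illustration; `tls_over_tunnel` shows where the client, not the forward proxy, becomes the SSL endpoint and verifies the origin's certificate.

```python
import socket, ssl, threading

def read_head(sock):
    """Read up to the blank line that ends an HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def stub_forward_proxy():
    """Constructed stand-in for the upstream proxy: 200 for CONNECT, 400 otherwise."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                method = read_head(conn).split(b" ", 1)[0]
                if method == b"CONNECT":
                    conn.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n")
                else:
                    conn.sendall(b"HTTP/1.0 400 Bad Request\r\nProxy-Connection: Close\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def proxy_status(proxy, request):
    """Send a raw request head to the proxy; return (status code, socket)."""
    sock = socket.create_connection(proxy, timeout=5)
    sock.sendall(request)
    status_line = read_head(sock).split(b"\r\n", 1)[0].decode("latin-1")
    return int(status_line.split()[1]), sock

def open_tunnel(proxy, host, port=443):
    """Ask the proxy for a raw TCP tunnel; the proxy only relays bytes afterwards."""
    req = f"CONNECT {host}:{port} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    code, sock = proxy_status(proxy, req)
    if code != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {code}")
    return sock

def tls_over_tunnel(sock, host):
    """TLS handshake end-to-end with the origin; certificate and hostname are verified."""
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
```

Against a real forward proxy, pass its address to `open_tunnel` and hand the returned socket to `tls_over_tunnel` before sending the origin-form `GET / HTTP/1.1` request inside the encrypted channel.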