^

rsw@jfet.org

• 200812 ( 1)
• 200811 ( 2)
• 200809 ( 1)
• 200808 ( 1)
• 200806 ( 2)
• 200805 ( 2)
• 200804 ( 2)
• 200803 ( 5)
• 200802 ( 4)
• 200801 ( 1)
• 200712 ( 5)
• 200711 ( 3)
• 200709 ( 1)
• 200706 ( 1)
• 200704 ( 4)
• 200703 ( 1)
• 200702 ( 3)
• 200701 ( 5)
• 200612 ( 3)
• 200610 ( 2)
• 200609 ( 2)
• 200608 ( 3)
• 200607 (10)
• 200606 (10)
• 200605 ( 9)
• 200604 ( 7)
• 200603 ( 9)
• 200602 (11)
• 200601 (26)
• 200512 (20)
• 200511 (22)
• 200510 (19)
• 200509 (13)
• 200508 ( 2)
• 200507 ( 3)
• 200506 ( 7)
• 200505 (26)
• 200504 ( 9)
• 200503 (15)
• 200502 (20)
• 200501 (28)
• 200412 (16)
• 200411 ( 5)
• 200410 (18)
• 200409 ( 7)
• all

blogroll

• Amrys
• Anna
• Ariel
• Brittany
• Christine
• Cyrus
• Gautham
• Hippo
• Issel
• Jack
• Jeff
• Jim
• Johnston
• Kristin
• Mar
• May
• Mich
• Michelle
• Rodin
• Russ
• Sam
• Stephanie
• Wax0r
• Woz

mod_proxy + openssl s_client

At the gym today, I was ruminating on how to run both an HTTPS and an SSH server on port 443 of a machine so as to allow it to both serve secure content and function as the outside endpoint for proxy tunnels which exploit open HTTPS access and/or HTTPS CONNECT tunnels.

Until earlier today, I'd completely forgotten about Apache's mod_proxy, a cute little module that provides basic proxy functionality from Apache. Clearly, this little honey is exactly what we want, though: a proxy server which supports CONNECT and runs in parallel with your HTTP server.

Setup is extremely easy on the server side. For you debian users, make the appropriate symblinks in /etc/apache2/mods-enabled and edit /etc/apache2/mods-available/proxy.conf as appropriate.

You can telnet to port 80 and verify that CONNECT works as expected. Now, give it a whirl using the OpenSSL binary (openssl s_client -connect yourserver:443 -nbio -quiet is a good start) and you'll be disappointed. Yup, there's a bug in mod_proxy_connect that makes it bypass HTTPS and just dump unencrypted data directly on the socket once the CONNECT session starts. Never fear, however, for that same link has the patch you'll need to fix it. apt-get build-dep apache2, apt-get source apache2, cd into upstream/tarballs, untar it, apply the patch, tar it back up, and dpkg-buildpackage -rfakeroot -b.

Now, armed with your hot new Apache build, you're ready to take on the world. The only thing left is a daemon for the client side. Mine is called sprox.pl. I decided to use a wrapper around the openssl binary because I found that IO::Socket::SSL is substantially slower.

[ permalink | 0 comments (add one you lazy bastard!) ]