[undertow-dev] Some help on Reverse Proxy Server

Stuart Douglas sdouglas at redhat.com
Tue Sep 15 20:45:06 EDT 2015


If you want to use client-cert mode with a proxy, you need to actually send the cert as a header (otherwise you would need a 1:1 mapping between front and back end connections).

Basically, on the backend server you need to have an io.undertow.server.handlers.SSLHeaderHandler installed; this will look for the headers and set up the appropriate SSL structures (don't install this handler on an internet-facing server).

In your proxy server you then need to add the following code:


        // forward the front-end TLS client cert, cipher and session id to the backend as request headers
        proxyHandler.addRequestHeader(Headers.SSL_CLIENT_CERT, "%{SSL_CLIENT_CERT}");
        proxyHandler.addRequestHeader(Headers.SSL_CIPHER, "%{SSL_CIPHER}");
        proxyHandler.addRequestHeader(Headers.SSL_SESSION_ID, "%{SSL_SESSION_ID}");

(I really should add a simpler way of doing this).

Now the certificate information will be sent on every request as a header, and the backend server can deal with it as normal. This also means you don't have to use HTTPS for the connection to the backend server. 

Stuart
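The set-up described above, written out end to end as an added example (this is not Stuart's code and not part of the Undertow project): a TLS front end that requires a browser certificate and forwards it as headers, and a plain-HTTP backend that runs SSLHeaderHandler only behind an IP allow-list, so the SSL_* headers are trusted solely when they come from the proxy. The keystore file names, the password, the ports and the 127.0.0.1 allow-list are assumptions for illustration; the header values are built with ExchangeAttributes.parser so that the attribute is evaluated per request rather than sent as a constant string.

```java
// Added example, not from the mailing-list post or the Undertow code base.
// Assumptions: server.jks / truststore.jks with password "password", ports
// 8443 (proxy) and 8081 (backend), proxy and backend on the same host.
import io.undertow.Undertow;
import io.undertow.attribute.ExchangeAttributes;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.RenegotiationRequiredException;
import io.undertow.server.SSLSessionInfo;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.SSLHeaderHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.util.Headers;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class ClientCertProxyExample {

    /** Plain JSSE: our identity from the keystore, accepted client CAs from the truststore. */
    static SSLContext sslContext(String keyStore, String trustStore, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStore)) { ks.load(in, pw); }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStore)) { ts.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Backend application: reads the peer cert the same way it would on a direct TLS connection. */
    static final HttpHandler APP = new HttpHandler() {
        @Override
        public void handleRequest(HttpServerExchange exchange) throws Exception {
            SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
            if (ssl == null) {            // plain HTTP and no SSL_* headers: nothing to trust
                exchange.setResponseCode(403);
                return;
            }
            try {
                Certificate[] chain = ssl.getPeerCertificates();   // from SSL_CLIENT_CERT when proxied
                String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
                exchange.getResponseSender().send("hello " + subject + " via " + ssl.getCipherSuite());
            } catch (SSLPeerUnverifiedException | RenegotiationRequiredException e) {
                exchange.setResponseCode(403);   // no client certificate was presented
            }
        }
    };

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();   // assumption: demo keystore password
        SSLContext serverCtx = sslContext("server.jks", "truststore.jks", pw);

        // Backend: SSLHeaderHandler turns SSL_* headers into SSLSessionInfo, so anyone who can
        // reach it directly could forge a certificate. Bind to loopback and allow only the proxy.
        HttpHandler backend = new IPAddressAccessControlHandler(new SSLHeaderHandler(APP))
                .setDefaultAllow(false)
                .addAllow("127.0.0.1");          // assumption: proxy runs on the same host
        Undertow.builder()
                .addHttpListener(8081, "127.0.0.1")
                .setHandler(backend)
                .build().start();

        // Proxy: terminates TLS, demands a client certificate, forwards cert/cipher/session id.
        ClassLoader cl = ClientCertProxyExample.class.getClassLoader();
        LoadBalancingProxyClient client = new LoadBalancingProxyClient()
                .addHost(new URI("http://127.0.0.1:8081"));
        ProxyHandler proxy = new ProxyHandler(client, 30000, ResponseCodeHandler.HANDLE_404);
        proxy.addRequestHeader(Headers.SSL_CLIENT_CERT, ExchangeAttributes.parser(cl).parse("%{SSL_CLIENT_CERT}"));
        proxy.addRequestHeader(Headers.SSL_CIPHER, ExchangeAttributes.parser(cl).parse("%{SSL_CIPHER}"));
        proxy.addRequestHeader(Headers.SSL_SESSION_ID, ExchangeAttributes.parser(cl).parse("%{SSL_SESSION_ID}"));
        Undertow.builder()
                .addHttpsListener(8443, "0.0.0.0", serverCtx)
                .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)
                .setHandler(proxy)
                .build().start();
    }
}
```

The allow-list is the control that matters: the backend has no way to tell a forged SSL_CLIENT_CERT header from a forwarded one, so it must only be reachable from the proxy. If the proxy-to-backend hop stays on HTTPS instead, remember that the backend's client-auth setting then applies to the proxy's connection, not the browser's; a REQUIRED mode there means the proxy itself has to present a certificate through the XnioSsl passed to addHost(URI, XnioSsl), which is also a sound way to authenticate the proxy to the backend.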


----- Original Message -----
> From: "Devl Devel" <devl.development at gmail.com>
> To: "Stuart Douglas" <sdouglas at redhat.com>
> Cc: undertow-dev at lists.jboss.org
> Sent: Wednesday, 16 September, 2015 12:59:55 AM
> Subject: Re: [undertow-dev] Some help on Reverse Proxy Server
> 
> Hi Stuart
> 
> Thanks for this. I tried the example with a proxy server that has a valid
> ssl context, byte buffer slice pool, undertow xnio ssl with worker, and
> load balancing proxy client as per your example. Using 1.2.12.Final
> 
> On the receiving webserver (which works fine with other https: and other
> SSL requests) I have enabled SSLCLientMode.Required and other settings
> similar to DefaultServer.  This works when I go direct to the webserver in
> the browser - I can use it normally but when I use the proxy and issue a
> https request I get:
> 
> ERROR proxy - UT005028: Proxy request to / failed
> 
> java.io.IOException: overflow
>         at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:801)
>         at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:336)
>         at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:321)
>         at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:573)
>         at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)
>         at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)
>         at io.undertow.client.http.HttpClientConnection.initiateRequest(HttpClientConnection.java:299)
>         at io.undertow.client.http.HttpClientConnection.sendRequest(HttpClientConnection.java:228)
>         at io.undertow.server.handlers.proxy.ProxyHandler$ProxyAction.run(ProxyHandler.java:502)
>         at io.undertow.util.SameThreadExecutor.execute(SameThreadExecutor.java:35)
>         at io.undertow.server.HttpServerExchange.dispatch(HttpServerExchange.java:759)
>         at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:269)
>         at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:245)
>         at io.undertow.server.handlers.proxy.ProxyConnectionPool.connectionReady(ProxyConnectionPool.java:292)
>         at io.undertow.server.handlers.proxy.ProxyConnectionPool.access$800(ProxyConnectionPool.java:54)
>         at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:245)
>         at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:233)
>         at io.undertow.client.http.HttpClientProvider.handleConnected(HttpClientProvider.java:163)
>         at io.undertow.client.http.HttpClientProvider.access$000(HttpClientProvider.java:50)
>         at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:126)
>         at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:123)
>         at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>         at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:312)
>         at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:294)
>         at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>         at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:324)
>         at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
> 
> 
> 
> Will the proxy forward the browser cert to the webserver or is there some
> other cause? I cannot share any code but any pointers are appreciated.
> 
> 
> 
> Thanks
> 
> Devl
> 
> 
> 
> On Mon, Sep 14, 2015 at 2:17 AM, Stuart Douglas <sdouglas at redhat.com> wrote:
> 
> > An example of this can be found in this test:
> >
> >
> > https://github.com/undertow-io/undertow/blob/master/core/src/test/java/io/undertow/server/handlers/proxy/LoadBalancingProxyHttpsTestCase.java
> >
> > Stuart
> >
> > ----- Original Message -----
> > > From: "Devl Devel" <devl.development at gmail.com>
> > > To: undertow-dev at lists.jboss.org
> > > Sent: Saturday, 12 September, 2015 12:00:48 AM
> > > Subject: [undertow-dev] Some help on Reverse Proxy Server
> > >
> > > At present the git example for Reverse Proxy is a non https/ssl example.
> > >
> > >
> > >
> > https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/reverseproxy/ReverseProxyServer.java
> > >
> > > Please can you help with an example using SSL and https?
> > >
> > > I take it the .addHost(new URI("http://localhost:8081")) method
> > > needs an XnioSsl object to work with https redirection? If so, please
> > > can you provide an example of how to configure this?
> > >
> > > Thanks
> > > Devl
> > >
> > >
> > >
> > > _______________________________________________
> > > undertow-dev mailing list
> > > undertow-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/undertow-dev
> >
> 

