<div dir="ltr"><font color="#000000">Thanks for the tip,</font><div><font color="#000000"><br></font></div><div><font color="#000000">I tried adding the headers on the proxy and sslheaderhandler on the server but now I get:</font></div><div><font color="#000000"><br></font></div><div><span class="im"><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">UT005028: Proxy request to /<u></u><u></u></font></p></span><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">java.io.IOException: UT001000: Connection closed<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"> at io.undertow.client.http.HttpClientConnection$ClientReadListener.handleEvent(HttpClientConnection.java:415)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"> at io.undertow.client.http.HttpClientConnection$ClientReadListener.handleEvent(HttpClientConnection.java:372)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"> at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"> at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1045)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"> at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:225)<u></u><u></u></font></p><p 
class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"> at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:560)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"> at org.xnio.nio.WorkerThread.run(WorkerThread.java:462)</font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"><br></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">On the proxy when I make the request to the proxy from a browser. I take it this means there's a problem on the back end? But when I get to the back end directly it works fine. Any more tips would be appreciated.</font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"><br></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">Thanks</font></p></div><div class="gmail_extra"><font color="#000000"><br></font><div class="gmail_quote"><font color="#000000">On Wed, Sep 16, 2015 at 1:45 AM, Stuart Douglas <span dir="ltr"><<a href="mailto:sdouglas@redhat.com" target="_blank">sdouglas@redhat.com</a>></span> wrote:<br></font><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font color="#000000">If you want to use client-cert mode with a proxy you need to actually send the cert as a header (otherwise you would need a 1:1 mapping between front and back end connections).<br>
<br>
Basically on the backend server you need to have a io.undertow.server.handlers.SSLHeaderHandler installed, this will look for the headers and set up the appropriate SSL structures (don't install this handler on an internet facing server).<br>
<br>
In your proxy server you then need to add the following code:<br>
<br>
<br>
proxyHandler.addRequestHeader(Headers.SSL_CLIENT_CERT, "%{SSL_CLIENT_CERT}");<br>
proxyHandler.addRequestHeader(Headers.SSL_CIPHER, "%{SSL_CIPHER}");<br>
proxyHandler.addRequestHeader(Headers.SSL_SESSION_ID, "%{SSL_SESSION_ID}");<br>
<br>
(I really should add a simpler way of doing this).<br>
<br>
Now the certificate information will be sent on every request as a header, and the backend server can deal with it as normal. This also means you don't have to use HTTPS for the connection to the backend server.<br>
<span class="im HOEnZb"><br>
Stuart<br>
<br>
<br>
----- Original Message -----<br>
> From: "Devl Devel" <<a href="mailto:devl.development@gmail.com">devl.development@gmail.com</a>><br>
</span></font><div class="HOEnZb"><div class="h5"><font color="#000000">> To: "Stuart Douglas" <<a href="mailto:sdouglas@redhat.com">sdouglas@redhat.com</a>><br>
> Cc: <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>
> Sent: Wednesday, 16 September, 2015 12:59:55 AM<br>
> Subject: Re: [undertow-dev] Some help on Reverse Proxy Server<br>
><br>
> Hi Stuart<br>
><br>
> Thanks for this. I tried the example with a proxy server that has a valid<br>
> ssl context, byte buffer slice pool, undertow xnio ssl with worker, and<br>
> load balancing proxy client as per your example. Using 1.2.12.Final<br>
><br>
> On the receiving webserver (which works fine with other https: and other<br>
> SSL requests) I have enabled SSLCLientMode.Required and other settings<br>
> similar to DefaultServer. This works when I go direct to the webserver in<br>
> the browser - I can use it normally but when I use the proxy and issue a<br>
> https request I get:<br>
><br>
> ERROR proxy - UT005028: Proxy request to / failed<br>
><br>
> java.io.IOException: overflow<br>
> at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:801)<br>
> at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:336)<br>
> at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:321)<br>
> at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:573)<br>
> at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)<br>
> at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)<br>
> at io.undertow.client.http.HttpClientConnection.initiateRequest(HttpClientConnection.java:299)<br>
> at io.undertow.client.http.HttpClientConnection.sendRequest(HttpClientConnection.java:228)<br>
> at io.undertow.server.handlers.proxy.ProxyHandler$ProxyAction.run(ProxyHandler.java:502)<br>
> at io.undertow.util.SameThreadExecutor.execute(SameThreadExecutor.java:35)<br>
> at io.undertow.server.HttpServerExchange.dispatch(HttpServerExchange.java:759)<br>
> at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:269)<br>
> at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:245)<br>
> at io.undertow.server.handlers.proxy.ProxyConnectionPool.connectionReady(ProxyConnectionPool.java:292)<br>
> at io.undertow.server.handlers.proxy.ProxyConnectionPool.access$800(ProxyConnectionPool.java:54)<br>
> at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:245)<br>
> at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:233)<br>
> at io.undertow.client.http.HttpClientProvider.handleConnected(HttpClientProvider.java:163)<br>
> at io.undertow.client.http.HttpClientProvider.access$000(HttpClientProvider.java:50)<br>
> at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:126)<br>
> at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:123)<br>
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)<br>
> at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:312)<br>
> at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:294)<br>
> at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)<br>
> at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:324)<br>
> at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)<br>
><br>
> Will the proxy forward the browser cert to the webserver or is there some<br>
> other cause? I cannot share any code but any pointers are appreciated.<br>
><br>
><br>
><br>
> Thanks<br>
><br>
> Devl<br>
><br>
><br>
><br>
> On Mon, Sep 14, 2015 at 2:17 AM, Stuart Douglas <<a href="mailto:sdouglas@redhat.com">sdouglas@redhat.com</a>> wrote:<br>
><br>
> > An example of this can be found in this test:<br>
> ><br>
> ><br>
> > <a href="https://github.com/undertow-io/undertow/blob/master/core/src/test/java/io/undertow/server/handlers/proxy/LoadBalancingProxyHttpsTestCase.java" rel="noreferrer" target="_blank">https://github.com/undertow-io/undertow/blob/master/core/src/test/java/io/undertow/server/handlers/proxy/LoadBalancingProxyHttpsTestCase.java</a><br>
> ><br>
> > Stuart<br>
> ><br>
> > ----- Original Message -----<br>
> > > From: "Devl Devel" <<a href="mailto:devl.development@gmail.com">devl.development@gmail.com</a>><br>
> > > To: <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>
> > > Sent: Saturday, 12 September, 2015 12:00:48 AM<br>
> > > Subject: [undertow-dev] Some help on Reverse Proxy Server<br>
> > ><br>
> > > At present the git example for Reverse Proxy is a non https/ssl example.<br>
> > ><br>
> > ><br>
> > ><br>
> > <a href="https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/reverseproxy/ReverseProxyServer.java" rel="noreferrer" target="_blank">https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/reverseproxy/ReverseProxyServer.java</a><br>
> > ><br>
> > > Please can you help with an example using SSL and https?<br>
> > ><br>
> > > I take it the .addHost( new URI ( " <a href="http://localhost:8081" rel="noreferrer" target="_blank">http://localhost:8081</a> " ) method<br>
> > ><br>
> > > needs an XNioSSL object to work with https redirection? If so, please<br>
> > can<br>
> > > you provide an example of how to configure this?<br>
> > ><br>
> > > Thanks<br>
> > > Devl<br>
</font></div></div></blockquote></div><br></div></div>
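<p>The backend arrangement described in the quoted reply, with the "don't install this handler on an internet facing server" caveat enforced in code. This is an added example, not code from the thread or from the Undertow project. The class name, the proxy address 127.0.0.1 and port 8081 are assumptions, and <code>setStatusCode</code> assumes Undertow 1.3 or later (1.2.x names it <code>setResponseCode</code>).</p>

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.SSLSessionInfo;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.server.handlers.SSLHeaderHandler;
import io.undertow.util.StatusCodes;

import javax.net.ssl.SSLPeerUnverifiedException;
import java.security.cert.X509Certificate;

public class BackendBehindProxy {
    // Assumption: the proxy runs on the same host and is the only peer
    // that is allowed to reach this listener.
    static final String PROXY_ADDRESS = "127.0.0.1";
    static final int BACKEND_PORT = 8081;

    public static void main(String[] args) {
        // Application handler: sees the certificate the proxy forwarded.
        HttpHandler app = exchange -> {
            SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
            try {
                if (ssl == null) {
                    throw new SSLPeerUnverifiedException("no SSL_* headers on request");
                }
                X509Certificate leaf = (X509Certificate) ssl.getPeerCertificates()[0];
                exchange.getResponseSender().send(
                        "client: " + leaf.getSubjectX500Principal().getName());
            } catch (SSLPeerUnverifiedException e) {
                // No certificate was forwarded: refuse instead of serving anonymously.
                exchange.setStatusCode(StatusCodes.FORBIDDEN);
                exchange.getResponseSender().send("client certificate required");
            }
        };

        // SSLHeaderHandler turns the SSL_CLIENT_CERT, SSL_CIPHER and SSL_SESSION_ID
        // headers into SSL session info, so it trusts whoever sends them.
        HttpHandler withHeaders = new SSLHeaderHandler(app);

        // Refuse every peer except the proxy before those headers are read.
        HttpHandler root = new IPAddressAccessControlHandler(withHeaders)
                .setDefaultAllow(false)
                .addAllow(PROXY_ADDRESS);

        Undertow.builder()
                .addHttpListener(BACKEND_PORT, PROXY_ADDRESS) // loopback only, plain HTTP
                .setHandler(root)
                .build()
                .start();
    }
}
```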