<div dir="ltr"><font color="#000000">Thanks for the tip,</font><div><font color="#000000"><br></font></div><div><font color="#000000">I tried adding the headers on the proxy and sslheaderhandler on the server but now I get:</font></div><div><font color="#000000"><br></font></div><div><span class="im"><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">UT005028: Proxy request to /<u></u><u></u></font></p></span><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">java.io.IOException: UT001000: Connection closed<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">               at io.undertow.client.http.HttpClientConnection$ClientReadListener.handleEvent(HttpClientConnection.java:415)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">               at io.undertow.client.http.HttpClientConnection$ClientReadListener.handleEvent(HttpClientConnection.java:372)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">               at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">               at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">               at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1045)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">               at 
io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:225)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">               at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:560)<u></u><u></u></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">               at org.xnio.nio.WorkerThread.run(WorkerThread.java:462)</font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"><br></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">On the proxy when I make the request to the proxy from a browser. I take it this means there&#39;s a problem on the back end? But when I get to the back end directly it works fine. Any more tips would be appreciated.</font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000"><br></font></p><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-family:Calibri,sans-serif"><font color="#000000">Thanks</font></p></div><div class="gmail_extra"><font color="#000000"><br></font><div class="gmail_quote"><font color="#000000">On Wed, Sep 16, 2015 at 1:45 AM, Stuart Douglas <span dir="ltr">&lt;<a href="mailto:sdouglas@redhat.com" target="_blank">sdouglas@redhat.com</a>&gt;</span> wrote:<br></font><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><font color="#000000">If you want to use client-cert mode with a proxy you need to actually send the cert as a header (otherwise you would need a 1:1 mapping between front and back end connections).<br>
<br>
Basically on the backend server you need to have an io.undertow.server.handlers.SSLHeaderHandler installed, this will look for the headers and set up the appropriate SSL structures (don&#39;t install this handler on an internet facing server).<br>
<br>
In your proxy server you then need to add the following code:<br>
<br>
<br>
        proxyHandler.addRequestHeader(Headers.SSL_CLIENT_CERT, &quot;%{SSL_CLIENT_CERT}&quot;);<br>
        proxyHandler.addRequestHeader(Headers.SSL_CIPHER, &quot;%{SSL_CIPHER}&quot;);<br>
        proxyHandler.addRequestHeader(Headers.SSL_SESSION_ID, &quot;%{SSL_SESSION_ID}&quot;);<br>
<br>
(I really should add a simpler way of doing this).<br>
<br>
Now the certificate information will be sent on every request as a header, and the backend server can deal with it as normal. This also means you don&#39;t have to use HTTPS for the connection to the backend server.<br>
<span class="im HOEnZb"><br>
Stuart<br>
<br>
<br>
----- Original Message -----<br>
&gt; From: &quot;Devl Devel&quot; &lt;<a href="mailto:devl.development@gmail.com">devl.development@gmail.com</a>&gt;<br>
</span></font><div class="HOEnZb"><div class="h5"><font color="#000000">&gt; To: &quot;Stuart Douglas&quot; &lt;<a href="mailto:sdouglas@redhat.com">sdouglas@redhat.com</a>&gt;<br>
&gt; Cc: <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>
&gt; Sent: Wednesday, 16 September, 2015 12:59:55 AM<br>
&gt; Subject: Re: [undertow-dev] Some help on Reverse Proxy Server<br>
&gt;<br>
&gt; Hi Stuart<br>
&gt;<br>
&gt; Thanks for this. I tried the example with a proxy server that has a valid<br>
&gt; ssl context, byte buffer slice pool, undertow xnio ssl with worker, and<br>
&gt; load balancing proxy client as per your example. Using 1.2.12.Final<br>
&gt;<br>
&gt; On the receiving webserver (which works fine with other https: and other<br>
&gt; SSL requests) I have enabled SSLCLientMode.Required and other settings<br>
&gt; similar to DefaultServer.  This works when I go direct to the webserver in<br>
&gt; the browser - I can use it normally but when I use the proxy and issue a<br>
&gt; https request I get:<br>
&gt;<br>
&gt; ERROR proxy - UT005028: Proxy request to / failed<br>
&gt;<br>
&gt; java.io.IOException: overflow<br>
&gt;<br>
&gt;                at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:801)<br>
&gt;                at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:336)<br>
&gt;                at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:321)<br>
&gt;                at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:573)<br>
&gt;                at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)<br>
&gt;                at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)<br>
&gt;                at io.undertow.client.http.HttpClientConnection.initiateRequest(HttpClientConnection.java:299)<br>
&gt;                at io.undertow.client.http.HttpClientConnection.sendRequest(HttpClientConnection.java:228)<br>
&gt;                at io.undertow.server.handlers.proxy.ProxyHandler$ProxyAction.run(ProxyHandler.java:502)<br>
&gt;                at io.undertow.util.SameThreadExecutor.execute(SameThreadExecutor.java:35)<br>
&gt;                at io.undertow.server.HttpServerExchange.dispatch(HttpServerExchange.java:759)<br>
&gt;                at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:269)<br>
&gt;                at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:245)<br>
&gt;                at io.undertow.server.handlers.proxy.ProxyConnectionPool.connectionReady(ProxyConnectionPool.java:292)<br>
&gt;                at io.undertow.server.handlers.proxy.ProxyConnectionPool.access$800(ProxyConnectionPool.java:54)<br>
&gt;                at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:245)<br>
&gt;                at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:233)<br>
&gt;                at io.undertow.client.http.HttpClientProvider.handleConnected(HttpClientProvider.java:163)<br>
&gt;                at io.undertow.client.http.HttpClientProvider.access$000(HttpClientProvider.java:50)<br>
&gt;                at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:126)<br>
&gt;                at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:123)<br>
&gt;                at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)<br>
&gt;                at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:312)<br>
&gt;                at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:294)<br>
&gt;                at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)<br>
&gt;                at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:324)<br>
&gt;                at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; Will the proxy forward the browser cert to the webserver or is there some<br>
&gt; other cause? I cannot share any code but any pointers are appreciated.<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; Thanks<br>
&gt;<br>
&gt; Devl<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; On Mon, Sep 14, 2015 at 2:17 AM, Stuart Douglas &lt;<a href="mailto:sdouglas@redhat.com">sdouglas@redhat.com</a>&gt; wrote:<br>
&gt;<br>
&gt; &gt; An example of this can be found in this test:<br>
&gt; &gt;<br>
&gt; &gt;<br>
&gt; &gt; <a href="https://github.com/undertow-io/undertow/blob/master/core/src/test/java/io/undertow/server/handlers/proxy/LoadBalancingProxyHttpsTestCase.java" rel="noreferrer" target="_blank">https://github.com/undertow-io/undertow/blob/master/core/src/test/java/io/undertow/server/handlers/proxy/LoadBalancingProxyHttpsTestCase.java</a><br>
&gt; &gt;<br>
&gt; &gt; Stuart<br>
&gt; &gt;<br>
&gt; &gt; ----- Original Message -----<br>
&gt; &gt; &gt; From: &quot;Devl Devel&quot; &lt;<a href="mailto:devl.development@gmail.com">devl.development@gmail.com</a>&gt;<br>
&gt; &gt; &gt; To: <a href="mailto:undertow-dev@lists.jboss.org">undertow-dev@lists.jboss.org</a><br>
&gt; &gt; &gt; Sent: Saturday, 12 September, 2015 12:00:48 AM<br>
&gt; &gt; &gt; Subject: [undertow-dev] Some help on Reverse Proxy Server<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; At present the git example for Reverse Proxy is a non https/ssl example.<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; <a href="https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/reverseproxy/ReverseProxyServer.java" rel="noreferrer" target="_blank">https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/reverseproxy/ReverseProxyServer.java</a><br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; Please can you help with an example using SSL and https?<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; I take it the .addHost( new URI ( &quot; <a href="http://localhost:8081" rel="noreferrer" target="_blank">http://localhost:8081</a> &quot; ) method<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; needs an XNioSSL object to work with https redirection? If so, please<br>
&gt; &gt; can<br>
&gt; &gt; &gt; you provide an example of how to configure this?<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt; Thanks<br>
&gt; &gt; &gt; Devl<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt; &gt;<br>
&gt; &gt;<br>
&gt;<br>
</font></div></div></blockquote></div><br></div></div>
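Stuart's reply above says SSLHeaderHandler must not be installed on an internet-facing server, because it builds the TLS client identity from plain request headers. The following is an added example, not code from the thread or from the Undertow project, showing one way to enforce that on both tiers; the class name ForwardedCertGuards, its method names and the proxyAddress parameter are assumptions made for illustration.

```java
import io.undertow.Handlers;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.SSLHeaderHandler;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;

// Hypothetical helper class (not part of Undertow): guards around the
// header-based client-cert forwarding described in the thread.
public final class ForwardedCertGuards {

    // The three headers the proxy is told to add in the reply above.
    private static final HttpString[] CERT_HEADERS = {
        Headers.SSL_CLIENT_CERT, Headers.SSL_CIPHER, Headers.SSL_SESSION_ID
    };

    private ForwardedCertGuards() {
    }

    /**
     * Proxy side: remove any copies of the certificate headers that the
     * browser itself sent, so only values set by the proxy reach the backend.
     * Wrap the configured ProxyHandler with this before registering it.
     */
    public static HttpHandler stripInbound(final HttpHandler proxyHandler) {
        return exchange -> {
            for (HttpString header : CERT_HEADERS) {
                exchange.getRequestHeaders().remove(header);
            }
            proxyHandler.handleRequest(exchange);
        };
    }

    /**
     * Backend side: SSLHeaderHandler trusts whatever the headers say, so it
     * is reachable only from the proxy's address; every other peer is
     * rejected before the headers are read.
     * proxyAddress is an assumed deployment value, e.g. "10.0.0.5".
     */
    public static HttpHandler backend(final HttpHandler application,
                                      final String proxyAddress) {
        return Handlers.ipAccessControl(new SSLHeaderHandler(application), false)
                .addAllow(proxyAddress);
    }
}
```

The address filter checks the TCP peer, so it only helps when the backend listener is not reachable through another proxy or NAT hop that shares the allowed address.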