Thanks for the tip,

I tried adding the headers on the proxy and the SSLHeaderHandler on the server, but now I get:

UT005028: Proxy request to /

java.io.IOException: UT001000: Connection closed
    at io.undertow.client.http.HttpClientConnection$ClientReadListener.handleEvent(HttpClientConnection.java:415)
    at io.undertow.client.http.HttpClientConnection$ClientReadListener.handleEvent(HttpClientConnection.java:372)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1045)
    at io.undertow.protocols.ssl.SslConduit$1.run(SslConduit.java:225)
    at org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:560)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:462)


on the proxy when I make the request to the proxy from a browser. I take it this means there's a problem on the back end? But when I go to the back end directly it works fine. Any more tips would be appreciated.


Thanks


On Wed, Sep 16, 2015 at 1:45 AM, Stuart Douglas <sdouglas@redhat.com> wrote:
If you want to use client-cert mode with a proxy you need to actually send the cert as a header (otherwise you would need a 1:1 mapping between front and back end connections).

Basically, on the backend server you need to have an io.undertow.server.handlers.SSLHeaderHandler installed. This will look for the headers and set up the appropriate SSL structures (don't install this handler on an internet-facing server).

In your proxy server you then need to add the following code:


        proxyHandler.addRequestHeader(Headers.SSL_CLIENT_CERT, "%{SSL_CLIENT_CERT}");
        proxyHandler.addRequestHeader(Headers.SSL_CIPHER, "%{SSL_CIPHER}");
        proxyHandler.addRequestHeader(Headers.SSL_SESSION_ID, "%{SSL_SESSION_ID}");

(I really should add a simpler way of doing this).

Now the certificate information will be sent on every request as a header, and the backend server can deal with it as normal. This also means you don't have to use HTTPS for the connection to the backend server.

Stuart
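The arrangement Stuart describes, written out end to end as an added example (this is not code from the thread or from the Undertow project). Assumptions: the proxy terminates TLS on 8443 with client-cert authentication required, the backend listens on plain HTTP on loopback port 8081, the keystore/truststore paths and password are placeholders, and the Undertow API of 1.3 or later is used (`ProxyHandler(ProxyClient, int, HttpHandler)`, the three-argument `addRequestHeader` overload that takes a ClassLoader so the `%{...}` attribute is parsed rather than sent as a literal, and `setStatusCode`). The method names `backend`, `proxy`, `loadSslContext` and the class name are hypothetical.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.SSLSessionInfo;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.SSLHeaderHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.util.Headers;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Added example, not code from the thread. Ports, keystore paths and names are assumptions.
public class ClientCertProxyExample {

    // Backend handler: the identity comes from the SSLSessionInfo that SSLHeaderHandler
    // rebuilt from the SSL_CLIENT_CERT / SSL_CIPHER / SSL_SESSION_ID request headers.
    static final HttpHandler APP = exchange -> {
        SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
        if (ssl == null) {                          // no SSL_CLIENT_CERT header reached us
            exchange.setStatusCode(403);
            exchange.getResponseSender().send("client certificate required");
            return;
        }
        try {
            Certificate[] chain = ssl.getPeerCertificates();
            String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
            exchange.getResponseSender().send("hello " + subject + " via " + ssl.getCipherSuite());
        } catch (Exception e) {                     // SSLPeerUnverifiedException, RenegotiationRequiredException
            exchange.setStatusCode(403);
            exchange.getResponseSender().send("certificate not verifiable");
        }
    };

    // The backend trusts the headers, so it is bound to loopback only; it must never face the internet.
    static Undertow backend() {
        return Undertow.builder()
                .addHttpListener(8081, "127.0.0.1")
                .setHandler(new SSLHeaderHandler(APP))
                .build();
    }

    static Undertow proxy(SSLContext serverSsl) throws Exception {
        LoadBalancingProxyClient client = new LoadBalancingProxyClient()
                .addHost(new URI("http://127.0.0.1:8081"))   // plain HTTP hop; the cert travels as headers
                .setConnectionsPerThread(20);
        ProxyHandler proxy = new ProxyHandler(client, 30000, ResponseCodeHandler.HANDLE_404);
        ClassLoader cl = ClientCertProxyExample.class.getClassLoader();
        // Three-argument overload (assumed present): the %{...} attributes are evaluated per request.
        proxy.addRequestHeader(Headers.SSL_CLIENT_CERT, "%{SSL_CLIENT_CERT}", cl);
        proxy.addRequestHeader(Headers.SSL_CIPHER, "%{SSL_CIPHER}", cl);
        proxy.addRequestHeader(Headers.SSL_SESSION_ID, "%{SSL_SESSION_ID}", cl);

        // Strip any SSL_* headers the browser itself sent before proxying, so a forged value can
        // never survive into the backend even if an attribute above resolves to nothing.
        HttpHandler stripForged = exchange -> {
            exchange.getRequestHeaders().remove(Headers.SSL_CLIENT_CERT);
            exchange.getRequestHeaders().remove(Headers.SSL_CIPHER);
            exchange.getRequestHeaders().remove(Headers.SSL_SESSION_ID);
            proxy.handleRequest(exchange);
        };
        return Undertow.builder()
                .addHttpsListener(8443, "0.0.0.0", serverSsl)
                .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)
                .setHandler(stripForged)
                .build();
    }

    // Placeholder PKCS12 loading: server key in keyStorePath, the client-issuing CA in trustStorePath.
    static SSLContext loadSslContext(String keyStorePath, String trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStorePath)) { ks.load(in, password); }
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) { ts.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        backend().start();
        proxy(loadSslContext("proxy.p12", "truststore.p12", "changeit".toCharArray())).start();
    }
}
```

The point to keep in mind with this pattern is that it turns a cryptographic proof (the TLS handshake at the proxy) into a plain header that the backend accepts on trust. Whoever can open a TCP connection to port 8081 can claim any certificate subject they like, so the backend listener has to be reachable only from the proxy (loopback here, or a private network segment), and the proxy has to remove the same header names from inbound browser requests before forwarding, as the `stripForged` handler does. Checking `getSslSessionInfo()` for null on the backend is what catches a request that arrived without the header at all.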


----- Original Message -----
> From: "Devl Devel" <devl.development@gmail.com>
> To: "Stuart Douglas" <sdouglas@redhat.com>
> Cc: undertow-dev@lists.jboss.org
> Sent: Wednesday, 16 September, 2015 12:59:55 AM
> Subject: Re: [undertow-dev] Some help on Reverse Proxy Server
>
> Hi Stuart
>
> Thanks for this. I tried the example with a proxy server that has a valid
> ssl context, byte buffer slice pool, undertow xnio ssl with worker, and
> load balancing proxy client as per your example. Using 1.2.12.Final
>
> On the receiving webserver (which works fine with other https: and other
> SSL requests) I have enabled SSLCLientMode.Required and other settings
> similar to DefaultServer.  This works when I go direct to the webserver in
> the browser - I can use it normally but when I use the proxy and issue a
> https request I get:
>
> ERROR proxy - UT005028: Proxy request to / failed
>
> java.io.IOException: overflow
>     at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:801)
>     at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:336)
>     at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:321)
>     at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:573)
>     at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)
>     at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)
>     at io.undertow.client.http.HttpClientConnection.initiateRequest(HttpClientConnection.java:299)
>     at io.undertow.client.http.HttpClientConnection.sendRequest(HttpClientConnection.java:228)
>     at io.undertow.server.handlers.proxy.ProxyHandler$ProxyAction.run(ProxyHandler.java:502)
>     at io.undertow.util.SameThreadExecutor.execute(SameThreadExecutor.java:35)
>     at io.undertow.server.HttpServerExchange.dispatch(HttpServerExchange.java:759)
>     at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:269)
>     at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:245)
>     at io.undertow.server.handlers.proxy.ProxyConnectionPool.connectionReady(ProxyConnectionPool.java:292)
>     at io.undertow.server.handlers.proxy.ProxyConnectionPool.access$800(ProxyConnectionPool.java:54)
>     at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:245)
>     at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:233)
>     at io.undertow.client.http.HttpClientProvider.handleConnected(HttpClientProvider.java:163)
>     at io.undertow.client.http.HttpClientProvider.access$000(HttpClientProvider.java:50)
>     at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:126)
>     at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:123)
>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>     at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:312)
>     at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:294)
>     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
>     at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:324)
>     at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
>
>
>
> Will the proxy forward the browser cert to the webserver or is there some
> other cause? I cannot share any code but any pointers are appreciated.
>
>
>
> Thanks
>
> Devl
>
>
>
> On Mon, Sep 14, 2015 at 2:17 AM, Stuart Douglas <sdouglas@redhat.com> wrote:
>
> > An example of this can be found in this test:
> >
> >
> > https://github.com/undertow-io/undertow/blob/master/core/src/test/java/io/undertow/server/handlers/proxy/LoadBalancingProxyHttpsTestCase.java
> >
> > Stuart
> >
> > ----- Original Message -----
> > > From: "Devl Devel" <devl.development@gmail.com>
> > > To: undertow-dev@lists.jboss.org
> > > Sent: Saturday, 12 September, 2015 12:00:48 AM
> > > Subject: [undertow-dev] Some help on Reverse Proxy Server
> > >
> > > At present the git example for Reverse Proxy is a non https/ssl example.
> > >
> > >
> > >
> > https://github.com/undertow-io/undertow/blob/master/examples/src/main/java/io/undertow/examples/reverseproxy/ReverseProxyServer.java
> > >
> > > Please can you help with an example using SSL and https?
> > >
> > > I take it the .addHost(new URI("http://localhost:8081")) method
> > >
> > > needs an XnioSsl object to work with https redirection? If so, please
> > can
> > > you provide an example of how to configure this?
> > >
> > > Thanks
> > > Devl
> > >
> > >
> > >
> > > _______________________________________________
> > > undertow-dev mailing list
> > > undertow-dev@lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/undertow-dev
> >
>