If you want to use client-cert mode with a proxy you need to actually send the cert as a
header (otherwise you would need a 1:1 mapping between front and back end connections).
Basically on the backend server you need to have an
io.undertow.server.handlers.SSLHeaderHandler installed; this will look for the headers and
set up the appropriate SSL structures (don't install this handler on an internet-facing
server).
In your proxy server you then need to add the following code:
proxyHandler.addRequestHeader(Headers.SSL_CLIENT_CERT, "%{SSL_CLIENT_CERT}");
proxyHandler.addRequestHeader(Headers.SSL_CIPHER, "%{SSL_CIPHER}");
proxyHandler.addRequestHeader(Headers.SSL_SESSION_ID, "%{SSL_SESSION_ID}");
(I really should add a simpler way of doing this).
Now the certificate information will be sent on every request as a header, and the backend
server can deal with it as normal. This also means you don't have to use HTTPS for the
connection to the backend server.
Stuart
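As an added example (not Stuart's code and not Undertow's own test), here are the two halves of the setup described above in one place: a loopback-only backend behind SSLHeaderHandler, and a TLS-terminating proxy that requires a client cert and forwards it as headers. The port numbers, the use of the ExchangeAttribute INSTANCE constants instead of the "%{...}" strings, the 1.2-era ProxyHandler constructor, and setSocketOption as the way to set the client-auth mode on the listener are my assumptions; sslContext is supplied by the caller.

```java
import io.undertow.Undertow;
import io.undertow.attribute.SslCipherAttribute;
import io.undertow.attribute.SslClientCertAttribute;
import io.undertow.attribute.SslSessionIdAttribute;
import io.undertow.server.HttpHandler;
import io.undertow.server.SSLSessionInfo;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.SSLHeaderHandler;
import io.undertow.server.handlers.proxy.LoadBalancingProxyClient;
import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.util.Headers;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;
import javax.net.ssl.SSLContext;
import java.net.URI;
import java.security.cert.X509Certificate;

public class ClientCertProxyExample {
    // Backend: plain HTTP on loopback only (port assumed). SSLHeaderHandler trusts the
    // SSL-Client-Cert / SSL-Cipher / SSL-Session-Id headers to rebuild the SSL session
    // info, so nothing but the proxy may reach this listener (never internet-facing).
    static Undertow backend() {
        HttpHandler app = exchange -> {
            SSLSessionInfo ssl = exchange.getConnection().getSslSessionInfo();
            if (ssl == null) { exchange.setStatusCode(401); return; } // no cert forwarded
            X509Certificate cert = (X509Certificate) ssl.getPeerCertificates()[0];
            exchange.getResponseSender().send("hello " + cert.getSubjectX500Principal());
        };
        return Undertow.builder()
                .addHttpListener(8081, "127.0.0.1")
                .setHandler(new SSLHeaderHandler(app))
                .build();
    }
    // Front end: terminates TLS, requires a client cert, and copies cert, cipher and
    // session id into headers on every proxied request (plain HTTP to the backend).
    static Undertow proxy(SSLContext sslContext) throws Exception {
        LoadBalancingProxyClient client = new LoadBalancingProxyClient()
                .addHost(new URI("http://127.0.0.1:8081"));
        ProxyHandler proxyHandler = new ProxyHandler(client, 30000, ResponseCodeHandler.HANDLE_404);
        proxyHandler.addRequestHeader(Headers.SSL_CLIENT_CERT, SslClientCertAttribute.INSTANCE)
                .addRequestHeader(Headers.SSL_CIPHER, SslCipherAttribute.INSTANCE)
                .addRequestHeader(Headers.SSL_SESSION_ID, SslSessionIdAttribute.INSTANCE);
        return Undertow.builder()
                .addHttpsListener(8443, "0.0.0.0", sslContext)
                .setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUIRED)
                .setHandler(proxyHandler)
                .build();
    }
}
```

Start backend().start() before proxy(ctx).start(); a browser hitting port 8443 with a client cert should then get the backend's greeting with the cert subject, while a request to 8081 without the headers gets 401.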
----- Original Message -----
From: "Devl Devel" <devl.development(a)gmail.com>
To: "Stuart Douglas" <sdouglas(a)redhat.com>
Cc: undertow-dev(a)lists.jboss.org
Sent: Wednesday, 16 September, 2015 12:59:55 AM
Subject: Re: [undertow-dev] Some help on Reverse Proxy Server
Hi Stuart
Thanks for this. I tried the example with a proxy server that has a valid
ssl context, byte buffer slice pool, undertow xnio ssl with worker, and
load balancing proxy client as per your example. Using 1.2.12.Final
On the receiving webserver (which works fine with other https: and other
SSL requests) I have enabled SSLCLientMode.Required and other settings
similar to DefaultServer. This works when I go direct to the webserver in
the browser - I can use it normally but when I use the proxy and issue a
https request I get:
ERROR proxy - UT005028: Proxy request to / failed
java.io.IOException: overflow
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:801)
    at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:336)
    at io.undertow.client.http.HttpRequestConduit.processWrite(HttpRequestConduit.java:321)
    at io.undertow.client.http.HttpRequestConduit.flush(HttpRequestConduit.java:573)
    at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.flush(AbstractFixedLengthStreamSinkConduit.java:229)
    at org.xnio.conduits.ConduitStreamSinkChannel.flush(ConduitStreamSinkChannel.java:162)
    at io.undertow.client.http.HttpClientConnection.initiateRequest(HttpClientConnection.java:299)
    at io.undertow.client.http.HttpClientConnection.sendRequest(HttpClientConnection.java:228)
    at io.undertow.server.handlers.proxy.ProxyHandler$ProxyAction.run(ProxyHandler.java:502)
    at io.undertow.util.SameThreadExecutor.execute(SameThreadExecutor.java:35)
    at io.undertow.server.HttpServerExchange.dispatch(HttpServerExchange.java:759)
    at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:269)
    at io.undertow.server.handlers.proxy.ProxyHandler$ProxyClientHandler.completed(ProxyHandler.java:245)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool.connectionReady(ProxyConnectionPool.java:292)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool.access$800(ProxyConnectionPool.java:54)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:245)
    at io.undertow.server.handlers.proxy.ProxyConnectionPool$1.completed(ProxyConnectionPool.java:233)
    at io.undertow.client.http.HttpClientProvider.handleConnected(HttpClientProvider.java:163)
    at io.undertow.client.http.HttpClientProvider.access$000(HttpClientProvider.java:50)
    at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:126)
    at io.undertow.client.http.HttpClientProvider$2.handleEvent(HttpClientProvider.java:123)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:312)
    at io.undertow.protocols.ssl.UndertowXnioSsl$StreamConnectionChannelListener.handleEvent(UndertowXnioSsl.java:294)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.nio.WorkerThread$ConnectHandle.handleReady(WorkerThread.java:324)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
Will the proxy forward the browser cert to the webserver or is there some
other cause? I cannot share any code but any pointers are appreciated.
Thanks
Devl
On Mon, Sep 14, 2015 at 2:17 AM, Stuart Douglas <sdouglas(a)redhat.com> wrote:
> An example of this can be found in this test:
>
>
>
https://github.com/undertow-io/undertow/blob/master/core/src/test/java/io...
>
> Stuart
>
> ----- Original Message -----
> > From: "Devl Devel" <devl.development(a)gmail.com>
> > To: undertow-dev(a)lists.jboss.org
> > Sent: Saturday, 12 September, 2015 12:00:48 AM
> > Subject: [undertow-dev] Some help on Reverse Proxy Server
> >
> > At present the git example for Reverse Proxy is a non https/ssl example.
> >
> >
> >
>
https://github.com/undertow-io/undertow/blob/master/examples/src/main/jav...
> >
> > Please can you help with an example using SSL and https?
> >
> > I take it the .addHost( new URI ( "http://localhost:8081" ) method
> >
> > needs an XNioSSL object to work with https redirection? If so, please
> can
> > you provide an example of how to configure this?
> >
> > Thanks
> > Devl