7

I followed the example in the following SO question to successfully set up an Apache forwarding proxy: Setting up an Apache Proxy with Authentication

It works well, except that when accessing sites via https, it says it cannot find the site. For example, Chrome gives

Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED): Unknown error.

And on the server, I do not even see anything in the access logs. For my proxy settings, I have configured the same for http and https (i.e. port 80 on my proxy server).

Do you perhaps have an example of how to set up a forward proxy with Apache for https?

Community
mydoghasworms

2 Answers

15

It seems the only thing I was missing is that I had not enabled mod_proxy_connect, which was achieved with:

sudo a2enmod proxy_connect

To quote the mod_proxy_connect documentation page:

This module requires the service of mod_proxy. It provides support for the CONNECT HTTP method. This method is mainly used to tunnel SSL requests through proxy servers.

mydoghasworms
3

Are you attempting to terminate the SSL or just trying to create a forward proxy without handling any SSL certs? The issue that you are having is because during HTTPS proxying, the browser attempts to create an HTTP tunnel and it seems that your server is not correctly configured to handle tunneling. You can see another example here: Implementing a Simple HTTPS Proxy Application.

Here is another helpful thread on proxying HTTPS traffic with HTTP tunneling: Tunnel over HTTPS.

If you can choose something else other than Apache, I would suggest you use a robust forward proxy such as Squid or TrafficServer that are built to handle this type of setup.

Community
Zorayr
  • Firstly, thanks for your answer, though you give me a link to the same SO question I referred to :-) Yes, I am trying to forward all requests, including SSL. Is there a How-to on that? I would look at Squid maybe another time. For now I just want to get it working with Apache, if possible. – mydoghasworms Jun 09 '13 at 11:32
  • Try using iptables for redirecting all traffic going to 443, to your server's HTTPS port. This enables transparent proxying which will not require HTTP tunneling. – Zorayr Jun 09 '13 at 17:51
  • 1
    Also check out: [Set Up Apache Server And SSH Client To Allow Tunneling SSH Over HTTP(S)](http://www.ezunix.org/index.php?title=Set_up_Apache_server_and_SSH_client_to_allow_tunneling_SSH_over_HTTP%28s%29). – Zorayr Jun 09 '13 at 17:53
  • Does Squid or ATS support mutual TLS/SSL or not? Is there any doc/guide you can share on it? Thanks – Baodi Di Jul 14 '21 at 08:56
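
The CONNECT exchange that both answers refer to (the tunnel the browser tries to open, and the method that mod_proxy_connect adds), as an added diagnostic example that is not part of the original posts: it sends a CONNECT request to a proxy and classifies the reply. The function names are hypothetical, and the socketpair standing in for the proxy with its canned reply is constructed for illustration.

```python
import base64
import socket


def build_connect(host, port, userpass=None):
    """CONNECT request a client sends to the proxy before starting TLS to host:port."""
    target = f"{host}:{port}"
    lines = [f"CONNECT {target} HTTP/1.1", f"Host: {target}"]
    if userpass:  # "user:password" for a proxy that uses Basic authentication
        token = base64.b64encode(userpass.encode()).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def read_status(sock, limit=8192):
    """Read the response head from the proxy; return (status code, reason phrase)."""
    head = b""
    while b"\r\n\r\n" not in head and len(head) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        head += chunk
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP response: {head[:60]!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def tunnel_status(sock, host, port=443, userpass=None):
    """Send CONNECT over an already connected socket and classify the reply."""
    sock.sendall(build_connect(host, port, userpass))
    code, reason = read_status(sock)
    return {"code": code, "reason": reason,
            "tunnel_open": 200 <= code < 300,  # proxy accepted the CONNECT method
            "auth_required": code == 407}      # proxy wants Proxy-Authorization


def probe(proxy_host, proxy_port, host, port=443, userpass=None, timeout=5.0):
    """Open a TCP connection to the proxy and test one CONNECT target."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        return tunnel_status(s, host, port, userpass)


if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for the proxy, with a canned reply.
    client, fake_proxy = socket.socketpair()
    fake_proxy.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    print(tunnel_status(client, "example.com"))
    print(fake_proxy.recv(4096).decode())
```

Run against your own proxy with `probe("proxy.example", 80, "example.com")`, where `proxy.example` is a placeholder: a 2xx reply means the CONNECT method is being served, and 407 means the proxy expects credentials.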