Connecting to app through IIRF Proxy results in "partially encrypted" communication

Topics: Developer Forum, Project Management Forum, User Forum
Mar 15, 2011 at 11:22 PM

Hello!

I am trying to create a transparent proxy (reverse proxy). One machine has IIS 6.0 installed and the other one has an Apache server. The IIS machine has the proper SSL certificate installed, so whenever I connect to it through the SSL port (https://mydomain.me) it does the proper proxy and it establishes a good encrypted connection, but when I try to open a bug tracking application that is installed on the Apache machine, it changes to being partially encrypted. This is the IIRf.ini file:

RewriteLog c:\logs\iirf
RewriteLogLevel 1
IterationLimit 10
MaxMatchCount 10
RewriteEngine ON
StatusInquiry ON

ProxyPass          ^/(.*)$   http://192.168.xx.xxx/$1
ProxyPassReverse   /         http://192.168.xx.xxx/

 

and this is the latest log

Mar 15 16:26:37 -   764 - -------------------------------------------------------
Tue Mar 15 16:26:37 -   764 - Ionic ISAPI Rewriting Filter (IIRF) 2.1.1.25 x86 RELEASE
Tue Mar 15 16:26:37 -   764 - IIRF was built on: Jan  7 2011 07:30:24
Tue Mar 15 16:26:37 -   764 - Cached: DLL_PROCESS_ATTACH
Tue Mar 15 16:26:37 -   764 - Cached: Process ID: 3784
Tue Mar 15 16:26:37 -   764 - Cached: DLL_PROCESS_ATTACH - complete
Tue Mar 15 16:26:37 -   764 - Cached: GetFilterVersion
Tue Mar 15 16:26:37 -   764 - GetLogFile: app:'/LM/W3SVC/1/ROOT'  new log:'c:\logs\iirf.3784.log'
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: actual log file 'c:\logs\iirf.3784.log'
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: ini file: 'c:\inetpub\wwwroot\Iirf.ini'
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: ini file timestamp: 2011/03/15 15:52:27 (local time)
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: cfg(0x01276960)
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: LogLevel = 1
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(8): IterationLimit 10
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(9): MaxMatchCount 10
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(10): RewriteEngine will be enabled.
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(11): StatusInquiry ON (--) (--)
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(11): IIRF Status Inquiry is enabled at path '/iirfStatus' for local requests only.
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(18): ProxyPass (rule 1)  '^/(.*)$'  'http://192.168.11.100/$1'   (null)
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(19): ProxyPassReverse   /  http://192.168.11.100/
Tue Mar 15 16:26:37 -   764 - ReadVdirConfig: Done reading INI for the root vdir, found 1 rules (0 errors, 0 warnings) on 20 lines

 

So again, if I do

https://something.server.com

it does exactly what I want and to where I want with the secure connection, but if I do

https://something.server.com/manits/login_page.php

then the connection becomes partially encrypted... What can this be?

thanks in advance!

Coordinator
Mar 16, 2011 at 12:11 AM
Edited Mar 16, 2011 at 12:14 AM

I don't know exactly what you mean by "partially encrypted".  I am thinking that you mean that IE is complaining that some of the content is not being delivered over a secure channel. I've seen this message, though I don't recall the exact syntax or text of the message. 

If this is what you mean, then I will make a guess as to the reason.  If I understand your scenario correctly, you are using a secure channel (https) between the browser and the IIS/IIRF server.  Then, in some cases you are proxying over an insecure channel from the IIRF filter to an Apache application.  The content this application renders is then returned directly to the requesting browser, which is what you want a transparent proxy to do.

Now suppose that the content itself employs non-relative links in it, which refer to images, stylesheets, XML content, or other stuff. If IIRF requests the service over http://192.168.xx.yy on behalf of the original client, then the Apache app may generate references to such resources using the same URL prefix.  In other words, within the HTML content there may be a reference to a stylesheet that looks like this:

    <link rel="stylesheet" type="text/css" href='http://192.168.xx.yy/styles/reset.css'>

If that is the case, then a browser that connects to the service via a proxy over https will see that link in the page content as a directive to download the referenced stylesheet over an insecure channel (not https), and the browser will notify you, the user, of the discrepancy between the originally specified protocol (https) and the protocol it is being asked to use for this style (http).

To determine if this is happening, I suggest you do a "view source" on the content in the browser, and search for non-relative links. Any link or reference with an http: in it will be a clear indication that the service is generating content pages that contain non-relative links. 

The fix for this is to make sure that the proxied app emits links only in relative form.  Relative links will be relayed to any client that accesses the service, and will be correctly interpreted by the client as being consistent with its original request, whether the client connects to the service via a proxy (over HTTPS or not) or connects directly (over HTTPS or not).

There is nothing to change in the IIRF rules to fix this.  You'd need to fix your app.

If I have misunderstood what you are describing, then it's a different story.  But for that, please clarify the problem you're having.
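
An added example (not part of the original thread, and not code from IIRF) that automates the "view source" check described in the reply above: it parses a saved copy of the proxied page and reports every reference the browser would fetch over plain http. The sample page is constructed, and the list of fetching tags and `rel` values is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource.
# <a href> is absent on purpose: a hyperlink is navigation, not a fetch.
FETCHING = {("script", "src"), ("img", "src"), ("iframe", "src"), ("embed", "src"),
            ("source", "src"), ("object", "data"), ("link", "href")}
# <link> is only downloaded for some rel values (simplified, an assumption).
FETCHING_RELS = {"stylesheet", "icon", "preload"}

class InsecureReferenceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return  # e.g. rel="canonical" is metadata, never fetched
        for name, value in attrs.items():
            if (tag, name) not in FETCHING or not value:
                continue
            # Relative and //host URLs inherit https; report explicit http only.
            if urlsplit(value.strip()).scheme == "http":
                self.findings.append((self.getpos()[0], tag, name, value.strip()))

def find_insecure_references(html):
    finder = InsecureReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; 192.168.xx.yy is the redacted backend from the thread.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" type="text/css" href='http://192.168.xx.yy/styles/reset.css'>
<link rel="canonical" href="http://192.168.xx.yy/login_page.php">
<script src="//static.example/app.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="HTTP://192.168.xx.yy/images/bug.gif">
<a href="http://192.168.xx.yy/view.php">view</a>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, name, url in find_insecure_references(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {name}> loads {url}")
```

Only the stylesheet and the second image are reported; the absolute `<a href>` and the canonical link are left alone because the browser does not download them while rendering the page.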

  

Mar 16, 2011 at 5:06 PM

Hmmm, damn Cheeso, you're pretty smart! It seems like that's it... am gonna look into it a little bit more, and if that's it I'll come back and thank you again!

Thanks man!

Mar 16, 2011 at 5:21 PM

You are a god, Cheeso,

Nailed it!

Thanks a lot again!!!

Coordinator
Mar 16, 2011 at 11:24 PM

Glad to help! 

Mar 22, 2011 at 6:23 PM

Hello again!

I have another question, so if anyone knows a little bit about it, I'll really appreciate it!

Hehe, well right now I got the reverse proxy working internally. The problem is that every request that it gets externally, it's completely related to port 443, and it has a specific SSL certificate, so my question is: if I use a wildcard certificate, and install it on port 443, can I use IIRF to write a rule that states that when the URL requested is:

https://superman.mydomain.com it reverse proxies to the local webserver, and if it doesn't comply with the rule, just continue with the actual application that is located in the default folder for the IIS? (The iirf.ini file containing the rule is in the default website.)

 

This is the last part for this! So am very interested in getting it to work! Hehe

Thanks in advance