ProxyPass HTTPS

Topics: User Forum
May 19, 2010 at 9:44 PM
Edited May 19, 2010 at 9:48 PM

Hi,

on my WHS I have a third party HTTPS application running on port 10443 because WHS remote management (IIS 6.0) is running on port 443.

I'd like this application to be accessible via virtual folder like this: https://myserver/application.

However, when I try this it just won't work and IIRF will give me a 500 / internal server error:
ProxyPass             ^/application/(.*)$  https://127.0.0.1:10443/$1
ProxyPassReverse   /application          https://127.0.0.1:10443/

IIRF.log:
Wed May 19 22:17:31 - 4356 - DoRewrites: Proxy to: 'https://127.0.0.1:10443/'
Wed May 19 22:17:31 - 4356 - IirfProxy_SendRequest: Error in WinHttpSendRequest(): 12175

Is HTTPS forwarding simply not possible with IIRF?
I think it is working with mod_ssl in apache.

It also seems no one has ever tried this before...
All I was able to google was "redirect HTTP to HTTPS" which is something completely different ...

Any ideas, anybody?

Thanks, Hermes

Coordinator
May 20, 2010 at 12:15 AM

ya, 

The error you're getting, 12175, is ERROR_WINHTTP_SECURE_FAILURE - so yes, it looks like a problem proxying that http request traffic.

I believe proxying https traffic has been done before, but I don't know that it's failed before. The failure usually indicates a revoked certificate, an untrusted CA, a mismatch between the cert and the hostname, and so on.

There's a way to get the details for the SSL error, but IIRF currently doesn't do that.  Seems like a good thing to do, though.

Also, I will have to double-check the HTTP status code IIRF should reply with, when an SSL error is detected.  A 500 error in this case might be wrong.

 

Coordinator
May 20, 2010 at 12:18 AM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.
Coordinator
May 20, 2010 at 2:00 AM

I uploaded an interim build to the work item. To test it: stop IIS. Download that zip file, unzip it, and temporarily replace your IIRF.dll with the one from the zip file. Restart IIS. Then run the request again. In the IIRF log file you should see additional details regarding the failure of the proxy request.

http://iirf.codeplex.com/WorkItem/View.aspx?WorkItemId=27119

May 20, 2010 at 8:14 PM

Yes!!! Brilliant :-D

It was in fact a mismatch between certificate and host.

I now set the rules to

ProxyPass             ^/application/(.*)$  https://server.homeserver.com:10443/$1
ProxyPassReverse   /application          https://server.homeserver.com:10443/

and it works like a charm

And about the 500: I must have mixed it up with another error I had before.
The actual result was: 12175 (0x00002f8f) just like you said it would be.

Thank you so much! :-)

Cheers, Hermes
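
The mismatch described in the post above, as an added example that is not part of the original thread and not IIRF or WinHTTP code: a Python sketch of RFC 6125-style name checking applied to the two ProxyPass targets. SAMPLE_CERT is a constructed stand-in for the backend's certificate (the thread does not show it), and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert();
# it stands in for the backend's certificate, which the thread does not show.
SAMPLE_CERT = {
    "subject": ((("commonName", "server.homeserver.com"),),),
    "subjectAltName": (("DNS", "server.homeserver.com"),),
}

def dns_match(pattern, host):
    """RFC 6125-style comparison: '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_proxy_target(target_url, cert):
    """Return (ok, reason) for the host part of a ProxyPass target URL."""
    host = urlsplit(target_url).hostname
    if not host:
        return False, "no host in target URL"
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with IP Address entries, never DNS names.
        ok = any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
        return ok, f"IP {host} " + ("listed" if ok else "not listed") + " in certificate"
    names = [v for k, v in sans if k == "DNS"]
    if not names:  # legacy fallback: subject commonName when no DNS entries exist
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if dns_match(name, host):
            return True, f"{host} matches {name}"
    return False, f"{host} matches none of {names}"

if __name__ == "__main__":
    for url in ("https://127.0.0.1:10443/$1", "https://server.homeserver.com:10443/$1"):
        print(url, "->", check_proxy_target(url, SAMPLE_CERT))
```

To check a live backend, the same dict can be obtained from `ssl.SSLSocket.getpeercert()` after a verified handshake.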

Coordinator
May 21, 2010 at 1:43 AM

Hermes, how did you determine that it was a mismatch between the cert and host?  Did you determine that from the messages in the IIRF log file?

The reason I ask is, I want to know if the changes I made in IIRF for that interim build are useful, and whether I should keep them.

thanks

 

 

May 22, 2010 at 12:54 PM

Hey Cheeso,

I determined it from your post (and plain deduction ;-) and I did not even need the build you provided to fix it.

If you’d still like me to try it, of course I can do that.

Cheers, Hermes


Coordinator
May 22, 2010 at 1:52 PM

If it's not too much trouble, I'd like to see that the error messages for SSL problems *worked*.