[Solved] how should a proxy based on scheme (http/https) be configured ?

Added by psychicwarrior about 8 years ago

lighttpd 1.4.35 on Slackware 14.1 32 bit

An application server (on the same machine/ip as the lighttpd) listens on port 8080 for http and port 8443 for https.

Lighttpd proxy to the application server over http is fine.

eg. http://example.com/applications/library/myapp proxied to 127.0.0.1 port 8080 works fine.

Lighttpd proxy to the application server over https does not work - just returns a blank page.

eg. https://example.com/applications/library/myapp proxied to 127.0.0.1 port 8443 does not work.

Direct calls to the application server work both over http and https.

I have my proxy sections wrapped in a socket condition (see below).

Question: have I configured this correctly, and is this the correct way? If not, what is, please?

Thank you

$SERVER["socket"] == ":443" {
    proxy.server = ( "/applications/library" =>
        ( "applib-ssl" =>
            (
                "host" => "127.0.0.1",
                "port" => "8443"
            )
        )
    )
}

$SERVER["socket"] == ":80" {
    proxy.server = ( "/applications/library" =>
        ( "applib" =>
            (
                "host" => "127.0.0.1",
                "port" => "8080"
            )
        )
    )
}


Replies (2)

RE: how should a proxy based on scheme (http/https) be configured ? - Added by gstrauss about 8 years ago

It appears as if you assume lighttpd will magically use TLS when connecting to backend port 8443. No magic; you would have to specify TLS.
Unfortunately, there is no way to do that with lighttpd as lighttpd reverse proxy (mod_proxy) does not support reverse proxy via HTTPS using TLS.

However, if you are proxying to a backend on localhost, what is the benefit of having lighttpd on the box negotiate TLS with the application server on the same box? You might as well use http since the traffic is not leaving the box.

RE: how should a proxy based on scheme (http/https) be configured ? - Added by psychicwarrior about 8 years ago

gstrauss wrote:

It appears as if you assume lighttpd will magically use TLS when connecting to backend port 8443. No magic; you would have to specify TLS.
Unfortunately, there is no way to do that with lighttpd as lighttpd reverse proxy (mod_proxy) does not support reverse proxy via HTTPS using TLS.

However, if you are proxying to a backend on localhost, what is the benefit of having lighttpd on the box negotiate TLS with the application server on the same box? You might as well use http since the traffic is not leaving the box.

Thank you for taking the time to comment.

I suppose it was an assumption strictly speaking regarding the TLS proxy; I just expected that if Lighttpd had received the original TLS request, it would just proxy pass it along. Thank you for the info as I did not come across anything suggesting it would not work like expected.

Your second point regarding the application server on the same box in this case is entirely reasonable. Again, in a similar vein as I mentioned previously, I had 'assumed' that as the originating request was TLS, then it would proxy pass it across to the application server. I will switch the proxy pass to simply use http all the time and see if it works.

Therefore, the request to Lighttpd would be https://example.com/applications/library/myapp and it will proxy pass it to 127.0.0.1 port 8080, on the basis that although the original request came in as https, it will simply proxy pass as http.

Thank you.
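
The setup the thread converges on, written out as an added example (not posted by either participant): TLS terminates at lighttpd, and a single proxy rule sends requests arriving on either listener to the backend's plain-HTTP port. It assumes mod_proxy is already loaded and that the existing TLS settings for the :443 socket are left unchanged.

```lighttpd
# Added example, not from the thread.
# lighttpd decrypts the client's TLS on :443 itself; mod_proxy then speaks
# plain HTTP to the application server, because it cannot originate TLS.

# Declared once in the global scope, outside any $SERVER["socket"] block,
# so it applies to requests received on both :80 and :443.
proxy.server = ( "/applications/library" =>
    ( "applib" =>
        (
            "host" => "127.0.0.1",   # loopback only: the unencrypted hop stays on the box
            "port" => "8080"         # the backend's HTTP listener, never 8443
        )
    )
)

# Removed: the ":443" block that pointed at port 8443. Plain HTTP sent to a
# TLS listener gets no HTTP response, which the client sees as a blank page.
```

The "traffic is not leaving the box" reasoning only holds while "host" is a loopback address; the backend now sees every request as plain HTTP, so anything it decides based on the scheme (redirects, absolute URLs, Secure cookies) should be checked after the change.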
