Frontend behind Apache reverse proxy

2012-11-02, 08:07

Hi

I am trying to run my own frontend behind an Apache reverse proxy, but I am having trouble, which I think stems from the way that pagekite is using the CONNECT instructions. I want to do this because we want to use Apache to terminate the SSL connections and enforce client authentication.

Here is the setup that works (without the Apache reverse proxy in between):

Frontend: ./pagekite.py --clean --frontend=localhost:9000 --backend=ssh:pc.test:localhost:22:SECRET

Backend: ./pagekite.py --logfile=pagekite.log --clean --isfrontend --ports=9000 --rawport=virtual --proto=raw --domain=raw:*.test:SECRET

If I introduce the Apache reverse proxy with the following config, things stop working:

    Listen *:8000

    <VirtualHost *:8000>
        ServerAdmin webmaster@localhost

        ProxyPass / http://localhost:9000/
        ProxyPassReverse / http://localhost:9000/
    </VirtualHost>

And then use the following:

Frontend: ./pagekite.py --clean --logfile=pagekite.log --frontend=localhost:9000 --backend=ssh:pc.test:localhost:22:SECRET

Backend: ./pagekite.py --logfile=pagekite.log --clean --isfrontend --ports=8000 --rawport=virtual --proto=raw --domain=raw:*.test:SECRET

The error message on the backend is:

      "Not connected to any front-ends, will retry..."

The logfile on the backend contains:

    info=Collecting entropy for a secure secret.; ll=1; ts=50937c15; t=2012-11-02T00:53:57
    debug=Seeded signatures using /dev/urandom, hooray!; ll=2; ts=50937c15; t=2012-11-02T00:53:57
    debug=UiComm: Created; ll=3; ts=50937c15; t=2012-11-02T00:53:57
    ts=50937c15; t=2012-11-02T00:53:57; ll=4; debug=FIXME: Should try epoll!
    ts=50937c15; t=2012-11-02T00:53:57; ll=5; info=Failed to connect; FE=127.0.0.1:8000
    ts=50937c17; t=2012-11-02T00:53:59; ll=6; debug=AuthThread: done
    ts=50937c18; t=2012-11-02T00:54:00; ll=7; debug=UiCommunicator: done

The logfile on the frontend contains:

    started=./pagekite.py; ll=0; ts=50937ca2; argv=--logfile=pagekite.log --clean --isfrontend --ports=9000 --rawport=virtual --proto=raw --domain=raw:*.test:SECRET; platform=linux2; version=0.4.6a; t=2012-11-02T00:56:18; ca_certs=/etc/ssl/certs/ca-certificates.crt
    info=Collecting entropy for a secure secret.; ll=1; ts=50937ca2; t=2012-11-02T00:56:18
    debug=Seeded signatures using /dev/urandom, hooray!; ll=2; ts=50937ca2; t=2012-11-02T00:56:18
    debug=UiComm: Created; ll=3; ts=50937ca2; t=2012-11-02T00:56:18
    id=s1; ll=4; listen=:9000; ts=50937ca2; t=2012-11-02T00:56:18
    ts=50937ca2; t=2012-11-02T00:56:18; ll=5; debug=FIXME: Should try epoll!
    ts=50937cad; t=2012-11-02T00:56:29; ll=6; accept=~0.1:43937; id=s1
    ts=50937cad; t=2012-11-02T00:56:29; ll=7; debug=No back-end; on_port=9000; proto=http; domain=localhost; is=FE; id=s2/~0.1:43937
    ts=50937cad; t=2012-11-02T00:56:29; ll=8; wrote=349; wbps=0; read=0; eof=1; id=s2/~0.1:43937

I think that the problem lies in what Apache is doing to the CONNECT string. Looking at the tcpdump output I see that pagekite generates an initial connection that looks like this:

    CONNECT PageKite:1 HTTP/1.0^M
    X-PageKite-Version: 0.4.6a^M
    X-PageKite-Features: ZChunks^M
    X-PageKite: raw-22:pc.test:4be594f530eb5ccd0871b83c42b073741060::68cc1d6fdb0a6eacf358e4b333033bbffd71^M

But when Apache makes the onward connection to the frontend it does this:

    CONNECT / HTTP/1.1^M
    Host: localhost:9000^M
    X-PageKite-Version: 0.4.6a^M
    X-PageKite-Features: ZChunks^M
    X-PageKite: raw-22:pc.test:4be594f530eb5ccd0871b83c42b073741060::68cc1d6fdb0a6eacf358e4b333033bbffd71^M
    X-Forwarded-For: 127.0.0.1^M
    X-Forwarded-Server: dist-361152580.eu-west-1.elb.amazonaws.com^M
    Connection: Keep-Alive^M

Any clues as to what I might try to make this work?

Thanks

Richard

Comments

  1. Bjarni Rúnar Einarsson said on 2012-11-05, 10:13
    Interesting. Apache is being a bit too clever and is rewriting the request, not sure there is much we can do about that. The recommended configuration for a frontend which needs to coexist with a local web server is usually the other way around: PageKite listening on ports 80 and 443 and then forwarding certain requests to an Apache (or other HTTPD) behind it.
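
Added example, not part of the original thread and not PageKite's own code: a small Python check that compares the request the client sent with the one the proxy forwarded, to show which parts of the tunnel handshake were rewritten. The two requests are constructed from the captures quoted in the post, with the X-PageKite value and the X-Forwarded-Server host replaced by placeholders; `parse_request` and `proxy_diff` are hypothetical helper names.

```python
# Constructed from the two captures quoted in the post. The X-PageKite value
# and the X-Forwarded-Server host are placeholders, not real values.
SENT = (b"CONNECT PageKite:1 HTTP/1.0\r\n"
        b"X-PageKite-Version: 0.4.6a\r\n"
        b"X-PageKite-Features: ZChunks\r\n"
        b"X-PageKite: raw-22:pc.test:SALT::SIGNATURE\r\n\r\n")
FORWARDED = (b"CONNECT / HTTP/1.1\r\n"
             b"Host: localhost:9000\r\n"
             b"X-PageKite-Version: 0.4.6a\r\n"
             b"X-PageKite-Features: ZChunks\r\n"
             b"X-PageKite: raw-22:pc.test:SALT::SIGNATURE\r\n"
             b"X-Forwarded-For: 127.0.0.1\r\n"
             b"X-Forwarded-Server: proxy.example\r\n"
             b"Connection: Keep-Alive\r\n\r\n")


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return method, target, version, headers


def proxy_diff(sent, forwarded):
    """Report what an intermediary changed between two request heads."""
    m1, t1, v1, h1 = parse_request(sent)
    m2, t2, v2, h2 = parse_request(forwarded)
    return {
        "method_changed": m1 != m2,
        "target": (t1, t2) if t1 != t2 else None,
        "version": (v1, v2) if v1 != v2 else None,
        "added": sorted(set(h2) - set(h1)),
        "removed": sorted(set(h1) - set(h2)),
        "modified": sorted(k for k in h1.keys() & h2.keys() if h1[k] != h2[k]),
    }


if __name__ == "__main__":
    for field, value in proxy_diff(SENT, FORWARDED).items():
        print(f"{field}: {value}")
```

The X-PageKite headers pass through unchanged; the differences are confined to the request line (target and HTTP version) and the headers the proxy adds.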
