On 14/05/2012 14:26, Stefan Bauer wrote:
Unfortunately, the URI path is not readable unless the proxy first decrypts the request. At which point there is no point in re-encrypting the data just to forward it to one of your web-farm servers.

Thank you for your answer. Unfortunately we want to have several machines behind the proxy. So if I understood you correctly, mod_ssl is required for mod_proxy even though we _only_ want to forward specific requests like .. ?

domain:443/webmail --> webmail:443
domain:443/sharepoint --> sharepoint:443
domain:443/wiki --> wiki:443

The client should talk to the servers directly. According to the path /webmail or /sharepoint, the decisions should be made by apache to which server the forward is made.

A better way:

domain:443/webmail [Proxy, strip SSL (mod_ssl), route (mod_proxy)] ---> webmail:80
domain:443/sharepoint (Proxy, strip SSL, route) --> sharepoint:80

and so on.

The issue you may have is having unencrypted traffic between the proxy and your farm. You _can_ re-encrypt the traffic, but it's a pain and usually unnecessary overhead. You might be better off having host to host IPsec tunnels if you're concerned with traffic being visible on the wire.
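
The layout described in this reply, written out as an Apache virtual host. This is an added example, not configuration posted by anyone in the thread. The host names come from the thread; the certificate paths are placeholders, and it assumes each backend serves its application under the same path prefix.

```apache
# Added example. TLS ends at the proxy (mod_ssl), which is what makes the
# URI path visible so mod_proxy can route on it.
<VirtualHost *:443>
    ServerName domain

    SSLEngine on
    # Placeholder paths: substitute the certificate and key for "domain".
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # Reverse proxy only: leave forward proxying off so the host cannot be
    # used as an open proxy.
    ProxyRequests Off

    # Route by path prefix to the plain-HTTP backends.
    ProxyPass        /webmail    http://webmail:80/webmail
    ProxyPassReverse /webmail    http://webmail:80/webmail

    ProxyPass        /sharepoint http://sharepoint:80/sharepoint
    ProxyPassReverse /sharepoint http://sharepoint:80/sharepoint

    ProxyPass        /wiki       http://wiki:80/wiki
    ProxyPassReverse /wiki       http://wiki:80/wiki

    # Tell the backends the client connection was HTTPS (needs mod_headers),
    # so they generate https:// links and redirects.
    RequestHeader set X-Forwarded-Proto "https"

    # Re-encrypting variant for one backend: the proxy opens its own TLS
    # session to the backend and verifies its certificate. Uncomment these
    # and remove the http:// lines for /wiki above.
    # SSLProxyEngine on
    # SSLProxyVerify require
    # SSLProxyCheckPeerName on
    # SSLProxyCACertificateFile /path/to/placeholder-backend-ca.pem
    # ProxyPass        /wiki https://wiki:443/wiki
    # ProxyPassReverse /wiki https://wiki:443/wiki
</VirtualHost>
```

With the http:// backends, the proxy-to-farm hop is cleartext, which is the exposure the reply suggests covering with host-to-host IPsec.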