Re: AW: apache as ssl-proxy - recommended way?


 



On 14/05/2012 14:26, Stefan Bauer wrote:
> thank you for your answer. Unfortunately we want to have several machines behind the proxy. So if I understood you correctly, mod_ssl is required for mod_proxy even though we _only_ want to forward specific requests like .. ?
>
> domain:443/webmail -->  webmail:443
> domain:443/sharepoint -->  sharepoint:443
> domain:443/wiki -->  wiki:443
>
> The client should talk to the servers directly. According to the path /webmail or /sharepoint, the decisions should be made by apache to which server the forward is made.


Unfortunately, the URI path is not readable unless the proxy first decrypts the request, at which point there is no point in re-encrypting the data just to forward it to one of your web-farm servers.
A better way:

domain:443/webmail [Proxy, strip SSL (mod_ssl), route (mod_proxy)] ---> webmail:80
domain:443/sharepoint (Proxy, strip SSL, route) --> sharepoint:80

and so on.

The issue you may have is having unencrypted traffic between the proxy and your farm. You _can_ re-encrypt the traffic, but it's a pain and usually unnecessary overhead. You might be better off having host-to-host IPsec tunnels if you're concerned with traffic being visible on the wire.
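
The layout described in the reply above, written out as an Apache configuration. This is an added example, not part of the original message: the backend names `webmail`, `sharepoint` and `wiki` come from the thread, while `domain`, the certificate paths and the choice to keep the same path prefix on each backend are assumptions.

```apache
# Added example. Requires mod_ssl, mod_proxy, mod_proxy_http and mod_headers.
<VirtualHost *:443>
    # Placeholder for the public host name used in the thread.
    ServerName domain

    # TLS ends at the proxy: the URI path cannot be read until the
    # request has been decrypted, so routing by path needs mod_ssl here.
    SSLEngine on
    SSLCertificateFile    /path/to/domain.crt
    SSLCertificateKeyFile /path/to/domain.key

    # Reverse proxy only. Leaving forward proxying enabled would let
    # anyone relay arbitrary requests through this host.
    ProxyRequests Off

    # Let the backends know the client-facing leg was HTTPS, so they can
    # build https:// links and set Secure cookies.
    RequestHeader set X-Forwarded-Proto "https"

    # Path-based routing to plain-HTTP backends.
    # Assumption: each application is served under the same prefix on
    # its backend, so links inside the pages need no rewriting.
    ProxyPass        /webmail/    http://webmail:80/webmail/
    ProxyPassReverse /webmail/    http://webmail:80/webmail/

    ProxyPass        /sharepoint/ http://sharepoint:80/sharepoint/
    ProxyPassReverse /sharepoint/ http://sharepoint:80/sharepoint/

    ProxyPass        /wiki/       http://wiki:80/wiki/
    ProxyPassReverse /wiki/       http://wiki:80/wiki/

    # The proxy-to-backend hop above is cleartext. Restrict the backends
    # to accept connections from the proxy only, and protect the segment
    # (for example with the host-to-host IPsec tunnels mentioned in the
    # reply) if traffic on that wire must not be readable.
</VirtualHost>
```

`apachectl configtest` checks the syntax before a reload.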


