Re: reverse proxy: connect to origin servers via http or https?

> The question is: from the proxy performance/scalability point of view is it better to configure backends (origin servers) with http or with https?

"Better" depends on what you want to achieve. Do you want to securely deliver simple HTML content with no fancy stuff? Do you want to have authentication internally? If so, do you care if your users can see other users' authentication data (if they are knowledgeable on how to do it)?


> Is it true that if the proxy is set up https->http then it only has to decrypt/encrypt the headers and the body is encrypted/decrypted on the backend?

What? Eh, no. If you configure your frontend with https and your backends with http, then you just told Apache to NOT use SSL between mod_proxy and the backend servers. Only your frontends will do SSL handshakes in this setup. That's pretty much SSL offloading, maybe you got that confused?


> How does either setup affect latency of handling requests?

Involving SSL as opposed to not involving SSL will always slow things down. How much? Depends on your settings, on your hardware (SSL accelerators), etc. Are you going to deal with large amounts of users? If so, you might want to consider using SSL only for some parts of your page(s).


It all boils down to writing down your requirements. First you should get a hold on what you actually want, then worry about how to do it. Secondly, seeing how easy it is to set up basic configurations using the docs, you should start there and dig into specific issues later.



On Fri, Feb 7, 2014 at 4:20 AM, Jakub Moscicki <Jakub.Moscicki@xxxxxxx> wrote:
Hello,

I have a reverse proxy (Apache 2.2) with mod_proxy_balancer with https visible to the outside world.

The question is: from the proxy performance/scalability point of view is it better to configure backends (origin servers) with http or with https?

Is it true that if the proxy is set up https->http then it only has to decrypt/encrypt the headers and the body is encrypted/decrypted on the backend? I do not use mod_proxy_html (but maybe there are other modules which affect this behaviour on the proxy?).

How does either setup affect latency of handling requests? With https->https do I have to do two handshakes (on the proxy and on the backend) for every connection? I have KeepAlive both on the proxy and the backends.

Many thanks.

Best regards,

kuba
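
The two backend options discussed in this thread, side by side, as an added configuration sketch that is not from either poster. It uses Apache 2.2 mod_ssl and mod_proxy directives; all hostnames, ports and file paths are placeholders.

```apache
# Added example, not from the thread. Hostnames, ports and paths are placeholders.
# Requires mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_balancer.

# --- Option A: https -> http (SSL offloading) ---
# TLS ends at the proxy. The proxy-to-backend hop is cleartext, so anyone
# able to read that network segment sees cookies and credentials in transit.
<VirtualHost *:443>
    ServerName offload.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/offload.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/offload.example.org.key

    <Proxy balancer://app_plain>
        BalancerMember http://app1.internal.example:8080
        BalancerMember http://app2.internal.example:8080
    </Proxy>
    ProxyPass        / balancer://app_plain/
    ProxyPassReverse / balancer://app_plain/
</VirtualHost>

# --- Option B: https -> https (re-encryption to the backend) ---
# The proxy decrypts the client connection, then opens its own TLS
# connection to the backend. Pooled backend connections are reused
# (unless disablereuse=On), so the backend handshake is not paid per request.
<VirtualHost *:443>
    ServerName reencrypt.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/reencrypt.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/reencrypt.example.org.key

    # Act as a TLS client towards the backends.
    SSLProxyEngine on
    # Without verification the backend hop is encrypted but unauthenticated:
    # require a certificate that chains to the internal CA and is not expired.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerExpire on

    <Proxy balancer://app_tls>
        BalancerMember https://app1.internal.example:8443
        BalancerMember https://app2.internal.example:8443
    </Proxy>
    ProxyPass        / balancer://app_tls/
    ProxyPassReverse / balancer://app_tls/
</VirtualHost>
```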
