Re: Re: reverse proxy choice to origin servers: https->https or https->http

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

If you use httpd as reverse proxy then clients will perform SSL handshakes with your reverse proxy. In SSL there is no distinction between decrypting the HTTP headers only or decrypting the full HTTP request - it's simply "payload" and it will be decrypted as a whole. If you want to understand how all of this works I suggest reading up on it as this list is simply the wrong place for it.

I suggest you use the reverse proxy as suggested in the docs and do not worry about whether the body is decrypted or not. Unless you have specific reasons for it, you simply shouldn't care. Just give it a try.


On Mon, Feb 10, 2014 at 3:15 PM, Jakub Moscicki <Jakub.Moscicki@xxxxxxx> wrote:

Is it true that if proxy is setup https->http then it only has to
decrypt/encrypt the headers and the body is encrypted/decrypted on the backend?
What ? Eh, no. If you configure your frontend with https and your backends with http, then you just told apache to NOT use SSL between mod_proxy and the backend servers. Only your frontends will do SSL handshakes in this setup. That's pretty much SSL Offloading, maybe you got that confused ?


Sorry, it was a typo of course. I mean: https->https. So if a proxy forwards https to the backend which accepts https - then would the proxy decrypt the headers only or the entire request? I am adding cookies at the proxy for stickyness so the proxy must be handling the headers.

In my case http at the backend could be an option inside a trusted network. 

kuba

--


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux