Hello Jim, Thanks for the warning! In my case the HTTP traffic is only between the reverse proxy and a virtual machine running on the same host. With my knowledge the traffic can only be intercepted when someone breaks into my system. It's a personal cloud service and I don't think many people are interested in it. I'm talking about this set-up: https://jeroenverhoeckx.com/build-your-own-personal-cloud.html So, I think I'm relatively safe :-) . Jeroen -------------------------------------------------------- Support the independent web, use [Firefox](https://www.mozilla.org/en-US/firefox/new/) ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Thursday, January 13th, 2022 at 11:34 PM, Jim Albert <jim@xxxxxxxxxxxxx> wrote: > With regard to: > reverse proxy --> HTTP --> back-end server > and in respect to the sensitivity of your requests and responses, you might want to consider any security implications or if this violates any compliance requirements depending on the proximity of your proxy to your back-end server. It's likely the proxy -> back-end server stays within a very tight environment. However, that request and response is traveling some segment of network whether physical or virtual and likely only yours, unencrypted or perhaps protected at most by VPN encryption. > > On 1/13/2022 5:05 PM, Jeroen Verhoeckx wrote: > >> Hello Dino / HTH, >> >> Thank you for your very elaborate answer!! >> >> Your 'diagram' made it very clear! >> Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS requests made by your clients) --> Your internal backend(s) (answer to HTTPS requests coming from your proxy). >> >> It's also good to know that I set-up my reverse proxy in the correct way (only installing the SSL certificates on the reverse proxy). >> My set-up is: Clients --> HTTPS - -> reverse proxy --> HTTP --> back-end server >> >> There is no need in my set-up to use HTTPS between the reverse proxy and the back-end server. >> >> Thanks for clarification! >> >> Jeroen >> >> -------------------------------------------------------- >> Support the independent web, use [Firefox](https://www.mozilla.org/en-US/firefox/new/) >> >> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> On Thursday, January 13th, 2022 at 7:15 PM, Dino Ciuffetti [<dino@xxxxxxxxx>](mailto:dino@xxxxxxxxx) wrote: >> >>> Apache httpd works at layer 7 (HTTP/HTTPS). >>> You CANNOT have a reverse proxy at layer 4 with apache httpd where the X509 certificates are only needed on your backends (like HAProxy does). >>> >>> Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS requests made by your clients) --> Your internal backend(s) (answer to HTTPS requests coming from your proxy). >>> >>> The traffic between your internet clients and apache httpd is protected via TLS protocol (HTTPS) so you need a X509 certificate and its private key on your httpd public facing reverse proxy virtual host to terminate TLS internet traffic to your reverse proxy. >>> >>> If you also want your reverse proxy to talk to your internal backend(s) via HTTPS you also need a X509 certificate and private key on your HTTPS backend servers. >>> >>> RECAP: You will need a certificate released by a public (known to all major browsers) Certification Authority for your reverse proxy and a certificate released by a private Certification Authority (only known by your proxy and your backends) on your backends. You could even use self signed certificates on your private side, or mantain a private CA by yourself via openssl. >>> >>> HTH >>> >>> 13 gennaio 2022 12:58, "Jeroen Verhoeckx" <[j.verhoeckx@xxxxxxxxxxxxxx.invalid](mailto:j.verhoeckx@xxxxxxxxxxxxxx.invalid?to=%22Jeroen%20Verhoeckx%22%20<j.verhoeckx@xxxxxxxxxxxxxx.invalid>)> wrote: >>> >>>> Thanks, great to know that it is possible! >>>> >>>> You write that you need to install the SSL certificates on both the reverse proxy and in the virtual machine (or another local server)? >>>> Is that really necessary? I try to avoid duplication whenever that is possible. >>>> >>>> Do you have an example set-up somewhere? >>>> >>>> Thanks!! >>>> >>>> -------------------------------------------------------- >>>> Support the independent web, use [Firefox](https://www.mozilla.org/en-US/firefox/new/) >>>> >>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >>>> On Wednesday, January 12th, 2022 at 5:23 PM, Dino Ciuffetti <dino@xxxxxxxxx> wrote: >>>> >>>>>> My question: >>>>>> Would it have been possible to install the SSL certificates in the virtual machines? >>>>> >>>>> YES. It's possibile to send Internet HTTPS traffic to an internal HTTPS service behind apache httpd as a reverse proxy. >>>>> You eventally need to install same SSL certificates (but you don't have to necessarily) on both the reverse proxy and the internal service, enable SSLProxyProtol on your VHs and send the traffic to HTTPS via your ProxyPass.
|