On 02.08.07 06:36, Jason Haar wrote:
> I'm making a WAF (Web Application Firewall) based around Linux/Apache
> and mod_security, and as part of the design, thought that making it a
> transparent (reverse) proxy would be a good move from a disaster
> recovery perspective (i.e. if it blew up you could just wire around it
> and the backends would still be available).

Replacing one SPOF (the webserver) by another SPOF (proxy) is usually not very efficient.

And while you are talking about "transparent" proxy, this term is defined elsewhere in a different way than you think. The reverse proxy doesn't have to be intercepting and apache does this easily. The intercepting proxy has no meaning for reverse proxy and apache does not support this. And I don't think it ever will.

> Also, the WAF would primarily be used to protect HTTPS sites. Now I know
> "you can't transparently proxy HTTPS"

You can't efficiently proxy HTTPS. You can do reverse proxy, listening on HTTPS, connecting via HTTP, and this will work well unless your webservers need to play with client certificates, and it will be safe unless you have unsafe network between proxies and servers.

> I've done this successfully with Squid as a normal proxy, but I really
> need the funky features of Apache as a reverse-proxy - but I want
> transparency too...

First you should make clear what you really want and need... squid can do intercepting, reverse proxy and SSL accelerator, but for modifying of content you still need at least ICAP patch and some ICAP server...

--
Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"Where do you want to go to die?" [Microsoft]
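The setup described in the reply (reverse proxy listening on HTTPS, connecting to the backend via HTTP, with mod_security in front) could look like the following. This is an added example, not configuration from the thread: the hostname, backend address (a documentation-range IP) and certificate paths are placeholders, and it assumes mod_ssl, mod_proxy, mod_proxy_http, mod_headers and ModSecurity 2.x are loaded.

```apache
# Added example: non-intercepting reverse proxy that terminates TLS and
# inspects requests with mod_security before forwarding them.
# All names, addresses and paths below are placeholders.
Listen 443

<VirtualHost *:443>
    ServerName waf.example.com

    # TLS ends here, so the proxy sees cleartext and the WAF can inspect it.
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/waf.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/waf.example.com.key

    # Reverse proxy only: never act as a forward proxy for arbitrary URLs.
    ProxyRequests Off
    ProxyPreserveHost On

    # Request filtering; the rule set itself is loaded elsewhere.
    SecRuleEngine On

    # Tell the backend that the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Variant from the reply: HTTPS in, plain HTTP out.
    # The proxy-to-backend hop is unencrypted, so this is only appropriate
    # on a network segment you trust. TLS client certificates are not
    # presented to the backend in this layout.
    ProxyPass        / http://192.0.2.10:80/
    ProxyPassReverse / http://192.0.2.10:80/

    # If the proxy-to-backend network is not trusted, re-encrypt instead
    # (replace the two Proxy* lines above with the block below):
    # SSLProxyEngine on
    # SSLProxyVerify require
    # SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.crt
    # ProxyPass        / https://192.0.2.10:443/
    # ProxyPassReverse / https://192.0.2.10:443/
</VirtualHost>
```

Because the proxy is addressed explicitly (DNS points at it) rather than intercepting traffic, bypassing it in a failure means repointing DNS or the load balancer at the backend, not rewiring around it.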