Re: "tee" SSL traffic?

John Oliver wrote:
> On Wed, Apr 08, 2009 at 04:16:32PM -0400, Eric Covener wrote:
>> On Wed, Apr 8, 2009 at 1:37 PM, John Oliver <joliver@xxxxxxxxxxxxxxx> wrote:
>>> Is it possible for an instance of httpd to basically copy all traffic it
>>> receives to another instance of httpd on another host?
>> No -- You want something much lower-level, like a TCP tunnel or a load
>> balancer. Apache will always decrypt/re-encrypt if you put it between
>> a client and an SSL origin server.
>
> It would actually be quite OK for httpd to decrypt the traffic first,
> since it'll be sent to one other host, on a local segment, re-encrypted
> by a private keypair.

Continuing on the above, I don't know of any way that you could achieve what you want using only standard Apache config or modules.
It is after all quite unusual as a requirement.

It is relatively easy to achieve this with mod_perl though.
One of the issues you are facing is that the request to the second host is going to return an answer (also, just like the "main" one). So you have to read this answer and deal with it somehow at the httpd level; you can't just return it to the browser, or it will get confused getting two times an answer to a single request.

Schematically:
Implement a request filter that will capture the request at the same time as letting it through transparently to whatever its original destination is. When the request is entirely captured, the filter forwards this request to the second server (not necessarily via HTTPS), gets the answer and saves it somewhere. You may have a practical problem if the requests or responses are very large. It may also get more complicated if the requests/responses include some kind of "state", like cookies.
With mod_perl and the LWP module, it is quite doable.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
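
The scheme described in the reply above, as an added example that is not part of the original post: it uses the Python standard library rather than mod_perl and LWP, and runs three constructed loopback servers (a primary, a mirror and the tee in front of them). All names (`Tee`, `Backend`, `forward`, `MAX_BODY`, the `/login` request) are assumptions made for the illustration, and request headers and cookies are not replayed, which is the "state" complication the reply mentions.

```python
import threading
import urllib.request
from contextlib import suppress
from http.server import BaseHTTPRequestHandler, HTTPServer

MAX_BODY = 1 << 20  # assumption: larger bodies are served but not mirrored
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def forward(base, path, body):
    req = urllib.request.Request(base + path, data=body, method="POST")
    with OPENER.open(req, timeout=5) as resp:
        return resp.status, resp.read()

class Base(BaseHTTPRequestHandler):
    def read_body(self):
        return self.rfile.read(int(self.headers.get("Content-Length", 0)))
    def answer(self, status, payload):
        self.send_response(status)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

class Backend(Base):  # constructed stand-in: records each request, replies with its label
    def do_POST(self):
        self.server.seen.append((self.path, self.read_body()))
        self.answer(200, self.server.label.encode())

class Tee(Base):
    def do_POST(self):
        body = self.read_body()  # capture the whole request first
        status, reply = forward(self.server.primary, self.path, body)
        if len(body) <= MAX_BODY:
            with suppress(OSError):  # a mirror failure must never reach the client
                self.server.mirror_log.append(forward(self.server.mirror, self.path, body))
        self.answer(status, reply)  # the client only ever sees the primary's answer

def start(handler, **attrs):
    srv = HTTPServer(("127.0.0.1", 0), handler)  # port 0: pick any free loopback port
    vars(srv).update(attrs)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

def demo():
    primary, p_url = start(Backend, label="primary", seen=[])
    shadow, s_url = start(Backend, label="mirror", seen=[])
    tee, t_url = start(Tee, primary=p_url, mirror=s_url, mirror_log=[])
    reply = forward(t_url, "/login", b"user=alice")  # constructed sample request
    return reply, primary.seen, shadow.seen, tee.mirror_log
```

Calling `demo()` returns the client's view of the reply, what each backend received, and the mirror's answer as saved by the tee; the mirror's response is logged and never sent to the client.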

