SSL Reverse Proxy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I'm looking for some clarification on how to setup a reverse proxy
that supports SSL/TLS. My understanding is as follows (please correct
me if I'm wrong):
1. Client connects with SSL, mod_ssl handles this
2. mod_proxy handles generating a proxy-request to the configured origin server
3. SSLProxyEngine should be set to on so that SSL is used to
communicate securely with the origin server.

What if any of the original client's SSL information is then available
to the origin server? For instance, can clients still present
certificates to authenticate with the origin server, or will that need
to be handled by the reverse proxy? If this authentication is handled
by the proxy, can the information from the client certificate be made
available to the origin server? Will the proxy try to use the same SSL
parameters (protocol version, ciphersuite, etc) as the client did, or
will this information otherwise be made available to the origin
server? Ideally, I'd like the proxy to be transparent to both the
origin server and the client.

Additionally, my origin server and reverse proxy are actually on the
same machine, so I'm not especially concerned about securing
communications between them, except that I would like all of the
SSL-relevant information to be available to the origin server. Is
there a way to do this without using secure communications between the
proxy and origin server? My primary reason for not wanting to use
secure connections here is to improve speed and avoid the increased
drain on my entropy pool. Are these realistic concerns, or would the
effect be negligible?

Any help would be greatly appreciated.

Thanks,
-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux