> -----Original Message-----
> From: mearns.b@xxxxxxxxx [mailto:mearns.b@xxxxxxxxx] On behalf of Brian Mearns
> Sent: Tuesday, 26 January 2010 21:28
> To: users@xxxxxxxxxxxxxxxx
> Subject: SSL Reverse Proxy
>
> I'm looking for some clarification on how to set up a reverse proxy
> that supports SSL/TLS. My understanding is as follows (please correct
> me if I'm wrong):
> 1. Client connects with SSL, mod_ssl handles this
> 2. mod_proxy handles generating a proxy request to the configured origin
> server
> 3. SSLProxyEngine should be set to on so that SSL is used to
> communicate securely with the origin server.
>
> What, if any, of the original client's SSL information is then available
> to the origin server? For instance, can clients still present
> certificates to authenticate with the origin server, or will that need
> to be handled by the reverse proxy? If this authentication is handled
> by the proxy, can the information from the client certificate be made
> available to the origin server? Will the proxy try to use the same SSL
> parameters (protocol version, ciphersuite, etc.) as the client did, or
> will this information otherwise be made available to the origin
> server? Ideally, I'd like the proxy to be transparent to both the
> origin server and the client.
>
> Additionally, my origin server and reverse proxy are actually on the
> same machine, so I'm not especially concerned about securing
> communications between them, except that I would like all of the
> SSL-relevant information to be available to the origin server. Is
> there a way to do this without using secure communications between the
> proxy and origin server? My primary reason for not wanting to use
> secure connections here is to improve speed and avoid the increased
> drain on my entropy pool. Are these realistic concerns, or would the
> effect be negligible?
>
> Any help would be greatly appreciated.
>
> Thanks,
> -Brian
>

Hi Brian,

I think your description in the first part of your mail is correct. If you use a reverse proxy in front of your origin, you have to let it manage the authentication part, and as there will be two distinct connections, the SSL parameters of the client-to-proxy connection won't necessarily be the same as the proxy-to-origin ones, unless you configure them so that they match.

I guess that in order to reach the origin server directly from your client "through" the frontend, you would rather use some sort of "port forwarder", which in this case would not deal with SSL at all.

Last, regarding your idea of "forwarding" some interesting variables from the frontend to the origin server, I think this could be achieved through the use of something like mod_perl, but also in a more straightforward way by using environment variables and headers (via mod_headers). I kept this idea in mind after reading an article on this ML:

http://mail-archives.apache.org/mod_mbox/httpd-users/200911.mbox/%3CPine.LNX.4.64.0911261559410.28410@xxxxxxxxxxxxxxxxxxxxxx%3E

The idea was to use the available SSL environment variables (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars) to set headers with 'RequestHeader set' in the reverse proxy and send them with the backend connection to the origin server, which could then grab all the info it needs. A question remains regarding the origin server and whether it uses PHP or something similar to process these headers.

I have not (yet) tried this setup, though I think I will soon.

Hope this helps.

Emmanuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
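As an added example, not taken from either message in the thread, the configuration below spells out the header-forwarding idea Emmanuel describes for a single httpd machine like Brian's: a TLS-terminating frontend on :443 that handles client-certificate authentication, and a plain-HTTP origin on 127.0.0.1:8080. Two points a practitioner would want that the thread leaves implicit: the origin must only believe X-SSL-* headers when they can have come from the proxy (enforced here by binding it to loopback), and the proxy must discard any same-named header the client sent before setting its own, otherwise a client can forge its own "verified" identity. The hostnames, certificate paths, port 8080 and the X-SSL-* header names are assumptions chosen for illustration.

```apache
# Added example (not from the thread). Assumes mod_ssl, mod_proxy,
# mod_proxy_http, mod_headers and mod_setenvif are loaded.
# Hostnames, paths, port 8080 and the X-SSL-* names are assumptions.

Listen 443
# The origin listens on loopback only, so only the proxy can reach it.
Listen 127.0.0.1:8080

# ---- frontend: terminates TLS and authenticates the client ----
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Client-certificate authentication happens here, not at the origin.
    # 'optional' lets anonymous clients through; use 'require' to enforce.
    SSLVerifyClient optional
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/certs/client-ca.crt

    # Without this, mod_ssl exports only a few variables (HTTPS, ...)
    # and the %{SSL_*}e lookups below would expand to "(null)".
    SSLOptions +StdEnvVars

    # Never trust these headers from the client: drop whatever it sent ...
    RequestHeader unset X-SSL-Protocol
    RequestHeader unset X-SSL-Cipher
    RequestHeader unset X-SSL-Client-Verify
    RequestHeader unset X-SSL-Client-S-DN

    # ... then set them from what mod_ssl recorded for THIS connection.
    # This answers the "protocol version, ciphersuite" question: the
    # origin sees the client-side values, not the proxy-to-origin ones.
    RequestHeader set X-SSL-Protocol      "%{SSL_PROTOCOL}e"
    RequestHeader set X-SSL-Cipher        "%{SSL_CIPHER}e"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}e"
    # Only present when a client cert was actually sent; the env=
    # condition keeps the header absent instead of sending "(null)".
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}e" env=SSL_CLIENT_S_DN

    # Plain HTTP to the origin over loopback, as asked in the thread.
    # To encrypt this hop instead: SSLProxyEngine on and ProxyPass to https://...
    ProxyRequests     off
    ProxyPreserveHost on
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# ---- origin: loopback only, so X-SSL-* can only have come from the proxy ----
<VirtualHost 127.0.0.1:8080>
    ServerName   www.example.com
    DocumentRoot /var/www/html

    # Expose the forwarded values to CGI/PHP under the usual SSL_* names,
    # so application code written against mod_ssl variables keeps working.
    SetEnvIf X-SSL-Client-Verify "^(.*)$" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-SSL-Client-S-DN   "^(.*)$" SSL_CLIENT_S_DN=$1
    SetEnvIf X-SSL-Protocol      "^(.*)$" SSL_PROTOCOL=$1
    SetEnvIf X-SSL-Cipher        "^(.*)$" SSL_CIPHER=$1
</VirtualHost>
```

Application code on the origin should then treat a client as certificate-authenticated only when SSL_CLIENT_VERIFY is exactly "SUCCESS", and use SSL_CLIENT_S_DN as the identity. The full PEM certificate (SSL_CLIENT_CERT) is deliberately not forwarded this way, since its embedded newlines do not fit in a single header value. On httpd 2.4, mod_headers also offers the `%{VARNAME}s` format, which reads mod_ssl variables directly without `SSLOptions +StdEnvVars`.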