On Thu, Jan 28, 2010 at 5:34 AM, Matus UHLAR - fantomas <uhlar@xxxxxxxxxxx> wrote:
> On 26.01.10 15:28, Brian Mearns wrote:
>> I'm looking for some clarification on how to set up a reverse proxy
>> that supports SSL/TLS. My understanding is as follows (please correct
>> me if I'm wrong):
>> 1. Client connects with SSL, mod_ssl handles this
>> 2. mod_proxy handles generating a proxy request to the configured origin server
>> 3. SSLProxyEngine should be set to on so that SSL is used to
>> communicate securely with the origin server.
>
> why have an SSL proxy in this case?
>
>> What, if any, of the original client's SSL information is then available
>> to the origin server? For instance, can clients still present
>> certificates to authenticate with the origin server, or will that need
>> to be handled by the reverse proxy? If this authentication is handled
>> by the proxy, can the information from the client certificate be made
>> available to the origin server?
>
> you can only pass such information in request variables, and the destination
> server will have to trust the proxy. The proxy cannot sign the data with the
> client's certificate - it would need the client's private key.
>
>> Will the proxy try to use the same SSL parameters (protocol version,
>> ciphersuite, etc.) as the client did, or will this information otherwise be
>> made available to the origin server?
>
> no. it will do a completely different SSL negotiation.
>
>> Ideally, I'd like the proxy to be transparent to both the
>> origin server and the client.
>
> why do you want the proxy at all in this case?
>
> --
> Matus UHLAR - fantomas, uhlar@xxxxxxxxxxx ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do not wish to receive any advertising mail at this address.
> Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...

[snip]

Thank you both for the helpful responses.
To answer some of your questions: I want a proxy because I have multiple servers running and I want them accessible through the same address. So I just put the proxy at that address and let it figure out which server to use based on the Host header and SNI.

I want it to support SSL connections from the client because I want to support SSL connections from clients for all the various reasons a person might want to do that, notably privacy. I don't care if it actually speaks SSL to the origin servers, but I didn't know if that would make it more transparent, e.g., if there was a way that the same parameters would be used or something.

It sounds like I can't get at the client SSL information /and/ maintain transparency for the backend servers, which is what I kind of figured, I guess. I'm already using a module to set the REMOTE_ADDR based on the X-Forward-For header, so I might try something similar to forward relevant SSL information from the proxy to the origin servers in HTTP X-headers, and then see if I can figure out how to set the SSL_* env vars from those. At least then it's transparent to the applications on the backend servers, even if it's not quite transparent to the server itself.

Thanks.
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
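The approach Brian sketches (copy the proxy's SSL_* values into X- headers, then rebuild the SSL_* variables on the backend) as an added Apache httpd configuration example; it is not from the thread or the httpd project, and the hostname, certificate paths, addresses, backend port and header names are all assumed.

```apache
## Front-end reverse proxy: terminates TLS (mod_ssl, mod_proxy, mod_headers)
<VirtualHost *:443>
    # assumed name, paths and addresses throughout
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    # Client certificates are verified here, at the proxy, not at the backend
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient optional

    # Copy the negotiated TLS facts into request headers for the backend.
    # "set" replaces any header of the same name sent by the client, so a
    # client cannot smuggle its own values through the proxy.
    RequestHeader set X-SSL-Protocol      "%{SSL_PROTOCOL}s"
    RequestHeader set X-SSL-Cipher        "%{SSL_CIPHER}s"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"

    # Keep the original Host header so the backend can still route on it
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.10:8080/
    ProxyPassReverse / http://10.0.0.10:8080/
</VirtualHost>

## Backend origin server: plain HTTP (mod_setenvif, mod_authz_host)
<VirtualHost *:8080>
    ServerName www.example.com
    # Only the proxy (assumed 10.0.0.5) may reach this listener; anyone else
    # who could connect would be able to present forged X-SSL-* headers.
    <Location />
        Order deny,allow
        Deny from all
        Allow from 10.0.0.5
    </Location>

    # Re-create the SSL_* variables the applications expect from the headers;
    # "(.+)" leaves a variable unset when the proxy sent an empty header
    # (e.g. no client certificate was presented).
    SetEnvIf X-SSL-Protocol      "(.+)" SSL_PROTOCOL=$1
    SetEnvIf X-SSL-Cipher        "(.+)" SSL_CIPHER=$1
    SetEnvIf X-SSL-Client-Verify "(.+)" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-SSL-Client-S-DN   "(.+)" SSL_CLIENT_S_DN=$1
    # Also mark the request as having arrived over HTTPS, as mod_ssl would
    SetEnvIf X-SSL-Protocol      "(.+)" HTTPS=on
</VirtualHost>
```

The full client certificate (SSL_CLIENT_CERT) is multi-line PEM and cannot be forwarded in a header this way without flattening it first, so anything that needs the certificate itself still has to run on the proxy.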