httpd-dev mailing list archives

From Daniel Ruggeri <DRugg...@primary.net>
Subject Re: mod_ssl's proxy support: make it per directory
Date Sat, 20 Nov 2010 14:57:53 GMT

On 11/19/2010 9:13 AM, Graham Leggett wrote:
> On 19 Nov 2010, at 3:15 PM, Plüm, Rüdiger, VF-Group wrote:
>
>>> For a while, mod_ssl has been able to secure connections from
>>> mod_proxy, backwards towards some backend server.
>>>
>>> For some reason however, the directives that control this behavior
>>> SSLProxy* are all scoped virtual host only, making it possible to SSL
>>> protect just one single ProxyPass going backwards, and not more than
>>> one, something that severely limits the usefulness of the feature.
>>
>> What limits do you see with the actual "per virtual host" configuration?
>
> Most specifically, any attempt to set a client certificate to a
> particular proxypass ends up being valid server wide.
>
> Each backend server which a reverse proxy proxies to has the potential
> to have different requirements for SSL, from client certs, to ciphers
> used, etc.
>
> We have worked around this to date by either delegating this task to
> load balancers, or writing little php apps to proxy the connections, but
> this is really ugly, when mod_proxy+mod_ssl can potentially do this itself.
>
> Regards,
> Graham
> --
>

Indeed - this is a long-standing limitation available in quite a few
reverse proxies out there... and even several third party proxy modules
for httpd.

--
Daniel Ruggeri

