httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: how make backend applications aware about tls-offloading
Date Sat, 07 Jan 2017 23:22:13 GMT


On 07.01.2017 at 23:53, Yann Ylavic wrote:
> On Sat, Jan 7, 2017 at 11:25 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>> On 07.01.2017 at 22:53, Yann Ylavic wrote:
>>>
>>> Wouldn't something like this work?
>>>
>>> # enable the rewrite engine, then act only on requests that came through a
>>> # proxy trusted by mod_remoteip and carry the offloading marker header
>>> RewriteEngine on
>>> RewriteCond %{ENV:remoteip-proxy-ip-list} .
>>> RewriteCond %{HTTP:X-TLS-Offloading} ^true$
>>> RewriteRule ^ - [E=HTTPS:on,E=REQUEST_SCHEME:https]
>
> That wouldn't work anyway, both variables will be overridden later
> when the env is constructed.
>
>>> Given that remoteip-proxy-ip-list is filled by mod_remoteip if (and
>>> only if) RemoteIPInternalProxy matches
>>
>> currently not, because nothing provides "X-TLS-Offloading", which is the
>> reason for adding both parties to this conversation
>
> OK, that's a prerequisite in any case..
>
>> such global rewrite rules are not very appealing, while the intention of getting
>> this handled by mod_remoteip is that for the admin this would be the
>> central place to deal with backend servers with a proxy in front
>
> Admittedly.
>>
>> it is handled perfectly for REMOTE_ADDR, where for every access (deny
>> rules, logging, mod_security rules) and within applications you can trust
>> it's the client's IP and not one from your own infrastructure
>
> Right, but HTTPS and REQUEST_SCHEME have a meaning for the httpd
> server, and they refer to its *local* configuration, so overriding
> them is very misleading (and does not work as mentioned above).
>
> Thus RemoteTLSHeader cannot be something that overrides them, and the
> best it could do is to unset the header if not trusted.
>>
>> end-to-end encryption (one argument which came against it) is something one
>> needs to consider anyway if TLS offloading comes into the mix, and the
>> connection between proxy and backend needs to be 100% trusted, but it's a
>> great way to spread the load of generating dynamic content and encryption to
>> different machines, and it should be 100% transparent to the application
>
> From the above, the app would have to rely on the (un)defined
> RemoteTLSHeader instead of HTTPS/REQUEST_SCHEME, so it can't be as
> transparent as you'd like...
>
> A new mod_remoteip feature for what you could do with mod_rewrite or
> mod_headers is less appealing then

OK, so we need to continue with the code below and set the option in every 
TLS-offloaded application; the intention of this thread was maybe to get this 
transparent, which seems not to be possible

<?php
// $cms_tls_offload is the application's own config flag, set where the app
// is known to sit behind a TLS-offloading proxy; when it is set, tell the
// app that the original request was HTTPS
if (!empty($cms_tls_offload))
{
  $_SERVER['REQUEST_SCHEME'] = 'https';
  $_SERVER['HTTPS']          = 'on';
}
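One way to do what Yann describes above (unset the header unless it arrived through a trusted proxy, and leave HTTPS/REQUEST_SCHEME alone), as an added httpd configuration example that is not from this thread or from the httpd project. It assumes the offloading proxy has the constructed address 10.0.0.5, sends X-Forwarded-For, and sets "X-TLS-Offloading: true" on requests it terminated TLS for.

```apache
# Added example: backend httpd behind a TLS-offloading proxy.
LoadModule remoteip_module modules/mod_remoteip.so
LoadModule headers_module  modules/mod_headers.so

# mod_remoteip restores the client address from X-Forwarded-For and, when the
# peer is a trusted internal proxy, fills the remoteip-proxy-ip-list
# environment variable (empty/unset for direct connections).
RemoteIPHeader        X-Forwarded-For
RemoteIPInternalProxy 10.0.0.5

# Drop the marker header when mod_remoteip recorded no trusted proxy, so a
# client connecting directly cannot claim its request was TLS-offloaded.
# A plain RequestHeader (no "early") runs at fixup time, after mod_remoteip.
RequestHeader unset X-TLS-Offloading env=!remoteip-proxy-ip-list
```

With this in place the application can check `$_SERVER['HTTP_X_TLS_OFFLOADING'] === 'true'` instead of an unconditional per-app flag before setting `$_SERVER['HTTPS']`.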
