httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: how make backend applications aware about tls-offloading
Date Sat, 07 Jan 2017 16:27:02 GMT


Am 07.01.2017 um 17:04 schrieb Jered Floyd:
> Does the "sslheaders" experimental plugin meet your needs?
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/plugins/sslheaders.en.html

not really because it's not transparent to the application and so I can 
continue to fake the $_SERVER vars based on application configs - it also 
needs to make sure that these headers never ever are passed through from 
untrusted machines in front of the own proxy or faked by clients 
pointing directly to the origin - the way mod_remoteip works takes care 
of such things

"end-to-end" doesn't matter when both ATS and httpd are on the same switch 
or even running on the same virtualization host - what matters much more 
is that your applications are aware of the https fact and set the 
*encryption flag for cookies* as an example

the fake-by-configuration hacking makes things just more complex because 
you have one more place to care about besides DNS, ATS and httpd, and the 
Magento hacks placing $_SERVER['xyz'] into 'index.php' are anything but 
beautiful

well, and for sites which should be reachable with https *and* http you 
can forget this entirely when the application doesn't have any clue

> ----- On Jan 7, 2017, at 3:30 AM, Reindl Harald h.reindl@thelounge.net wrote:
>
>> * Apache Trafficserver in front
>> * ATS configured for TLS-offloading
>> * connection to backend-httpd on the LAN unencrypted
>> * mod_remoteip correctly configured on backend httpd
>>
>> is there any way to make the backend php application aware that in fact
>> $_SERVER['HTTPS'] and $_SERVER['REQUEST_SCHEME'] should be 'on' /
>> https:// in case of generate absolute URLs like for emails
>>
>> in a perfect world this would be handled like the transparent
>> translation of the client IP with
>> https://httpd.apache.org/docs/current/mod/mod_remoteip.html and its
>> RemoteIPInternalProxy and a header like "X-Forwarded-TLS"
>>
>> something like below where "X-TLS-Offloading" is only evaluated from
>> "RemoteIPInternalProxy" physical addresses
>>
>> RemoteIPHeader         X-Forwarded-For
>> RemoteTLSHeader        X-TLS-Offloading
>> RemoteIPInternalProxy  192.168.196.1
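The trust rule the thread asks for (honour a TLS-offloading header only when the TCP peer is one of the RemoteIPInternalProxy addresses, otherwise treat the request as plain http) can be written down as a small backend-side check. The following is an added example, not code from the httpd-dev thread, from mod_remoteip or from ATS; it assumes the header name "X-TLS-Offloading" and the proxy address 192.168.196.1 from the quoted proposal, and the peer 203.0.113.5 is a constructed untrusted client.

```python
"""Trusted-proxy evaluation of a TLS-offloading header (added example).

Models the behaviour proposed in the thread: a header such as
"X-TLS-Offloading" (hypothetical name from the thread, not an httpd
directive) is believed only when the TCP peer is an internal proxy.
Anything arriving from another address is ignored, so a client that
talks to the origin directly cannot claim its request was https.
"""
import ipaddress
from typing import Iterable, List, Mapping, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed configuration: the internal proxy address from the thread.
TRUSTED_PROXIES = ["192.168.196.1"]
TLS_HEADER = "X-TLS-Offloading"  # hypothetical header name from the thread


def build_trusted_networks(internal_proxies: Iterable[str]) -> List[Network]:
    """Accept single addresses or CIDR ranges, as RemoteIPInternalProxy does."""
    return [ipaddress.ip_network(p, strict=False) for p in internal_proxies]


NETS = build_trusted_networks(TRUSTED_PROXIES)


def peer_is_trusted(peer_ip: str, nets: List[Network]) -> bool:
    """True when the TCP peer address lies inside a trusted proxy network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)


def effective_scheme(peer_ip: str, headers: Mapping[str, str],
                     nets: List[Network] = NETS,
                     header_name: str = TLS_HEADER) -> Tuple[str, bool]:
    """Return (scheme, header_was_trusted).

    The header is only consulted when the peer is a trusted proxy; a header
    from anyone else is discarded and the request counts as plain http.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(header_name.lower())
    if value is None or not peer_is_trusted(peer_ip, nets):
        return "http", False
    is_tls = value.strip().lower() in ("on", "1", "true", "https")
    return ("https" if is_tls else "http"), True


def sanitize_headers(peer_ip: str, headers: Mapping[str, str],
                     nets: List[Network] = NETS,
                     header_name: str = TLS_HEADER) -> dict:
    """Strip the offloading header from untrusted peers before the
    application sees it, so a spoofed value never reaches $_SERVER."""
    if peer_is_trusted(peer_ip, nets):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != header_name.lower()}


def server_vars(peer_ip: str, headers: Mapping[str, str],
                nets: List[Network] = NETS) -> dict:
    """The two PHP variables the thread cares about, derived from the check."""
    scheme, _ = effective_scheme(peer_ip, headers, nets)
    return {"HTTPS": "on" if scheme == "https" else "off",
            "REQUEST_SCHEME": scheme}


def cookie_header(name: str, value: str, scheme: str) -> str:
    """Set the Secure flag only when the request really was https."""
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    if scheme == "https":
        parts.append("Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    offload = {TLS_HEADER: "on"}
    # Request relayed by the internal proxy after TLS termination.
    print(server_vars("192.168.196.1", offload))
    # Same header sent by a client that reached the origin directly.
    print(server_vars("203.0.113.5", offload))
    print(cookie_header("sid", "abc", effective_scheme("192.168.196.1", offload)[0]))
```

Running the module prints the derived $_SERVER values for both cases; the spoofed header from 203.0.113.5 yields HTTPS=off and a cookie without the Secure flag, which is exactly the behaviour the thread wants a transparent mechanism to guarantee.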
