httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: how make backend applications aware about tls-offloading
Date Sat, 07 Jan 2017 23:39:56 GMT


Am 08.01.2017 um 00:31 schrieb Yann Ylavic:
> On Sun, Jan 8, 2017 at 12:22 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>
>> ok, so we need to continue the code below and set the option in every
>> tls-offloaded application - intention of this thread was maybe get this
>> transparent which seems not to be possible
>
> It is "technically" possible, but not wise IMHO.
> Making every httpd module/CGI/app think the local connection is https
> could lead to things like "; Secure" cookies sent on the (clear) wire,
> and that option would be accompanied with so much warnings ("unless
> you're really on the same switch, but even that...") that it'd be hard
> to defend (endlessly?).

exactly *that* would be the desired result if configured that way 
because the "clear wire" is controlled and trusted in that context and 
you *want* the secure flag sent for cookies between the tls-offloading 
server and the end user so they don't get them back unencrypted over the "real 
clear wire"

the whole purpose of *tls offloading* is to run the application on a 
virtual machine with a preforked httpd and encryption on the 
reverse-proxy running multithreaded with keep-alive

another security gain here is that the machine which runs application 
code never has a chance to see the private ssl key while a breach on the 
proxy with no application code is less likely

>> if(!empty($cms_tls_offload))
>> {
>>  $_SERVER['REQUEST_SCHEME'] = 'https';
>>  $_SERVER['HTTPS']          = 'on';
>> }
>
> Your choice ;)

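The exchange above turns on one question: when may a backend behind a TLS-offloading proxy claim the request is HTTPS and emit "Secure" cookies over its own clear-text hop? The following is an added example (not code from the thread, httpd, or any of its participants) that mirrors the quoted PHP snippet's logic in Python and adds the check a practitioner would want: the scheme is only rewritten when the immediate peer is a trusted proxy address and that proxy says the client leg was TLS. The proxy network, header name and cookie values are constructed assumptions.

```python
"""Mark a request as TLS-offloaded only when it arrives via a trusted proxy.

Added example, not part of the original mailing-list thread. Assumptions:
the TLS-terminating reverse proxy lives on 10.0.0.0/24 or localhost and
sets X-Forwarded-Proto; the backend reads a CGI/WSGI-style environ dict.
"""
from http.cookies import SimpleCookie
from ipaddress import ip_address, ip_network

# Constructed assumption: addresses the TLS-offloading proxy connects from.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24"), ip_network("127.0.0.1/32")]


def is_tls_offloaded(environ, trusted=TRUSTED_PROXIES):
    """True only if the peer is a trusted proxy that reports an https client leg.

    The header is attacker-controlled for any other peer, so it is ignored
    unless REMOTE_ADDR is inside one of the trusted networks.
    """
    try:
        peer = ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    if not any(peer in net for net in trusted):
        return False
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"


def apply_offload(environ, trusted=TRUSTED_PROXIES):
    """Equivalent of the quoted PHP block: set HTTPS/REQUEST_SCHEME when offloaded.

    Returns a copy of environ so the caller can compare before and after.
    """
    env = dict(environ)
    if is_tls_offloaded(env, trusted):
        env["REQUEST_SCHEME"] = "https"
        env["HTTPS"] = "on"
        env["wsgi.url_scheme"] = "https"
    return env


def session_cookie_header(environ, name="session", value="constructed-token"):
    """Build a Set-Cookie value; Secure is added only when the end-user leg is TLS.

    Between proxy and backend the wire is clear, but the flag protects the
    cookie on the real client leg, which is what the thread is after.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True
    cookie[name]["path"] = "/"
    if environ.get("HTTPS") == "on":
        cookie[name]["secure"] = True
    return cookie[name].OutputString()


if __name__ == "__main__":
    # Constructed request environs: one from the proxy, one spoofing the header.
    via_proxy = {"REMOTE_ADDR": "10.0.0.7", "HTTP_X_FORWARDED_PROTO": "https"}
    spoofed = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_FORWARDED_PROTO": "https"}
    for env in (via_proxy, spoofed):
        env = apply_offload(env)
        print(env["REMOTE_ADDR"], "->", env.get("HTTPS", "off"),
              "|", session_cookie_header(env))
```

The spoofed request shows why the trust check matters: without it, any client that can reach the backend port directly could set X-Forwarded-Proto and have the application treat a clear-text connection as HTTPS.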