httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: mod_remoteip ProxyProtocol addition
Date Tue, 07 Feb 2017 22:28:42 GMT


On 07.02.2017 at 21:33, Yann Ylavic wrote:
> My point is that we are not changing/masquerading something which is
> remote here (like the client IP address), we are making so that the
> applications and httpd itself think they are locally talking SSL/TLS.
> Thus they will send things like "; Secure" cookies in "clear" on the
> wire, or anything which is expected to not be eavesdrop-able.
>
> I'd like others from the community to give their opinions here, for
> now I find this quite opposite to TLS principles/expectations...

it's exactly how it should work - proxy to backend unencrypted, caching 
on the proxy and transport security between proxy endpoint and web client

that is what is meant by "TLS offloading" - it's not your problem how 
secure that wire is, on our VMware-cluster the hosts even don't talk
about a switch - they are directly connected for internal traffic and so 
that wire is as secure as the virtual machine itself
