httpd-users mailing list archives

From James Tait <>
Subject HTTPS Proxy Through NAT?
Date Wed, 14 Aug 2002 13:43:19 GMT
Hi all,

I've had an odd request from a client that is frankly making my brain hurt. :(

The basics of it are that they have a server deep within their internal 
network that will be servicing requests to external clients.  They want to 
do this over HTTPS, via an Apache proxy, but I'm not sure if that is possible.

The architecture looks like this:

      3rd Party
    1024 |        Request to mmcss-public-ip:443
      ---+---     Firewall (allow)
     443 |        Receive request from 3rdparty-ip:1024
       MMCSS      NAT
    1024 |        Forward to apache-service-ip:443
     443 |        Receive request from mmcss-service-ip:1024
      Apache      HTTPS Proxy (No caching)
    1024 |        Request to slcss-delivery-ip:443
     443 |        Receive request from apache-delivery-ip:1024
       SLCSS      NAT
    1024 |        Forward to ALCSS:443              }
         |                                           } Requests might bypass
         |                                           } these and go straight
      ---+---     Firewall (allow)                   } through from SLCSS to
         |                                           } HTTPD.  To be
         |                                           } determined.
     443 |        Receive request from slcss:1024    }
       ALCSS      NAT                                }
    1024 |        Forward to httpd:443               }
         |                                          }
     443 |        Receive request from alcss:1024

Don't ask about the architecture, I have no say in that! ;)  All I'm 
concerned with is configuring the Apache server.  From looking at this 
scenario, I think it's possible using straight HTTP (sanity check would be 
appreciated).  However, when it comes to HTTPS, I'm not sure it would work.

The 3rd Party machine will never be aware of the Apache server's IP 
address, and vice-versa.  So when it comes to session negotiation, the 
Apache server's certificate is going to need to have the external IP 
address of the MMCSS, yes?  What about the other way around?  Does Apache 
request a certificate from the client?  If so, won't the IP address in the 
client certificate be different from the one in the request, after NAT?

This is just the one half of the story, they also want a proxy going the 
other way to request from internal machines to external machines over 
HTTPS, but that's to be dealt with later.

Is there anyone out there, more clued up than I, who can either confirm 
that this won't work, or suggest a way in which it will work?

Cheers (pass the paracetamol!),


| James Tait                         | ICQ# 17834893                      |
| MUD programmer and Linux advocate  | |
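An Apache configuration for the external-facing leg of the setup described above, added here as an example and not part of the original post: the hostname, certificate paths and backend address are placeholders, and it assumes mod_ssl and mod_proxy are loaded.

```apache
# Added example (not from the original message). Placeholders:
# mmcss.example.com, the certificate paths and slcss-delivery-ip.
Listen 443
<VirtualHost *:443>
    # The name the 3rd party actually connects to: the MMCSS public address.
    ServerName mmcss.example.com

    SSLEngine on
    # The certificate must match what the 3rd party dials (the MMCSS public
    # name or IP), not Apache's own internal address. NAT rewrites IP headers
    # only; TLS runs above that and never sees the translation.
    SSLCertificateFile    /etc/httpd/ssl/mmcss-public.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mmcss-public.key

    # Apache asks the client for a certificate only when this is set to
    # "optional" or "require"; the default is "none". A client certificate
    # names its subject, not the source IP, so NAT does not invalidate it.
    SSLVerifyClient none

    # Reverse proxy only: never accept forward-proxy (open proxy) requests.
    ProxyRequests Off

    # Re-encrypt toward the backend; Apache is the TLS client on this hop,
    # so the backend's certificate must match slcss-delivery-ip and be
    # issued by a CA listed in SSLProxyCACertificateFile.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.crt

    # For the plain-HTTP variant, change https:// to http:// and drop the
    # SSLProxy* directives above.
    ProxyPass        / https://slcss-delivery-ip/
    ProxyPassReverse / https://slcss-delivery-ip/
</VirtualHost>
```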


