httpd-users mailing list archives

From Axel-Stéphane SMORGRAV <Axel-Stephane.SMORG...@europe.adp.com>
Subject RE: [users@httpd] mod_proxy keepalive ssl
Date Wed, 05 Jul 2006 12:30:17 GMT
No - that's not possible.

What you can do however, is to use mod_rewrite to retrieve the ssl id from the client-rproxy
connection and insert it as a header into the rproxy-balancer connection. Search for previous
threads on this list about forwarding client certificate data to a backend server through
a reverse proxy, for example "[users@httpd] Can reverse proxy forward digital certificates",
as you will probably be able to use those rewrite rules as a starting point.

-ascs

-----Original Message-----
From: Francisco Gimeno [mailto:kikov@kikov.org] 
Sent: Wednesday, July 05, 2006 12:27 PM
To: users@httpd.apache.org
Subject: [users@httpd] mod_proxy keepalive ssl

Hello

This is my first mail here and I know my English is poor, so please excuse any inconvenience... ;)

I'm trying to set up a reverse proxy using mod_proxy to a cluster of WebServers, balanced with
an Alteon G5 with sslid mechanism. Indeed, the reverse proxies are a cluster of 4 too, balanced
with kernel IPVS (but this is not important at the moment).

I have observed problems maintaining the session when using HTTPS and not HTTP.

SSL is a set of protocols built on top of TCP/IP that allows an application server and client
to communicate over an encrypted HTTP session, providing authentication, non-repudiation,
and security. The SSL protocol handshake is performed using clear (unencrypted) text. The content
data is then encrypted (using an algorithm exchanged during the handshake) prior to being
transmitted.
Using the SSL session ID, the switch forwards the client request to the same real server to
which it was bound during the last session. Because SSL protocol allows many TCP connections
to use the same session ID from the same client to a server, key exchange needs to be done
only when the session ID expires. This reduces server overhead and provides a mechanism, even
when the client IP address changes, to send all sessions to the same real server.
---

Is there a way to have the same SSL ID in the SSLProxyEngine for the same client? How does
it work?
Is the SSL ID for the client-rproxy the same as that for the rproxy-balancer? How can I fix this?

Thx a lot,
Francisco Gimeno


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
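
The header-forwarding approach suggested in the reply, as an added configuration example that is not part of the original thread. It assumes httpd 2.2 or later with mod_ssl, mod_rewrite, mod_headers and mod_proxy loaded; the host names, certificate paths, the environment variable name CLIENT_SSL_ID and the header name X-SSL-Session-ID are placeholders chosen for illustration.

```apache
<VirtualHost *:443>
    # Placeholder names and paths (assumptions, not from the thread)
    ServerName rproxy.example.com

    # TLS on the client-rproxy connection
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl/rproxy.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/rproxy.key

    RewriteEngine On
    # Copy the SSL session id of the client-rproxy connection into an
    # environment variable; "-" leaves the requested URL unchanged.
    RewriteRule ^ - [E=CLIENT_SSL_ID:%{SSL:SSL_SESSION_ID}]

    # "set" replaces any header of the same name sent by the client, so the
    # backend only ever sees the value computed here by the proxy.
    RequestHeader set X-SSL-Session-ID "%{CLIENT_SSL_ID}e"

    # TLS on the rproxy-balancer connection; this is a separate SSL session
    # with its own session id, negotiated by the proxy itself.
    SSLProxyEngine on
    ProxyPass        / https://balancer.example.com/
    ProxyPassReverse / https://balancer.example.com/
</VirtualHost>
```

The forwarded value is only useful to a backend or balancer that can read an HTTP request header, and the backend should accept that header only on connections coming from the reverse proxies.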

