httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject [users@httpd] Re: transparent proxy support in Apache?
Date Thu, 30 Aug 2007 16:17:42 GMT
On 02.08.07 06:36, Jason Haar wrote:
> I'm making a WAF (Web Application Firewall)  based around Linux/Apache
> and mod_security, and as part of the design, thought that making it a
> transparent (reverse) proxy would be a good move from a disaster
> recovery perspective (i.e. if it blew up you could just wire around it
> and the backends would still be available).

replacing one SPOF (the webserver) by another SPOF (proxy) is usually not
very efficient.

And while you are talking about "transparent" proxy, this term is defined
elsewhere in different way than you think.

The reverse proxy doesn't have to be intercepting and apache does this
easily.

The intercepting proxy has no meaning for reverse proxy and apache does not
support this. And I don't think it ever will.

> Also, the WAF would primarily be used to protect HTTPS sites. Now I know
> "you can't transparently proxy HTTPS"

you can't efficiently proxy HTTPS. You can do reverse proxy, listening on
HTTPS, connecting via HTTP, and this will work well unless your webservers
need to play with client certificates, and it will be safe unless you have
unsafe network between proxies and servers.

> I've done this successfully with Squid as a normal proxy, but I really
> need the funky features of Apache as a reverse-proxy - but I want
> transparency too...

first you should make clear what do you really want and need...
squid can do intercepting, reverse proxy and SSL accelerator, but for
modifying of content you still need at least ICAP patch and some ICAP
server...
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message