httpd-users mailing list archives

From Emmanuel Bailleul <Emmanuel.Baill...@telindus.fr>
Subject RE: [users@httpd] SSL Reverse Proxy
Date Wed, 27 Jan 2010 09:31:03 GMT
> -----Original Message-----
> From: mearns.b@gmail.com [mailto:mearns.b@gmail.com] On behalf of Brian
> Mearns
> Sent: Tuesday, 26 January 2010 21:28
> To: users@httpd.apache.org
> Subject: [users@httpd] SSL Reverse Proxy
> 
> I'm looking for some clarification on how to setup a reverse proxy
> that supports SSL/TLS. My understanding is as follows (please correct
> me if I'm wrong):
> 1. Client connects with SSL, mod_ssl handles this
> 2. mod_proxy handles generating a proxy-request to the configured origin
> server
> 3. SSLProxyEngine should be set to on so that SSL is used to
> communicate securely with the origin server.
> 
> What if any of the original client's SSL information is then available
> to the origin server? For instance, can clients still present
> certificates to authenticate with the origin server, or will that need
> to be handled by the reverse proxy? If this authentication is handled
> by the proxy, can the information from the client certificate be made
> available to the origin server? Will the proxy try to use the same SSL
> parameters (protocol version, ciphersuite, etc) as the client did, or
> will this information otherwise be made available to the origin
> server? Ideally, I'd like the proxy to be transparent to both the
> origin server and the client.
> 
> Additionally, my origin server and reverse proxy are actually on the
> same machine, so I'm not especially concerned about securing
> communications between them, except that I would like all of the
> SSL-relevant information to be available to the origin server. Is
> there a way to do this without using secure communications between the
> proxy and origin server? My primary reason for not wanting to use
> secure connections here is to improve speed and avoid the increased
> drain on my entropy pool. Are these realistic concerns, or would the
> effect be negligible?
> 
> Any help would be greatly appreciated.
> 
> Thanks,
> -Brian
> 

Hi Brian,

I think your description in the first part of your mail is correct. If you use a reverse proxy
in front of your origin, you have to let it manage the authentication part, and as there
will be two distinct connections, the SSL parameters of the client-to-proxy connection won't
necessarily be the same as those of the proxy-to-origin one, unless you configure them so that they
match.
I guess that in order to reach the origin server directly from your client "through"
the frontend, you would rather use some sort of "port forwarder", which in this case would
not deal with SSL at all.
Last, regarding your idea of "forwarding" some interesting variables from the frontend to
the origin server, I think this could be achieved with something like mod_perl,
but also in a more straightforward way by using environment variables and headers (via mod_headers).
I kept this idea in mind after reading an article on this ML:
http://mail-archives.apache.org/mod_mbox/httpd-users/200911.mbox/%3CPine.LNX.4.64.0911261559410.28410@haroon.sis.utoronto.ca%3E

The idea was to use the available SSL environment variables (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars)
to set headers with 'RequestHeader set' in the reverse proxy and send them over the backend
connection to the origin server, which could then grab all the info it needs. A question remains
regarding the origin server and whether it uses PHP or something similar to process these headers.

I have not (yet) tried this setup though I think I will soon.

Hope this helps.

Emmanuel

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

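The setup Emmanuel sketches (TLS and client-certificate authentication terminated at the reverse proxy, mod_ssl variables copied into request headers with `RequestHeader set`, plain HTTP to an origin on the same machine, as Brian proposes) written out as a complete httpd 2.2-style virtual host. This is an added example, not configuration from either poster or from the httpd project; the hostname, certificate paths, backend port and `X-SSL-*` header names are assumptions.

```apache
# Added example (not from the thread). Front-end reverse proxy that
# terminates TLS, authenticates the client certificate itself, and
# forwards selected mod_ssl variables to the origin as request headers.
# Hostnames, certificate paths, backend port and header names are assumed.

<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile     /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile  /etc/apache2/ssl/www.example.com.key

    # Client-certificate authentication happens here, not at the origin:
    # the origin never sees the client's TLS session.
    SSLCACertificateFile   /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient        require
    SSLVerifyDepth         2

    # %{VAR}s is mod_headers' lookup of a mod_ssl variable (see the
    # envvars table in the mod_ssl docs). "set" replaces any header of the
    # same name the client sent, so a client cannot smuggle its own
    # X-SSL-Client-S-DN past the proxy.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-SSL-Protocol      "%{SSL_PROTOCOL}s"
    RequestHeader set X-SSL-Cipher        "%{SSL_CIPHER}s"

    # Plain HTTP to the origin on the loopback interface. If the origin
    # moved to another host you would switch to "SSLProxyEngine on" and
    # an https:// backend URL, plus SSLProxyCACertificateFile to verify it.
    ProxyRequests    Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Two caveats a practitioner would want here. First, the forwarded values are only as trustworthy as the path to the origin: the origin must listen on 127.0.0.1 (or be firewalled) so that nobody can connect to port 8080 directly and supply their own `X-SSL-*` headers. Second, the origin reads them as ordinary request headers (in PHP, `$_SERVER['HTTP_X_SSL_CLIENT_S_DN']`); it must treat `X-SSL-Client-Verify` as the authentication result and the DN as an identity string, not re-run any certificate validation, because the certificate itself is not forwarded in this form.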