httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Eckert <thomas.r.w.eck...@gmail.com>
Subject Re: [users@httpd] reverse proxy: connect to origin servers via http or https?
Date Fri, 07 Feb 2014 12:48:38 GMT
> The question is: from the proxy performance/scalability point of view is
it better to configure backends (origin servers) with http or with https?

"Better" depends on what you want to achieve. Do you want to securely
deliver simple html content with no fancy stuff ? Do you want to have
authentication internally ? If so, do you care if your users can see other
user's authentication data (if they are knowledgeable on how to do it) ?


> Is it true that if proxy is setup https->http then it only has to
decrypt/encrypt the headers and the body is encrypted/decrypted on the
backend?

What ? Eh, no. If you configure your frontend with https and your backends
with http, then you just told apache to NOT use SSL between mod_proxy and
the backend servers. Only your frontends will do SSL handshakes in this
setup. That's pretty much SSL Offloading, maybe you got that confused ?


> How either setup affects latency of handling requests?

Involving SSL as opposed to not involving SSL will always slow things down.
How much ? Depends on your settings, on your hardware (SSL accelerators),
etc. Are you going to deal with large amounts of users ? If so you might
want to consider using SSL only for some parts of your page(s).


It all boils down to writing down your requirements. First you should get a
hold on what you actually want, then worry about how to do it. Secondly,
seeing how easy it is to set up basic configurations using the docs you
should start there and dig into specific issues later.



On Fri, Feb 7, 2014 at 4:20 AM, Jakub Moscicki <Jakub.Moscicki@cern.ch>wrote:

> Hello,
>
> I have a reverse proxy (apache 2.2) with mod_proxy_balancer with https
> visible to the outside world.
>
> The question is: from the proxy performance/scalability point of view is
> it better to configure backends (origin servers) with http or with https?
>
> Is it true that if proxy is setup https->http then it only has to
> decrypt/encrypt the headers and the body is encrypted/decrypted on the
> backend? I do not use mod_proxy_html (but maybe there are other modules
> which affect this behaviour on the proxy?.
>
> How either setup affects latency of handling requests? With https->https
> do I have to do two handshakes (on the proxy and on the backend) for every
> connection? I have KeepAlive both on the proxy and the backends.
>
> Many thanks.
>
> Best regards,
>
> kuba
>
> --
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Mime
View raw message