httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] "tee" SSL traffic?
Date Wed, 08 Apr 2009 22:09:54 GMT
John Oliver wrote:
> On Wed, Apr 08, 2009 at 04:16:32PM -0400, Eric Covener wrote:
>> On Wed, Apr 8, 2009 at 1:37 PM, John Oliver <joliver@john-oliver.net> wrote:
>>> Is it possible for an instance of httpd to basically copy all traffic it
>>> receives to another instance of httpd on another host?
>> No -- You want something much lower-level, like a TCP tunnel or a load
>> balancer. Apache will always decrypt/re-encrypt if you put it between
>> a client and an SSL origin server.
> 
> It would actually be quite OK for httpd to decrypt the traffic first,
> since it'll be sent to one other host, on a local segment, re-encrypted
> by a private keypair.
> 
Continuing on the above, I don't know of any way that you could achieve 
what you want using only standard Apache config or modules.
It is after all quite unusual as a requirement.

It is relatively easy to achieve this with mod_perl though.
One of the issues you are facing is that the request to the second host 
is going to return an answer (also, just like the "main" one). So you 
have to read this answer and deal with it somehow at the httpd level; 
you can't just return it to the browser, or it will get confused by getting 
an answer twice to a single request.

Schematically:
implement a request filter that will capture the request at the same 
time as letting it through transparently to whatever its original 
destination is.
When the request is entirely captured, the filter forwards this request 
to the second server (not necessarily via HTTPS), gets the answer and 
saves it somewhere.  You may have a practical problem if the requests or 
responses are very large. It may also get more complicated if the 
requests/responses include some kind of "state", like cookies.
With mod_perl and the LWP module, it is quite doable.




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
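
The filter sketched in the message above, written out as an added example for mod_perl 2 (not code from the original post or from the Apache project): it passes the request body through unchanged, keeps a bounded copy, replays the request to the second host with LWP, and drops that host's answer. The module name `My::MirrorFilter`, the `MIRROR_URL` placeholder, the 1 MiB cap and the 5-second timeout are assumptions.

```perl
package My::MirrorFilter;    # hypothetical module name
# httpd.conf (assumed): PerlInputFilterHandler My::MirrorFilter
use strict;
use warnings;
use base qw(Apache2::Filter);
use Apache2::RequestRec ();
use APR::Table ();
use Apache2::Const -compile => qw(OK);
use LWP::UserAgent ();
use HTTP::Request ();

use constant BUFSIZE    => 8192;
use constant MAX_MIRROR => 1_048_576;    # assumed cap on the buffered body (1 MiB)
use constant MIRROR_URL => 'https://mirror.internal.example';    # placeholder second host

sub handler : FilterRequestHandler {
    my $f   = shift;
    my $ctx = $f->ctx || { body => '', skip => 0 };

    # Pass each chunk through untouched while keeping a bounded copy.
    while ($f->read(my $buf, BUFSIZE)) {
        $f->print($buf);
        next if $ctx->{skip};
        $ctx->{body} .= $buf;
        @$ctx{qw(body skip)} = ('', 1) if length($ctx->{body}) > MAX_MIRROR;
    }

    if ($f->seen_eos) {
        mirror($f->r, $ctx->{body}) unless $ctx->{skip};
    }
    else {
        $f->ctx($ctx);    # more body still to come: keep state for the next call
    }
    return Apache2::Const::OK;
}

sub mirror {
    my ($r, $body) = @_;
    my $req = HTTP::Request->new($r->method, MIRROR_URL . $r->unparsed_uri);
    # Cookie and Authorization are copied too, so the mirror host receives live credentials.
    $r->headers_in->do(sub {
        my ($name, $value) = @_;
        $req->push_header($name => $value)
            unless $name =~ /^(?:Host|Connection|Content-Length|Transfer-Encoding)$/i;
        return 1;    # keep iterating over the table
    });
    $req->content($body);
    # The second answer is read here and dropped; the browser only sees the original one.
    LWP::UserAgent->new(timeout => 5)->simple_request($req);
    return;
}

1;
```

The filter runs only when something reads the request body through the input filter chain, and the synchronous LWP call delays the original request by up to the timeout.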

