httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Eckert <thomas.r.w.eck...@gmail.com>
Subject Re: [users@httpd] Re: reverse proxy choice to origin servers: https->https or https->http
Date Thu, 13 Feb 2014 09:11:33 GMT
If you use httpd as reverse proxy then clients will perform SSL handshakes
with your reverse proxy. In SSL there is no distinction between decrypting
the HTTP headers only or decrypting the full HTTP request - it's simply
"payload" and it will be decrypted as a whole. If you want to understand
how all of this works I suggest reading up on it as this list is simply the
wrong place for it.

I suggest you use the reverse proxy as suggested in the docs and do not
worry about whether the body is decrypted or not. Unless you have specific
reasons for it, you simply shouldn't care. Just give it a try.


On Mon, Feb 10, 2014 at 3:15 PM, Jakub Moscicki <Jakub.Moscicki@cern.ch>wrote:

>
>   Is it true that if proxy is setup https->http then it only has to
>  decrypt/encrypt the headers and the body is encrypted/decrypted on the
> backend?
>  What ? Eh, no. If you configure your frontend with https and your
> backends with http, then you just told apache to NOT use SSL between
> mod_proxy and the backend servers. Only your frontends will do SSL
> handshakes in this setup. That's pretty much SSL Offloading, maybe you got
> that confused ?
>
>
>  Sorry, it was a typo of course. I mean: https->https. So if a proxy
> forwards https to the backend which accepts https - then would the proxy
> decrypt the headers only or the entire request? I am adding cookies at the
> proxy for stickyness so the proxy must be handling the headers.
>
>  In my case http at the backend could be an option inside a trusted
> network.
>
>  kuba
>
>  --
>
>

Mime
View raw message