trafficserver-users mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: how make backend applications aware about tls-offloading
Date Sat, 07 Jan 2017 22:53:06 GMT
On Sat, Jan 7, 2017 at 11:25 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>
> Am 07.01.2017 um 22:53 schrieb Yann Ylavic:
>>
>> Wouldn't something like this work?
>>
>> RewriteEngine on
>> RewriteCond %{ENV:remoteip-proxy-ip-list} .
>> RewriteCond %{HTTP:X-TLS-Offloading} ^true$
>> RewriteRule ^ - [E=HTTPS:on,E=REQUEST_SCHEME:https]

That wouldn't work anyway, both variables will be overridden later
when the env is constructed.

>>
>> Given that remoteip-proxy-ip-list is filled by mod_remoteip if (and
>> only if) RemoteIPInternalProxy matches
>
> currently not because nothing provides "X-TLS-Offloading" which is the
> reason for adding both parties to this conversation

OK, that's a prerequisite in any case..

>
> such global rewrite rules are not very appealing while the intention of getting
> this handled by mod_remoteip is that for the admin this would be the
> central place to deal with backend servers with a proxy in front

Admittedly.

>
> it is handled perfectly for the REMOTE_ADDR where for every access (deny
> rules, logging, mod_security rules and within applications) you can trust
> it's the client's IP and not one from your own infrastructure

Right, but HTTPS and REQUEST_SCHEME have a meaning for the httpd
server, and they refer to its *local* configuration, so overriding
them is very misleading (and does not work as mentioned above).

Thus RemoteTLSHeader cannot be something that overrides them, and the
best it could do is to unset the header if not trusted.

>
> end-to-end encryption (one argument which came up against it) is something one
> needs to consider anyway if TLS offloading comes into the mix and the
> connection between proxy and backend needs to be 100% trusted, but it's a
> great way to spread the load of generating dynamic content and encryption to
> different machines and should be 100% transparent to the application

From the above, the app would have to rely on the (un)defined
RemoteTLSHeader instead of HTTPS/REQUEST_SCHEME, so it can't be as
transparent as you'd like...

A new mod_remoteip feature for what you could do with mod_rewrite or
mod_headers is less appealing then.
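The "unset the header if not trusted" variant discussed in this thread, done with stock mod_remoteip and mod_headers rather than a new directive. This is an added configuration example, not something posted in the thread; the proxy address 10.0.0.5 and the backend port are assumptions, while the header name X-TLS-Offloading is the one the thread uses.

```apache
# --- Front-end httpd that terminates TLS (assumed address 10.0.0.5) ---
<VirtualHost *:443>
    SSLEngine on
    # Tell the backend the client side was TLS; overwrite anything the client sent.
    RequestHeader set X-TLS-Offloading "true"
    ProxyPass        "/" "http://backend.internal:8080/"   # assumed backend
    ProxyPassReverse "/" "http://backend.internal:8080/"
</VirtualHost>

<VirtualHost *:80>
    # Plain HTTP in front: never let the client's own copy of the header through.
    RequestHeader unset X-TLS-Offloading
    ProxyPass        "/" "http://backend.internal:8080/"
    ProxyPassReverse "/" "http://backend.internal:8080/"
</VirtualHost>

# --- Backend httpd behind the offloading proxy ---
LoadModule remoteip_module modules/mod_remoteip.so
LoadModule headers_module  modules/mod_headers.so

# REMOTE_ADDR is rewritten from X-Forwarded-For only when the TCP peer is
# the trusted proxy; on a match mod_remoteip also sets the
# remoteip-proxy-ip-list environment variable.
RemoteIPHeader        X-Forwarded-For
RemoteIPInternalProxy 10.0.0.5

# Drop X-TLS-Offloading unless mod_remoteip trusted the connecting proxy.
# Applications then see the header only when it came via 10.0.0.5, and can
# key their "is this request secure?" logic on it instead of HTTPS /
# REQUEST_SCHEME, which still describe the backend's own plain-HTTP vhost.
RequestHeader unset X-TLS-Offloading env=!remoteip-proxy-ip-list

# Optional: log it so a direct (untrusted) hit is visible as a missing value.
LogFormat "%h %l %u %t \"%r\" %>s %b tls-offload=%{X-TLS-Offloading}i" offload
CustomLog logs/access_log offload
```

A request that reaches the backend directly (not through 10.0.0.5) arrives with `X-TLS-Offloading` removed, so an application trusting the header cannot be tricked into treating a plaintext connection as TLS.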
