www-modproxy-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: Reverse Proxy https question
Date Thu, 27 Jun 2002 08:49:01 GMT
Michael wrote:

> I am trying to Reverse Proxy HTTPS connections in the following manner:
>  
> CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy, 
> posing as secure-site.com (non-ssl, non-decrypting, just passing the 
> https through)  -> Sonicwall SSL Accelerator (a stand-alone HW device
> for  SSL decryption/encryption, hosting the certificate 
> for secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)
>  
> The purpose for this design is to keep the webserver behind a layer of 
> switches (for VLANS and ACLS) and Cisco Content Servers (which act as a 
> router and load balancer) and keep the Apache proxy server as the "edge 
> presence" of the website.

I don't know very much about SSL accelerators (is this a standalone 
server, or hardware acceleration for an existing server of some kind?), 
but regardless putting anything between the browser and the SSL 
accelerator isn't going to work. The connection between browser and 
accelerator is encrypted, so an HTTP proxy of any kind between them 
isn't going to serve any purpose.

> If I install the certificate for secure-site.com on the Apache reverse 
> proxy server and enable SSL , then the Apache reverse proxy will connect 
> with SSL to both the browser and the downstream webserver. This works, 
> but is pointless as it loads the Proxy server's CPU with SSL 
> encryption/decryption. That's what we have the SSL accelerators for.

> This is the Apache config I am using:
> ----------
> Listen IPAddress:443
> LogLevel debug
> <VirtualHost IPAddress:443>
>         SSLProxyEngine On
>         ServerName              web-site
>         ProxyPass               /       https://secure-site.com
>         ProxyPassReverse        /       https://secure-site.com
> </VirtualHost>

From what it looks like, you have Apache listening on port 443 (the 
HTTPS port) without telling it to speak HTTPS, so the connection just hangs.

The second thing you have is that the Apache proxy is now talking SSL to 
the backend accelerator - which will increase your server load, not 
decrease it, as the content is being encrypted by the accelerator, 
decrypted by the proxy, encrypted a second time by the proxy, and given 
to the browser.

What you need to do is put the accelerator at the outside, which in turn 
talks unencrypted HTTP to Apache, which in turn talks unencrypted HTTP 
to the load-balanced backend. Thus Apache does caching and URL management,
but no encryption.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm 
	"There's a moon
					over Bourbon Street
						tonight..."
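
The layout recommended in the reply above, sketched as an Apache 2.0 configuration. This is an added example, not part of the original message or of anyone's actual setup: the addresses 10.0.0.10 (Apache) and 10.0.0.5 (accelerator) and the name backend.internal.example are placeholders.

```apache
# Added example; all addresses and hostnames are placeholders.
# Topology: browser --HTTPS--> SSL accelerator --HTTP--> Apache --HTTP--> backend
#
# The config quoted in the thread listened on :443 without SSLEngine and set
# SSLProxyEngine On. Here Apache speaks plain HTTP on both sides, so it listens
# on port 80 and uses neither SSL directive.

# Bind only to the internal address that the accelerator forwards to.
Listen 10.0.0.10:80

<VirtualHost 10.0.0.10:80>
    # Public site name, used when Apache builds self-referential URLs.
    ServerName secure-site.com

    # Reverse proxy only; do not act as a forward proxy.
    ProxyRequests Off

    # Both hops are cleartext, so accept proxied requests only from the
    # accelerator (Apache 2.0 access-control syntax).
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.5
    </Proxy>

    # Plain HTTP to the load-balanced backend; no SSLProxyEngine needed.
    ProxyPass        / http://backend.internal.example/
    ProxyPassReverse / http://backend.internal.example/
</VirtualHost>
```

With TLS ending at the accelerator, the accelerator-to-Apache and Apache-to-backend hops carry cleartext, so they belong on network segments that only those devices can reach.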

