On 08.01.2017 at 00:31, Yann Ylavic wrote:
On Sun, Jan 8, 2017 at 12:22 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
OK, so we need to continue with the code below and set the option in every
TLS-offloaded application. The intention of this thread was maybe to get this
transparent, which seems not to be possible.
It is "technically" possible, but not wise IMHO.
Making every httpd module/CGI/app think the local connection is https
could lead to things like "; Secure" cookies sent on the (clear) wire,
and that option would be accompanied with so many warnings ("unless
you're really on the same switch, but even that...") that it'd be hard
to defend (endlessly?).
Exactly *that* would be the desired result if configured that way,
because the "clear wire" is controlled and trusted in that context, and
you *want* the Secure flag sent for cookies between the TLS-offloading
server and the end user so that they don't come back unencrypted over the
"real clear wire".

The whole purpose of *TLS offloading* is to run the application on a
virtual machine with a preforked httpd, and the encryption on the
reverse proxy running multithreaded with keep-alive.

Another security gain here is that the machine which runs application
code never has a chance to see the private SSL key, while a breach on the
proxy with no application code is less likely.
<?php
// $cms_tls_offload is set in the deployment config when this backend sits
// behind a TLS-offloading reverse proxy (the proxy-to-backend hop is plain HTTP)
if (!empty($cms_tls_offload)) {
    // Make the application see the request as HTTPS, e.g. so it emits Secure cookies
    $_SERVER['REQUEST_SCHEME'] = 'https';
    $_SERVER['HTTPS'] = 'on';
}
Your choice ;)
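As an added example (not code from the thread or from the httpd project), here is a variant of the approach above that derives the flag from the proxy at request time instead of from a static config switch. It assumes, hypothetically, that the offloading proxy connects from the addresses in TRUSTED_PROXIES, sets X-Forwarded-Proto on every forwarded request and strips any copy of that header the client sent; the request arrays at the bottom are constructed samples, not captured traffic. The peer-address check is the part that matters: without it, any host that can reach the backend port could claim "https" and have Secure cookies minted for a connection that was never encrypted.

```php
<?php
// Added example, not from the original thread. Decide whether a request
// reached this backend through a trusted TLS-offloading reverse proxy, and
// only then present the connection to the application as HTTPS.
declare(strict_types=1);

// Hypothetical addresses the offloading proxy connects from.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6'];

/**
 * True when the request should be treated as HTTPS: the peer must be a known
 * proxy (otherwise the header could be spoofed from the backend network) and
 * the proxy must report that the client-facing hop was TLS.
 */
function request_is_tls_offloaded(array $server, array $trustedProxies = TRUSTED_PROXIES): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return false;
    }
    // Some proxies forward a comma-separated chain; the first entry is the
    // client-facing hop.
    $proto = strtolower(trim($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
    $proto = trim(explode(',', $proto)[0]);
    return $proto === 'https';
}

/**
 * Set the variables PHP applications check (what mod_ssl would set on a
 * directly terminated connection) and return the modified array.
 */
function apply_tls_offload(array $server, array $trustedProxies = TRUSTED_PROXIES): array
{
    if (request_is_tls_offloaded($server, $trustedProxies)) {
        $server['HTTPS'] = 'on';
        $server['REQUEST_SCHEME'] = 'https';
        $server['SERVER_PORT'] = '443'; // for frameworks that build absolute URLs
    }
    return $server;
}

// Constructed sample requests (not captured from a real system).
$samples = [
    'from proxy, client used TLS'        => ['REMOTE_ADDR' => '10.0.0.5',   'HTTP_X_FORWARDED_PROTO' => 'https'],
    'from proxy, client used plain HTTP' => ['REMOTE_ADDR' => '10.0.0.5',   'HTTP_X_FORWARDED_PROTO' => 'http'],
    'spoofed header from another host'   => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_PROTO' => 'https'],
];

foreach ($samples as $label => $server) {
    $server = apply_tls_offload($server);
    printf("%-36s HTTPS=%s\n", $label, $server['HTTPS'] ?? 'off');
}

// In a real request: once HTTPS is 'on', the session cookie can carry the
// Secure flag. The proxy re-encrypts the client-facing hop, so the flag is
// correct even though the proxy-to-backend hop is cleartext.
if (PHP_SAPI !== 'cli') {
    $_SERVER = apply_tls_offload($_SERVER);
    session_set_cookie_params([
        'secure'   => ($_SERVER['HTTPS'] ?? 'off') === 'on',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

Run it from the command line to see the three sample decisions; only the first sample ends up with HTTPS=on. The same check can be moved into httpd itself with SetEnvIf on the proxy-facing vhost, but the PHP form keeps it next to the config switch the thread is discussing.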