I have a web server handling predominantly https traffic sitting on a DMZ
behind a CARP'd firewall of two ALIX 2D3s.

Since the firewall is NATting traffic to the web server, the source IP of
requests arriving at the web server is always the firewall's CARP address on
the DMZ.  I'd like the server to see the original client IP.

The only solution I can think of is to use relayd, pound etc. as a layer 7
reverse proxy on the firewall that decrypts the SSL and inserts an
X-Forwarded-For header.  The problem there though is that the firewall is
lightweight with just a 500MHz Geode, whereas the web server has dual quad
core 2.3GHz E5410 Xeons sitting mostly idle.  Even if the firewall can handle
the load now, it'll quickly become a bottleneck if traffic increases.

There might be hardware accelerator products that will work with the ALIX
boards, but it seems to me that scalability in future will depend on
separating the SSL decryption from the firewall.

How can I get the best of both worlds, offloading the SSL decryption from the
firewall without losing the client's IP?  Do any reverse proxies support
handing off just the decryption load to other machines?  How do big sites
separate their SSL decryption from their firewalls without losing this
valuable information?

Thanks in advance,

Sam

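Whatever ends up terminating the SSL, the web server side of the X-Forwarded-For approach has a trap that is worth spelling out: the header is plain client-supplied text, so the server must only honour it on connections that really arrive from its own proxy, and must read the hop list from the right (the end the proxy appended) rather than the left (the end the client controls). The following is an added example, not code from the original post or from relayd or pound; the firewall's DMZ CARP address (10.0.1.1), the web server's view of each connection and the client addresses are all constructed sample values.

```python
"""Derive the real client address behind a NATting reverse proxy.

The web server sees every connection coming from the proxy's address (here
the firewall's DMZ CARP address), so the client address has to come from the
X-Forwarded-For header the proxy inserts.  Two rules keep that safe:

  1. Only trust the header when the TCP peer is one of our own proxies.
     Anyone who can reach the server directly can send any header they like.
  2. Walk the comma-separated hop list from right to left, skipping our own
     proxies.  The rightmost entries were appended by hops we trust; the
     leftmost may have been supplied by the client itself.
"""
import ipaddress
from typing import Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Return the parsed address, or None if the hop entry is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None


def client_ip(peer_addr: str, xff_header: str, trusted_proxies: Iterable[str]) -> str:
    """Return the address to log / rate-limit on for one HTTP request.

    peer_addr       -- source address of the TCP connection as the server sees it
    xff_header      -- value of the X-Forwarded-For header ("" if absent)
    trusted_proxies -- addresses of the proxies we operate (e.g. the firewall)
    """
    peer = ipaddress.ip_address(peer_addr)
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}

    # Rule 1: a connection that did not come through our proxy gets no say
    # in what its own address is.
    if peer not in trusted or not xff_header:
        return str(peer)

    # Rule 2: the proxy appends the address it observed at the END of the
    # list, so the first non-proxy address from the right is the real client.
    for hop in reversed(xff_header.split(",")):
        addr = _parse_ip(hop)
        if addr is None:
            # A malformed hop means the list cannot be interpreted reliably.
            # Fail closed to the proxy address, which is what we had before
            # the header existed, rather than to a client-controlled value.
            return str(peer)
        if addr in trusted:
            continue
        return str(addr)

    # Every hop was one of our own proxies: nothing more specific is known.
    return str(peer)


# Constructed sample requests: (peer seen by the web server, X-Forwarded-For).
FIREWALL_CARP = "10.0.1.1"          # constructed DMZ CARP address of the proxy
SAMPLE_REQUESTS = [
    (FIREWALL_CARP, "203.0.113.7"),                 # normal proxied request
    (FIREWALL_CARP, "198.51.100.9, 203.0.113.7"),   # client spoofed a left-hand hop
    ("192.0.2.50",  "203.0.113.7"),                 # bypassed the proxy, header ignored
    (FIREWALL_CARP, "203.0.113.7, not-an-ip"),      # malformed hop, fail closed
]


def resolve_samples() -> list:
    """Run client_ip over the constructed requests (used by the demo below)."""
    return [client_ip(peer, xff, [FIREWALL_CARP]) for peer, xff in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (peer, xff), resolved in zip(SAMPLE_REQUESTS, resolve_samples()):
        print(f"peer={peer:<12} xff={xff!r:<32} client={resolved}")
```

The same logic applies unchanged if the decryption is later moved off the firewall to a separate proxy host: the only thing that changes is the list of trusted proxy addresses, and the web server keeps refusing the header from anything not on that list.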