I have a web server handling predominantly https traffic sitting on a DMZ behind a CARP'd firewall of two ALIX 2D3s.
Since the firewall is NATting traffic to the web server, the source IP of requests arriving at the web server is always the firewall's CARP address on the DMZ. I'd like the server to see the original client IP. The only solution I can think of is to use relayd, pound etc. as a layer 7 reverse proxy on the firewall that decrypts the SSL and inserts an X-Forwarded-For header. The problem there though is that the firewall is lightweight with just a 500MHz Geode, whereas the web server has dual quad core 2.3GHz E5410 Xeons sitting mostly idle. Even if the firewall can handle the load now, it'll quickly become a bottleneck if traffic increases. There might be hardware accelerator products that will work with the ALIX boards, but it seems to me that scalability in future will depend on separating the SSL decryption from the firewall. How can I get the best of both worlds, offloading the SSL decryption from the firewall without losing the client's IP? Do any reverse proxies support handing off just the decryption load to other machines? How do big sites separate their SSL decryption from their firewalls without losing this valuable information? Thanks in advance, Sam
