On Thu, 6 Jan 2000, Joseph R. Junkin wrote:

> Actually, I am wrong, the HTTP_REFERER is the previous referring
> document, not the current URL so this does not solve my problem. Again,
> if anyone knows a way to determine if SSL is activated on the backend,
> please let me know.
> 
> > > Hi all,
> > > I have a two machine setup:
> > > (A) A frontend running mod_ssl, mod_rewrite and mod_proxy.
> > > (B) A backend mod_perl machine server not running SSL that is
> > > proxypassed to from the frontend
> > >
> > > Problem: I need to know within my mod_perl backend server whether or not
> > > SSL is active on the frontend, because if not I won't permit login.
> > >
> > > So how can I find out from the backend server (B) whether or not the
> > > frontend (A) is running in SSL?

I dealt with a situation somewhat like this recently.  The first problem
would be that even though you are encrypting between the client and the
front-end proxy, your communication between proxy and backend is in the
clear which sort of defeats the purpose of SSL.  If you're certain that
nobody can sniff your local network, then I guess you can overlook this,
but I wouldn't take any chances.

What we ended up trying (I should note here that we don't have this system
in production yet, so keep that in mind) was to have the frontend machine
set up an encrypted link to the backend through ssh port forwarding.

First we start an ssh that forwards the frontend's localhost:80 to the
backend's localhost:80.  Then have the frontend SSL server ProxyPass
everything to localhost:80 and then have the backend only allow connections
from localhost.  Look at the ssh man page and learn about its -L and -R
options if this doesn't make sense.

I suppose you could have your frontend server, say, insert a magic header
that says "hey, I'm running SSL", but you can't trust anything you get
from incoming headers (including HTTP_REFERER).  Forget I even suggested it.
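
The tunnel setup described in the reply above, written out as an added example that is not part of the original post. The host name `backend.example.internal`, the `tunnel` account and the Apache 2.4 directive syntax are assumptions; the ports are the ones the post names.

```apache
# --- Frontend (A): start the tunnel before Apache -----------------------
# This is a shell command, not an Apache directive (kept here as a comment):
#
#   ssh -N -L 127.0.0.1:80:127.0.0.1:80 tunnel@backend.example.internal
#
# -N  no remote command, forwarding only
# -L  listen on the frontend's 127.0.0.1:80 and carry each connection over
#     ssh to 127.0.0.1:80 as seen from the backend
# Binding a port below 1024 requires root on the frontend.
# backend.example.internal and the tunnel account are assumed names.

# --- Frontend (A): mod_ssl server ---------------------------------------
# Apache itself must not listen on port 80 here, or the ssh bind above fails.
Listen 443

<VirtualHost *:443>
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile as already configured

    # Everything goes to the local end of the tunnel, never to the
    # backend's network address.
    ProxyPass        / http://127.0.0.1:80/
    ProxyPassReverse / http://127.0.0.1:80/
</VirtualHost>

# --- Backend (B): mod_perl server ---------------------------------------
# Bind to loopback only, so the only way in is the connection that the
# backend's sshd opens on behalf of the tunnel.
Listen 127.0.0.1:80

<Location "/">
    # Second layer: refuse any client that is not local.
    Require local
</Location>
```

With the backend bound to loopback, a request can reach it only through the tunnel, which the frontend uses solely from its SSL virtual host.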
