At 02:07 PM 6/29/2001 -0500, Christopher L. Everett wrote:
>Hello all,
>
>I've been running apache+mod_perl servers with apache+mod_ssl
>front-ends, and been quite happy with this type of setup for
>quite some time.
>
>Now I need to use SSL certificates for authenticating users
>of an online database.  It seems like there's no way to get
>the SSL information that the front-end sees to the back-end
>server because the SSL protocol underlies the HTTP protocol
>(outside of writing a custom apache module, and passing back
>the cert info in headers) and there's no such thing as an SSL
>proxy module that I've been able to find.
>
>Right now, I'm considering setting up a very lightweight
>apache+mod_perl+ssl+mod_proxy frontend with just a single
>perl auth/authz handler installed, and have that decrypt,
>authenticate, authorize, and proxy all SSL requests back
>to the fat server.  Then I revert the apache+mod_ssl front
>end to a vanilla apache server and have it handle all
>plain HTTP requests.

>Before I do this, I'd just like to know if anyone has any
>other ideas on how to do this.

Read Mads' post. We use a similar method of accomplishing this in our own work.

You can't use mod_proxy to proxy the SSL connection to the back-end server 
because as soon as you've established the SSL connection from the front-end 
proxy to the browser, you can't carry the certificate through to the 
back-end server even if you establish a second SSL connection.

You can only satisfy the SSL challenge response mechanisms through having 
the browser's private key which the reverse proxy does not have.

Later,
    Gunther
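
The header-forwarding approach mentioned in the question, sketched as an added example that is not part of the original messages: the front-end terminates SSL, verifies the client certificate itself, and passes the result to the back-end in request headers. It assumes Apache 2.4 with mod_ssl, mod_headers and mod_proxy; the `X-SSL-Client-*` header names, file paths, addresses and ports are placeholders.

```apache
# --- Front-end: terminates SSL and verifies the client certificate ---
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /path/to/server.crt
    SSLCertificateKeyFile   /path/to/server.key

    # Require a client certificate issued by a CA we trust.
    SSLCACertificateFile    /path/to/client-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          2

    # "set" replaces any value the client sent under the same name,
    # so a browser cannot inject its own identity headers.
    # %{VAR}s expands a mod_ssl environment variable.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Client-I-DN   "%{SSL_CLIENT_I_DN}s"

    # Plain HTTP to the back-end; the certificate itself cannot be
    # replayed there because the proxy lacks the browser's private key.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# --- Back-end: the fat mod_perl server ---
# Bind to loopback only and accept requests only from the front-end.
# Anything else that can reach this port could forge the headers above.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    <Location />
        Require ip 127.0.0.1
        # The authz handler reads X-SSL-Client-S-DN here and should
        # reject the request unless X-SSL-Client-Verify is SUCCESS.
    </Location>
</VirtualHost>
```

The back-end is trusting the front-end's assertion about the certificate rather than verifying anything cryptographically, so the restriction on who can connect to the back-end port is what carries the security of this setup.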
