The front end server must be configured to understand SSL. Otherwise, how 
else can the HTTP request be pulled apart (decrypted) to understand that it 
has to be forwarded to the backend server?

If you configure the back-end server to understand SSL, that's OK, but 
beware that all mod_proxy is doing is establishing one SSL connection from 
browser to mod_proxy and then a brand new SSL connection from mod_proxy to 
the backend server. 2 separate SSL sessions because SSL cannot (i.e. 
inconvenient to) be man-in-the-middled.

It has some likelihood to also be inefficient because I am not entirely 
sure that mod_proxy is caching the SSL client session key that it generates 
to connect to the back-end server as the browser normally does for the 
front end.

At 03:26 PM 7/25/2001 +0200, Issac Goldstand wrote:
>I am trying to make a back-end mod_perl/mod_ssl server.  The front-end
>server that is currently in place is doing a great job forwarding normal
>requests to the back-end, but it is not forwarding SSL.  Now, the front-end
>server does not understand SSL, itself.  What I'm doing is trying to force
>the entire VirtualHost listening on port 443 to an IP on a private subnet on
>an obscure port (what I do for all the back-end servers.  There are actually
>3 of them doing various things).  But it won't work.  The strange thing is
>that if I go to http://mysite:443/ I get the default Apache "It Worked"
>page, but https://mysite/ generates an error saying that the front end
>cannot understand, which seems to be pointing at the fact that it's not
>forwarding ANYTHING to the back-end server...
>
>Stas & Eric: This situation is mentioned in your book, but in nowhere near enough
>detail.  IMHO, that segment of the book (near the end of chapter "Server
>Setup Strategies for the Best Performance") should be redone in better
>detail to explain forwarding SSL to the back-end server.
>
>   Issac
>
>Internet is a wonderful mechanism for making a fool of
>yourself in front of a very large audience.
>   --Anonymous
>
>Moving the mouse won't get you into trouble...  Clicking it might.
>   --Anonymous
>
>PGP Key 0xE0FA561B - Fingerprint:
>7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B

__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
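
The arrangement described in the reply above, as an added configuration example that is not part of the original thread: the front end terminates the browser's SSL session and mod_proxy then either forwards plain HTTP or opens its own second SSL session to the back end. It assumes Apache httpd 2.4 directive names (mod_ssl, mod_proxy, mod_proxy_http); every hostname, address, port and file path is a placeholder.

```apache
# Added example, not from the original thread. Assumes Apache httpd 2.4 with
# mod_ssl, mod_proxy and mod_proxy_http loaded. All names, addresses, ports
# and paths below are placeholders.

# The front end must speak SSL itself: only after decrypting the request can
# it see the Host header and URL and decide where to forward it.
<VirtualHost *:443>
    ServerName mysite.example

    # Session 1: browser <-> front end
    SSLEngine on
    SSLCertificateFile    /path/to/frontend.crt
    SSLCertificateKeyFile /path/to/frontend.key

    # Option A: forward the decrypted request as plain HTTP over the private
    # subnet. The back end then needs no SSL configuration at all.
    # ProxyPass        / http://10.0.0.10:8080/
    # ProxyPassReverse / http://10.0.0.10:8080/

    # Option B: session 2, a brand new SSL connection front end <-> back end.
    # This is independent of session 1; the browser never sees the back-end
    # certificate, so the proxy has to verify it.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/backend-ca.crt
    SSLProxyCheckPeerName on
    ProxyPass        / https://backend.internal.example:8443/
    ProxyPassReverse / https://backend.internal.example:8443/
</VirtualHost>
```

With Option B the back-end certificate must be issued by the CA in `SSLProxyCACertificateFile` and carry the hostname used in the `ProxyPass` URL, otherwise the proxy refuses the connection.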
