At 01:19 AM 7/26/2001 +0200, Issac Goldstand wrote:
[snipped]

>I see what you mean.  I'm not dealing with client certs (yet), and I'm
>thinking that when the system that I'm testing now goes production, it'll be
>a front-end SSL, back-end non-SSL sorta deal...  But that won't work for now
>due to other security issues on the development boxes...

[snipped]


>I understand that.  It's just not doable for this...  In actuality, the
>"back-end" server now is not REALLY back-end... The mod_perl server is
>_behind_ that, so I'm really doing what you're suggesting already :)
>
>However, information must still get to this "middle-level" server, and the
>top level server certainly can't be trusted to decode sensitive
>information...

Considering this issue, it seems that what might help you more is a VPN. 
Have you tried using SSH port forwarding for the time being? And just allow 
the SSL stuff to go from your external web server directly through an SSH 
VPN link to the back-end (your true front end) server.

Later,
     Gunther


