On 2014-09-02 at 22:36 +0000, Phil Pennock wrote:
> On 2014-09-03 at 09:21 +1200, Craig Miskell wrote:
> > Sadly, I think you'll find that nginx doesn't do HTTPS forward proxying
> > (i.e support CONNECT).
> >
> > http://forum.nginx.org/read.php?2,15124,15256#msg-15256
>
> That thread is from 2009.
>
> CONNECT is for local proxies, not reverse proxies: if you're letting
> through CONNECT then you can't do anything sensible with the content,
> because then the client is negotiating TLS with the upstream and you're
> relegated to fairly dumb TLS frame passer.
>
> To do forward proxying, you end up wanting the front-end proxy to
> _terminate_ the HTTPS and handle the requests, then use HTTPS for the
> backend/upstream, with the proxy performing HTTPS identity validation,
> etc.
>
> nginx does that just fine.

I just re-read this and realized I should have taken more care and
proof-read a little better, sorry.

CONNECT is for "normal" forward proxies, as are deployed at a site to
manage outbound connectivity to the Internet.

The "To do" paragraph should have been "To do reverse proxying, where
the proxy sits in front of one particular set of servers to handle
requests from the Internet, you end up wanting that front-end proxy to
_terminate_ [...]"

My apologies for any confusion created by my sloppiness with the terms
and the blatant wrongness of the initial label in that paragraph.

-Phil
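
The reverse-proxy arrangement described in the corrected paragraph (terminate HTTPS at the front end, use HTTPS to the upstream, validate the upstream's identity), as an added nginx configuration that is not part of the original thread. All hostnames, the upstream address and the certificate paths are placeholders chosen for illustration.

```nginx
# Added example: nginx as a TLS-terminating reverse proxy that re-encrypts
# to the upstream and validates the upstream certificate.
# Hostnames, addresses and file paths are placeholders (assumptions).
events {}

http {
    upstream app_backend {
        server backend.internal.example:8443;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;

        # Client-facing TLS ends here, so nginx sees and can act on the
        # decrypted requests (unlike a CONNECT tunnel, which it only relays).
        ssl_certificate     /etc/nginx/tls/www.example.com.crt;
        ssl_certificate_key /etc/nginx/tls/www.example.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Second, separate TLS session from the proxy to the upstream.
            proxy_pass https://app_backend;

            # Upstream identity validation. proxy_ssl_verify defaults to
            # "off", in which case nginx encrypts to the upstream but
            # accepts whatever certificate it presents.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;

            # With a named upstream group, the name checked against the
            # certificate defaults to the group name ("app_backend"), so
            # set the real hostname explicitly and send it as SNI.
            proxy_ssl_name                backend.internal.example;
            proxy_ssl_server_name         on;

            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

`nginx -t -c /path/to/this.conf` checks the syntax; a certificate mismatch on the upstream then surfaces as a 502 to the client with an upstream SSL verification error in the error log.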
